From f1a1001f0ea4ffee74baf733d390f2fd1b98fa51 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Fri, 19 Jul 2002 11:57:57 -0700 Subject: [PATCH] [contrib/solaris/buildpkg.sh] create privsep user/group if needed. Patch by dtucker@zip.com.au --- ChangeLog | 6 ++++- contrib/solaris/buildpkg.sh | 44 ++++++++++++++++++++++++++++++------- 2 files changed, 41 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index e510f9f42..0ec31832a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20020719 + - (tim) [contrib/solaris/buildpkg.sh] create privsep user/group if needed. + Patch by dtucker@zip.com.au + 20020718 - (tim) [defines.h] Bug 313 patch by dirk.meyer@dinoex.sub.org - (tim) [monitor_mm.c] add missing declaration for xmmap(). Reported @@ -1389,4 +1393,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2377 2002/07/18 18:49:32 tim Exp $ +$Id: ChangeLog,v 1.2378 2002/07/19 18:57:57 tim Exp $ diff --git a/contrib/solaris/buildpkg.sh b/contrib/solaris/buildpkg.sh index def325b87..c41b3f963 100755 --- a/contrib/solaris/buildpkg.sh +++ b/contrib/solaris/buildpkg.sh @@ -15,11 +15,14 @@ umask 022 # configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty # and # PKGNAME=tOpenSSH should allow testing a package without interfering -# with a real OpenSSH package on a system. +# with a real OpenSSH package on a system. This is not needed on systems +# that support the -R option to pkgadd. #TEST_DIR=/var/tmp # leave commented out for production build PKGNAME=OpenSSH SYSVINIT_NAME=opensshd MAKE=${MAKE:="make"} +SSHDUID=67 # Default privsep uid +SSHDGID=67 # Default privsep gid # uncomment these next two as needed #PERMIT_ROOT_LOGIN=no #X11_FORWARDING=yes @@ -57,7 +60,7 @@ SYSTEM_DIR="/etc \ /var/tmp \ /tmp" -# We may need to buiild as root so we make sure PATH is set up +# We may need to build as root so we make sure PATH is set up # only set the path if it's not set already [ -d /usr/local/bin ] && { echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1 @@ -227,7 +230,18 @@ fi installf -f ${PKGNAME} -if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null +# Use chroot to handle PKG_INSTALL_ROOT +if [ ! -z "\${PKG_INSTALL_ROOT}" ] +then + chroot="chroot \${PKG_INSTALL_ROOT}" +fi +# If this is a test build, we will skip the groupadd/useradd/passwd commands +if [ ! -z "${TEST_DIR}" ] +then + chroot=echo +fi + +if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null then echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" echo "or group." @@ -235,22 +249,36 @@ else echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." # create group if required - if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null then echo "PrivSep group $SSH_PRIVSEP_USER already exists." else + # Use gid of 67 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null + then + : + else + sshdgid="-g $SSHDGID" + fi echo "Creating PrivSep group $SSH_PRIVSEP_USER." - groupadd $SSH_PRIVSEP_USER + \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER fi # Create user if required - if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null then echo "PrivSep user $SSH_PRIVSEP_USER already exists." else + # Use uid of 67 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null + then + : + else + sshduid="-u $SSHDUID" + fi echo "Creating PrivSep user $SSH_PRIVSEP_USER." - useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER - passwd -l $SSH_PRIVSEP_USER + \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER + \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER fi fi