pkgsrc-Changes archive


CVS commit: pkgsrc/security/openssh



Module Name:    pkgsrc
Committed By:   wiz
Date:           Mon Jul  1 09:19:40 UTC 2024

Modified Files:
        pkgsrc/security/openssh: Makefile PLIST distinfo
        pkgsrc/security/openssh/patches: patch-Makefile.in patch-clientloop.c
            patch-configure.ac patch-defines.h patch-sandbox-darwin.c
Added Files:
        pkgsrc/security/openssh/patches: patch-sshd-session.c
Removed Files:
        pkgsrc/security/openssh/patches: patch-config.h.in patch-loginrec.c
            patch-openbsd-compat_openbsd-compat.h
            patch-openbsd-compat_port-net.c patch-sshd.8 patch-sshd.c

Log Message:
openssh: update to 9.8p1.

pkgsrc changes:

Remove outdated or undocumented patches.

Remove Interix support.

Remove tcp_wrappers support - it does not apply cleanly to this
version, and it is arguable whether we should even have such a big patch for openssh in pkgsrc.

Update Apple patches from MacPorts.

Upstream Changes:

Security
========

This release contains fixes for two security problems, one critical
and one minor.

1) Race condition in sshd(8)

A critical vulnerability in sshd(8) was present in Portable OpenSSH
versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary code
execution with root privileges.

Successful exploitation has been demonstrated on 32-bit Linux/glibc
systems with ASLR. Under lab conditions, the attack requires on
average 6-8 hours of continuous connections up to the maximum the
server will accept. Exploitation on 64-bit systems is believed to be
possible but has not been demonstrated at this time. It's likely that
these attacks will be improved upon.

Exploitation on non-glibc systems is conceivable but has not been
examined. Systems that lack ASLR or users of downstream Linux
distributions that have modified OpenSSH to disable per-connection
ASLR re-randomisation (yes - this is a thing, no - we don't
understand why) may potentially have an easier path to exploitation.
OpenBSD is not vulnerable.

We thank the Qualys Security Advisory Team for discovering, reporting
and demonstrating exploitability of this problem, and for providing
detailed feedback on additional mitigation measures.

2) Logic error in ssh(1) ObscureKeystrokeTiming

In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an
OpenSSH server version 9.5 or later, a logic error in the ssh(1)
ObscureKeystrokeTiming feature (on by default) rendered this feature
ineffective - a passive observer could still detect which network
packets contained real keystrokes when the countermeasure was active
because both fake and real keystroke packets were being sent
unconditionally.

This bug was found by Philippos Giavridis and also independently by
Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the
University of Cambridge Computer Lab.

Worse, the unconditional sending of both fake and real keystroke
packets broke another long-standing timing attack mitigation. Since
OpenSSH 2.9.9 sshd(8) has sent fake keystroke echo packets for
traffic received on TTYs in echo-off mode, such as when entering a
password into su(8) or sudo(8). This bug rendered these fake
keystroke echoes ineffective and could allow a passive observer of
an SSH session to once again detect when echo was off and obtain
fairly limited timing information about keystrokes in this situation
(20ms granularity by default).

This additional implication of the bug was identified by Jacky Wei
En Kung, Daniel Hugenroth and Alastair Beresford and we thank them
for their detailed analysis.

This bug does not affect connections when ObscureKeystrokeTiming
was disabled or sessions where no TTY was requested.

Potentially-incompatible changes
--------------------------------

 * all: as mentioned above, the DSA signature algorithm is now
   disabled at compile time.

 * sshd(8): the server will now block client addresses that
   repeatedly fail authentication, repeatedly connect without ever
   completing authentication or that crash the server. See the
   discussion of PerSourcePenalties below for more information.
   Operators of servers that accept connections from many users, or
   servers that accept connections from addresses behind NAT or
   proxies may need to consider these settings.

 * sshd(8): the server has been split into a listener binary, sshd(8),
   and a per-session binary "sshd-session". This allows for a much
   smaller listener binary, as it no longer needs to support the SSH
   protocol. As part of this work, support for disabling privilege
   separation (which previously required code changes to disable) and
   disabling re-execution of sshd(8) has been removed. Further
   separation of sshd-session into additional, minimal binaries is
   planned for the future.

 * sshd(8): several log messages have changed. In particular, some
   log messages will be tagged as originating from a process
   named "sshd-session" rather than "sshd".

 * ssh-keyscan(1): this tool previously emitted comment lines
   containing the hostname and SSH protocol banner to standard error.
   This release now emits them to standard output, but adds a new
   "-q" flag to silence them altogether.

 * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
   as the PAM service name. A new "PAMServiceName" sshd_config(5)
   directive allows selecting the service name at runtime. This
   defaults to "sshd". bz2101

 * (portable OpenSSH only) Automatically-generated files, such as
   configure, config.h.in, etc will now be checked in to the portable
   OpenSSH git release branch (e.g. V_9_8). This should ensure that
   the contents of the signed release branch exactly match the
   contents of the signed release tarball.
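As an added example (not part of this pkgsrc commit and not OpenSSH code), the two affected-version ranges stated in the security notes above encoded as a small Python triage helper: it parses an OpenSSH banner or `ssh -V` string and reports whether the sshd(8) race (Portable OpenSSH 8.5p1 through 9.7p1; OpenBSD native builds, which carry no `pN` suffix, excluded) or the ObscureKeystrokeTiming logic error (9.5 through 9.7) applies. The host/banner lines at the bottom are constructed for the demonstration and the function names are this example's own. The version string is treated as a hint only: a distribution that backported the fix without changing its banner will still be listed as affected, so a hit needs confirming against the vendor's patch level before anyone acts on it.

```python
"""Version triage for the two issues described in the OpenSSH 9.8p1 notes.

Added example; only the version ranges come from the release notes. The
function names, the dataclass and the sample banners are made up here.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Matches "OpenSSH_9.7p1" (portable) as well as "OpenSSH_9.7" (OpenBSD
# native, which has no pN suffix) inside a banner or an "ssh -V" line.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


@dataclass(frozen=True)
class OpenSSHVersion:
    major: int
    minor: int
    portable: Optional[int]  # None: no "pN" suffix, i.e. not Portable OpenSSH

    def key(self) -> Tuple[int, int, int]:
        """Comparable tuple; native builds sort as if pN were 0."""
        return (self.major, self.minor, self.portable or 0)


def parse_version(text: str) -> Optional[OpenSSHVersion]:
    """Extract the OpenSSH version from a banner or 'ssh -V' string."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, p = m.groups()
    return OpenSSHVersion(int(major), int(minor), int(p) if p else None)


def affected_by_sshd_race(v: OpenSSHVersion) -> bool:
    """sshd(8) race: Portable OpenSSH 8.5p1 through 9.7p1 inclusive.

    OpenBSD's native sshd (no pN suffix) is stated as not vulnerable.
    """
    if v.portable is None:
        return False
    return (8, 5, 1) <= v.key() <= (9, 7, 1)


def affected_by_keystroke_bug(v: OpenSSHVersion) -> bool:
    """ssh(1) ObscureKeystrokeTiming logic error: 9.5 through 9.7 inclusive.

    The notes do not exclude native builds here, so only major/minor count.
    """
    return (9, 5) <= (v.major, v.minor) <= (9, 7)


# Constructed sample inventory: "<host> <server banner>". Not real hosts.
SAMPLE_BANNERS = [
    "bastion1 SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "bsdgw    SSH-2.0-OpenSSH_9.7",
    "build7   SSH-2.0-OpenSSH_9.8p1",
    "legacy3  SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "edge2    SSH-2.0-OpenSSH_8.5p1",
    "iot9     SSH-2.0-dropbear_2022.83",
]


def triage_banners(lines: Iterable[str]) -> Dict[str, str]:
    """Classify each 'host banner' line for the sshd(8) race.

    Returns "affected-by-version", "not-affected" or "unknown" per host.
    "affected-by-version" only means the banner lies inside the stated
    range; it still has to be confirmed against the vendor's patch level.
    """
    result: Dict[str, str] = {}
    for line in lines:
        host, _, banner = line.strip().partition(" ")
        v = parse_version(banner)
        if v is None:
            result[host] = "unknown"
        elif affected_by_sshd_race(v):
            result[host] = "affected-by-version"
        else:
            result[host] = "not-affected"
    return result


if __name__ == "__main__":
    for host, status in triage_banners(SAMPLE_BANNERS).items():
        print(f"{host:10s} {status}")
```

Feeding it the output of a banner grab (for example the `SSH-2.0-...` line each server sends on connect) is enough to get a first cut of which hosts need the 9.8p1 update first; the `OpenBSD`-native exclusion and the inclusive bounds are exactly the ones the notes above give, nothing more.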


To generate a diff of this commit:
cvs rdiff -u -r1.282 -r1.283 pkgsrc/security/openssh/Makefile
cvs rdiff -u -r1.20 -r1.21 pkgsrc/security/openssh/PLIST
cvs rdiff -u -r1.122 -r1.123 pkgsrc/security/openssh/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/security/openssh/patches/patch-Makefile.in
cvs rdiff -u -r1.5 -r1.6 pkgsrc/security/openssh/patches/patch-clientloop.c
cvs rdiff -u -r1.7 -r0 pkgsrc/security/openssh/patches/patch-config.h.in
cvs rdiff -u -r1.9 -r1.10 pkgsrc/security/openssh/patches/patch-configure.ac
cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/openssh/patches/patch-defines.h
cvs rdiff -u -r1.6 -r0 pkgsrc/security/openssh/patches/patch-loginrec.c
cvs rdiff -u -r1.4 -r0 \
    pkgsrc/security/openssh/patches/patch-openbsd-compat_openbsd-compat.h
cvs rdiff -u -r1.1 -r0 \
    pkgsrc/security/openssh/patches/patch-openbsd-compat_port-net.c
cvs rdiff -u -r1.2 -r1.3 \
    pkgsrc/security/openssh/patches/patch-sandbox-darwin.c
cvs rdiff -u -r0 -r1.1 pkgsrc/security/openssh/patches/patch-sshd-session.c
cvs rdiff -u -r1.2 -r0 pkgsrc/security/openssh/patches/patch-sshd.8
cvs rdiff -u -r1.13 -r0 pkgsrc/security/openssh/patches/patch-sshd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/openssh/Makefile
diff -u pkgsrc/security/openssh/Makefile:1.282 pkgsrc/security/openssh/Makefile:1.283
--- pkgsrc/security/openssh/Makefile:1.282      Tue Jun 25 17:38:40 2024
+++ pkgsrc/security/openssh/Makefile    Mon Jul  1 09:19:40 2024
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.282 2024/06/25 17:38:40 wiz Exp $
+# $NetBSD: Makefile,v 1.283 2024/07/01 09:19:40 wiz Exp $
 
-DISTNAME=              openssh-9.7p1
+DISTNAME=              openssh-9.8p1
 CATEGORIES=            security
 MASTER_SITES=          ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
 
@@ -48,7 +48,6 @@ GNU_CONFIGURE=                yes
 CONFIGURE_ARGS+=       --with-mantype=man
 CONFIGURE_ARGS+=       --sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=       --with-pid-dir=${SSH_PID_DIR}
-CONFIGURE_ARGS+=       --with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
 
 CONFIGURE_ARGS+=       --with-privsep-path=${OPENSSH_CHROOT:Q}
 CONFIGURE_ARGS+=       --with-privsep-user=${OPENSSH_USER}
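Review bot: dropping `--with-tcp-wrappers` silently turns off hosts.allow/hosts.deny enforcement for sshd on the next upgrade, which removes an access control some installations rely on; since the log message only explains the maintenance reason, consider a MESSAGE file telling users that libwrap is gone and pointing them at the 9.8 `PerSourcePenalties` settings or Match blocks as the replacement.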
@@ -77,12 +76,6 @@ CONFIGURE_ENV+=              LD=${CC:Q}
 # if we have utmpx et al do not try to use login()
 CONFIGURE_ARGS+=       --disable-libutil
 .  endif
-#
-# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
-# prior version don't have it.  So, disable use of strnvis(3) now.
-#
-CONFIGURE_ENV+=                ac_cv_func_strnvis=no
-#
 # workaround for ./configure problem, pkg/50936
 #
 CONFIGURE_ENV+=                ac_cv_func_reallocarray=no
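Review bot: the removal of `CONFIGURE_ENV+= ac_cv_func_strnvis=no` is not covered by the log message. The deleted comment says NetBSD's strnvis(3) is incompatible with what OpenSSH expects, so before dropping the override confirm that 9.8p1's configure detects that mismatch on current NetBSD by itself; linking against an incompatible strnvis(3) is a correctness problem, not just a build failure. A one-line comment on why the override is no longer needed would help the next updater.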
@@ -144,7 +137,6 @@ SUBST_SED.patch=    -e '/channel_input_port
 SUBST_VARS.patch=      PKG_SYSCONFDIR
 
 .include "../../devel/zlib/buildlink3.mk"
-.include "../../security/tcp_wrappers/buildlink3.mk"
 
 #
 # type of key "ecdsa" isn't always supported depends on OpenSSL.

Index: pkgsrc/security/openssh/PLIST
diff -u pkgsrc/security/openssh/PLIST:1.20 pkgsrc/security/openssh/PLIST:1.21
--- pkgsrc/security/openssh/PLIST:1.20  Wed May 27 13:49:27 2020
+++ pkgsrc/security/openssh/PLIST       Mon Jul  1 09:19:40 2024
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.20 2020/05/27 13:49:27 sevan Exp $
+@comment $NetBSD: PLIST,v 1.21 2024/07/01 09:19:40 wiz Exp $
 bin/scp
 bin/sftp
 bin/ssh
@@ -10,6 +10,7 @@ libexec/sftp-server
 libexec/ssh-keysign
 libexec/ssh-pkcs11-helper
 libexec/ssh-sk-helper
+libexec/sshd-session
 man/man1/scp.1
 man/man1/sftp.1
 man/man1/ssh-add.1
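Review bot: `libexec/sshd-session` has to be the path compiled into sshd(8); the patch-Makefile.in context below shows `SSHD_SESSION=$(libexecdir)/sshd-session`, so this matches as long as libexecdir is `${PREFIX}/libexec`. Worth stating in the upgrade notes: the pre-9.8 listener re-executes the on-disk sshd binary per connection (the log message says disabling re-execution has now been removed), and the new sshd is a listener-only binary, so sshd must be restarted right after the package is installed to avoid a mismatched listener/session pair handling new connections.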

Index: pkgsrc/security/openssh/distinfo
diff -u pkgsrc/security/openssh/distinfo:1.122 pkgsrc/security/openssh/distinfo:1.123
--- pkgsrc/security/openssh/distinfo:1.122      Tue Jun 25 17:38:40 2024
+++ pkgsrc/security/openssh/distinfo    Mon Jul  1 09:19:40 2024
@@ -1,17 +1,12 @@
-$NetBSD: distinfo,v 1.122 2024/06/25 17:38:40 wiz Exp $
+$NetBSD: distinfo,v 1.123 2024/07/01 09:19:40 wiz Exp $
 
-BLAKE2s (openssh-9.7p1.tar.gz) = cfa9904afcdf9c2b1ff80b4ee1109a2f71bb60daae1669586e4ccb4a10a05f47
-SHA512 (openssh-9.7p1.tar.gz) = 0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55
-Size (openssh-9.7p1.tar.gz) = 1848766 bytes
-SHA1 (patch-Makefile.in) = 70d6ca9c803b6193d0e340cb0518936a00e57492
-SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
-SHA1 (patch-config.h.in) = 7d1050743da7264763254b57938775c546c3baa5
-SHA1 (patch-configure.ac) = 65507029aa7570bcc1e588d022812e708ef5cd5d
-SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
-SHA1 (patch-loginrec.c) = 76f1e03182cbd18dd9ac0bdfcb6502eec7eb56a9
-SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
-SHA1 (patch-openbsd-compat_port-net.c) = b2a0ce81a52b00f106198d549b5068a5e67092ef
-SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
-SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = 0c5725305cbab3855b52c1a63fe4e987ed14e44e
+BLAKE2s (openssh-9.8p1.tar.gz) = 813dc945583cd4a126388d2b70f8e0aec259c72c5545108bfe7fe9f2d29c17b8
+SHA512 (openssh-9.8p1.tar.gz) = 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
+Size (openssh-9.8p1.tar.gz) = 1910393 bytes
+SHA1 (patch-Makefile.in) = 38df2aa7aaeeaac660763724188852bdb8bdcd24
+SHA1 (patch-clientloop.c) = 6211c64f77e1f5cf687d38e201b97f7a415d3598
+SHA1 (patch-configure.ac) = eb759d065e296a5fdf1e8925308e6e77ea2c60a8
+SHA1 (patch-defines.h) = 5424b1b24f1d4bbd47efa614ee180a45e7b9a54e
+SHA1 (patch-sandbox-darwin.c) = 5ae84525b5bf8232afc2d201868e19ac7e5b2bc8
+SHA1 (patch-sshd-session.c) = 1269a177432e92c8937ee43c0093882207c203c5
 SHA1 (patch-sshkey.h) = aaaf622f377e455c49683fcc2ca42576ccd097bb
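Review bot: the new BLAKE2s/SHA512 values for openssh-9.8p1.tar.gz are what every downstream build will trust, so they should be checked against the upstream PGP-signed release before commit, not just computed from the fetched file (the log message notes that with 9.8 the signed V_9_8 branch is meant to match the signed tarball exactly, which gives a second reference). The removed SHA1 lines match the Removed Files list; patch-sshkey.h keeps its old checksum, which is fine only if that patch still applies to 9.8p1 without fuzz.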

Index: pkgsrc/security/openssh/patches/patch-Makefile.in
diff -u pkgsrc/security/openssh/patches/patch-Makefile.in:1.7 pkgsrc/security/openssh/patches/patch-Makefile.in:1.8
--- pkgsrc/security/openssh/patches/patch-Makefile.in:1.7       Sun May 15 19:21:56 2022
+++ pkgsrc/security/openssh/patches/patch-Makefile.in   Mon Jul  1 09:19:40 2024
@@ -1,8 +1,10 @@
-$NetBSD: patch-Makefile.in,v 1.7 2022/05/15 19:21:56 wiz Exp $
+$NetBSD: patch-Makefile.in,v 1.8 2024/07/01 09:19:40 wiz Exp $
+
+Use askpass provided by pkgsrc.
 
 Removed install-sysconf as we handle that phase through post-install
 
---- Makefile.in.orig   2022-04-06 00:47:48.000000000 +0000
+--- Makefile.in.orig   2024-07-01 04:36:28.000000000 +0000
 +++ Makefile.in
 @@ -21,7 +21,7 @@ abs_top_builddir=@abs_top_builddir@
  DESTDIR=
@@ -12,8 +14,8 @@ Removed install-sysconf as we handle tha
 +#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
-@@ -382,7 +382,7 @@ distprep: catman-do depend-check
+ SSHD_SESSION=$(libexecdir)/sshd-session
+@@ -389,7 +390,7 @@ distprep: catman-do depend-check
        -rm -rf autom4te.cache .depend.bak
  
  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
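Review bot: the inner hunk header changed from `-382,7 +382,7` to `-389,7 +390,7`, a one-line skew between old and new that the only other visible inner hunk (`-21,7 +21,7`, same size on both sides) cannot produce; either a hunk is missing from this diff or the patch was regenerated against an already-modified tree. Regenerating it with mkpatches (pkgtools/pkgdiff) against the pristine 9.8p1 distfile would give exact offsets.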

Index: pkgsrc/security/openssh/patches/patch-clientloop.c
diff -u pkgsrc/security/openssh/patches/patch-clientloop.c:1.5 pkgsrc/security/openssh/patches/patch-clientloop.c:1.6
--- pkgsrc/security/openssh/patches/patch-clientloop.c:1.5      Fri Dec 30 04:43:16 2016
+++ pkgsrc/security/openssh/patches/patch-clientloop.c  Mon Jul  1 09:19:40 2024
@@ -1,8 +1,8 @@
-$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
+$NetBSD: patch-clientloop.c,v 1.6 2024/07/01 09:19:40 wiz Exp $
 
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 
-https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+https://github.com/macports/macports-ports/blob/master/net/openssh/files/launchd.patch
 
 --- clientloop.c.orig  2016-12-19 04:59:41.000000000 +0000
 +++ clientloop.c
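Review bot: the new reference points at `blob/master/...`, which will drift as MacPorts changes its patch; pin it to a commit hash so the provenance of this pkgsrc copy stays verifiable. The `--- clientloop.c.orig 2016-12-19` timestamp was also left untouched while the hunk offsets below were updated, so the patch no longer records which upstream file it was generated against.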
@@ -17,7 +17,7 @@ https://trac.macports.org/browser/trunk/
        *_proto = proto;
        *_data = data;
        proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
-@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
+@@ -331,6 +331,18 @@ client_x11_get_proto(const char *display
        }
  
        if (xauth_path != NULL) {
@@ -29,23 +29,8 @@ https://trac.macports.org/browser/trunk/
 +                       * to determine if an error should be displayed.
 +                       */
 +                      char path[PATH_MAX];
-+                      struct stat sbuf;
 +
-+                      strlcpy(path, display, sizeof(path));
-+                      if (0 == stat(path, &sbuf)) {
-+                              is_path_to_socket = 1;
-+                      } else {
-+                              char *dot = strrchr(path, '.');
-+                              if (dot) {
-+                                      *dot = '\0';
-+                                      /* screen = atoi(dot + 1); */
-+                                      if (0 == stat(path, &sbuf)) {
-+                                              is_path_to_socket = 1;
-+                                              debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
-+                                              setenv("DISPLAY", path, 1);
-+                                      }
-+                              }
-+                      }
++                      is_path_to_socket = is_path_to_xsocket(display, path, sizeof(path));
 +              }
 +#endif /* __APPLE__ */
                /*
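Review bot: `is_path_to_xsocket()` is called here but nothing in the visible hunks declares or defines it, and the inner header's new-side offset dropped from `+335` to `+331`, so the earlier part of this patch no longer adds lines before this point; confirm the helper is still provided somewhere in the patch, otherwise a Darwin build fails at link time. The deleted inline code also had a side effect beyond the boolean result, `setenv("DISPLAY", path, 1)` after stripping the screen number; the review should check that the helper preserves it, since X11 forwarding under launchd depended on that rewrite.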

Index: pkgsrc/security/openssh/patches/patch-configure.ac
diff -u pkgsrc/security/openssh/patches/patch-configure.ac:1.9 pkgsrc/security/openssh/patches/patch-configure.ac:1.10
--- pkgsrc/security/openssh/patches/patch-configure.ac:1.9      Sun May 15 19:21:56 2022
+++ pkgsrc/security/openssh/patches/patch-configure.ac  Mon Jul  1 09:19:40 2024
@@ -1,8 +1,8 @@
-$NetBSD: patch-configure.ac,v 1.9 2022/05/15 19:21:56 wiz Exp $
+$NetBSD: patch-configure.ac,v 1.10 2024/07/01 09:19:40 wiz Exp $
 
---- configure.ac.orig  2022-04-06 00:47:48.000000000 +0000
+--- configure.ac.orig  2024-07-01 04:36:28.000000000 +0000
 +++ configure.ac
-@@ -340,6 +340,9 @@ AC_ARG_WITH([rpath],
+@@ -380,6 +380,9 @@ AC_ARG_WITH([rpath],
        ]
  )
  
@@ -12,78 +12,7 @@ $NetBSD: patch-configure.ac,v 1.9 2022/0
  # Allow user to specify flags
  AC_ARG_WITH([cflags],
        [  --with-cflags           Specify additional flags to pass to compiler],
-@@ -434,6 +437,7 @@ AC_CHECK_HEADERS([ \
-       maillock.h \
-       ndir.h \
-       net/if_tun.h \
-+      net/tun/if_tun.h \
-       netdb.h \
-       netgroup.h \
-       pam/pam_appl.h \
-@@ -1601,6 +1605,62 @@ else
-       AC_MSG_RESULT([no])
- fi
- 
-+# Check whether user wants TCP wrappers support
-+TCPW_MSG="no"
-+AC_ARG_WITH([tcp-wrappers],
-+      [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
-+      [
-+              if test "x$withval" != "xno" ; then
-+                      saved_LIBS="$LIBS"
-+                      saved_LDFLAGS="$LDFLAGS"
-+                      saved_CPPFLAGS="$CPPFLAGS"
-+                      if test -n "${withval}" && \
-+                          test "x${withval}" != "xyes"; then
-+                              if test -d "${withval}/lib"; then
-+                                      if test -n "${need_dash_r}"; then
-+                                              LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-+                                      else
-+                                              LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-+                                      fi
-+                              else
-+                                      if test -n "${need_dash_r}"; then
-+                                              LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-+                                      else
-+                                              LDFLAGS="-L${withval} ${LDFLAGS}"
-+                                      fi
-+                              fi
-+                              if test -d "${withval}/include"; then
-+                                      CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-+                              else
-+                                      CPPFLAGS="-I${withval} ${CPPFLAGS}"
-+                              fi
-+                      fi
-+                      LIBS="-lwrap $LIBS"
-+                      AC_MSG_CHECKING([for libwrap])
-+                      AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-+#include <sys/types.h>
-+#include <sys/socket.h>
-+#include <netinet/in.h>
-+#include <tcpd.h>
-+int deny_severity = 0, allow_severity = 0;
-+                              ]], [[
-+      hosts_access(0);
-+                              ]])], [
-+                                      AC_MSG_RESULT([yes])
-+                                      AC_DEFINE([LIBWRAP], [1],
-+                                              [Define if you want
-+                                              TCP Wrappers support])
-+                                      SSHDLIBS="$SSHDLIBS -lwrap"
-+                                      TCPW_MSG="yes"
-+                              ], [
-+                                      AC_MSG_ERROR([*** libwrap missing])
-+                              
-+                      ])
-+                      LIBS="$saved_LIBS"
-+              fi
-+      ]
-+)
-+
- # Check whether user wants to use ldns
- LDNS_MSG="no"
- AC_ARG_WITH(ldns,
-@@ -5480,9 +5540,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -5568,9 +5628,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
  ])
  if test -z "$conf_wtmpx_location"; then
        if test x"$system_wtmpx_path" = x"no" ; then
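Review bot: besides the tcp_wrappers block, this hunk also drops the `net/tun/if_tun.h` header probe, which is not covered by any of the three pkgsrc changes the log message lists (outdated patches, Interix, tcp_wrappers). If some platform needed it for tunnel (`-w`) support, that platform silently loses it; either say in the log why the probe is no longer needed or keep that one-line addition.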
@@ -103,7 +32,7 @@ $NetBSD: patch-configure.ac,v 1.9 2022/0
        AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
                [Define if you want to specify the path to your wtmpx file])
  fi
-@@ -5580,7 +5648,7 @@ echo "OpenSSH has been configured with t
+@@ -5677,7 +5745,7 @@ echo "OpenSSH has been configured with t
  echo "                     User binaries: $B"
  echo "                   System binaries: $C"
  echo "               Configuration files: $D"
@@ -112,11 +41,3 @@ $NetBSD: patch-configure.ac,v 1.9 2022/0
  echo "                      Manual pages: $F"
  echo "                          PID file: $G"
  echo "  Privilege separation chroot path: $H"
-@@ -5602,6 +5670,7 @@ echo "                       PAM support
- echo "                   OSF SIA support: $SIA_MSG"
- echo "                 KerberosV support: $KRB5_MSG"
- echo "                   SELinux support: $SELINUX_MSG"
-+echo "              TCP Wrappers support: $TCPW_MSG"
- echo "                   libedit support: $LIBEDIT_MSG"
- echo "                   libldns support: $LDNS_MSG"
- echo "  Solaris process contract support: $SPC_MSG"

Index: pkgsrc/security/openssh/patches/patch-defines.h
diff -u pkgsrc/security/openssh/patches/patch-defines.h:1.4 pkgsrc/security/openssh/patches/patch-defines.h:1.5
--- pkgsrc/security/openssh/patches/patch-defines.h:1.4 Mon Jan 18 12:53:26 2016
+++ pkgsrc/security/openssh/patches/patch-defines.h     Mon Jul  1 09:19:40 2024
@@ -1,25 +1,9 @@
-$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-defines.h,v 1.5 2024/07/01 09:19:40 wiz Exp $
 
 Define ROOTUID, UTMPX_FILE and WTMPX_FILE
 
 --- defines.h.orig     2015-08-21 04:49:03.000000000 +0000
 +++ defines.h
-@@ -30,6 +30,15 @@
- 
- /* Constants */
- 
-+#ifdef HAVE_INTERIX
-+/* Interix has a special concept of "administrator". */
-+# define ROOTUID      197108
-+# define ROOTGID      131616
-+#else
-+# define ROOTUID      0
-+# define ROOTGID      0
-+#endif
-+
- #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
- enum
- {
 @@ -721,6 +730,24 @@ struct winsize {
  #    endif
  #  endif
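Review bot: the description still reads `Define ROOTUID, UTMPX_FILE and WTMPX_FILE`, but the hunk that defined ROOTUID/ROOTGID is removed here; update the description, and check that no remaining pkgsrc patch references `ROOTUID`, since the non-Interix `#define ROOTUID 0` fallback disappears together with the Interix branch. The remaining inner header `@@ -721,6 +730,24 @@` is now skewed by the nine lines the deleted hunk used to add, and the `.orig` timestamp is from 2015; regenerating the patch against 9.8p1 fixes both.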

Index: pkgsrc/security/openssh/patches/patch-sandbox-darwin.c
diff -u pkgsrc/security/openssh/patches/patch-sandbox-darwin.c:1.2 pkgsrc/security/openssh/patches/patch-sandbox-darwin.c:1.3
--- pkgsrc/security/openssh/patches/patch-sandbox-darwin.c:1.2  Mon Jan 18 12:53:26 2016
+++ pkgsrc/security/openssh/patches/patch-sandbox-darwin.c      Mon Jul  1 09:19:40 2024
@@ -1,10 +1,11 @@
-$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-sandbox-darwin.c,v 1.3 2024/07/01 09:19:40 wiz Exp $
 
 Support sandbox on newer OSX, from MacPorts.
+https://github.com/macports/macports-ports/blob/master/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
 
---- sandbox-darwin.c.orig      2015-08-21 04:49:03.000000000 +0000
+--- sandbox-darwin.c.orig      2024-07-01 04:36:28.000000000 +0000
 +++ sandbox-darwin.c
-@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+@@ -63,8 +63,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
        struct rlimit rl_zero;
  
        debug3("%s: starting Darwin sandbox", __func__);
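Review bot: as with patch-clientloop.c, the MacPorts URL points at `master`; pin it to a commit so the copied patch can later be diffed against its source. Only the inner offset moved (62 to 63) while the `.orig` timestamp now claims 2024-07-01; if the body was hand-adjusted rather than regenerated from the 9.8p1 file, say so in the header so the next updater knows what was verified.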

Added files:

Index: pkgsrc/security/openssh/patches/patch-sshd-session.c
diff -u /dev/null pkgsrc/security/openssh/patches/patch-sshd-session.c:1.1
--- /dev/null   Mon Jul  1 09:19:40 2024
+++ pkgsrc/security/openssh/patches/patch-sshd-session.c        Mon Jul  1 09:19:40 2024
@@ -0,0 +1,25 @@
+$NetBSD: patch-sshd-session.c,v 1.1 2024/07/01 09:19:40 wiz Exp $
+
+Apple change based on
+https://github.com/macports/macports-ports/blob/master/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
+
+--- sshd-session.c.orig        2024-07-01 08:27:04.662426784 +0000
++++ sshd-session.c
+@@ -376,10 +383,17 @@ privsep_preauth(struct ssh *ssh)
+               /* Arrange for logging to be sent to the monitor */
+               set_log_handler(mm_log_handler, pmonitor);
+ 
++#ifdef  __APPLE_SANDBOX_NAMED_EXTERNAL__
++              /* We need to do this before we chroot() so we can read sshd.sb */
++              if (box != NULL)
++                      ssh_sandbox_child(box);
++#endif
+               privsep_preauth_child();
+               setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
+               if (box != NULL)
+                       ssh_sandbox_child(box);
++#endif
+ 
+               return 0;
+       }
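Review bot: under `__APPLE_SANDBOX_NAMED_EXTERNAL__` the sandbox is now entered before `privsep_preauth_child()`, i.e. while the preauth child is still root and before it chroots and drops privileges, so the external `sshd.sb` profile has to permit everything `privsep_preauth_child()` does afterwards (the chroot and the uid/gid changes); a profile written for the upstream ordering, where the sandbox is applied last, may not, and the comment should spell that constraint out. The hunk header `@@ -376,10 +383,17 @@` also claims seven lines were added earlier in the file, yet this 25-line patch contains only this one hunk, and the cited MacPorts file is `patch-sshd.c-...` while 9.8 moved this code into sshd-session.c; check whether other hunks of that MacPorts patch need a counterpart in sshd.c or sshd-session.c now that the two are separate binaries, and regenerate the header offsets.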


