Patch: Solaris packages don't create privsep user or group

Darren Tucker dtucker at zip.com.au
Mon Jul 15 22:32:16 EST 2002


Hi.
	Solaris packages created by buildpkg.sh don't create privsep user or
group and sshd won't start until they are created (or privsep is
disabled):

## Executing postinstall script.
starting /usr/local/sbin/sshd... Privilege separation user sshd does not
exist
/etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd...
bailing.

	The attached patch (against -cvs) ports the relevant parts from the AIX
package builder. I've tested it on Solaris 8 only and would be
interested to know if it works on other SysV-based systems.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: contrib/solaris/buildpkg.sh
===================================================================
RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v
retrieving revision 1.5
diff -u -r1.5 buildpkg.sh
--- contrib/solaris/buildpkg.sh	9 Jul 2002 02:02:11 -0000	1.5
+++ contrib/solaris/buildpkg.sh	15 Jul 2002 12:32:49 -0000
@@ -98,6 +98,19 @@
         eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
 done
 
+
+## Collect value of privsep user
+for confvar in SSH_PRIVSEP_USER
+do
+        eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
+done
+
+## Set privsep defaults if not defined
+if [ -z "$SSH_PRIVSEP_USER" ]
+then
+        SSH_PRIVSEP_USER=sshd
+fi
+
 ## Extract common info requires for the 'info' part of the package.
 VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
 
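Review bot: The awk pattern in the SSH_PRIVSEP_USER lookup is not anchored at either end, so it matches any config.h line that contains `#define SSH_PRIVSEP_USER`, including a commented-out define or a longer macro name that begins with the same text, and more than one matching line hands several words to the unquoted `eval`. Anchoring the pattern to the start of the line, requiring whitespace after the macro name and stopping at the first match would keep the result to a single token. With only one name in the list, the `for` loop could also be a plain assignment.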
@@ -213,6 +226,33 @@
 [ -d $piddir ]  ||  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 755 root sys
 
 installf -f ${PKGNAME}
+
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
+then
+        echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
+        echo "or group."
+else
+        echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
+
+        # create group if required
+        if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        then
+                echo "PrivSep group $SSH_PRIVSEP_USER already exists."
+        else
+                echo "Creating PrivSep group $SSH_PRIVSEP_USER."
+                groupadd $SSH_PRIVSEP_USER
+        fi
+
+        # Create user if required
+        if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        then
+                echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+        else
+                echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+                useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
+		passwd -l $SSH_PRIVSEP_USER
+        fi
+fi
 
 [ "\${POST_INS_START}" = "yes" ]  &&  ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
 exit 0
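Review bot: The added postinstall block reads `$sysconfdir/sshd_config`, `/etc/group` and `/etc/passwd` and runs `groupadd`/`useradd` against the running system, while the `installf` context line just above it prefixes its paths with `\${PKG_INSTALL_ROOT}`; on an install to an alternate root the check and the account creation would act on the wrong system. Suggest prefixing the three file paths with `\${PKG_INSTALL_ROOT}` and either skipping account creation or printing a notice when that variable is set. The exit status of `groupadd`, `useradd` and `passwd -l` is not checked, so a failed creation still falls through to the `POST_INS_START` start line. In the `UsePrivilegeSeparation` test, `[ \t]` inside an egrep bracket expression matches a space, a backslash or the letter `t` rather than a tab, so a tab-separated `UsePrivilegeSeparation no` line takes the "enabled" branch. Style: the `passwd -l` line is indented with tabs where the rest of the block uses spaces.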

