Patch: Solaris packages don't create privsep user or group

Tue Jul 16 16:18:17 EST 2002

Darren Moffat wrote:
> >Should we:
> >(a) move them to the /etc/init.d/openssh script same as the keygens
> >(b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd
> >(c) chroot tricks?
> >(d) ?
> >
> >I prefer (a).
> 
> (b) is what would be done by a Solaris shipped package.  Given that the
> format of /etc/passwd and /etc/shadow are stable interfaces there is
> no problem doing that.

How about something like the attached patch (b+c)? (Currently untested,
please don't commit.) Or is it too convoluted?

> The more you add to the openssh init.d script the longer it takes to
> startup that Solaris instance - this is an issue for some people.

Doing it in the init script would mean that if someone enabled privsep
and restarted it would magically work.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: contrib/solaris/buildpkg.sh
===================================================================
RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v
retrieving revision 1.6
diff -u -r1.6 buildpkg.sh

--- contrib/solaris/buildpkg.sh	15 Jul 2002 18:49:21 -0000	1.6
+++ contrib/solaris/buildpkg.sh	16 Jul 2002 06:19:16 -0000
@@ -20,6 +20,8 @@
 PKGNAME=OpenSSH
 SYSVINIT_NAME=opensshd
 MAKE=${MAKE:="make"}
+SSHDUID=22	# Default privsep uid
+SSHDGID=22	# Default privsep gid
 # uncomment these next two as needed
 #PERMIT_ROOT_LOGIN=no
 #X11_FORWARDING=yes
@@ -227,6 +229,12 @@
 
 installf -f ${PKGNAME}
 
+# Use chroot to handle PKG_INSTALL_ROOT
+if [ ! -z "\${PKG_INSTALL_ROOT}" ]
+then
+	chroot="chroot \${PKG_INSTALL_ROOT}"
+fi
+
 if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
 then
         echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
@@ -235,22 +243,32 @@
         echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
 
         # create group if required
-        if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
         then
                 echo "PrivSep group $SSH_PRIVSEP_USER already exists."
         else
+		# Use gid of 22 if possible
+		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
+		then
+			sshdgid="-g 22"
+		fi
                 echo "Creating PrivSep group $SSH_PRIVSEP_USER."
-                groupadd $SSH_PRIVSEP_USER
+                $chroot groupadd \$sshdgid $SSH_PRIVSEP_USER
         fi
 
         # Create user if required
-        if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
         then
                 echo "PrivSep user $SSH_PRIVSEP_USER already exists."
         else
+		# Use uid of 22 if possible
+		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
+		then
+			sshduid="-u 22"
+		fi
                 echo "Creating PrivSep user $SSH_PRIVSEP_USER."
-                useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
-		passwd -l $SSH_PRIVSEP_USER
+		$chroot useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
+		$chroot passwd -l $SSH_PRIVSEP_USER
         fi
 fi
 
