Patch: Solaris packages don't create privsep user or group

Darren Tucker dtucker at zip.com.au
Wed Jul 17 09:54:28 EST 2002


Darren Tucker wrote:
> How about something like the attached patch (b+c)? (Currently untested,
> please don't commit.) Or is it too convoluted?

FWIW here's a patch that works (on Solaris 7 anyway) during a jumpstart
finish_script (ie with pkgadd -R).

If a consensus is reached about a better way to do the account/group
stuff I'll be happy to post a new patch.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: contrib/solaris/buildpkg.sh
===================================================================
RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v
retrieving revision 1.6
diff -u -r1.6 buildpkg.sh
--- contrib/solaris/buildpkg.sh	15 Jul 2002 18:49:21 -0000	1.6
+++ contrib/solaris/buildpkg.sh	16 Jul 2002 12:19:46 -0000
@@ -20,6 +20,8 @@
 PKGNAME=OpenSSH
 SYSVINIT_NAME=opensshd
 MAKE=${MAKE:="make"}
+SSHDUID=22	# Default privsep uid
+SSHDGID=22	# Default privsep gid
 # uncomment these next two as needed
 #PERMIT_ROOT_LOGIN=no
 #X11_FORWARDING=yes
@@ -227,7 +229,13 @@
 
 installf -f ${PKGNAME}
 
-if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
+# Use chroot to handle PKG_INSTALL_ROOT
+if [ ! -z "\${PKG_INSTALL_ROOT}" ]
+then
+	chroot="chroot \${PKG_INSTALL_ROOT}"
+fi
+
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
 then
         echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
         echo "or group."
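Review bot: `chroot` is assigned only when PKG_INSTALL_ROOT is non-empty and is never initialised, yet the next hunk expands `\$chroot` as a command prefix in front of groupadd, useradd and passwd, which run with install-time privileges. Assuming this text ends up in the generated postinstall script (the `\$` escapes suggest a here-document), a variable named `chroot` inherited from the installing environment would be used as that prefix; adding `chroot=""` before the `if` closes this. The install root is also used unquoted in `chroot="chroot \${PKG_INSTALL_ROOT}"` and in the egrep path, so a root path containing whitespace would split into several words. The `if egrep` block continues past the end of this hunk.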
@@ -235,22 +243,32 @@
         echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
 
         # create group if required
-        if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
         then
                 echo "PrivSep group $SSH_PRIVSEP_USER already exists."
         else
+		# Use gid of 22 if possible
+		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
+		then
+			sshdgid="-g 22"
+		fi
                 echo "Creating PrivSep group $SSH_PRIVSEP_USER."
-                groupadd $SSH_PRIVSEP_USER
+                \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER
         fi
 
         # Create user if required
-        if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
         then
                 echo "PrivSep user $SSH_PRIVSEP_USER already exists."
         else
+		# Use uid of 22 if possible
+		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
+		then
+			sshduid="-u 22"
+		fi
                 echo "Creating PrivSep user $SSH_PRIVSEP_USER."
-                useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
-		passwd -l $SSH_PRIVSEP_USER
+		\$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
+		\$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER
         fi
 fi
 
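Review bot: The "Use gid of 22 if possible" and "Use uid of 22 if possible" tests look inverted: `sshdgid="-g 22"` and `sshduid="-u 22"` are set when egrep finds the id already present in the group or passwd file, which is exactly the case where groupadd -g / useradd -u would refuse the duplicate id. The uid test also matches passwd field 3 against `$SSHDGID` rather than `$SSHDUID`, and both assignments hard-code 22 instead of using the two defaults added in the first hunk. `sshdgid` and `sshduid` are never initialised, so a value inherited from the environment would be passed to the account tools as extra options. The exit statuses of groupadd, useradd and `passwd -l` are not checked, so a failure can leave the privsep account missing or unlocked without the install reporting it. The enclosing if/else starts before this hunk.

```sh
		# ... unchanged: "PrivSep group already exists" branch ...
		# Use the default gid only when no existing group already has it
		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
		then
			sshdgid=""
		else
			sshdgid="-g $SSHDGID"
		fi
		# ... unchanged: echo and groupadd call ...

		# ... unchanged: "PrivSep user already exists" branch ...
		# Use the default uid only when no existing account already has it
		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
		then
			sshduid=""
		else
			sshduid="-u $SSHDUID"
		fi
		# ... unchanged: echo, useradd and passwd -l calls ...
```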

