Patch: Solaris packages don't create privsep user or group
Darren Tucker
dtucker at zip.com.au
Wed Jul 17 09:54:28 EST 2002
Darren Tucker wrote:
> How about something like the attached patch (b+c)? (Currently untested,
> please don't commit.) Or is it too convoluted?
FWIW here's a patch that works (on Solaris 7 anyway) during a jumpstart
finish_script (i.e. with pkgadd -R).
If a consensus is reached about a better way to do the account/group
stuff I'll be happy to post a new patch.
--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: contrib/solaris/buildpkg.sh
===================================================================
RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v
retrieving revision 1.6
diff -u -r1.6 buildpkg.sh
--- contrib/solaris/buildpkg.sh 15 Jul 2002 18:49:21 -0000 1.6
+++ contrib/solaris/buildpkg.sh 16 Jul 2002 12:19:46 -0000
@@ -20,6 +20,8 @@
PKGNAME=OpenSSH
SYSVINIT_NAME=opensshd
MAKE=${MAKE:="make"}
+SSHDUID=22 # Default privsep uid
+SSHDGID=22 # Default privsep gid
# uncomment these next two as needed
#PERMIT_ROOT_LOGIN=no
#X11_FORWARDING=yes
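Review bot: SSHDUID and SSHDGID are fixed at 22 and cannot be overridden from the build environment, unlike MAKE directly above, which uses MAKE=${MAKE:="make"}. Consider the same form here, for example SSHDUID=${SSHDUID:=22} and SSHDGID=${SSHDGID:=22}, so a site that already allocates uid or gid 22 to something else can pick another value without editing the script. A short comment on why 22 is the default would also help.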
@@ -227,7 +229,13 @@
installf -f ${PKGNAME}
-if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
+# Use chroot to handle PKG_INSTALL_ROOT
+if [ ! -z "\${PKG_INSTALL_ROOT}" ]
+then
+ chroot="chroot \${PKG_INSTALL_ROOT}"
+fi
+
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
then
echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
echo "or group."
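Review bot: the chroot variable is assigned only inside the PKG_INSTALL_ROOT test, so when PKG_INSTALL_ROOT is empty any value of chroot inherited from the calling environment is left in place and ends up prefixed to the groupadd, useradd and passwd commands that use \$chroot later in the script. Set chroot="" before the if. The path \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config passed to egrep is also unquoted, so an install root containing whitespace will split into several arguments; quote it.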
@@ -235,22 +243,32 @@
echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
# create group if required
- if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
then
echo "PrivSep group $SSH_PRIVSEP_USER already exists."
else
+ # Use gid of 22 if possible
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
+ then
+ sshdgid="-g 22"
+ fi
echo "Creating PrivSep group $SSH_PRIVSEP_USER."
- groupadd $SSH_PRIVSEP_USER
+ \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER
fi
# Create user if required
- if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
then
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
else
+ # Use uid of 22 if possible
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
+ then
+ sshduid="-u 22"
+ fi
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
- useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
- passwd -l $SSH_PRIVSEP_USER
+ \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
+ \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER
fi
fi
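Review bot: the "Use gid of 22 if possible" and "Use uid of 22 if possible" tests are inverted. egrep succeeds when the id is already present in field 3, so "-g 22" and "-u 22" are set exactly when the id is taken, and groupadd and useradd will then reject the duplicate id because -o is not given; when the id is free, nothing is requested. Negate both tests. The uid test also matches against $SSHDGID where $SSHDUID is meant, and the options hard-code 22 rather than using the two variables, so changing the defaults at the top of the script would change the check but not the id requested. sshdgid and sshduid should be set to empty before their tests so that a value inherited from the environment is not passed to groupadd or useradd.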