patch: contrib/redhat/openssh.spec updates for privsep

Jim Knoble jmknoble at pobox.com
Wed May 8 04:07:54 EST 2002


Circa 2002-May-07 12:24:44 +1000 dixit Damien Miller:

: On Tue, 7 May 2002, Pekka Savola wrote:
: 
: > Now that PrivSep stuff works for PAM too, I took the time to update 
: > contrib/redhat/openssh.spec to create the sshd user and set up the 
: > /var/empty dir when installing the packages.
: > 
: > These have been done the Red Hat style, the uid/gif 74 is currently free 
: > in RHL.
: > 
: > The only minor issues I could think of were:
: >  - I'm not sure if /var/empty should be owned by openssh-server package, 
: > but rather a filesystems package or such..
: 
: Agreed - I was thinking of making it /var/run/empty until such time as
: there is an officially blessed place for it.

vsftpd uses /usr/share/empty.  However, either or both of /usr and
/usr/share could be network-mounted.  I also don't like the idea of
several servers potentially chrooted into the same directory.

: > Is this even LSB compliant?
: 
: No idea :)

According to FHS-2.2, /var/run/<dir> is allowed.  I would advocate
either /var/run/openssh/empty/ or /var/run/sshd/empty/, so that no
other service is liable to be chrooted into the same spot.

However, note this:

  5.13 /var/run : Run-time variable data

  5.13.1
  
  [...] Files under this directory must be cleared (removed or
  truncated as appropriate) at the beginning of the boot process. [...]

Unless there will never be any files inside .../empty/, this sounds
like /var/run/ may not be the right place.  In that case, i would
advocate either /var/lib/openssh/empty/ or /var/lib/sshd/empty/.
FHS-2.2 seems to indicate that /var/lib/<package>, not
/var/lib/<subsystem>, is preferred.  Thus, /var/lib/openssh/empty/
would be the preferred spot.

: >  - do all of these 'useradd' options also work in some "ancient" versions 
: > of RHL, like 5.2?
: 
: Since the spec won't build with rpm < 4.x I don't think that this is too
: much of a problem.

useradd is part of shadow-utils, which does come with RHL-5.x.  It
doesn't come with 4.x, but folks who are still using it really should
have backported shadow-utils to RHL-4.x by now (along with other useful
things such as chkconfig, recent automake/autoconf/libtool, recent EGCS
or GCC compiler, recent rsync, openssl, etc.).

I don't think there's any problem with using 'useradd' in the %pre
scriptlet.

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 262 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020507/721b6f87/attachment.bin 


More information about the openssh-unix-dev mailing list