Hello!
Now that PrivSep stuff works for PAM too, I took the time to update
contrib/redhat/openssh.spec to create the sshd user and set up the
/var/empty dir when installing the packages.
These have been done the Red Hat style, the uid/gid 74 is currently free
in RHL.
The only minor issues I could think of were:
- I'm not sure if /var/empty should be owned by openssh-server package,
but rather a filesystems package or such.. Is this even LSB compliant?
- do all of these 'useradd' options also work in some
"ancient" versions
of RHL, like 5.2?
--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
Index: openssh.spec
===================================================================
RCS file: /cvs/openssh/contrib/redhat/openssh.spec,v
retrieving revision 1.97
diff -u -r1.97 openssh.spec
--- openssh.spec 23 Apr 2002 11:17:18 -0000 1.97
+++ openssh.spec 6 May 2002 21:01:42 -0000
@@ -85,7 +85,7 @@
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
-PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9
+PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9, /usr/sbin/useradd
%if %{redhat7}
Requires: /etc/pam.d/system-auth
%endif
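Review bot: the new PreReq on /usr/sbin/useradd covers the useradd call in %pre, but that same script also hard-codes /sbin/nologin as the account's shell; consider listing `/sbin/nologin` on the PreReq line as well, so the shell is guaranteed to exist (and the account is really non-interactive) on every system the package is installed onto.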
@@ -202,6 +202,7 @@
DESTDIR=/ # Hack to disable key generation
+install -d $RPM_BUILD_ROOT/var/empty
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
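Review bot: `install -d $RPM_BUILD_ROOT/var/empty` creates the directory with whatever the builder's umask gives; since sshd's privilege separation refuses a chroot directory that is group- or world-writable, make the mode explicit with `install -d -m 0755 $RPM_BUILD_ROOT/var/empty` so the build-root directory matches the %attr declared later in %files regardless of the build environment.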
@@ -238,6 +239,9 @@
/sbin/chkconfig --del sshd
fi
+%pre server
+/usr/sbin/useradd -c "sshd privilege separation user" -r -M -s
/sbin/nologin -u 74 -d /var/empty sshd 2>/dev/null || :
+
%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
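Review bot: the trailing `|| :` on the useradd line hides every failure, not only the "account already exists" case, so if uid 74 is already taken on a host the package installs cleanly but no sshd user is created and sshd will later refuse to start with privsep. Guard the call instead, e.g. `getent passwd sshd >/dev/null || /usr/sbin/useradd ... sshd`, so a genuine failure is visible; and since the line fixes only the uid with `-u 74` and leaves the group to useradd's default, pair it with `groupadd -g 74 -r sshd` and `-g sshd` if gid 74 is meant to be reserved too.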
@@ -271,6 +275,7 @@
%files server
%defattr(-,root,root)
+%attr(0755,root,root) /var/empty
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
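Review bot: mark the directory with `%dir`, i.e. `%dir %attr(0755,root,root) /var/empty`, so rpm owns only the directory itself rather than recursively packaging anything the build root happens to contain beneath it; that also documents that the directory is meant to stay empty, which is what the privilege separation chroot relies on.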
Damien Miller
2002-May-07 02:24 UTC
patch: contrib/redhat/openssh.spec updates for privsep
On Tue, 7 May 2002, Pekka Savola wrote:
> Hello!
>
> Now that PrivSep stuff works for PAM too, I took the time to update
> contrib/redhat/openssh.spec to create the sshd user and set up the
> /var/empty dir when installing the packages.
>
> These have been done the Red Hat style, the uid/gid 74 is currently free
> in RHL.
>
> The only minor issues I could think of were:
> - I'm not sure if /var/empty should be owned by openssh-server package,
> but rather a filesystems package or such..

Agreed - I was thinking of making it /var/run/empty until such time as
there is an officially blessed place for it.

> Is this even LSB compliant?

No idea :)

> - do all of these 'useradd' options also work in some "ancient" versions
> of RHL, like 5.2?

Since the spec won't build with rpm < 4.x I don't think that this is too
much of a problem.

I'll take a look at the patch itself when time permits, probably this
weekend.

-d
Markus Friedl
2002-May-12 15:05 UTC
patch: contrib/redhat/openssh.spec updates for privsep
On Tue, May 07, 2002 at 12:03:20AM +0300, Pekka Savola wrote:
> Hello!
>
> Now that PrivSep stuff works for PAM too, I took the time to update
> contrib/redhat/openssh.spec to create the sshd user and set up the
> /var/empty dir when installing the packages.
>
> These have been done the Red Hat style, the uid/gid 74 is currently free
> in RHL.
>
> The only minor issues I could think of were:
> - I'm not sure if /var/empty should be owned by openssh-server package,
> but rather a filesystems package or such.. Is this even LSB compliant?

don't think so :) it's popa3d compliant