Darren Tucker
2002-Jul-15 12:32 UTC
Patch: Solaris packages don't create privsep user or group
Hi. Solaris packages created by buildpkg.sh don't create privsep user or group and sshd won't start until they are created (or privsep is disabled): ## Executing postinstall script. starting /usr/local/sbin/sshd... Privilege separation user sshd does not exist /etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd... bailing. The attached patch (against -cvs) ports the relevant parts from the AIX package builder. I've tested it on Solaris 8 only and would be interested to know if it works on other SysV-based systems. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: contrib/solaris/buildpkg.sh ==================================================================RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v retrieving revision 1.5 diff -u -r1.5 buildpkg.sh --- contrib/solaris/buildpkg.sh 9 Jul 2002 02:02:11 -0000 1.5 +++ contrib/solaris/buildpkg.sh 15 Jul 2002 12:32:49 -0000 @@ -98,6 +98,19 @@ eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` done + +## Collect value of privsep user +for confvar in SSH_PRIVSEP_USER +do + eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` +done + +## Set privsep defaults if not defined +if [ -z "$SSH_PRIVSEP_USER" ] +then + SSH_PRIVSEP_USER=sshd +fi + ## Extract common info requires for the 'info' part of the package. VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'` 
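Review bot: the awk pattern used to collect the privsep user, `/#define[ \t]'$confvar'/`, is anchored at neither end, so any `#define` whose name merely begins with `SSH_PRIVSEP_USER` would also match and `{print $3}` would pick up whichever such line comes first in config.h; terminating the name with a trailing `[ \t]` (for example `/#define[ \t]+SSH_PRIVSEP_USER[ \t]/`) keeps the match exact. The `for confvar in SSH_PRIVSEP_USER ... done` loop over a single name reads as if more variables were intended; if only this one is collected, a plain assignment is clearer and the `-z` fallback to `sshd` then sits directly beside the value it defaults.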
@@ -213,6 +226,33 @@ [ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 755 root sys installf -f ${PKGNAME} + +if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null +then + echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" + echo "or group." +else + echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." + + # create group if required + if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + then + echo "PrivSep group $SSH_PRIVSEP_USER already exists." + else + echo "Creating PrivSep group $SSH_PRIVSEP_USER." + groupadd $SSH_PRIVSEP_USER + fi + + # Create user if required + if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + then + echo "PrivSep user $SSH_PRIVSEP_USER already exists." + else + echo "Creating PrivSep user $SSH_PRIVSEP_USER." + useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER + passwd -l $SSH_PRIVSEP_USER + fi +fi [ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start exit 0
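Review bot: the privsep checks added to the postinstall body read `/etc/group`, `/etc/passwd` and `$sysconfdir/sshd_config` on the running system and call `groupadd`/`useradd` against it, while the `installf` line in the hunk's leading context already prefixes paths with `\${PKG_INSTALL_ROOT}`; under an alternate-root (JumpStart) install this creates the account on the build host rather than in the image, and the `UsePrivilegeSeparation` test reads the wrong sshd_config. The exit status of `groupadd`, `useradd` and `passwd -l` is never checked either, so a failure lets the script run on to the `${SYSVINIT_NAME} start` line, which then fails with the same "Privilege separation user sshd does not exist" message this patch sets out to remove; test the status and report (or exit non-zero) before starting sshd. Minor: `useradd` is given no `-d`, so the account receives the platform default home directory; `-d /var/empty` would state the intended empty directory explicitly.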
Ben Lindstrom
2002-Jul-15 17:55 UTC
Patch: Solaris packages don't create privsep user or group
Hmm.. Does this work with JumpStart? Can you add users at install time?

- Ben

On Mon, 15 Jul 2002, Darren Tucker wrote:

> Hi.
> Solaris packages created by buildpkg.sh don't create privsep user or
> group and sshd won't start until they are created (or privsep is
> disabled):
>
> ## Executing postinstall script.
> starting /usr/local/sbin/sshd... Privilege separation user sshd does not
> exist
> /etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd...
> bailing.
>
> The attached patch (against -cvs) ports the relevant parts from the AIX
> package builder. I've tested it on Solaris 8 only and would be
> interested to know if it works on other SysV-based systems.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
Nicolas.Williams at ubsw.com
2002-Jul-15 18:17 UTC
Patch: Solaris packages don't create privsep user or group
You sure can...

Nico

--

> -----Original Message-----
> From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
> Sent: Monday, July 15, 2002 1:56 PM
> To: Darren Tucker
> Cc: OpenSSH Devel List
> Subject: Re: Patch: Solaris packages don't create privsep user or group
>
>
> Hmm.. Does this work with JumpStart? Can you add users at install time?
>
> - Ben
>
> On Mon, 15 Jul 2002, Darren Tucker wrote:
>
> > Hi.
> > Solaris packages created by buildpkg.sh don't create privsep user or
> > group and sshd won't start until they are created (or privsep is
> > disabled):
> >
> > ## Executing postinstall script.
> > starting /usr/local/sbin/sshd... Privilege separation user sshd does not
> > exist
> > /etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd...
> > bailing.
> >
> > The attached patch (against -cvs) ports the relevant parts from the AIX
> > package builder. I've tested it on Solaris 8 only and would be
> > interested to know if it works on other SysV-based systems.
> >
> > --
> > Darren Tucker (dtucker at zip.com.au)
> > GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> > Good judgement comes with experience. Unfortunately, the experience
> > usually comes from bad judgement.
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.
Ben Lindstrom
2002-Jul-15 18:37 UTC
Patch: Solaris packages don't create privsep user or group
Committed..

- Ben

On Mon, 15 Jul 2002, Darren Tucker wrote:

> Hi.
> Solaris packages created by buildpkg.sh don't create privsep user or
> group and sshd won't start until they are created (or privsep is
> disabled):
>
> ## Executing postinstall script.
> starting /usr/local/sbin/sshd... Privilege separation user sshd does not
> exist
> /etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd...
> bailing.
>
> The attached patch (against -cvs) ports the relevant parts from the AIX
> package builder. I've tested it on Solaris 8 only and would be
> interested to know if it works on other SysV-based systems.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
Nicolas.Williams at ubsw.com
2002-Jul-15 18:41 UTC
Patch: Solaris packages don't create privsep user or group
Yes. You can edit any config file you want during JumpStart. Just make sure that you handle $PKG_INSTALL_ROOT and the like correctly.

The pkg should either have an edit script for /etc/passwd or it should do its thing in the postinstall script and then use installf to indicate that it edited /etc/passwd.

Cheers,

Nico

--

> -----Original Message-----
> From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
> Sent: Monday, July 15, 2002 2:14 PM
> To: Williams, Nicolas
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: Patch: Solaris packages don't create privsep user or group
>
>
> On Mon, 15 Jul 2002 Nicolas.Williams at ubsw.com wrote:
>
> >
> > You sure can...
> >
>
> Let me rephrase. HAS anyone tried this with jumpstart? Or done something
> like it that can verify that it will be acceptable.
>
> - Ben
>
David Williams
2002-Jul-15 22:13 UTC
Patch: Solaris packages don't create privsep user or group
Hi, Hopefully this doesn't seem like hair-splitting but I'd like to suggest the following additions to Darren's patch. This allows for the option of turning off priv_sep at package build time: Index: openssh/contrib/solaris/buildpkg.sh ==================================================================RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v retrieving revision 1.6 diff -u -r1.6 buildpkg.sh --- openssh/contrib/solaris/buildpkg.sh 15 Jul 2002 18:49:21 -0000 1.6 +++ openssh/contrib/solaris/buildpkg.sh 15 Jul 2002 22:06:25 -0000 @@ -23,6 +23,7 @@ # uncomment these next two as needed #PERMIT_ROOT_LOGIN=no #X11_FORWARDING=yes +#USE_PRIVSEP=no # list of system directories we do NOT want to change owner/group/perms # when installing our package SYSTEM_DIR="/etc \ @@ -140,6 +141,9 @@ $FAKE_ROOT/${sysconfdir}/sshd_config [ "${X11_FORWARDING}" = yes ] && \ perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config +[ "${USE_PRIVSEP}" = no ] && \ + perl -p -i -e "s/#UsePrivilegeSeparation yes/UsePrivilegeSeparation no/" \ $FAKE_ROOT/${sysconfdir}/sshd_config # fix PrintMotd perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \ -- David M. Williams, CISSP Phone: 505-665-5021 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov
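Review bot: with `#USE_PRIVSEP=no` added under `#X11_FORWARDING=yes`, the comment directly above, `# uncomment these next two as needed`, now sits over three variables; update it in the same hunk (`these next three`, or simply `the following`) so the header does not go stale.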
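Review bot: the new `perl -p -i -e "s/#UsePrivilegeSeparation yes/UsePrivilegeSeparation no/"` matches only the exact commented default line; if the shipped sshd_config ever differs in spacing or default, the substitution silently does nothing and the package is built with privsep still on, which the postinstall then treats as enabled and goes on to create the account for. Either check afterwards that the line actually changed, or match more loosely (`s/^#?UsePrivilegeSeparation.*/UsePrivilegeSeparation no/`), mirroring how the `[ "${X11_FORWARDING}" = yes ]` edit above it relies on the same fragile literal.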
Darren Moffat
2002-Jul-16 02:02 UTC
Patch: Solaris packages don't create privsep user or group
> Should we:
> (a) move them to the /etc/init.d/openssh script same as the keygens
> (b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd
> (c) chroot tricks?
> (d) ?
>
> I prefer (a).

(b) is what would be done by a Solaris shipped package. Given that the formats of /etc/passwd and /etc/shadow are stable interfaces there is no problem doing that.

The more you add to the openssh init.d script the longer it takes to start up that Solaris instance - this is an issue for some people.

--
Darren J Moffat
Darren J Moffat
2002-Jul-16 21:21 UTC
Patch: Solaris packages don't create privsep user or group
> Here are the checkinstall script and the postinstall script that I use in
> my openssh package for Solaris. They create the keys and the group and
> user for ssh (sshd), and, if the package is being installed in a different
> root, create an init script that will run these things and then remove
> itself on the next reboot. Feel free to use any part of this. The
> /var/empty directory is, by the way, installed by the package itself.

Creating the keys in a postinstall script makes the package incompatible with Jumpstart Flash installations. It is a better idea to keep the current practice and create the keys at boot time if they don't already exist.

In Solaris 9 we create the keys at boot time and also modified sys-unconfig to remove the keys from the system. Both of these ensure that Flash archives can be created that don't contain the identity of the original system.

--
Darren J Moffat
Nicolas.Williams at ubsw.com
2002-Jul-17 13:56 UTC
Patch: Solaris packages don't create privsep user or group
Darren,

How can a package's checkinstall/postinstall detect that JSS Flash is being used?

Nico

--

> -----Original Message-----
> From: Darren J Moffat [mailto:Darren.Moffat at Sun.COM]
> Sent: Tuesday, July 16, 2002 5:21 PM
> To: openssh-unix-dev at mindrot.org; wknox at mitre.org
> Subject: Re: Patch: Solaris packages don't create privsep user or group
>
>
> > Here are the checkinstall script and the postinstall script that I use in
> > my openssh package for Solaris. They create the keys and the group and
> > user for ssh (sshd), and, if the package is being installed in a different
> > root, create an init script that will run these things and then remove
> > itself on the next reboot. Feel free to use any part of this. The
> > /var/empty directory is, by the way, installed by the package itself.
>
> Creating the keys in a postinstall script makes the package incompatible
> with Jumpstart Flash installations. It is a better idea to keep the
> current practice and create the keys at boot time if they don't already
> exist.
>
> In Solaris 9 we create the keys at boot time and also modified sys-unconfig
> to remove the keys from the system. Both of these ensure that Flash
> archives can be created that don't contain the identity of the original
> system.
>
> --
> Darren J Moffat
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
Darren Moffat
2002-Jul-17 16:37 UTC
Patch: Solaris packages don't create privsep user or group
> How can a package's checkinstall/postinstall detect that
> JSS Flash is being used?

It can't.

When you use Jumpstart Flash you install the system from packages as normal. Then run sys-unconfig and create flash archives (basically cpio bundles with extra info).

For a package to be Jumpstart Flash "safe" it shouldn't do anything to the system that isn't generic to all installs. In the case of sshd the keys identify a particular system so you really don't want them in your flash archives.

--
Darren J Moffat
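The two practices argued for in this thread, editing the password database under the install root rather than the live /etc (Nico's $PKG_INSTALL_ROOT point and Darren Moffat's option (b)) and generating host keys at boot only when they are absent so a Flash archive carries no system identity, are shown below as an added example. It is not code from the patch, from the posters or from OpenSSH's contrib scripts. It is POSIX sh (it uses $(...) and $((...)), so on Solaris 8 it would need ksh or /usr/xpg4/bin/sh rather than /bin/sh). The sandbox root, the "sshdx" decoy entry, the id floor of 100, the /var/empty home and the "*LK*" locked-password marker are assumptions for illustration, not values taken from the thread.

```sh
#!/bin/sh
# Added example, not part of the patch or of OpenSSH. Shows an idempotent
# postinstall fragment that creates the privsep group and user by editing
# the password database under an install root, plus a boot-time host-key
# check that generates only what is missing. Id floor, /var/empty home and
# the "*LK*" shadow marker are assumptions.

# True when $2 appears as a whole name in column 1 of database $1.
name_exists() { # $1 = file  $2 = name
    [ -f "$1" ] && cut -d: -f1 "$1" | grep -x -- "$2" >/dev/null
}

# Lowest numeric id >= $2 (assumed floor) not already used in column 3 of $1.
next_free_id() { # $1 = file  $2 = floor
    id=$2
    while cut -d: -f3 "$1" 2>/dev/null | grep -x -- "$id" >/dev/null; do
        id=$((id + 1))
    done
    echo "$id"
}

# True when sshd_config $1 explicitly turns privilege separation off.
privsep_disabled() {
    grep -E '^[[:space:]]*UsePrivilegeSeparation[[:space:]]+no([[:space:]]|$)' "$1" >/dev/null 2>&1
}

# Create group and user $2 under root $1 unless they already exist.
# Everything is read from and written to "$1/etc/...", so with
# PKG_INSTALL_ROOT set the build host is never touched. Runs are idempotent.
ensure_privsep_account() { # $1 = install root ("" = live system)  $2 = name
    root=$1 name=$2
    if name_exists "$root/etc/group" "$name"; then
        echo "group $name exists"
    else
        gid=$(next_free_id "$root/etc/group" 100)
        echo "$name::$gid:" >>"$root/etc/group"
        echo "created group $name gid $gid"
    fi
    gid=$(awk -F: -v n="$name" '$1==n{print $3}' "$root/etc/group")
    if name_exists "$root/etc/passwd" "$name"; then
        echo "user $name exists"
    else
        uid=$(next_free_id "$root/etc/passwd" 100)
        echo "$name:x:$uid:$gid:SSHD PrivSep User:/var/empty:/bin/false" >>"$root/etc/passwd"
        # Locked password field: the account can never log in interactively.
        [ -f "$root/etc/shadow" ] && echo "$name:*LK*:::::::" >>"$root/etc/shadow"
        echo "created user $name uid $uid"
    fi
}

# Boot-time key handling: generate a key only if none exists, never overwrite.
# Removing the key files before imaging (as sys-unconfig does) then yields an
# archive that regenerates fresh keys on first boot of every clone.
ensure_host_key() { # $1 = key type  $2 = private key path
    if [ -f "$2" ]; then
        echo "host key $2 present"
    else
        ssh-keygen -q -t "$1" -N '' -f "$2" && echo "generated $2"
    fi
}

# Stand-alone demonstration on a constructed sandbox root, not a real system.
demo() {
    root=$(mktemp -d) && mkdir -p "$root/etc"
    printf 'root:x:0:0:Super-User:/:/sbin/sh\nsshdx:x:100:100:decoy:/:/bin/false\n' >"$root/etc/passwd"
    printf 'root::0:\nsshdx::100:\n' >"$root/etc/group"
    printf 'root:NP:6445::::::\n' >"$root/etc/shadow"
    ensure_privsep_account "$root" sshd   # creates group and user
    ensure_privsep_account "$root" sshd   # second run changes nothing
    command -v ssh-keygen >/dev/null 2>&1 && ensure_host_key rsa "$root/ssh_host_rsa_key"
    rm -rf "$root"
}
demo
```

The whole-name match (`grep -x` on the cut column) is what keeps the "sshdx" decoy from being mistaken for "sshd"; a postinstall that wired `useradd` to the live system and ignored its exit status would have no equivalent of the `exists` versus `created` report.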
Nicolas.Williams at ubsw.com
2002-Jul-17 17:22 UTC
Patch: Solaris packages don't create privsep user or group
Right. But I was wondering if the pkg could detect that it's being installed on a build intended to be a Flash Start archive image. A response file could do it I suppose...

In any case, even when doing a Flash install there is still a finish script that runs for every build, yes? If so then one can write a finish script to re-gen keys and leave existing pkgs that gen keys alone.

Cheers,

Nico

--

> -----Original Message-----
> From: Darren Moffat [mailto:Darren.Moffat at Sun.COM]
> Sent: Wednesday, July 17, 2002 12:37 PM
> To: Williams, Nicolas
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: Patch: Solaris packages don't create privsep user or group
>
>
> > How can a package's checkinstall/postinstall detect that
> > JSS Flash is being used?
>
> It can't.
>
> When you use Jumpstart Flash you install the system from packages
> as normal. Then run sys-unconfig and create flash archives (basically
> cpio bundles with extra info).
>
> For a package to be Jumpstart Flash "safe" it shouldn't do anything to
> the system that isn't generic to all installs. In the case of sshd
> the keys identify a particular system so you really don't want them
> in your flash archives.
>
> --
> Darren J Moffat
>