diff --git a/ChangeLog b/ChangeLog index 92afe6b46..82e854541 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ - (djm) Add --with-superuser-path=xxx configure option to specify what $PATH the superuser receives. - (djm) Bug #231: UsePrivilegeSeparation turns off Banner. + - (djm) Add --with-privsep-path configure option 20020511 - (tim) [configure.ac] applied a rework of djm's OpenSSL search cleanup patch. @@ -572,4 +573,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2108 2002/05/13 01:07:41 djm Exp $ +$Id: ChangeLog,v 1.2109 2002/05/13 03:15:42 djm Exp $ diff --git a/Makefile.in b/Makefile.in index 6af2e3a87..7f7c8d88a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,8 +1,10 @@ -# $Id: Makefile.in,v 1.206 2002/05/09 14:05:59 tim Exp $ +# $Id: Makefile.in,v 1.207 2002/05/13 03:15:43 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ +AUTORECONF=autoreconf + prefix=@prefix@ exec_prefix=@exec_prefix@ bindir=@bindir@ @@ -21,12 +23,14 @@ VPATH=@srcdir@ SSH_PROGRAM=@bindir@/ssh ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass SFTP_SERVER=$(libexecdir)/sftp-server +PRIVSEP_PATH=@PRIVSEP_PATH@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ -D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \ -D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \ -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ + -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" -DSSH_RAND_HELPER=\"$(libexecdir)/ssh-rand-helper\" CC=@CC@ @@ -80,6 +84,7 @@ PATHSUBS = \ -D/etc/ssh/moduli=$(sysconfdir)/moduli \ -D/etc/ssh/sshrc=$(sysconfdir)/sshrc \ -D/usr/X11R6/bin/xauth=$(XAUTH_PATH) \ + -D/var/empty=$(PRIVSEP_PATH) \ -D/usr/bin:/bin:/usr/sbin:/sbin=@user_path@ FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS) @@ -184,7 +189,7 @@ catman-do: done distprep: catman-do - autoreconf + $(AUTORECONF) (cd scard && $(MAKE) -f Makefile.in distprep) install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key diff --git a/acconfig.h b/acconfig.h index 6fabc0b05..bbe50162b 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.136 2002/05/13 00:56:51 djm Exp $ */ +/* $Id: acconfig.h,v 1.137 2002/05/13 03:15:43 djm Exp $ */ #ifndef _CONFIG_H #define _CONFIG_H @@ -352,6 +352,9 @@ /* Define if you want a different $PATH for the superuser */ #undef SUPERUSER_PATH +/* Path that unprivileged child will chroot() to in privep mode */ +#undef PRIVSEP_PATH + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff --git a/configure.ac b/configure.ac index 1b8aa5e1c..acbfe78bf 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.57 2002/05/13 00:48:58 djm Exp $ +# $Id: configure.ac,v 1.58 2002/05/13 03:15:43 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -1792,6 +1792,17 @@ AC_ARG_WITH(rsh, ] ) +PRIVSEP_PATH=/var/empty +AC_ARG_WITH(privsep-path, + [ --with-privsep-path=xxx Path for privilege seperation chroot ], + [ + if test "x$withval" != "$no" ; then + PRIVSEP_PATH=$withval + fi + ] +) +AC_SUBST(PRIVSEP_PATH) + AC_ARG_WITH(xauth, [ --with-xauth=PATH Specify path to xauth program ], [ @@ -2363,41 +2374,43 @@ D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}` E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}` F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}` G=`eval echo ${piddir}` ; G=`eval echo ${G}` -H=`eval echo ${user_path}` ; H=`eval echo ${H}` -I=`eval echo ${superuser_path}` ; I=`eval echo ${I}` +H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}` +I=`eval echo ${user_path}` ; I=`eval echo ${I}` +J=`eval echo ${superuser_path}` ; J=`eval echo ${J}` echo "" echo "OpenSSH has been configured with the following options:" -echo " User binaries: $B" -echo " System binaries: $C" -echo " Configuration files: $D" -echo " Askpass program: $E" -echo " Manual pages: $F" -echo " PID file: $G" +echo " User binaries: $B" +echo " System binaries: $C" +echo " Configuration files: $D" +echo " Askpass program: $E" +echo " Manual pages: $F" +echo " PID file: $G" +echo " Privilege separation chroot path: $H" if test "$USES_LOGIN_CONF" = "yes" ; then -echo " At runtime, sshd will use the path defined in /etc/login.conf" +echo " At runtime, sshd will use the path defined in /etc/login.conf" else -echo " sshd default user PATH: $H" +echo " sshd default user PATH: $I" fi if test ! -z "$superuser_path" ; then -echo " sshd superuser user PATH: $I" +echo " sshd superuser user PATH: $J" fi -echo " Manpage format: $MANTYPE" -echo " PAM support: ${PAM_MSG}" -echo " KerberosIV support: $KRB4_MSG" -echo " KerberosV support: $KRB5_MSG" -echo " Smartcard support: $SCARD_MSG" -echo " AFS support: $AFS_MSG" -echo " S/KEY support: $SKEY_MSG" -echo " TCP Wrappers support: $TCPW_MSG" -echo " MD5 password support: $MD5_MSG" -echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" -echo " Use IPv4 by default hack: $IPV4_HACK_MSG" -echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" -echo " BSD Auth support: $BSD_AUTH_MSG" -echo " Random number source: $RAND_MSG" +echo " Manpage format: $MANTYPE" +echo " PAM support: ${PAM_MSG}" +echo " KerberosIV support: $KRB4_MSG" +echo " KerberosV support: $KRB5_MSG" +echo " Smartcard support: $SCARD_MSG" +echo " AFS support: $AFS_MSG" +echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" +echo " MD5 password support: $MD5_MSG" +echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" +echo " Use IPv4 by default hack: $IPV4_HACK_MSG" +echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +echo " BSD Auth support: $BSD_AUTH_MSG" +echo " Random number source: $RAND_MSG" if test ! -z "$USE_RAND_HELPER" ; then - echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" +echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" fi echo "" diff --git a/pathnames.h b/pathnames.h index 943830c08..691293c33 100644 --- a/pathnames.h +++ b/pathnames.h @@ -141,7 +141,10 @@ #endif /* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */ +#ifndef _PATH_PRIVSEP_CHROOT_DIR #define _PATH_PRIVSEP_CHROOT_DIR "/var/empty" +#endif + #ifndef _PATH_LS #define _PATH_LS "ls" #endif