authorTim Rice <tim@multitalents.net>2002-07-19 11:57:57 -0700
committerTim Rice <tim@multitalents.net>2002-07-19 11:57:57 -0700
commitf1a1001f0ea4ffee74baf733d390f2fd1b98fa51 (patch)
tree4a8a7d626b7ddeec6b96152d52f9ec16ce1e1186
parenteae876e8ae41aedb992f26317f0262464bbaa5f5 (diff)
[contrib/solaris/buildpkg.sh] create privsep user/group if needed.
Patch by dtucker@zip.com.au
-rw-r--r--ChangeLog6
-rwxr-xr-xcontrib/solaris/buildpkg.sh44
2 files changed, 41 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index e510f9f42..0ec31832a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
120020719
2 - (tim) [contrib/solaris/buildpkg.sh] create privsep user/group if needed.
3 Patch by dtucker@zip.com.au
4
120020718 520020718
2 - (tim) [defines.h] Bug 313 patch by dirk.meyer@dinoex.sub.org 6 - (tim) [defines.h] Bug 313 patch by dirk.meyer@dinoex.sub.org
3 - (tim) [monitor_mm.c] add missing declaration for xmmap(). Reported 7 - (tim) [monitor_mm.c] add missing declaration for xmmap(). Reported
@@ -1389,4 +1393,4 @@
1389 - (stevesk) entropy.c: typo in debug message 1393 - (stevesk) entropy.c: typo in debug message
1390 - (djm) ssh-keygen -i needs seeded RNG; report from markus@ 1394 - (djm) ssh-keygen -i needs seeded RNG; report from markus@
1391 1395
1392$Id: ChangeLog,v 1.2377 2002/07/18 18:49:32 tim Exp $ 1396$Id: ChangeLog,v 1.2378 2002/07/19 18:57:57 tim Exp $
diff --git a/contrib/solaris/buildpkg.sh b/contrib/solaris/buildpkg.sh
index def325b87..c41b3f963 100755
--- a/contrib/solaris/buildpkg.sh
+++ b/contrib/solaris/buildpkg.sh
@@ -15,11 +15,14 @@ umask 022
15# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty 15# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
16# and 16# and
17# PKGNAME=tOpenSSH should allow testing a package without interfering 17# PKGNAME=tOpenSSH should allow testing a package without interfering
18# with a real OpenSSH package on a system. 18# with a real OpenSSH package on a system. This is not needed on systems
19# that support the -R option to pkgadd.
19#TEST_DIR=/var/tmp # leave commented out for production build 20#TEST_DIR=/var/tmp # leave commented out for production build
20PKGNAME=OpenSSH 21PKGNAME=OpenSSH
21SYSVINIT_NAME=opensshd 22SYSVINIT_NAME=opensshd
22MAKE=${MAKE:="make"} 23MAKE=${MAKE:="make"}
24SSHDUID=67 # Default privsep uid
25SSHDGID=67 # Default privsep gid
23# uncomment these next two as needed 26# uncomment these next two as needed
24#PERMIT_ROOT_LOGIN=no 27#PERMIT_ROOT_LOGIN=no
25#X11_FORWARDING=yes 28#X11_FORWARDING=yes
@@ -57,7 +60,7 @@ SYSTEM_DIR="/etc \
57/var/tmp \ 60/var/tmp \
58/tmp" 61/tmp"
59 62
60# We may need to buiild as root so we make sure PATH is set up 63# We may need to build as root so we make sure PATH is set up
61# only set the path if it's not set already 64# only set the path if it's not set already
62[ -d /usr/local/bin ] && { 65[ -d /usr/local/bin ] && {
63 echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1 66 echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1
@@ -227,7 +230,18 @@ fi
227 230
228installf -f ${PKGNAME} 231installf -f ${PKGNAME}
229 232
230if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null 233# Use chroot to handle PKG_INSTALL_ROOT
234if [ ! -z "\${PKG_INSTALL_ROOT}" ]
235then
236 chroot="chroot \${PKG_INSTALL_ROOT}"
237fi
238# If this is a test build, we will skip the groupadd/useradd/passwd commands
239if [ ! -z "${TEST_DIR}" ]
240then
241 chroot=echo
242fi
243
244if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
231then 245then
232 echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" 246 echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
233 echo "or group." 247 echo "or group."
@@ -235,22 +249,36 @@ else
235 echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." 249 echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
236 250
237 # create group if required 251 # create group if required
238 if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null 252 if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
239 then 253 then
240 echo "PrivSep group $SSH_PRIVSEP_USER already exists." 254 echo "PrivSep group $SSH_PRIVSEP_USER already exists."
241 else 255 else
256 # Use gid of 67 if possible
257 if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
258 then
259 :
260 else
261 sshdgid="-g $SSHDGID"
262 fi
242 echo "Creating PrivSep group $SSH_PRIVSEP_USER." 263 echo "Creating PrivSep group $SSH_PRIVSEP_USER."
243 groupadd $SSH_PRIVSEP_USER 264 \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER
244 fi 265 fi
245 266
246 # Create user if required 267 # Create user if required
247 if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null 268 if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
248 then 269 then
249 echo "PrivSep user $SSH_PRIVSEP_USER already exists." 270 echo "PrivSep user $SSH_PRIVSEP_USER already exists."
250 else 271 else
272 # Use uid of 67 if possible
273 if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
274 then
275 :
276 else
277 sshduid="-u $SSHDUID"
278 fi
251 echo "Creating PrivSep user $SSH_PRIVSEP_USER." 279 echo "Creating PrivSep user $SSH_PRIVSEP_USER."
252 useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER 280 \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
253 passwd -l $SSH_PRIVSEP_USER 281 \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER
254 fi 282 fi
255fi 283fi
256 284
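Review bot: The uid availability check in the "Create user if required" branch (new line 273) greps the uid column of passwd for `$SSHDGID` rather than `$SSHDUID`, so it is only correct while both defaults stay at 67; it should read `egrep '^'$SSHDUID'\$'`. If the two values are ever set differently, `-u $SSHDUID` can be requested for a uid that is already taken, and because the exit status of useradd is not checked the script would carry on to `passwd -l` without a privsep account having been created. `sshdgid` and `sshduid` are also never initialised before the conditional assignments, so a value inherited from the installing user's environment would be passed straight to groupadd/useradd running as root; adding `sshdgid=` and `sshduid=` ahead of the checks closes that. The escaped `\$` expansions suggest these lines sit inside a here-document that begins outside the hunk.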