1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-04 22:33:27 +00:00
freebsd-ports/security/ssh2/files/patch-af
Peter Wemm 25c2756dd9 Update from ssh-1.2.19 to ssh-1.2.20. All patches applied still, I just
regenerated them to fix the line numbers.  Also, I added two commented out
options in Makefile, one to tell sshd that a group writeable homedir
is OK because all users are in their own group, and the other is to allow
an unencrypted connection (which is dangerous since it can lead to
compromise of keys), but on a secure network it's damn useful for backups
etc.
1997-04-25 05:01:06 +00:00

359 lines
9.9 KiB
Plaintext

*** sshd.c.orig Wed Apr 23 08:40:08 1997
--- sshd.c Fri Apr 25 12:40:20 1997
***************
*** 400,405 ****
--- 400,409 ----
#include "firewall.h" /* TIS authsrv authentication */
#endif
+ #ifdef HAVE_LOGIN_CAP_H
+ #include <login_cap.h>
+ #endif
+
#ifdef _PATH_BSHELL
#define DEFAULT_SHELL _PATH_BSHELL
#else
***************
*** 2654,2659 ****
--- 2658,2666 ----
struct sockaddr_in from;
int fromlen;
struct pty_cleanup_context cleanup_context;
+ #ifdef HAVE_LOGIN_CAP_H
+ login_cap_t *lc;
+ #endif
/* We no longer need the child running on user's privileges. */
userfile_uninit();
***************
*** 2725,2735 ****
record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
&from);
/* Check if .hushlogin exists. Note that we cannot use userfile
here because we are in the child. */
sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
quiet_login = stat(line, &st) >= 0;
!
/* If the user has logged in before, display the time of last login.
However, don't display anything extra if a command has been
specified (so that ssh can be used to execute commands on a remote
--- 2732,2750 ----
record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
&from);
+ #ifdef HAVE_LOGIN_CAP_H
+ lc = login_getclass(pw);
+ #endif
+
/* Check if .hushlogin exists. Note that we cannot use userfile
here because we are in the child. */
sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
quiet_login = stat(line, &st) >= 0;
!
! #ifdef HAVE_LOGIN_CAP_H
! quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
! #endif
!
/* If the user has logged in before, display the time of last login.
However, don't display anything extra if a command has been
specified (so that ssh can be used to execute commands on a remote
***************
*** 2749,2754 ****
--- 2764,2792 ----
printf("Last login: %s from %s\r\n", time_string, buf);
}
+ #ifdef __FreeBSD__
+ if (command == NULL && !quiet_login)
+ {
+ #ifdef HAVE_LOGIN_CAP_H
+ char *cw;
+ FILE *f;
+
+ cw = login_getcapstr(lc, "copyright", NULL, NULL);
+ if (cw != NULL && (f = fopen(cw, "r")) != NULL)
+ {
+ while (fgets(line, sizeof(line), f))
+ fputs(line, stdout);
+ fclose(f);
+ }
+ else
+ #endif
+ printf("%s\n\t%s %s\n\n",
+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+ }
+ #endif
+
/* Print /etc/motd unless a command was specified or printing it was
disabled in server options. Note that some machines appear to
print it in /etc/profile or similar. */
***************
*** 2758,2764 ****
--- 2796,2806 ----
FILE *f;
/* Print /etc/motd if it exists. */
+ #ifdef HAVE_LOGIN_CAP_H
+ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r");
+ #else
f = fopen("/etc/motd", "r");
+ #endif
if (f)
{
while (fgets(line, sizeof(line), f))
***************
*** 2766,2771 ****
--- 2808,2836 ----
fclose(f);
}
}
+ #ifdef __FreeBSD__
+ if (command == NULL && !quiet_login)
+ {
+ #ifdef broken_HAVE_LOGIN_CAP_H
+ char *mp = getenv("MAIL");
+
+ if (mp != NULL)
+ {
+ strncpy(line, mp, sizeof line);
+ line[sizeof line - 1] = '\0';
+ }
+ else
+ #endif
+ sprintf(line, "%s/%.200s", _PATH_MAILDIR, pw->pw_name);
+ if (stat(line, &st) == 0 && st.st_size != 0)
+ printf("You have %smail.\n",
+ (st.st_mtime > st.st_atime) ? "new " : "");
+ }
+ #endif
+
+ #ifdef HAVE_LOGIN_CAP_H
+ login_close(lc);
+ #endif
/* Do common processing for the child, such as execing the command. */
do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
***************
*** 3017,3023 ****
char *user_shell;
char *remote_ip;
int remote_port;
!
/* Check /etc/nologin. */
f = fopen("/etc/nologin", "r");
if (f)
--- 3082,3094 ----
char *user_shell;
char *remote_ip;
int remote_port;
! #ifdef HAVE_LOGIN_CAP_H
! login_cap_t *lc;
! char *real_shell;
!
! lc = login_getuserclass(pw);
! auth_checknologin(lc);
! #else /* !HAVE_LOGIN_CAP_H */
/* Check /etc/nologin. */
f = fopen("/etc/nologin", "r");
if (f)
***************
*** 3031,3036 ****
--- 3102,3108 ----
if (pw->pw_uid != UID_ROOT)
exit(254);
}
+ #endif /* HAVE_LOGIN_CAP_H */
if (command != NULL)
{
***************
*** 3043,3049 ****
else
log_msg("executing remote command as user %.200s", pw->pw_name);
}
!
#ifdef HAVE_SETLOGIN
/* Set login name in the kernel. Warning: setsid() must be called before
this. */
--- 3115,3122 ----
else
log_msg("executing remote command as user %.200s", pw->pw_name);
}
!
! #ifndef HAVE_LOGIN_CAP_H
#ifdef HAVE_SETLOGIN
/* Set login name in the kernel. Warning: setsid() must be called before
this. */
***************
*** 3064,3069 ****
--- 3137,3143 ----
if (setpcred((char *)pw->pw_name, NULL))
log_msg("setpcred %.100s: %.100s", strerror(errno));
#endif /* HAVE_USERSEC_H */
+ #endif /* !HAVE_LOGIN_CAP_H */
/* Save some data that will be needed so that we can do certain cleanups
before we switch to user's uid. (We must clear all sensitive data
***************
*** 3134,3139 ****
--- 3208,3271 ----
if (command != NULL || !options.use_login)
#endif /* USELOGIN */
{
+ #ifdef HAVE_LOGIN_CAP_H
+ char *p, *s, **tmpenv;
+
+ /* Save previous environment array
+ */
+ tmpenv = environ;
+ /* Initialize the new environment.
+ */
+ envsize = 64;
+ environ = env = xmalloc(envsize * sizeof(char *));
+ env[0] = NULL;
+
+ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH);
+
+ #ifdef MAIL_SPOOL_DIRECTORY
+ sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name);
+ child_set_env(&env, &envsize, "MAIL", buf);
+ #else /* MAIL_SPOOL_DIRECTORY */
+ #ifdef MAIL_SPOOL_FILE
+ sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE);
+ child_set_env(&env, &envsize, "MAIL", buf);
+ #endif /* MAIL_SPOOL_FILE */
+ #endif /* MAIL_SPOOL_DIRECTORY */
+
+ /* Let it inherit timezone if we have one. */
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+ /* Set the user's login environment
+ */
+ if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0)
+ {
+ perror("setusercontext");
+ exit(1);
+ }
+
+ p = getenv("PATH");
+ s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR));
+ *s = '\0';
+ if (p != NULL)
+ {
+ strcat(s, p);
+ strcat(s, ":");
+ }
+ strcat(s, SSH_BINDIR);
+
+ env = environ;
+ environ = tmpenv; /* Restore parent environment */
+ for (envsize = 0; env[envsize] != NULL; ++envsize)
+ ;
+ /* Reallocate this to what is expected */
+ envsize = (envsize < 100) ? 100 : envsize + 16;
+ env = xrealloc(env, envsize * sizeof(char *));
+
+ child_set_env(&env, &envsize, "PATH", s);
+ xfree(s);
+
+ #else /* !HAVE_LOGIN_CAP_H */
/* Set uid, gid, and groups. */
if (getuid() == UID_ROOT || geteuid() == UID_ROOT)
{
***************
*** 3165,3170 ****
--- 3297,3303 ----
if (getuid() != user_uid || geteuid() != user_uid)
fatal("Failed to set uids to %d.", (int)user_uid);
+ #endif /* HAVE_LOGIN_CAP_H */
}
/* Reset signals to their default settings before starting the user
***************
*** 3175,3185 ****
--- 3308,3323 ----
and means /bin/sh. */
shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell;
+ #ifdef HAVE_LOGIN_CAP_H
+ real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell);
+ login_close(lc);
+ #else /* !HAVE_LOGIN_CAP_H */
/* Initialize the environment. In the first part we allocate space for
all environment variables. */
envsize = 100;
env = xmalloc(envsize * sizeof(char *));
env[0] = NULL;
+ #endif /* HAVE_LOGIN_CAP_H */
#ifdef USELOGIN
if (command != NULL || !options.use_login)
***************
*** 3189,3194 ****
--- 3327,3334 ----
child_set_env(&env, &envsize, "HOME", user_dir);
child_set_env(&env, &envsize, "USER", user_name);
child_set_env(&env, &envsize, "LOGNAME", user_name);
+
+ #ifndef HAVE_LOGIN_CAP_H
child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
#ifdef MAIL_SPOOL_DIRECTORY
***************
*** 3200,3205 ****
--- 3340,3346 ----
child_set_env(&env, &envsize, "MAIL", buf);
#endif /* MAIL_SPOOL_FILE */
#endif /* MAIL_SPOOL_DIRECTORY */
+ #endif /* !HAVE_LOGIN_CAP_H */
#ifdef HAVE_ETC_DEFAULT_LOGIN
/* Read /etc/default/login; this exists at least on Solaris 2.x. Note
***************
*** 3215,3223 ****
--- 3356,3366 ----
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
original_command);
+ #ifndef HAVE_LOGIN_CAP_H
/* Let it inherit timezone if we have one. */
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ #endif /* !HAVE_LOGIN_CAP_H */
/* Set custom environment options from RSA authentication. */
while (custom_environment)
***************
*** 3437,3443 ****
--- 3580,3590 ----
/* Execute the shell. */
argv[0] = buf;
argv[1] = NULL;
+ #ifdef HAVE_LOGIN_CAP_H
+ execve(real_shell, argv, env);
+ #else
execve(shell, argv, env);
+ #endif /* HAVE_LOGIN_CAP_H */
/* Executing the shell failed. */
perror(shell);
exit(1);
***************
*** 3458,3464 ****
--- 3605,3615 ----
argv[1] = "-c";
argv[2] = (char *)command;
argv[3] = NULL;
+ #ifdef HAVE_LOGIN_CAP_H
+ execve(real_shell, argv, env);
+ #else
execve(shell, argv, env);
+ #endif /* HAVE_LOGIN_CAP_H */
perror(shell);
exit(1);
}