- (djm) Add --with-privsep-path configure option
diff --git a/ChangeLog b/ChangeLog
index 92afe6b..82e8545 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
  - (djm) Add --with-superuser-path=xxx configure option to specify what $PATH
    the superuser receives.
  - (djm) Bug #231: UsePrivilegeSeparation turns off Banner.
+ - (djm) Add --with-privsep-path configure option
 
 20020511
  - (tim) [configure.ac] applied a rework of djm's OpenSSL search cleanup patch.
@@ -572,4 +573,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2108 2002/05/13 01:07:41 djm Exp $
+$Id: ChangeLog,v 1.2109 2002/05/13 03:15:42 djm Exp $
diff --git a/Makefile.in b/Makefile.in
index 6af2e3a..7f7c8d8 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,8 +1,10 @@
-# $Id: Makefile.in,v 1.206 2002/05/09 14:05:59 tim Exp $
+# $Id: Makefile.in,v 1.207 2002/05/13 03:15:43 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
 
+AUTORECONF=autoreconf
+
 prefix=@prefix@
 exec_prefix=@exec_prefix@
 bindir=@bindir@
@@ -21,12 +23,14 @@
 SSH_PROGRAM=@bindir@/ssh
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 SFTP_SERVER=$(libexecdir)/sftp-server
+PRIVSEP_PATH=@PRIVSEP_PATH@
 
 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
 	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
 	-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
 	-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
 	-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
+	-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
 	-DSSH_RAND_HELPER=\"$(libexecdir)/ssh-rand-helper\"
 
 CC=@CC@
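Review bot: The added `-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"` line has no trailing backslash, so the `PATHS` continuation ends there and the following `-DSSH_RAND_HELPER=...` line is no longer part of the variable. Depending on the make implementation, that orphaned line is either rejected or parsed as something else. In both cases anything compiled with `$(PATHS)` loses the configured ssh-rand-helper location. The line should read `-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \`.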
@@ -80,6 +84,7 @@
 	-D/etc/ssh/moduli=$(sysconfdir)/moduli \
 	-D/etc/ssh/sshrc=$(sysconfdir)/sshrc \
 	-D/usr/X11R6/bin/xauth=$(XAUTH_PATH) \
+	-D/var/empty=$(PRIVSEP_PATH) \
 	-D/usr/bin:/bin:/usr/sbin:/sbin=@user_path@
 
 FIXPATHSCMD	= $(PERL) $(srcdir)/fixpaths $(PATHSUBS)
@@ -184,7 +189,7 @@
 	done
 
 distprep: catman-do
-	autoreconf
+	$(AUTORECONF)
 	(cd scard && $(MAKE) -f Makefile.in distprep)
 
 install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key
diff --git a/acconfig.h b/acconfig.h
index 6fabc0b..bbe5016 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.136 2002/05/13 00:56:51 djm Exp $ */
+/* $Id: acconfig.h,v 1.137 2002/05/13 03:15:43 djm Exp $ */
 
 #ifndef _CONFIG_H
 #define _CONFIG_H
@@ -352,6 +352,9 @@
 /* Define if you want a different $PATH for the superuser */
 #undef SUPERUSER_PATH
 
+/* Path that unprivileged child will chroot() to in privep mode */
+#undef PRIVSEP_PATH
+
 @BOTTOM@
 
 /* ******************* Shouldn't need to edit below this line ************** */
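Review bot: The new `#undef PRIVSEP_PATH` template looks unused, because the configure.ac hunk in this commit only calls `AC_SUBST(PRIVSEP_PATH)` and shows no `AC_DEFINE`. The value reaches the C code as `_PATH_PRIVSEP_CHROOT_DIR` through `PATHS` in Makefile.in instead. Either drop the entry or define it from configure, so the chroot directory has a single documented source. The comment also has a typo and should read `/* Path that unprivileged child will chroot() to in privsep mode */`.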
diff --git a/configure.ac b/configure.ac
index 1b8aa5e..acbfe78 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.57 2002/05/13 00:48:58 djm Exp $
+# $Id: configure.ac,v 1.58 2002/05/13 03:15:43 djm Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -1792,6 +1792,17 @@
 	]
 )
 
+PRIVSEP_PATH=/var/empty
+AC_ARG_WITH(privsep-path,
+	[  --with-privsep-path=xxx Path for privilege seperation chroot ],
+	[
+		if test "x$withval" != "$no" ; then
+			PRIVSEP_PATH=$withval
+		fi
+	]
+)
+AC_SUBST(PRIVSEP_PATH)
+
 AC_ARG_WITH(xauth,
 	[  --with-xauth=PATH       Specify path to xauth program ],
 	[
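Review bot: The test `"x$withval" != "$no"` compares against an unset shell variable, so it is always true: `--without-privsep-path` sets `PRIVSEP_PATH=no` and a bare `--with-privsep-path` sets it to `yes`. Either value is then compiled in as a relative chroot directory for the unprivileged child, resolved against whatever the daemon's working directory is at that point. Compare with the literal instead, `if test "x$withval" != "xno" ; then`, and consider rejecting any value that does not begin with `/`, since the chroot target should be an absolute path. The help string also misspells "separation".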
@@ -2363,41 +2374,43 @@
 E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
 F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
 G=`eval echo ${piddir}` ; G=`eval echo ${G}`
-H=`eval echo ${user_path}` ; H=`eval echo ${H}`
-I=`eval echo ${superuser_path}` ; I=`eval echo ${I}`
+H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
+I=`eval echo ${user_path}` ; I=`eval echo ${I}`
+J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
 
 echo ""
 echo "OpenSSH has been configured with the following options:"
-echo "                 User binaries: $B"
-echo "               System binaries: $C"
-echo "           Configuration files: $D"
-echo "               Askpass program: $E"
-echo "                  Manual pages: $F"
-echo "                      PID file: $G"
+echo "                     User binaries: $B"
+echo "                   System binaries: $C"
+echo "               Configuration files: $D"
+echo "                   Askpass program: $E"
+echo "                      Manual pages: $F"
+echo "                          PID file: $G"
+echo "  Privilege separation chroot path: $H"
 if test "$USES_LOGIN_CONF" = "yes" ; then
-echo "        At runtime, sshd will use the path defined in /etc/login.conf"
+echo "   At runtime, sshd will use the path defined in /etc/login.conf"
 else
-echo "        sshd default user PATH: $H"
+echo "            sshd default user PATH: $I"
 fi
 if test ! -z "$superuser_path" ; then
-echo "      sshd superuser user PATH: $I"
+echo "          sshd superuser user PATH: $J"
 fi
-echo "                Manpage format: $MANTYPE"
-echo "                   PAM support: ${PAM_MSG}"
-echo "            KerberosIV support: $KRB4_MSG"
-echo "             KerberosV support: $KRB5_MSG"
-echo "             Smartcard support: $SCARD_MSG"
-echo "                   AFS support: $AFS_MSG"
-echo "                 S/KEY support: $SKEY_MSG"
-echo "          TCP Wrappers support: $TCPW_MSG"
-echo "          MD5 password support: $MD5_MSG"
-echo "   IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
-echo "      Use IPv4 by default hack: $IPV4_HACK_MSG"
-echo "       Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
-echo "              BSD Auth support: $BSD_AUTH_MSG"
-echo "          Random number source: $RAND_MSG"
+echo "                    Manpage format: $MANTYPE"
+echo "                       PAM support: ${PAM_MSG}"
+echo "                KerberosIV support: $KRB4_MSG"
+echo "                 KerberosV support: $KRB5_MSG"
+echo "                 Smartcard support: $SCARD_MSG"
+echo "                       AFS support: $AFS_MSG"
+echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
+echo "              MD5 password support: $MD5_MSG"
+echo "      IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
+echo "          Use IPv4 by default hack: $IPV4_HACK_MSG"
+echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+echo "                  BSD Auth support: $BSD_AUTH_MSG"
+echo "              Random number source: $RAND_MSG"
 if test ! -z "$USE_RAND_HELPER" ; then
-	echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
+echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
 
 echo ""
diff --git a/pathnames.h b/pathnames.h
index 943830c..691293c 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -141,7 +141,10 @@
 #endif
 
 /* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */
+#ifndef _PATH_PRIVSEP_CHROOT_DIR
 #define _PATH_PRIVSEP_CHROOT_DIR	"/var/empty"
+#endif
+
 #ifndef _PATH_LS
 #define _PATH_LS			"ls"
 #endif
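Review bot: The comment above `_PATH_PRIVSEP_CHROOT_DIR` does not say what the directory must look like, which matters now that it can be overridden at build time (Makefile.in passes `-D_PATH_PRIVSEP_CHROOT_DIR` from `--with-privsep-path`). It is worth extending, for example `/* must be an absolute path to an empty, root-owned directory that is not group- or world-writable */`, so that packagers choosing a non-default path keep the properties the chroot relies on.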