Attachment 1944 Details for Bug 1832 – patch for interix

[patch] patch for interix

openssh-5.5_p1-interix.patch (text/plain), 15.76 KB, created by Markus Duft on 2010-11-03 18:18:53 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Markus Duft

Created: 2010-11-03 18:18:53 AEDT

Size: 15.76 KB

patch

obsolete

>diff -ru openssh-5.5p1.orig/auth-passwd.c openssh-5.5p1/auth-passwd.c
>--- openssh-5.5p1.orig/auth-passwd.c	2010-10-27 11:07:37 +0200
>+++ openssh-5.5p1/auth-passwd.c	2010-10-27 10:43:28 +0200
>@@ -53,6 +53,12 @@
> #include "hostfile.h"
> #include "auth.h"
> #include "auth-options.h"
>+#include "misc.h"
>+
>+#ifdef __INTERIX
>+# include <interix/security.h>
>+extern char* InterixPwdToken;
>+#endif
> 
> extern Buffer loginmsg;
> extern ServerOptions options;
>@@ -111,6 +117,14 @@
> 		return ok;
> 	}
> #endif
>+#ifdef __INTERIX
>+	if(setuser(authctxt->user, password, SU_CHECK) == 0) {
>+		InterixPwdToken = xstrdup(password);
>+		return ok;
>+	} else {
>+		return 0;
>+	}
>+#endif
> #ifdef USE_PAM
> 	if (options.use_pam)
> 		return (sshpam_auth_passwd(authctxt, password) && ok);
>diff -ru openssh-5.5p1.orig/auth.c openssh-5.5p1/auth.c
>--- openssh-5.5p1.orig/auth.c	2010-10-27 11:07:37 +0200
>+++ openssh-5.5p1/auth.c	2010-10-27 10:43:28 +0200
>@@ -541,6 +541,28 @@
> 
> 	pw = getpwnam(user);
> 
>+#ifdef __INTERIX
>+    /* on windows, if there is no such user in the principal domain
>+	 * (which is checked by default), we also have a look at the
>+	 * local accounts by prefixing the username with the hostname
>+	 */
>+	if (pw == NULL) {
>+		char *tmp = xmalloc(MAXHOSTNAMELEN + strlen(user) + 2);
>+
>+		if(gethostname(tmp, MAXHOSTNAMELEN) == 0) {
>+			strcat(tmp, "+");
>+			strcat(tmp, user);
>+
>+			pw = getpwnam(tmp);
>+
>+			if(pw)
>+				debug2("found local %s as fallback for principal domain", tmp);
>+		}
>+
>+        xfree(tmp);
>+	}
>+#endif /* __INTERIX */
>+
> #if defined(_AIX) && defined(HAVE_SETAUTHDB)
> 	aix_restoreauthdb();
> #endif
>diff -ru openssh-5.5p1.orig/configure.ac openssh-5.5p1/configure.ac
>--- openssh-5.5p1.orig/configure.ac	2010-10-27 11:07:37 +0200
>+++ openssh-5.5p1/configure.ac	2010-10-27 10:43:28 +0200
>@@ -448,6 +448,24 @@
> 		file descriptor passing])
> 	AC_DEFINE(SSH_IOBUFSZ, 65535, [Windows is sensitive to read buffer size])
> 	;;
>+*-*-interix*)
>+	AC_DEFINE(MISSING_HOWMANY, 1, [howmany macro is missing])
>+	AC_DEFINE(DISABLE_LOGIN, 1,
>+		[Define if you don't want to use your system's login() call])
>+	AC_DEFINE(DISABLE_SHADOW, 1,
>+	    [Define if you want to disable shadow passwords])
>+	AC_DEFINE(IP_TOS_IS_BROKEN, 1,
>+	    [Define if your system choked on IP TOS setting])
>+	AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT, 1,
>+	    [Define if the concept of ports only accessible to
>+		superusers isn't known])
>+	AC_DEFINE(DISABLE_FD_PASSING, 1,
>+		[Define if your platform needs to skip post auth
>+		file descriptor passing])
>+	AC_DEFINE(LOGIN_NO_ENDOPT, 1,
>+	    [Define if your login program cannot handle end of options ("--")])
>+	SSHDLIBS="$SSHDLIBS -lcrypt"
>+	;;
> *-*-dgux*)
> 	AC_DEFINE(IP_TOS_IS_BROKEN, 1,
> 		[Define if your system choked on IP TOS setting])
>@@ -1562,6 +1580,13 @@
> dnl    Checks for lastlog functions
> AC_CHECK_FUNCS(getlastlogxbyname)
> 
>+dnl    Checks for res_query function
>+AC_CHECK_FUNC(res_query,
>+    [AC_DEFINE(HAVE_RES_QUERY, 1, [Define if your system has res_query()])],
>+    [AC_CHECK_LIB(resolv, res_query,
>+        [LIBS="$LIBS -lresolv"; AC_DEFINE(HAVE_RES_QUERY)])]
>+)
>+
> AC_CHECK_FUNC(daemon,
> 	[AC_DEFINE(HAVE_DAEMON, 1, [Define if your libraries define daemon()])],
> 	[AC_CHECK_LIB(bsd, daemon,
>diff -ru openssh-5.5p1.orig/defines.h openssh-5.5p1/defines.h
>--- openssh-5.5p1.orig/defines.h	2010-10-27 11:07:37 +0200
>+++ openssh-5.5p1/defines.h	2010-10-27 10:43:28 +0200
>@@ -732,7 +732,11 @@
> #endif
> 
> #ifndef IOV_MAX
>-# if defined(_XOPEN_IOV_MAX)
>+# ifdef __INTERIX
>+   // Interix: has _XOPEN_IOV_MAX = INT_MAX which breaks
>+   // the compilation, since an iovec array of INT_MAX is too large
>+#  define	IOV_MAX		_SC_IOV_MAX
>+# elif defined(_XOPEN_IOV_MAX)
> #  define	IOV_MAX		_XOPEN_IOV_MAX
> # elif defined(DEF_IOV_MAX)
> #  define	IOV_MAX		DEF_IOV_MAX
>diff -ru openssh-5.5p1.orig/hostfile.c openssh-5.5p1/hostfile.c
>--- openssh-5.5p1.orig/hostfile.c	2010-10-27 11:07:37 +0200
>+++ openssh-5.5p1/hostfile.c	2010-10-27 10:43:28 +0200
>@@ -45,7 +45,9 @@
> #include <openssl/hmac.h>
> #include <openssl/sha.h>
> 
>-#include <resolv.h>
>+#ifndef __INTERIX
>+# include <resolv.h>
>+#endif
> #include <stdarg.h>
> #include <stdio.h>
> #include <stdlib.h>
>diff -ru openssh-5.5p1.orig/openbsd-compat/bsd-misc.h openssh-5.5p1/openbsd-compat/bsd-misc.h
>--- openssh-5.5p1.orig/openbsd-compat/bsd-misc.h	2010-10-27 11:07:37 +0200
>+++ openssh-5.5p1/openbsd-compat/bsd-misc.h	2010-10-27 10:43:28 +0200
>@@ -68,12 +68,14 @@
> #endif /* HAVE_TRUNCATE */
> 
> #if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP)
>+#ifndef __INTERIX
> #ifndef HAVE_STRUCT_TIMESPEC
> struct timespec {
> 	time_t	tv_sec;
> 	long	tv_nsec;
> };
> #endif
>+#endif
> int nanosleep(const struct timespec *, struct timespec *);
> #endif
> 
>diff -ru openssh-5.5p1.orig/openbsd-compat/getrrsetbyname.c openssh-5.5p1/openbsd-compat/getrrsetbyname.c
>--- openssh-5.5p1.orig/openbsd-compat/getrrsetbyname.c	2010-10-27 11:07:37 +0200
>+++ openssh-5.5p1/openbsd-compat/getrrsetbyname.c	2010-10-27 10:43:28 +0200
>@@ -61,6 +61,10 @@
> extern int h_errno;
> #endif
> 
>+/* on interix, all this stuff won't work that easy
>+ * so we skip it for now. */
>+#ifndef __INTERIX
>+
> /* We don't need multithread support here */
> #ifdef _THREAD_PRIVATE
> # undef _THREAD_PRIVATE
>@@ -182,11 +186,16 @@
> 
> static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t);
> 
>+#endif /* __INTERIX */
>+
> int
> getrrsetbyname(const char *hostname, unsigned int rdclass,
>     unsigned int rdtype, unsigned int flags,
>     struct rrsetinfo **res)
> {
>+#ifndef HAVE_RES_QUERY
>+	return (ERRSET_FAIL);
>+#else
> 	struct __res_state *_resp = _THREAD_PRIVATE(_res, _res, &_res);
> 	int result;
> 	struct rrsetinfo *rrset = NULL;
>@@ -343,6 +352,7 @@
> 	if (response != NULL)
> 		free_dns_response(response);
> 	return (result);
>+#endif /* HAVE_RES_QUERY */
> }
> 
> void
>@@ -376,6 +386,8 @@
> 	free(rrset);
> }
> 
>+#ifndef __INTERIX
>+
> /*
>  * DNS response parsing routines
>  */
>@@ -607,4 +619,6 @@
> 	return (n);
> }
> 
>+#endif /* __INTERIX */
>+
> #endif /* !defined(HAVE_GETRRSETBYNAME) */
>diff -ru openssh-5.5p1.orig/openbsd-compat/getrrsetbyname.h openssh-5.5p1/openbsd-compat/getrrsetbyname.h
>--- openssh-5.5p1.orig/openbsd-compat/getrrsetbyname.h	2010-10-27 11:07:38 +0200
>+++ openssh-5.5p1/openbsd-compat/getrrsetbyname.h	2010-10-27 10:43:28 +0200
>@@ -54,9 +54,11 @@
> 
> #include <sys/types.h>
> #include <netinet/in.h>
>-#include <arpa/nameser.h>
>+#ifndef __INTERIX
>+# include <arpa/nameser.h>
>+# include <resolv.h>
>+#endif
> #include <netdb.h>
>-#include <resolv.h>
> 
> #ifndef HFIXEDSZ
> #define HFIXEDSZ 12
>diff -ru openssh-5.5p1.orig/openbsd-compat/inet_ntop.c openssh-5.5p1/openbsd-compat/inet_ntop.c
>--- openssh-5.5p1.orig/openbsd-compat/inet_ntop.c	2010-10-27 11:07:38 +0200
>+++ openssh-5.5p1/openbsd-compat/inet_ntop.c	2010-10-27 10:43:28 +0200
>@@ -27,7 +27,9 @@
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
>-#include <arpa/nameser.h>
>+#ifndef __INTERIX
>+# include <arpa/nameser.h>
>+#endif
> #include <string.h>
> #include <errno.h>
> #include <stdio.h>
>diff -ru openssh-5.5p1.orig/session.c openssh-5.5p1/session.c
>--- openssh-5.5p1.orig/session.c	2010-10-27 11:07:38 +0200
>+++ openssh-5.5p1/session.c	2010-10-27 11:04:45 +0200
>@@ -91,6 +91,27 @@
> #include "monitor_wrap.h"
> #include "sftp.h"
> 
>+#ifdef __INTERIX
>+# include <interix/env.h>
>+# include <interix/security.h>
>+char* InterixPwdToken = NULL;
>+
>+#define INTERIX_PWD_WARNING \
>+    "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n" \
>+    "@ WARNING: Due to limitations in the POSIX Subsystem and Win32  @\n" \
>+    "@     a Password is required to acquire a full authentication.  @\n" \
>+    "@     Without such an authentication token, certain things will @\n" \
>+    "@     only be available in a very limited way (Visual Studio's  @\n" \
>+    "@     link.exe can only link without debug information, network @\n" \
>+    "@     shares that require user authentication don't fully work, @\n" \
>+    "@     etc.). However if you don't require those things to work, @\n" \
>+    "@     you may be just fine without password (public-key, etc.). @\n" \
>+    "@ To obtain a full authentication you need to use password      @\n" \
>+    "@ authentication at the moment. To do so, remove your public    @\n" \
>+    "@ key from your ~/.ssh/authorized_keys[2] file(s).              @\n" \
>+    "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
>+#endif
>+
> #if defined(KRB5) && defined(USE_AFS)
> #include <kafs.h>
> #endif
>@@ -1142,6 +1163,17 @@
> 	}
> #endif
> 
>+#ifdef __INTERIX
>+	{
>+		/* new stuff: create a full windows login environment */
>+		struct passwd* fullpw = getpwuid_ex(pw->pw_uid, PW_FULLNAME);
>+		env_t* w_env = env_login(fullpw);
>+		
>+		copy_environment(env_array(w_env), &env, &envsize);
>+		env_free(w_env);
>+	}
>+#endif
>+
> #ifdef GSSAPI
> 	/* Allow any GSSAPI methods that we've used to alter
> 	 * the childs environment as they see fit
>@@ -1504,11 +1536,13 @@
> 			perror("setgid");
> 			exit(1);
> 		}
>+#ifndef __INTERIX
> 		/* Initialize the group list. */
> 		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> 			perror("initgroups");
> 			exit(1);
> 		}
>+#endif
> 		endgrent();
> # ifdef USE_PAM
> 		/*
>@@ -1572,8 +1606,29 @@
> 			exit(1);
> 		}
> #else
>+#ifdef __INTERIX
>+		/* on interix, to get a full env, we _need_ the plain text
>+		 * password during this! */
>+		if(InterixPwdToken) {
>+			debug2("re-setting user password");
>+			strcpy(pw->pw_passwd, InterixPwdToken);
>+		} else {
>+			fprintf(stderr, INTERIX_PWD_WARNING);
>+		}
>+#endif
> 		/* Permanently switch to the desired uid. */
> 		permanently_set_uid(pw);
>+
>+#ifdef __INTERIX
>+		/* after authentication, wipe out the memorized password
>+		 * for increased security (tm) */
>+		if(InterixPwdToken) {
>+			memset(InterixPwdToken, 0, strlen(InterixPwdToken));
>+			memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
>+			strcpy(pw->pw_passwd, "*");
>+			debug2("wiped password from memory");
>+		}
>+#endif
> #endif
> 	}
> 
>@@ -1607,6 +1662,13 @@
> launch_login(struct passwd *pw, const char *hostname)
> {
> 	/* Launch login(1). */
>+	#ifdef __INTERIX
>+	/* -f only works if the user is already autheticated as the requested user */
>+	if (!InterixPwdToken)
>+		fprintf(stderr, INTERIX_PWD_WARNING);
>+	if (setuser(pw->pw_name, InterixPwdToken, SU_COMPLETE))
>+		fatal("setuser %.100s: %.100s", pw->pw_name, strerror(errno));
>+	#endif
> 
> 	execl(LOGIN_PROGRAM, "login", "-h", hostname,
> #ifdef xxxLOGIN_NEEDS_TERM
>diff -ru openssh-5.5p1.orig/sshd.c openssh-5.5p1/sshd.c
>--- openssh-5.5p1.orig/sshd.c	2010-10-27 11:07:38 +0200
>+++ openssh-5.5p1/sshd.c	2010-10-27 10:43:28 +0200
>@@ -137,6 +137,10 @@
> #define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
> #define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
> 
>+#ifdef __INTERIX
>+# include <interix/security.h>
>+#endif
>+
> extern char *__progname;
> 
> /* Server configuration options. */
>@@ -236,7 +240,11 @@
> int startup_pipe;		/* in child */
> 
> /* variables used for privilege separation */
>+#ifdef __INTERIX
>+int use_privsep = 0;
>+#else
> int use_privsep = -1;
>+#endif
> struct monitor *pmonitor = NULL;
> 
> /* global authentication context */
>@@ -613,8 +621,10 @@
> 	do_setusercontext(privsep_pw);
> #else
> 	gidset[0] = privsep_pw->pw_gid;
>+#ifndef __INTERIX
> 	if (setgroups(1, gidset) < 0)
> 		fatal("setgroups: %.100s", strerror(errno));
>+#endif
> 	permanently_set_uid(privsep_pw);
> #endif
> }
>@@ -1310,8 +1320,10 @@
> 	av = saved_argv;
> #endif
> 
>+#ifndef __INTERIX
> 	if (geteuid() == 0 && setgroups(0, NULL) == -1)
> 		debug("setgroups(): %.200s", strerror(errno));
>+#endif
> 
> 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
> 	sanitise_stdfd();
>@@ -1532,6 +1544,29 @@
> 
> 	debug("sshd version %.100s", SSH_RELEASE);
> 
>+#ifdef __INTERIX
>+	/* on interix >= 6, there is a problem is sshd is started from init:
>+	 * even though the process runs as "Administrator", it seems that
>+	 * the authentication token is pretty much stripped down, so it is
>+	 * not possible for the process to impersonate another user.
>+	 * impersonating ourself works around the problem by creating a full
>+	 * authetication token for the current user (Administrator...), which
>+	 * then is allowed to set uid/gid of any other user as normal. */
>+	if(getuid() == 0) {
>+		struct passwd* _admin = getpwuid(getuid());
>+
>+		if(!_admin) {
>+			fatal("Cannot retrieve user information for current user!\n");
>+		}
>+
>+		debug3("impersonating %s to upgrade authentication token\n", _admin->pw_name);
>+
>+		if(setuser(_admin->pw_name, NULL, SU_COMPLETE) != 0) {
>+			fatal("Cannot obtain full authentication for current user: %s\n", strerror(errno));
>+		}
>+	}
>+#endif
>+
> 	/* Store privilege separation user for later use if required. */
> 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
> 		if (use_privsep || options.kerberos_authentication)
>@@ -1688,8 +1723,10 @@
> 	 * to create a file, and we can't control the code in every
> 	 * module which might be used).
> 	 */
>+#ifndef __INTERIX
> 	if (setgroups(0, NULL) < 0)
> 		debug("setgroups() failed: %.200s", strerror(errno));
>+#endif
> 
> 	if (rexec_flag) {
> 		rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
>diff -ru openssh-5.5p1.orig/uidswap.c openssh-5.5p1/uidswap.c
>--- openssh-5.5p1.orig/uidswap.c	2010-10-27 11:07:38 +0200
>+++ openssh-5.5p1/uidswap.c	2010-10-27 10:43:28 +0200
>@@ -14,6 +14,10 @@
> 
> #include "includes.h"
> 
>+#ifdef __INTERIX
>+# include <interix/security.h>
>+#endif
>+
> #include <sys/param.h>
> #include <errno.h>
> #include <pwd.h>
>@@ -81,6 +85,7 @@
> 	privileged = 1;
> 	temporarily_use_uid_effective = 1;
> 
>+#ifndef __INTERIX
> 	saved_egroupslen = getgroups(0, NULL);
> 	if (saved_egroupslen < 0)
> 		fatal("getgroups: %.100s", strerror(errno));
>@@ -116,6 +121,7 @@
> 	/* Set the effective uid to the given (unprivileged) uid. */
> 	if (setgroups(user_groupslen, user_groups) < 0)
> 		fatal("setgroups: %.100s", strerror(errno));
>+#endif
> #ifndef SAVED_IDS_WORK_WITH_SETEUID
> 	/* Propagate the privileged gid to all of our gids. */
> 	if (setgid(getegid()) < 0)
>@@ -153,7 +159,7 @@
> 		fatal("setuid %u: %.100s", (u_int)uid, strerror(errno));
> #endif
> 
>-#ifndef HAVE_CYGWIN
>+#if !defined(HAVE_CYGWIN) && !defined(__INTERIX)
> 	/* Try restoration of UID if changed (test clearing of saved uid) */
> 	if (old_uid != uid &&
> 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
>@@ -198,8 +204,10 @@
> 	setgid(getgid());
> #endif /* SAVED_IDS_WORK_WITH_SETEUID */
> 
>+#ifndef __INTERIX
> 	if (setgroups(saved_egroupslen, saved_egroups) < 0)
> 		fatal("setgroups: %.100s", strerror(errno));
>+#endif
> 	temporarily_use_uid_effective = 0;
> }
> 
>@@ -220,6 +228,15 @@
> 	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
> 	    (u_int)pw->pw_gid);
> 
>+#ifdef __INTERIX
>+	if (strcmp(pw->pw_passwd, "*") == 0) {
>+		if (setuser(pw->pw_name, NULL, SU_COMPLETE))
>+			fatal("setuser %.100s: %.100s", pw->pw_name, strerror(errno));
>+	} else {
>+		if (setuser(pw->pw_name, pw->pw_passwd, SU_COMPLETE))
>+			fatal("setuser %.100s: %.100s", pw->pw_name, strerror(errno));
>+	}
>+#else
> #if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
> 	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
> 		fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
>@@ -257,8 +274,9 @@
> 	if (setuid(pw->pw_uid) < 0)
> 		fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
> #endif
>+#endif /* __INTERIX */
> 
>-#ifndef HAVE_CYGWIN
>+#if !defined(HAVE_CYGWIN) && !defined(__INTERIX)
> 	/* Try restoration of GID if changed (test clearing of saved gid) */
> 	if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
> 	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))
>@@ -272,7 +290,7 @@
> 		    (u_int)pw->pw_gid);
> 	}
> 
>-#ifndef HAVE_CYGWIN
>+#if !defined(HAVE_CYGWIN) && !defined(__INTERIX)
> 	/* Try restoration of UID if changed (test clearing of saved uid) */
> 	if (old_uid != pw->pw_uid &&
> 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
>diff -ru openssh-5.5p1.orig/uuencode.c openssh-5.5p1/uuencode.c
>--- openssh-5.5p1.orig/uuencode.c	2010-10-27 11:07:38 +0200
>+++ openssh-5.5p1/uuencode.c	2010-10-27 10:43:28 +0200
>@@ -27,7 +27,9 @@
> 
> #include <sys/types.h>
> #include <netinet/in.h>
>-#include <resolv.h>
>+#ifndef __INTERIX
>+# include <resolv.h>
>+#endif
> #include <stdio.h>
> 
> #include "xmalloc.h"

Actions: View | Diff

Attachments on bug 1832: 1944