diff -u openssh-4.7p1/monitor.c openssh-4.7p1/monitor.c --- openssh-4.7p1/monitor.c +++ openssh-4.7p1/monitor.c @@ -368,7 +368,7 @@ if (!(ent->flags & MON_AUTHDECIDE)) fatal("%s: unexpected authentication from %d", __func__, ent->type); - if (authctxt->pw->pw_uid == 0 && + if (authctxt->pw->pw_uid == ROOT_UID && !auth_root_allowed(auth_method)) authenticated = 0; #ifdef USE_PAM diff -u openssh-4.7p1/sshconnect.c openssh-4.7p1/sshconnect.c --- openssh-4.7p1/sshconnect.c +++ openssh-4.7p1/sshconnect.c @@ -38,6 +38,7 @@ #include #include #include +#include #include "xmalloc.h" #include "key.h" diff -u openssh-4.7p1/configure openssh-4.7p1/configure --- openssh-4.7p1/configure +++ openssh-4.7p1/configure @@ -7538,6 +7538,65 @@ _ACEOF ;; +*-*-interix*) + CPPFLAGS="$CPPFLAGS -D_ALL_SOURCE -I/usr/include/bind9" + LIBS="$LIBS -lcrypt -lbind9" + +cat >>confdefs.h <<\_ACEOF +#define DISABLE_UTMP 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define DISABLE_WTMP 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define DISABLE_LOGIN 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define DISABLE_SHADOW 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define DISABLE_LASTLOG 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define HAVE_STRUCT_TIMESPEC 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define IP_TOS_IS_BROKEN 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define MISSING_HOWMANY 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define USE_PIPES 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define NO_IPPORT_RESERVED_CONCEPT 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define DISABLE_FD_PASSING 1 +_ACEOF + + ;; *-*-k*bsd*-gnu) check_for_libcrypt_later=1 cat >>confdefs.h <<\_ACEOF @@ -28386,7 +28445,9 @@ /* end confdefs.h. */ #include +#ifdef HAVE_UTMP_H #include +#endif #ifdef HAVE_UTMPX_H #include #endif 
@@ -28457,7 +28518,9 @@ /* end confdefs.h. */ #include +#ifdef HAVE_UTMP_H #include +#endif #ifdef HAVE_UTMPX_H #include #endif diff -u openssh-4.7p1/configure.ac openssh-4.7p1/configure.ac --- openssh-4.7p1/configure.ac +++ openssh-4.7p1/configure.ac @@ -519,6 +519,21 @@ AC_DEFINE(WITH_ABBREV_NO_TTY) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") ;; +*-*-interix*) + CPPFLAGS="$CPPFLAGS -D_ALL_SOURCE -I/usr/include/bind9" + LIBS="$LIBS -lcrypt -lbind9" + AC_DEFINE(DISABLE_UTMP, 1, [Interix doesn't have utmp]) + AC_DEFINE(DISABLE_WTMP, 1, [Interix doesn't have wtmp]) + AC_DEFINE(DISABLE_LOGIN, 1, [Interix doesn't have login with utmp]) + AC_DEFINE(DISABLE_SHADOW, 1, [Interix doesn't have shadow passwords]) + AC_DEFINE(DISABLE_LASTLOG, 1, [Interix doesn't have lastlog]) + AC_DEFINE(HAVE_STRUCT_TIMESPEC, 1, [Interix has struct timespec]) + AC_DEFINE(IP_TOS_IS_BROKEN, 1, [Interix doesn't support IP_TOS]) + AC_DEFINE(MISSING_HOWMANY, 1, [Interix doesn't define howmany()]) + AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()]) + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT, 1, [Define if the concept of ports only accessible to superusers isn't known]) + AC_DEFINE(DISABLE_FD_PASSING, 1, [Define if your platform needs to skip post auth file descriptor passing]) + ;; *-*-k*bsd*-gnu) check_for_libcrypt_later=1 AC_DEFINE(PAM_TTY_KLUDGE) @@ -3959,7 +3974,9 @@ AC_MSG_CHECKING([if your system defines UTMPX_FILE]) AC_TRY_COMPILE([ #include +#ifdef HAVE_UTMP_H #include +#endif #ifdef HAVE_UTMPX_H #include #endif @@ -3985,7 +4002,9 @@ AC_MSG_CHECKING([if your system defines WTMPX_FILE]) AC_TRY_COMPILE([ #include +#ifdef HAVE_UTMP_H #include +#endif #ifdef HAVE_UTMPX_H #include #endif diff -u openssh-4.7p1/readconf.c openssh-4.7p1/readconf.c --- openssh-4.7p1/readconf.c +++ openssh-4.7p1/readconf.c 
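Review bot: The new `*-*-interix*` case hard-codes `-I/usr/include/bind9` into CPPFLAGS and `-lcrypt -lbind9` into LIBS with no AC_CHECK_HEADER/AC_CHECK_LIB probe, so a host whose bind9 headers or library live elsewhere fails late in the compile instead of at configure time; a probe for the specific symbol that bind9 supplies here, or at least a comment naming it, would make the dependency checkable. The `DISABLE_FD_PASSING` and `NO_IPPORT_RESERVED_CONCEPT` defines also switch off post-authentication privilege separation (sshd.c) and the privileged-port restriction (readconf.c, serverloop.c), which is a security posture change that deserves a one-line comment in this case rather than being discoverable only by reading four other files, e.g. `# Interix: no fd passing -> sshd runs without post-auth privsep; no reserved-port concept.`. The matching hunks in `configure` are generated output and should be regenerated from this file rather than patched by hand, so they drift less.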
@@ -251,7 +251,7 @@ Forward *fwd; #ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; - if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) + if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != ROOT_UID) fatal("Privileged ports can only be forwarded by root."); #endif if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) @@ -987,7 +987,7 @@ if (fstat(fileno(f), &sb) == -1) fatal("fstat %s: %s", filename, strerror(errno)); - if (sb.st_uid != 0 && sb.st_uid != getuid()) + if (sb.st_uid != ROOT_UID && sb.st_uid != getuid()) bad_modes = 1; if ((sb.st_mode & 020) != 0) { /* If the file is group-writable, the group in diff -u openssh-4.7p1/ssh.c openssh-4.7p1/ssh.c --- openssh-4.7p1/ssh.c +++ openssh-4.7p1/ssh.c @@ -692,7 +692,7 @@ #ifdef HAVE_CYGWIN options.use_privileged_port, #else - original_effective_uid == 0 && options.use_privileged_port, + original_effective_uid == ROOT_UID && options.use_privileged_port, #endif options.proxy_command) != 0) exit(255); @@ -741,7 +741,7 @@ * user's home directory if it happens to be on a NFS volume where * root is mapped to nobody. */ - if (original_effective_uid == 0) { + if (original_effective_uid == ROOT_UID) { PRIV_START; permanently_set_uid(pw); } diff -u openssh-4.7p1/sshd.c openssh-4.7p1/sshd.c --- openssh-4.7p1/sshd.c +++ openssh-4.7p1/sshd.c @@ -656,7 +656,7 @@ close(pmonitor->m_sendfd); /* Demote the child */ - if (getuid() == 0 || geteuid() == 0) + if (getuid() == ROOT_UID || geteuid() == ROOT_UID) privsep_preauth_child(); setproctitle("%s", "[net]"); } @@ -669,7 +669,7 @@ #ifdef DISABLE_FD_PASSING if (1) { #else - if (authctxt->pw->pw_uid == 0 || options.use_login) { + if (authctxt->pw->pw_uid == ROOT_UID || options.use_login) { #endif /* File descriptor passing is broken or root login */ use_privsep = 0; 
@@ -1261,7 +1261,7 @@ av = saved_argv; #endif - if (geteuid() == 0 && setgroups(0, NULL) == -1) + if (geteuid() == ROOT_UID && setgroups(0, NULL) == -1) debug("setgroups(): %.200s", strerror(errno)); /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ @@ -1554,8 +1554,12 @@ if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) && (st.st_uid != getuid () || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) +#elif defined(__INTERIX) + /* allow any user, changing personality for unpriviledged use isn't + * possible anyway. */ + if ((st.st_uid != getuid() && st.st_uid != ROOT_UID) || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) #else - if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) + if (st.st_uid != ROOT_UID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) #endif fatal("%s must be owned by root and not group or " "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); diff -u openssh-4.7p1/auth2.c openssh-4.7p1/auth2.c --- openssh-4.7p1/auth2.c +++ openssh-4.7p1/auth2.c @@ -44,6 +44,7 @@ #include "dispatch.h" #include "pathnames.h" #include "buffer.h" +#include "misc.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -228,7 +229,7 @@ authctxt->user); /* Special handling for root */ - if (authenticated && authctxt->pw->pw_uid == 0 && + if (authenticated && authctxt->pw->pw_uid == ROOT_UID && !auth_root_allowed(method)) { authenticated = 0; #ifdef SSH_AUDIT_EVENTS diff -u openssh-4.7p1/log.h openssh-4.7p1/log.h --- openssh-4.7p1/log.h +++ openssh-4.7p1/log.h @@ -52,7 +52,7 @@ SyslogFacility log_facility_number(char *); LogLevel log_level_number(char *); -void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2))); +void fatal(const char *, ...) __attribute__((format(printf, 1, 2))); void error(const char *, ...) __attribute__((format(printf, 1, 2))); void sigdie(const char *, ...) __attribute__((format(printf, 1, 2))); void logit(const char *, ...) __attribute__((format(printf, 1, 2))); 
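Review bot: The `#elif defined(__INTERIX)` comment says "allow any user", but the condition that follows accepts only a directory owned by `getuid()` or `ROOT_UID`, and the unchanged `fatal()` text still says the directory "must be owned by root"; comment, condition and error message should agree. Suggest `/* Interix: accept ownership by root or by the invoking user; changing personality for unprivileged use isn't possible anyway. */` and a branch-specific message, or a sentence in the comment on why the relaxed ownership check is safe for a directory that is later used as a chroot target. The added line is also far longer and spaced differently (`(S_IWGRP | S_IWOTH)`) than the neighbouring `(S_IWGRP|S_IWOTH)` branches; wrap and space it like them. "unpriviledged" is a typo for "unprivileged".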
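Review bot: Dropping `__dead` from the `fatal()` prototype (and from `cleanup_exit()` in the next hunk) removes the noreturn attribute for every platform, not only Interix, so compilers lose the knowledge that these calls never return and will start producing spurious "may be used uninitialized" and "control reaches end of non-void function" warnings at the many `fatal()` call sites. If `__dead` is undefined on Interix, the fix belongs in the portability definitions (a `#ifndef __dead` / `#define __dead __attribute__((noreturn))` fallback, which defines.h normally carries — confirm whether it is reached before log.h there) rather than in the declarations. Keep `void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2)));` and `void cleanup_exit(int) __dead;`.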
@@ -64,3 +64,3 @@ void do_log(LogLevel, const char *, va_list); -void cleanup_exit(int) __dead; +void cleanup_exit(int); #endif diff -u openssh-4.7p1/serverloop.c openssh-4.7p1/serverloop.c --- openssh-4.7p1/serverloop.c +++ openssh-4.7p1/serverloop.c @@ -1113,7 +1113,7 @@ if (!options.allow_tcp_forwarding || no_port_forwarding_flag #ifndef NO_IPPORT_RESERVED_CONCEPT - || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) + || (listen_port < IPPORT_RESERVED && pw->pw_uid != ROOT_UID) #endif ) { success = 0; diff -u openssh-4.7p1/ssh_config openssh-4.7p1/ssh_config --- openssh-4.7p1/ssh_config +++ openssh-4.7p1/ssh_config @@ -51,2 +51,2 @@ - GSSAPIAuthentication yes - GSSAPIDelegateCredentials no +# GSSAPIAuthentication yes +# GSSAPIDelegateCredentials no diff -u openssh-4.7p1/session.c openssh-4.7p1/session.c --- openssh-4.7p1/session.c +++ openssh-4.7p1/session.c @@ -87,6 +87,7 @@ #include "session.h" #include "kex.h" #include "monitor_wrap.h" +#include "misc.h" #if defined(KRB5) && defined(USE_AFS) #include @@ -347,7 +348,7 @@ break; } debug("Received TCP/IP port forwarding request."); - if (channel_input_port_forward_request(s->pw->pw_uid == 0, + if (channel_input_port_forward_request(s->pw->pw_uid == ROOT_UID, options.gateway_ports) < 0) { debug("Port forwarding failed."); break; @@ -954,7 +955,7 @@ if (tmpenv == NULL) return; - if (uid == 0) + if (uid == ROOT_UID) var = child_get_env(tmpenv, "SUPATH"); else var = child_get_env(tmpenv, "PATH"); 
@@ -1025,6 +1026,99 @@ } #endif +#ifdef __INTERIX + { + char *tmp = NULL; + const char **e; + const char *envvars[] = { + "ALLUSERSPROFILE", + "COMMONPROGRAMFILES", + "COMPUTERNAME", + "COMSPEC", + "NUMBER_OF_PROCESSORS", + "OS", + "PATHEXT", + "PROCESSOR_ARCHITECTURE", + "PROCESSOR_IDENTIFIER", + "PROCESSOR_LEVEL", + "PROCESSOR_REVISION", + "PROGRAMFILES", + "SYSTEMDRIVE", + "SYSTEMROOT", + "TMP", + "TEMP", + "WINDIR", + /* these are required to detect visual studio */ + "VS70COMNTOOLS", + "VS71COMNTOOLS", + "VS80COMNTOOLS", + "VS90COMNTOOLS", + /* these are the interix directory variables... */ + "INTERIX_ROOT", + "INTERIX_ROOT_WIN", + "SFUDIR", + "SFUDIR_WIN", + "SUA_ROOT", + "SUA_ROOT_WIN", + "OPENNT_ROOT", + /* LD_LIBRARY_PATH required? */ + NULL}; + + for (e = envvars; *e; e++) { + if((tmp = getenv(*e)) != NULL) + child_set_env(&env, &envsize, *e, tmp); + } + } + { + /* does this really work? */ + struct passwd* fullpw = getpwuid_ex(pw->pw_uid, PW_FULLNAME); + char* pos_enddomain = NULL; + + if(fullpw) { + char* domain = strdup(fullpw->pw_name); + pos_enddomain = strchr(domain, '+'); + + if(!pos_enddomain) + pos_enddomain = strchr(domain, '\\'); + + if(pos_enddomain) { + *pos_enddomain = '\0'; + child_set_env(&env, &envsize, "USERDOMAIN", domain); + child_set_env(&env, &envsize, "USERNAME", ++pos_enddomain); + } + + free(domain); + } else + debug2("cannot determine user information by uid %d", pw->pw_uid); + + if(!pos_enddomain) { + char* pdomain; + int pdomain_size; + + debug2("cannot find domain, using principal domain"); + + pdomain_size = getpdomain(NULL, 0); + + if(pdomain_size > 0) + { + pdomain = malloc(pdomain_size); + if(getpdomain(pdomain, pdomain_size) != 0) { + debug2("cannot get principal domain!"); + } else { + /* ok, set... 
*/ + child_set_env(&env, &envsize, "USERDOMAIN", pdomain); + child_set_env(&env, &envsize, "USERNAME", pw->pw_name); + } + free(pdomain); + } else { + debug2("cannot determine principal domain size"); + } + } + } + + /* also USERPROFILE would be good, but thats a hard one. */ +#endif + #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit @@ -1063,7 +1157,7 @@ # endif /* HAVE_ETC_DEFAULT_LOGIN */ if (path == NULL || *path == '\0') { child_set_env(&env, &envsize, "PATH", - s->pw->pw_uid == 0 ? + s->pw->pw_uid == ROOT_UID ? SUPERUSER_PATH : _PATH_STDPATH); } # endif /* HAVE_CYGWIN */ @@ -1289,7 +1383,7 @@ do_setusercontext(struct passwd *pw) { #ifndef HAVE_CYGWIN - if (getuid() == 0 || geteuid() == 0) + if (getuid() == ROOT_UID || geteuid() == ROOT_UID) #endif /* HAVE_CYGWIN */ { @@ -2087,7 +2181,7 @@ record_logout(s->pid, s->tty, s->pw->pw_name); /* Release the pseudo-tty. */ - if (getuid() == 0) + if (getuid() == ROOT_UID) pty_release(s->tty); /* diff -u openssh-4.7p1/clientloop.c openssh-4.7p1/clientloop.c --- openssh-4.7p1/clientloop.c +++ openssh-4.7p1/clientloop.c @@ -750,7 +750,7 @@ close(client_fd); return; } - if ((euid != 0) && (getuid() != euid)) { + if ((euid != ROOT_UID) && (getuid() != euid)) { error("control mode uid mismatch: peer euid %u != uid %u", (u_int) euid, (u_int) getuid()); close(client_fd); diff -u openssh-4.7p1/auth1.c openssh-4.7p1/auth1.c --- openssh-4.7p1/auth1.c +++ openssh-4.7p1/auth1.c @@ -39,6 +39,7 @@ #endif #include "monitor_wrap.h" #include "buffer.h" +#include "misc.h" /* import */ extern ServerOptions options; @@ -325,7 +326,7 @@ } #else /* Special handling for root */ - if (authenticated && authctxt->pw->pw_uid == 0 && + if (authenticated && authctxt->pw->pw_uid == ROOT_UID && !auth_root_allowed(meth->name)) { authenticated = 0; # ifdef SSH_AUDIT_EVENTS 
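Review bot: In the Interix domain/user block, `strdup(fullpw->pw_name)` and `malloc(pdomain_size)` are unchecked before `strchr(domain, '+')` and `getpdomain(pdomain, pdomain_size)` use the result; session.c otherwise uses the xmalloc wrappers, so `xstrdup`/`xmalloc` (or an explicit NULL test) removes the NULL dereference and keeps the file's style. The `getpdomain(pdomain, pdomain_size) != 0` test looks inverted if the sizing call `getpdomain(NULL, 0)` returns a length on success, as the code just above assumes — confirm the return convention, because on success it would log "cannot get principal domain!" and skip setting USERDOMAIN. `debug2("cannot determine user information by uid %d", pw->pw_uid)` passes a uid_t to `%d`; the file's convention is `(u_int)pw->pw_uid` with `%u`. Copying the daemon's own environment through the `envvars` table hands server process state to every session, and the open `/* LD_LIBRARY_PATH required? */` should be answered with a firm no and a comment saying why loader paths inherited from the daemon are not passed on, rather than left as a question. The enclosing function starts and ends outside this hunk, and the block's `struct passwd*`, `char*` and `if(` spacing differ from the rest of session.c.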
@@ -430,7 +431,7 @@ * the server. */ #ifndef HAVE_CYGWIN - if (!use_privsep && getuid() != 0 && authctxt->pw && + if (!use_privsep && getuid() != ROOT_UID && authctxt->pw && authctxt->pw->pw_uid != getuid()) packet_disconnect("Cannot change user when server not running as root."); #endif diff -u openssh-4.7p1/debian/openssh-server.postrm openssh-4.7p1/debian/openssh-server.postrm --- openssh-4.7p1/debian/openssh-server.postrm +++ openssh-4.7p1/debian/openssh-server.postrm @@ -54,9 +54,9 @@ update-rc.d ssh remove >/dev/null - if type deluser >/dev/null 2>&1; then - deluser --quiet sshd > /dev/null || true - fi + #if type deluser >/dev/null 2>&1; then + # deluser --quiet sshd > /dev/null || true + #fi finish_mv_conffile /etc/pam.d/ssh ;; diff -u openssh-4.7p1/debian/openssh-client.postrm openssh-4.7p1/debian/openssh-client.postrm --- openssh-4.7p1/debian/openssh-client.postrm +++ openssh-4.7p1/debian/openssh-client.postrm @@ -25,7 +25,7 @@ rm -f /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 rmdir --ignore-fail-on-non-empty /etc/ssh - delgroup --quiet ssh > /dev/null || true +# delgroup --quiet ssh > /dev/null || true ;; esac diff -u openssh-4.7p1/debian/openssh-server.postinst openssh-4.7p1/debian/openssh-server.postinst --- openssh-4.7p1/debian/openssh-server.postinst +++ openssh-4.7p1/debian/openssh-server.postinst @@ -66,8 +66,8 @@ print "$option $value" unless $done;' \ "$option" "$value" \ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new - chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new - chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new +# chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new +# chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config } 
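Review bot: Commenting out the `chown --reference` / `chmod --reference` lines (here and in the @@ -91 and @@ -257 hunks) means `/etc/ssh/sshd_config.dpkg-new` is moved over `/etc/ssh/sshd_config` with whatever owner and mode the installer's umask produced, so the config file's permissions are no longer preserved across an upgrade. If `--reference` is what is unavailable on Interix, replace it with an explicit `chmod 644 /etc/ssh/sshd_config.dpkg-new` (and the matching owner) before each `mv` instead of dropping the step, or add a comment stating that the default umask is being relied on and why that is acceptable for this file.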
@@ -91,8 +91,8 @@ }' \ "$option" \ < /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new - chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new - chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new +# chown --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new +# chmod --reference /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-new mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config } @@ -257,11 +257,11 @@ perl -pe 's/^(PAMAuthenticationViaKbdInt|RhostsAuthentication)\b/#$1/i' \ /etc/ssh/sshd_config > /etc/ssh/sshd_config.dpkg-new echo >> /etc/ssh/sshd_config.dpkg-new - echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new - chown --reference /etc/ssh/sshd_config \ - /etc/ssh/sshd_config.dpkg-new - chmod --reference /etc/ssh/sshd_config \ - /etc/ssh/sshd_config.dpkg-new +# echo 'UsePAM yes' >> /etc/ssh/sshd_config.dpkg-new +# chown --reference /etc/ssh/sshd_config \ +# /etc/ssh/sshd_config.dpkg-new +# chmod --reference /etc/ssh/sshd_config \ +# /etc/ssh/sshd_config.dpkg-new mv /etc/ssh/sshd_config.dpkg-new /etc/ssh/sshd_config echo fi @@ -310,8 +310,8 @@ # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes +#Privilege Separation is turned off on Interix +UsePrivilegeSeparation no # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 @@ -374,7 +374,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server -UsePAM yes +#UsePAM yes EOF } 
@@ -388,15 +388,17 @@ } fix_sshd_shell() { - if getent passwd sshd | grep -q ':/bin/false$'; then - usermod -s /usr/sbin/nologin sshd || true - fi +# if getent passwd sshd | grep -q ':/bin/false$'; then +# usermod -s /usr/sbin/nologin sshd || true +# fi + : } setup_sshd_user() { - if ! getent passwd sshd >/dev/null; then - adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd - fi +# if ! getent passwd sshd >/dev/null; then +# adduser --quiet --system --no-create-home --home /var/run/sshd --shell /usr/sbin/nologin sshd +# fi + : } fix_conffile_permissions() { @@ -417,7 +419,9 @@ setup_init() { if [ -x /etc/init.d/ssh ]; then - update-rc.d ssh start 16 2 3 4 5 . stop 84 1 . >/dev/null +# update-rc.d ssh start 16 2 3 4 5 . stop 84 1 . >/dev/null + ln -sf ../init.d/ssh /etc/rc2.d/S16ssh + ln -sf ../init.d/ssh /etc/rc2.d/K84ssh if [ -x /usr/sbin/invoke-rc.d ]; then invoke-rc.d ssh restart else diff -u openssh-4.7p1/debian/openssh-server.init openssh-4.7p1/debian/openssh-server.init --- openssh-4.7p1/debian/openssh-server.init +++ openssh-4.7p1/debian/openssh-server.init @@ -88,7 +88,8 @@ check_for_no_start check_dev_null log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" - if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then + #if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then + if /usr/sbin/sshd $SSHD_OPTS; then log_end_msg 0 adjust_oom else @@ -97,7 +98,8 @@ ;; stop) log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" - if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid; then + #if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid; then + if kill -KILL `/bin/cat /var/run/sshd.pid`; then log_end_msg 0 else log_end_msg 1 
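Review bot: The replacement for `update-rc.d ssh start 16 2 3 4 5 . stop 84 1 .` creates both `S16ssh` and `K84ssh` in `/etc/rc2.d`, which does not reproduce the original registration: the start link belonged to runlevels 2–5 and the kill link to runlevel 1, and a K link in the same runlevel as the S link is never what the original intended. Either create `S16ssh` in rc2.d–rc5.d and `K84ssh` in rc1.d (plus rc0.d/rc6.d if the system uses them), or add a comment explaining that Interix only ever enters runlevel 2 and why K84 must live there. The symlinks are also created unconditionally, so every reconfigure overwrites an administrator's local arrangement; a `[ -e /etc/rc2.d/S16ssh ] ||` guard would keep the behaviour of the commented-out command.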
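Review bot: The stop branch now sends SIGKILL to the pid read by `/bin/cat /var/run/sshd.pid` (the same pattern recurs in the @@ -119 and @@ -135 hunks below), so sshd gets no chance to run its shutdown path, and when the pidfile is missing or stale the command either runs `kill -KILL` with no argument or signals an unrelated process that reused the pid. Prefer SIGTERM with a checked read, e.g. `pid=$(cat /var/run/sshd.pid 2>/dev/null) && [ -n "$pid" ] && kill -TERM "$pid"`, and verify the pid still belongs to sshd before signalling. The start branch `if /usr/sbin/sshd $SSHD_OPTS; then` also loses the `--oknodo` semantics of start-stop-daemon, so a start while sshd is already running now reports failure rather than success; if that is acceptable on Interix it deserves a comment.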
@@ -108,7 +110,8 @@ check_for_no_start check_config log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" - if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd; then + #if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd; then + if kill -HUP `/bin/cat /var/run/sshd.pid`; then log_end_msg 0 else log_end_msg 1 @@ -119,10 +122,12 @@ check_privsep_dir check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" - start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid + #start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd.pid + kill -KILL `/bin/cat /var/run/sshd.pid` || true check_for_no_start log_end_msg check_dev_null log_end_msg - if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then + #if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then + if /usr/sbin/sshd $SSHD_OPTS; then log_end_msg 0 adjust_oom else @@ -135,7 +140,8 @@ check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" set +e - start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid + #start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd.pid + kill -KILL `/bin/cat /var/run/sshd.pid` RET="$?" set -e case $RET in 
@@ -143,7 +149,8 @@ # old daemon stopped check_for_no_start log_end_msg check_dev_null log_end_msg - if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then + #if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then + if /usr/sbin/sshd $SSHD_OPTS; then log_end_msg 0 else log_end_msg 1 diff -u openssh-4.7p1/debian/openssh-client.postinst openssh-4.7p1/debian/openssh-client.postinst --- openssh-4.7p1/debian/openssh-client.postinst +++ openssh-4.7p1/debian/openssh-client.postinst @@ -78,18 +78,19 @@ fix_ssh_group() { # Try to remove non-system group mistakenly created by 1:3.5p1-1. # set_ssh_agent_permissions() below will re-create it properly. - if getent group ssh >/dev/null; then - delgroup --quiet ssh || true - fi +# if getent group ssh >/dev/null; then +# delgroup --quiet ssh || true +# fi + : } set_ssh_agent_permissions() { - if ! getent group ssh >/dev/null; then - addgroup --system --quiet ssh - fi +# if ! getent group ssh >/dev/null; then +# addgroup --system --quiet ssh +# fi if ! [ -x /usr/sbin/dpkg-statoverride ] || \ ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then - chgrp ssh /usr/bin/ssh-agent +# chgrp ssh /usr/bin/ssh-agent chmod 2755 /usr/bin/ssh-agent fi } diff -u openssh-4.7p1/debian/control openssh-4.7p1/debian/control --- openssh-4.7p1/debian/control +++ openssh-4.7p1/debian/control 
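Review bot: With `chgrp ssh /usr/bin/ssh-agent` commented out but `chmod 2755 /usr/bin/ssh-agent` kept, the binary remains setgid to whatever group owns it after installation instead of the dedicated `ssh` group the bit was designed for. Either drop the bit as well (`chmod 755 /usr/bin/ssh-agent`) now that the group is no longer created in `set_ssh_agent_permissions`, or keep `chgrp` and `chmod` together behind one `if getent group ssh >/dev/null` test so they cannot drift apart. `fix_ssh_group` now consists of commented-out code plus `:`; a one-line comment saying why group handling is skipped on Interix would be clearer than the dead block.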
@@ -2,13 +2,13 @@ Section: net Priority: standard Maintainer: Debian OpenSSH Maintainers -Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev +Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libedit-dev, debhelper (>= 5.0.22), sharutils, libbind-dev, libncurses-dev Standards-Version: 3.7.3 Uploaders: Colin Watson , Matthew Vernon Package: openssh-client Architecture: any -Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, adduser (>= 3.10), dpkg (>= 1.7.0), passwd, libssl0.9.8 (>= 0.9.8g-9) +Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, dpkg (>= 1.7.0), libssl0.9.8 (>= 0.9.8g-9) Recommends: xauth Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7) Replaces: ssh, ssh-krb5 @@ -37,7 +37,7 @@ Package: openssh-server Priority: optional Architecture: any -Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, libpam-runtime (>= 0.76-14), libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${binary:Version}), lsb-base (>= 3.0-6), libssl0.9.8 (>= 0.9.8g-9), openssh-blacklist +Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, dpkg (>= 1.9.0), openssh-client (= ${binary:Version}), lsb-base (>= 3.0-6), libssl0.9.8 (>= 0.9.8g-9), openssh-blacklist Recommends: xauth Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7) Replaces: ssh, openssh-client (<< 1:3.8.1p1-11), ssh-krb5 diff -u openssh-4.7p1/debian/changelog openssh-4.7p1/debian/changelog --- openssh-4.7p1/debian/changelog +++ openssh-4.7p1/debian/changelog 
@@ -1,3 +1,24 @@ +openssh (1:4.7p1-9+interix.3) unstable; urgency=low + + * Non-maintainer upload. + * patches for interix-i386 + + -- Martin Koeppe Sat, 06 Dec 2008 01:01:13 +0100 + +openssh (1:4.7p1-9+interix.2) unstable; urgency=low + + * Non-maintainer upload. + * patches for interix-i386: use setuser() instead of setuid()/setgid() + + -- Martin Koeppe Sun, 02 Nov 2008 21:45:18 +0100 + +openssh (1:4.7p1-9+interix.1) unstable; urgency=low + + * Non-maintainer upload. + * patches for interix-i386 + + -- Martin Koeppe Fri, 16 May 2008 23:05:14 +0200 + openssh (1:4.7p1-9) unstable; urgency=critical * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-8. diff -u openssh-4.7p1/debian/rules openssh-4.7p1/debian/rules --- openssh-4.7p1/debian/rules +++ openssh-4.7p1/debian/rules @@ -63,7 +63,7 @@ # Common build options. confflags += --with-mantype=doc -confflags += --with-4in6 +confflags += --without-4in6 confflags += --with-privsep-path=/var/run/sshd confflags += --without-rand-helper @@ -72,14 +72,18 @@ confflags += --with-libs=-lcrypt endif +ifeq ($(DEB_HOST_ARCH_OS),interix) +confflags += ac_cv_func_poll=no +endif + # Everything above here is common to the deb and udeb builds. confflags_udeb := $(confflags) # Options specific to the deb build. confflags += --with-tcp-wrappers -confflags += --with-pam +confflags += --without-pam confflags += --with-libedit -confflags += --with-kerberos5=/usr +confflags += --without-kerberos5 confflags += --with-ssl-engine ifeq ($(DEB_HOST_ARCH_OS),linux) confflags += --with-selinux @@ -123,7 +127,7 @@ perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-deb/config.h $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' - $(MAKE) -C contrib gnome-ssh-askpass2 CC='gcc $(OPTFLAGS) -g -Wall' + #$(MAKE) -C contrib gnome-ssh-askpass2 CC='gcc $(OPTFLAGS) -g -Wall' touch build-deb-stamp 
@@ -177,16 +181,16 @@ install -m 644 -c contrib/ssh-copy-id.1 debian/openssh-client/usr/share/man/man1/ssh-copy-id.1 install -m 644 debian/moduli.5 debian/openssh-client/usr/share/man/man5/moduli.5 - install -s -o root -g root -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass + #install -s -m 755 contrib/gnome-ssh-askpass2 debian/ssh-askpass-gnome/usr/lib/openssh/gnome-ssh-askpass install -m 644 debian/gnome-ssh-askpass.1 debian/ssh-askpass-gnome/usr/share/man/man1/gnome-ssh-askpass.1 uudecode -o debian/ssh-askpass-gnome/usr/share/pixmaps/ssh-askpass-gnome.png debian/ssh-askpass-gnome.png.uue install -m 755 debian/ssh-argv0 debian/openssh-client/usr/bin/ssh-argv0 install -m 644 debian/ssh-argv0.1 debian/openssh-client/usr/share/man/man1/ssh-argv0.1 - install -o root -g root debian/openssh-server.init debian/openssh-server/etc/init.d/ssh - install -o root -g root -m 644 debian/openssh-server.default debian/openssh-server/etc/default/ssh - install -o root -g root debian/openssh-server.if-up debian/openssh-server/etc/network/if-up.d/openssh-server + install debian/openssh-server.init debian/openssh-server/etc/init.d/ssh + install -m 644 debian/openssh-server.default debian/openssh-server/etc/default/ssh + install debian/openssh-server.if-up debian/openssh-server/etc/network/if-up.d/openssh-server install -m 755 build-udeb/ssh debian/openssh-client-udeb/usr/bin/ssh install -m 755 build-udeb/scp debian/openssh-client-udeb/usr/bin/scp 
@@ -196,9 +200,19 @@ # Remove version control tags to avoid unnecessary conffile # resolution steps for administrators. - sed -i '/\$$OpenBSD:/d' \ - debian/openssh-client/etc/ssh/moduli \ - debian/openssh-client/etc/ssh/ssh_config +# sed -i '/\$$OpenBSD:/d' \ +# debian/openssh-client/etc/ssh/moduli \ +# debian/openssh-client/etc/ssh/ssh_config +# +# workaround problem with "sed -i" within chroot +# + mv debian/openssh-client/etc/ssh/moduli debian/openssh-client/etc/ssh/moduli.in + sed '/\$$OpenBSD:/d' < debian/openssh-client/etc/ssh/moduli.in > debian/openssh-client/etc/ssh/moduli + rm debian/openssh-client/etc/ssh/moduli.in + + mv debian/openssh-client/etc/ssh/ssh_config debian/openssh-client/etc/ssh/ssh_config.in + sed '/\$$OpenBSD:/d' < debian/openssh-client/etc/ssh/ssh_config.in > debian/openssh-client/etc/ssh/ssh_config + rm debian/openssh-client/etc/ssh/ssh_config.in # Build architecture-independent files here. binary-indep: binary-ssh binary-ssh-krb5 @@ -309,7 +323,7 @@ dh_compress dh_fixperms dh_installdeb - install -p -o root -g root -m 755 debian/openssh-client-udeb.isinstallable debian/openssh-client-udeb/DEBIAN/isinstallable + install -p -m 755 debian/openssh-client-udeb.isinstallable debian/openssh-client-udeb/DEBIAN/isinstallable dh_shlibdeps dh_gencontrol dh_md5sums only in patch2: unchanged: --- openssh-4.7p1.orig/auth-pam.c +++ openssh-4.7p1/auth-pam.c @@ -265,7 +265,7 @@ if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1) fatal("%s: setreuid failed: %s", __func__, strerror(errno)); result = pam_chauthtok(pamh, flags); - if (setreuid(0, -1) == -1) + if (setreuid(ROOT_UID, -1) == -1) fatal("%s: setreuid failed: %s", __func__, strerror(errno)); return result; } @@ -779,7 +779,7 @@ } if (type == PAM_SUCCESS) { if (!sshpam_authctxt->valid || - (sshpam_authctxt->pw->pw_uid == 0 && + (sshpam_authctxt->pw->pw_uid == ROOT_UID && options.permit_root_login != PERMIT_YES)) fatal("Internal error: PAM auth " "succeeded when it should have " 
@@ -830,7 +830,7 @@ } buffer_init(&buffer); if (sshpam_authctxt->valid && - (sshpam_authctxt->pw->pw_uid != 0 || + (sshpam_authctxt->pw->pw_uid != ROOT_UID || options.permit_root_login == PERMIT_YES)) buffer_put_cstring(&buffer, *resp); else @@ -1193,7 +1193,7 @@ * by PermitRootLogin, use an invalid password to prevent leaking * information via timing (eg if the PAM config has a delay on fail). */ - if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && + if (!authctxt->valid || (authctxt->pw->pw_uid == ROOT_UID && options.permit_root_login != PERMIT_YES)) sshpam_password = badpw; only in patch2: unchanged: --- openssh-4.7p1.orig/auth-passwd.c +++ openssh-4.7p1/auth-passwd.c @@ -45,6 +45,11 @@ #include #include +#ifdef __INTERIX +# include +# include "xmalloc.h" +#endif + #include "packet.h" #include "buffer.h" #include "log.h" @@ -53,6 +58,7 @@ #include "hostfile.h" #include "auth.h" #include "auth-options.h" +#include "misc.h" extern Buffer loginmsg; extern ServerOptions options; @@ -61,6 +67,9 @@ extern login_cap_t *lc; #endif +#ifdef __INTERIX +extern char *users_passwd; +#endif #define DAY (24L * 60 * 60) /* 1 day in seconds */ #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ @@ -87,7 +96,8 @@ #endif #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + /* hehe, the interix change would make this work on cygwin too :) */ + if (pw->pw_uid == ROOT_UID && options.permit_root_login != PERMIT_YES) ok = 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) @@ -109,6 +119,15 @@ return 0; cygwin_set_impersonation_token(hToken); return ok; + } +#endif +#ifdef __INTERIX + if (setuser(authctxt->user, password, SU_CHECK) == 0) { + /* save password for future calls setuser() */ + users_passwd = xstrdup(password); + return ok; + } else { + return 0; } #endif #ifdef USE_PAM only in patch2: unchanged: --- openssh-4.7p1.orig/auth-rhosts.c +++ openssh-4.7p1/auth-rhosts.c 
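Review bot: The added `/* hehe, the interix change would make this work on cygwin too :) */` does not say what the check does or why, and it sits on the root-login permission test. Replace it with something a maintainer can act on, e.g. `/* ROOT_UID (misc.h) is the platform's administrative uid; Cygwin is still excluded by the #ifndef above. */`, or delete it.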
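Review bot: The Interix branch calls `setuser(authctxt->user, password, SU_CHECK)` with the client-supplied login name, while uidswap.c on this page calls `setuser(pw->pw_name, ...)`; if the platform resolves the two spellings differently (domain prefix, case), the password is checked against one account and the session set up for another, so use `pw->pw_name` here to match the passwd entry already looked up. `users_passwd = xstrdup(password)` is assigned without freeing a previous value, so a second successful check in the same process leaks the earlier copy and leaves an unzeroed plaintext password on the heap; clear and free any existing value before assigning. The branch also returns before the `USE_PAM` and later checks, which is presumably intended but should be stated in the comment. The enclosing function starts outside this hunk.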
@@ -37,6 +37,7 @@ #include "key.h" #include "hostfile.h" #include "auth.h" +#include "misc.h" /* import */ extern ServerOptions options; @@ -212,7 +213,7 @@ return 0; /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ - if (pw->pw_uid != 0) { + if (pw->pw_uid != ROOT_UID) { if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, pw->pw_name)) { auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", @@ -238,7 +239,7 @@ return 0; } if (options.strict_modes && - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || + ((st.st_uid != ROOT_UID && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0)) { logit("Rhosts authentication refused for %.100s: " "bad ownership or modes for home directory.", pw->pw_name); @@ -265,7 +266,7 @@ * allowing access to their account by anyone. */ if (options.strict_modes && - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || + ((st.st_uid != ROOT_UID && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0)) { logit("Rhosts authentication refused for %.100s: bad modes for %.200s", pw->pw_name, buf); only in patch2: unchanged: --- openssh-4.7p1.orig/auth-sia.c +++ openssh-4.7p1/auth-sia.c @@ -107,7 +107,7 @@ sia_ses_release(&ent); - setuid(0); + setuid(ROOT_UID); permanently_set_uid(pw); } only in patch2: unchanged: --- openssh-4.7p1.orig/auth.c +++ openssh-4.7p1/auth.c @@ -377,7 +377,7 @@ user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); if (options.strict_modes && (stat(user_hostfile, &st) == 0) && - ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || + ((st.st_uid != ROOT_UID && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0)) { logit("Authentication refused for %.100s: " "bad owner or modes for %.200s", @@ -430,7 +430,7 @@ /* check the open file to avoid races */ if (fstat(fileno(f), &st) < 0 || - (st.st_uid != 0 && st.st_uid != uid) || + (st.st_uid != ROOT_UID && st.st_uid != uid) || (st.st_mode & 022) != 0) { snprintf(err, errlen, "bad ownership or modes for file %s", buf); 
@@ -447,7 +447,7 @@ debug3("secure_filename: checking '%s'", buf); if (stat(buf, &st) < 0 || - (st.st_uid != 0 && st.st_uid != uid) || + (st.st_uid != ROOT_UID && st.st_uid != uid) || (st.st_mode & 022) != 0) { snprintf(err, errlen, "bad ownership or modes for directory %s", buf); only in patch2: unchanged: --- openssh-4.7p1.orig/includes.h +++ openssh-4.7p1/includes.h @@ -16,6 +16,12 @@ #ifndef INCLUDES_H #define INCLUDES_H +#ifdef __INTERIX +#define initgroups(user,group) 0 +#define setgroups(size,list) 0 +#define IOV_MAX 1024 +#endif + #include "config.h" #define _GNU_SOURCE /* activate extra prototypes for glibc */ only in patch2: unchanged: --- openssh-4.7p1.orig/loginrec.c +++ openssh-4.7p1/loginrec.c @@ -175,6 +175,7 @@ #include "canohost.h" #include "auth.h" #include "buffer.h" +#include "misc.h" #ifdef HAVE_UTIL_H # include @@ -432,7 +433,7 @@ login_write(struct logininfo *li) { #ifndef HAVE_CYGWIN - if (geteuid() != 0) { + if (geteuid() != ROOT_UID) { logit("Attempt to write login records by non-root user (aborting)"); return (1); } @@ -1636,7 +1637,7 @@ time_t t; struct stat fst; - if (geteuid() != 0) + if (geteuid() != ROOT_UID) return; if ((fd = open(_PATH_BTMP, O_WRONLY | O_APPEND)) < 0) { debug("Unable to open the btmp file %s: %s", _PATH_BTMP, @@ -1648,7 +1649,7 @@ strerror(errno)); goto out; } - if((fst.st_mode & (S_IRWXG | S_IRWXO)) || (fst.st_uid != 0)){ + if((fst.st_mode & (S_IRWXG | S_IRWXO)) || (fst.st_uid != ROOT_UID)){ logit("Excess permission or bad ownership on file %s", _PATH_BTMP); goto out; only in patch2: unchanged: --- openssh-4.7p1.orig/logintest.c +++ openssh-4.7p1/logintest.c @@ -125,7 +125,7 @@ if (be_verbose) dump_logininfo(li1, "li1"); - if ((int)geteuid() != 0) { + if ((int)geteuid() != ROOT_UID) { printf("NOT RUNNING LOGIN TESTS - you are not root!\n"); return 1; } only in patch2: unchanged: --- openssh-4.7p1.orig/misc.h +++ openssh-4.7p1/misc.h 
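Review bot: `#define initgroups(user,group) 0` and `#define setgroups(size,list) 0` make every caller believe the supplementary group list was set or cleared when nothing happened, and because they are macros the `setgroups(0, NULL)` in sshd.c and the `initgroups` calls in the privilege-drop paths compile to a constant with no call at all. If the intent is that group membership on Interix is established by `setuser()` (as the uidswap.c hunk suggests), say so above the block, e.g. `/* Interix: supplementary groups come from setuser(); stub the POSIX calls as successful no-ops. */`, so the stubs are not mistaken for an implementation. `#define IOV_MAX 1024` should be wrapped in `#ifndef IOV_MAX` so it cannot collide with a system header that already defines it.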
@@ -15,6 +15,18 @@ #ifndef _MISC_H #define _MISC_H +/* This one is required for propper interix support, since there the "root" user + * is Administrator (or maybe something else). In any case the uid of that user + * is 197108 (i don't know how much you have to drink before inventing such a + * root uid...) */ +#ifdef __INTERIX +# define ROOT_UID 197108 +# define ROOT_GID 131616 +#else +# define ROOT_UID 0 +# define ROOT_GID 0 +#endif + /* misc.c */ char *chop(char *); only in patch2: unchanged: --- openssh-4.7p1.orig/sshpty.c +++ openssh-4.7p1/sshpty.c @@ -78,8 +78,8 @@ void pty_release(const char *tty) { - if (chown(tty, (uid_t) 0, (gid_t) 0) < 0) - error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno)); + if (chown(tty, (uid_t) ROOT_UID, (gid_t) ROOT_GID) < 0) + error("chown %.100s %d %d failed: %.100s", tty, ROOT_UID, ROOT_GID, strerror(errno)); if (chmod(tty, (mode_t) 0666) < 0) error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno)); } @@ -224,7 +224,7 @@ if (st.st_uid != pw->pw_uid || st.st_gid != gid) { if (chown(tty, pw->pw_uid, gid) < 0) { if (errno == EROFS && - (st.st_uid == pw->pw_uid || st.st_uid == 0)) + (st.st_uid == pw->pw_uid || st.st_uid == ROOT_UID)) debug("chown(%.100s, %u, %u) failed: %.100s", tty, (u_int)pw->pw_uid, (u_int)gid, strerror(errno)); only in patch2: unchanged: --- openssh-4.7p1.orig/uidswap.c +++ openssh-4.7p1/uidswap.c @@ -23,9 +23,20 @@ #include +#ifdef __INTERIX +# include +#endif + #include "log.h" #include "uidswap.h" #include "xmalloc.h" +#include "misc.h" + +#ifdef __INTERIX +/* store the user's password from auth-passwd.c for later use in setuser() */ +char *users_passwd = NULL; +#endif + /* * Note: all these functions must work in all of the following cases: 
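Review bot: The new comment above `ROOT_UID` in misc.h documents the value as a mystery ("i don't know how much you have to drink…") rather than explaining it, and "(or maybe something else)" leaves a reader unsure whether 197108 is even the right account. The two constants appear to be the Interix encoding of the local Administrator account (RID 500) and the Administrators group (RID 544) with a domain prefix added; if that is confirmed, say so and drop the speculation: `/* Interix has no uid 0: the privileged account is Administrator. These are its uid/gid as Interix encodes them (domain prefix + well-known RID); check the platform docs before changing them. */`. "propper" in the same comment is a typo.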
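Review bot: The new `error()` format in pty_release() prints `ROOT_UID`/`ROOT_GID` with `%d`, which is only correct because both macros happen to expand to plain int literals; the rest of sshpty.c prints ids through a `(u_int)` cast with `%u` (the hunk at -224 in this same file uses `(u_int)pw->pw_uid`). Casting here too keeps the file consistent and survives a later change of the macros to uid_t/gid_t expressions: `error("chown %.100s %u %u failed: %.100s", tty, (u_int)ROOT_UID, (u_int)ROOT_GID, strerror(errno));`.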
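Review bot: `users_passwd` in uidswap.c is a new non-static global holding the user's cleartext password from authentication until the privilege drop, yet it is defined with only a one-line comment and no declaration in a header, so auth-passwd.c has to supply its own `extern`. Declare it as `extern char *users_passwd;` in uidswap.h under `#ifdef __INTERIX`, and document the ownership contract at the definition: who allocates it (the comment names auth-passwd.c), that it must be heap memory because `permanently_set_uid()` xfree()s it, and that it is zeroed, freed and set back to NULL there, so nothing may read it afterwards. A comment such as `/* Set by auth-passwd.c (xmalloc'd). Cleared, freed and NULLed by permanently_set_uid(); never read after that. */` would carry that.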
@@ -66,13 +77,13 @@ (u_int)pw->pw_uid, (u_int)pw->pw_gid, (u_int)saved_euid, (u_int)saved_egid); #ifndef HAVE_CYGWIN - if (saved_euid != 0) { + if (saved_euid != ROOT_UID) { privileged = 0; return; } #endif #else - if (geteuid() != 0) { + if (geteuid() != ROOT_UID) { privileged = 0; return; } @@ -153,7 +164,7 @@ fatal("setuid %u: %.100s", (u_int)uid, strerror(errno)); #endif -#ifndef HAVE_CYGWIN +#if !defined(HAVE_CYGWIN) && !defined(__INTERIX) /* Try restoration of UID if changed (test clearing of saved uid) */ if (old_uid != uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) @@ -220,6 +231,40 @@ debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); +#if defined(__INTERIX) + char *p = users_passwd; + char pass[1024]; + + if (!p) { + /* if not given interactively, try getting the password + from the LSA secret area, where it may have been put with regpwd */ + char key[132] = ""; + wchar_t wpass[1024]; + struct passwd *pwfull = getpwuid_ex(pw->pw_uid, PW_FULLNAME); + if (pwfull == NULL) + fatal("permanently_set_uid: getpwuid_ex() failed"); + strncat(key, pwfull->pw_name, sizeof(key) - 1); + *strchr(key, '+') = '_'; + strncat(key, "_microsoft_sfu_utility", sizeof(key) - 1); + + int ret = getsecret(key, wpass, sizeof(wpass)); + if (ret > 0) { + ret = wcstombs(pass, wpass, ret); + if (ret > 0) p = pass; + memset(wpass, 0, sizeof(wpass)); + } + } + + if (setuser(pw->pw_name, p, SU_COMPLETE)) + fatal("setuser %.100s: %.100s", pw->pw_name, strerror(errno)); + if (users_passwd) { + memset(users_passwd, 0, strlen(users_passwd)); + xfree(users_passwd); + users_passwd = NULL; + } + memset(pass, 0, sizeof(pass)); +#else + #if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); 
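Review bot: The saved-uid restoration test at -153 is now compiled out on Interix as well as Cygwin, which removes the check that the process can no longer switch back to its old uid, and the hunk gives no reason for it. The condition deserves a comment stating why the test is not applicable on that platform, in the form `/* __INTERIX: skipped because <reason> */` with the reason filled in by the author (presumably a difference in saved-id semantics, but that is not visible here). The same disabling appears in the hunks at -248 and -262 of this file (the gid and uid restoration tests in permanently_set_uid), and the same comment belongs there. The enclosing function starts outside the hunk.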
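Review bot: In the new `__INTERIX` block of permanently_set_uid() the key-name construction can both dereference NULL and overflow: `*strchr(key, '+') = '_'` is unchecked, so a pw_name without a `+` crashes, and the second `strncat(key, "_microsoft_sfu_utility", sizeof(key) - 1)` passes the whole buffer size as its bound instead of the space remaining, so a name of 110 or more characters writes past the 132-byte `key`. The conversion then passes `ret` — whatever `getsecret()` returned — as the destination size to `wcstombs()` instead of `sizeof(pass)`, and wcstombs does not NUL-terminate when it fills exactly that many bytes, so `pass` can reach `setuser()` unterminated. `wpass` is also cleared only on the success path, and a plain `memset()` of locals about to go out of scope is a dead store the optimizer may drop (a non-elidable clear, if the tree has one, is the right call for both `pass` and `wpass`). The rewrite below builds the key with a length-checked `snprintf`, tolerates a missing `+`, bounds the conversion by `sizeof(pass) - 1`, terminates it, and clears `wpass` unconditionally. `permanently_set_uid()` begins and ends outside this hunk; the mixed declarations and statements (`int ret = …` after code) are also new to this file's otherwise C89-style bodies.
```c
	if (!p) {
		/* if not given interactively, try getting the password
		   from the LSA secret area, where it may have been put with regpwd */
		char key[132];
		char *sep;
		wchar_t wpass[1024];
		struct passwd *pwfull = getpwuid_ex(pw->pw_uid, PW_FULLNAME);
		size_t len;
		int ret;

		if (pwfull == NULL)
			fatal("permanently_set_uid: getpwuid_ex() failed");
		/* secret name is "<name>_microsoft_sfu_utility" with the
		   domain separator '+' replaced by '_'; refuse to truncate */
		ret = snprintf(key, sizeof(key), "%s_microsoft_sfu_utility",
		    pwfull->pw_name);
		if (ret < 0 || (size_t)ret >= sizeof(key))
			fatal("permanently_set_uid: secret name too long for %.100s",
			    pwfull->pw_name);
		if ((sep = strchr(key, '+')) != NULL)
			*sep = '_';

		ret = getsecret(key, wpass, sizeof(wpass));
		if (ret > 0) {
			/* NOTE(review): terminate wpass[ret] here if getsecret()
			   reports a wide-char count and does not NUL-terminate */
			/* bound by the destination, not by getsecret()'s count */
			len = wcstombs(pass, wpass, sizeof(pass) - 1);
			if (len != (size_t)-1 && len > 0) {
				pass[len] = '\0';
				p = pass;
			}
		}
		memset(wpass, 0, sizeof(wpass));
	}
	/* … unchanged: setuser() call and users_passwd scrub … */
```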
@@ -248,9 +293,11 @@ fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); #endif -#ifndef HAVE_CYGWIN +#endif /* defined(__INTERIX) */ + +#if !defined(HAVE_CYGWIN) && !defined(__INTERIX) /* Try restoration of GID if changed (test clearing of saved gid) */ - if (old_gid != pw->pw_gid && pw->pw_uid != 0 && + if (old_gid != pw->pw_gid && pw->pw_uid != ROOT_UID && (setgid(old_gid) != -1 || setegid(old_gid) != -1)) fatal("%s: was able to restore old [e]gid", __func__); #endif @@ -262,7 +309,7 @@ (u_int)pw->pw_gid); } -#ifndef HAVE_CYGWIN +#if !defined(HAVE_CYGWIN) && !defined(__INTERIX) /* Try restoration of UID if changed (test clearing of saved uid) */ if (old_uid != pw->pw_uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) only in patch2: unchanged: --- openssh-4.7p1.orig/openbsd-compat/port-aix.c +++ openssh-4.7p1/openbsd-compat/port-aix.c @@ -243,7 +243,7 @@ * logins via ssh) or if running as non-root user (since * loginrestrictions will always fail due to insufficient privilege). */ - if (pw->pw_uid == 0 || geteuid() != 0) { + if (pw->pw_uid == ROOT_UID || geteuid() != ROOT_UID) { debug3("%s: not checking", __func__); return 1; } @@ -300,7 +300,7 @@ void record_failed_login(const char *user, const char *hostname, const char *ttyname) { - if (geteuid() != 0) + if (geteuid() != ROOT_UID) return; aix_setauthdb(user);