commit: b6150ddac2b5cf1d8d1421afeaa1a9c3e9615d9e Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Mon Mar 25 15:26:12 2024 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Mon Mar 25 15:26:12 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6150dda
net-misc/openssh: fix install mode for config dropins Closes: https://bugs.gentoo.org/906639 Closes: https://bugs.gentoo.org/915840 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> ...nssh-9.7_p1.ebuild => openssh-9.7_p1-r1.ebuild} | 78 +++++++++++++--------- 1 file changed, 48 insertions(+), 30 deletions(-) diff --git a/net-misc/openssh/openssh-9.7_p1.ebuild b/net-misc/openssh/openssh-9.7_p1-r1.ebuild similarity index 93% rename from net-misc/openssh/openssh-9.7_p1.ebuild rename to net-misc/openssh/openssh-9.7_p1-r1.ebuild index 9508c8162da3..fdead7192a13 100644 --- a/net-misc/openssh/openssh-9.7_p1.ebuild +++ b/net-misc/openssh/openssh-9.7_p1-r1.ebuild @@ -217,24 +217,18 @@ src_configure() { econf "${myconf[@]}" } -src_test() { - local tests=( compat-tests ) - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - ewarn "user, so we will run a subset only." - tests+=( interop-tests ) - else - tests+=( tests ) - fi +tweak_ssh_configs() { + cat <<-EOF >> ssh_config.out || die - local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 - mkdir -p "${HOME}"/.ssh || die - emake -j1 "${tests[@]}" </dev/null + Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" + EOF + cat <<-EOF >> sshd_config.out || die + + Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" + EOF } -# Gentoo tweaks to default config files. -tweak_ssh_configs() { +create_config_dropins() { local locale_vars=( # These are language variables that POSIX defines. # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 
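Review bot: The new `tweak_ssh_configs` in the first hunk has no header comment (the old `# Gentoo tweaks to default config files.` line is removed), and nothing records that it must run after `default` in `src_compile`. It appends to `ssh_config.out` and `sshd_config.out` in the build directory, which presumably exist only once the upstream build has generated them. I would add something like `# Append drop-in Include lines to the generated *_config.out files; call only after the default src_compile.` above the function. OpenSSH uses the first value obtained for each keyword, so an `Include` appended at the end of the file lets any setting in the main config override the drop-ins; if that precedence is intended, the comment should say so. Because the append uses `>>`, re-running the compile phase in the same work directory would add the `Include` lines a second time, which is harmless but worth noting there too.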
@@ -245,15 +239,9 @@ tweak_ssh_configs() { LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE ) - dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die - Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" - EOF - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die - Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" - EOF + mkdir -p "${WORKDIR}"/etc/ssh/{ssh_config.d,sshd_config.d} || die - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die # Send locale environment variables (bug #367017) SendEnv ${locale_vars[*]} @@ -261,16 +249,16 @@ tweak_ssh_configs() { SendEnv COLORTERM EOF - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" EOF - cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== EOF - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die # Allow client to pass locale environment variables (bug #367017) AcceptEnv ${locale_vars[*]} 
@@ -279,7 +267,7 @@ tweak_ssh_configs() { EOF if use pam ; then - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die UsePAM yes # This interferes with PAM. PasswordAuthentication no @@ -290,13 +278,36 @@ tweak_ssh_configs() { fi if use livecd ; then - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die # Allow root login with password on livecds. PermitRootLogin Yes EOF fi } +src_compile() { + default + tweak_ssh_configs + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" </dev/null +} + + src_install() { emake install-nokeys DESTDIR="${D}" fperms 600 /etc/ssh/sshd_config @@ -308,8 +319,6 @@ src_install() { newpamd "${FILESDIR}"/sshd.pam_include.2 sshd fi - tweak_ssh_configs - doman contrib/ssh-copy-id.1 dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config @@ -320,6 +329,15 @@ src_install() { systemd_dounit "${FILESDIR}"/sshd.socket systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service systemd_newunit "${FILESDIR}"/sshd_at.service.1 '[email protected]' + + # Install dropins with explicit mode, bug 906638, 915840 + diropts -m0755 + insopts -m0644 + insinto /etc/ssh + doins -r "${WORKDIR}"/etc/ssh/ssh_config.d + diropts -m0700 + insopts -m0600 + doins -r "${WORKDIR}"/etc/ssh/sshd_config.d } pkg_preinst() {
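Review bot: In the last hunk (`@@ -320,6 +329,15 @@`) the install block copies only `ssh_config.d` and `sshd_config.d`, but `create_config_dropins` now writes `ssh_revoked_hosts` to `"${WORKDIR}"/etc/ssh/` and no visible line installs it. The `9999999gentoo-security.conf` drop-in still sets `RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"`, and ssh_config(5) states that host authentication is refused for all hosts when that file does not exist or is not readable. Unless a part of `src_install` outside these hunks handles it, add `doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts` right after `insinto /etc/ssh`, while `insopts -m0644` is still in effect. Separately, the comment cites `bug 906638` while the commit trailer closes 906639, so one of the two numbers looks like a typo.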
