OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Christoph Schug
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 29-Mar-2004 14:44:24
Branch: HEAD Handle: 2004032913442300
Added files:
openpkg-src/openssh openssh.patch.sftplogging
Modified files:
openpkg-src/openssh openssh.spec
Log:
added patch based on http://sftplogging.sf.net/ which allows
controlled umask-ing and controls chown/chmod in SFTP sessions
Summary:
Revision Changes Path
1.1 +712 -0 openpkg-src/openssh/openssh.patch.sftplogging
1.128 +15 -10 openpkg-src/openssh/openssh.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/openssh/openssh.patch.sftplogging
============================================================================
$ cvs diff -u -r0 -r1.1 openssh.patch.sftplogging
--- /dev/null 2004-03-29 14:44:23.000000000 +0200
+++ openssh.patch.sftplogging 2004-03-29 14:44:23.000000000 +0200
@@ -0,0 +1,712 @@
+diff -wur openssh-3.8p1.orig/servconf.c openssh-3.8p1/servconf.c
+--- openssh-3.8p1.orig/servconf.c 2004-01-23 12:03:10.000000000 +0100
++++ openssh-3.8p1/servconf.c 2004-03-29 10:44:26.000000000 +0200
+@@ -102,6 +102,15 @@
+ options->authorized_keys_file = NULL;
+ options->authorized_keys_file2 = NULL;
+
++ options->log_sftp = LOG_SFTP_NOT_SET;
++ options->sftp_log_facility = SYSLOG_FACILITY_NOT_SET;
++ options->sftp_log_level = SYSLOG_LEVEL_NOT_SET;
++
++ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH);
++
++ options->sftp_permit_chmod = SFTP_PERMIT_NOT_SET;
++ options->sftp_permit_chown = SFTP_PERMIT_NOT_SET;
++
+ /* Needs to be accessable in many places */
+ use_privsep = -1;
+ }
+@@ -228,6 +237,24 @@
+ if (options->authorized_keys_file == NULL)
+ options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+
++ /* Turn sftp-server logging off by default */
++ if (options->log_sftp == LOG_SFTP_NOT_SET)
++ options->log_sftp = LOG_SFTP_NO;
++ if (options->sftp_log_facility == SYSLOG_FACILITY_NOT_SET)
++ options->sftp_log_facility = SYSLOG_FACILITY_AUTH;
++ if (options->sftp_log_level == SYSLOG_LEVEL_NOT_SET)
++ options->sftp_log_level = SYSLOG_LEVEL_INFO;
++
++ /* Don't set sftp-server umask */
++ if (!options->sftp_umask)
++ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH);
++
++ /* allow sftp client to issue chmod, chown / chgrp commands */
++ if (options->sftp_permit_chmod == SFTP_PERMIT_NOT_SET)
++ options->sftp_permit_chmod = SFTP_PERMIT_YES;
++ if (options->sftp_permit_chown == SFTP_PERMIT_NOT_SET)
++ options->sftp_permit_chown = SFTP_PERMIT_YES;
++
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+ use_privsep = 1;
+@@ -268,6 +295,9 @@
+ sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ sGssAuthentication, sGssCleanupCreds,
+ sUsePrivilegeSeparation,
++ sLogSftp, sSftpLogFacility, sSftpLogLevel,
++ sSftpUmask,
++ sSftpPermitChown, sSftpPermitChmod,
+ sDeprecated, sUnsupported
+ } ServerOpCodes;
+
+@@ -366,6 +396,12 @@
+ { "authorizedkeysfile", sAuthorizedKeysFile },
+ { "authorizedkeysfile2", sAuthorizedKeysFile2 },
+ { "useprivilegeseparation", sUsePrivilegeSeparation},
++ { "logsftp", sLogSftp},
++ { "sftplogfacility", sSftpLogFacility},
++ { "sftploglevel", sSftpLogLevel},
++ { "sftpumask", sSftpUmask},
++ { "sftppermitchmod", sSftpPermitChmod},
++ { "sftppermitchown", sSftpPermitChown},
+ { NULL, sBadOption }
+ };
+
+@@ -431,6 +467,8 @@
+ char *cp, **charptr, *arg, *p;
+ int *intptr, value, i, n;
+ ServerOpCodes opcode;
++ unsigned int umaskvalue = 0;
++ char *umaskptr;
+
+ cp = line;
+ arg = strdelim(&cp);
+@@ -871,6 +909,58 @@
+ case sBanner:
+ charptr = &options->banner;
+ goto parse_filename;
++
++ case sLogSftp:
++ intptr = &options->log_sftp;
++ goto parse_flag;
++
++ case sSftpLogFacility:
++ intptr = (int *) &options->sftp_log_facility;
++ arg = strdelim(&cp);
++ value = log_facility_number(arg);
++ if (value == SYSLOG_FACILITY_NOT_SET)
++ fatal("%.200s line %d: unsupported log facility '%s'",
++ filename, linenum, arg ? arg : "<NONE>");
++ if (*intptr == -1)
++ *intptr = (SyslogFacility) value;
++ break;
++
++ case sSftpLogLevel:
++ intptr = (int *) &options->sftp_log_level;
++ arg = strdelim(&cp);
++ value = log_level_number(arg);
++ if (value == SYSLOG_LEVEL_NOT_SET)
++ fatal("%.200s line %d: unsupported log level '%s'",
++ filename, linenum, arg ? arg : "<NONE>");
++ if (*intptr == -1)
++ *intptr = (LogLevel) value;
++ break;
++
++ case sSftpUmask:
++ arg = strdelim(&cp);
++ umaskptr = arg;
++ while (*arg && *arg >= '0' && *arg <= '9')
++ umaskvalue = umaskvalue * 8 + *arg++ - '0';
++ if (*arg || umaskvalue > 0777)
++ fatal("%s line %d: bad value for umask",
++ filename, linenum);
++ else {
++ while (*umaskptr && *umaskptr == '0')
++ *umaskptr++;
++ strncpy(options->sftp_umask, umaskptr,
++ SFTP_UMASK_LENGTH);
++ }
++
++ break;
++
++ case sSftpPermitChmod:
++ intptr = &options->sftp_permit_chmod;
++ goto parse_flag;
++
++ case sSftpPermitChown:
++ intptr = &options->sftp_permit_chown;
++ goto parse_flag;
++
+ /*
+ * These options can contain %X options expanded at
+ * connect time, so that you can specify paths like:
+@@ -913,6 +1003,7 @@
+ if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
+ fatal("%s line %d: garbage at end of line; \"%.200s\".",
+ filename, linenum, arg);
++
+ return 0;
+ }
+
+diff -wur openssh-3.8p1.orig/servconf.h openssh-3.8p1/servconf.h
+--- openssh-3.8p1.orig/servconf.h 2003-12-31 01:37:34.000000000 +0100
++++ openssh-3.8p1/servconf.h 2004-03-29 10:44:26.000000000 +0200
+@@ -32,6 +32,18 @@
+ #define PERMIT_NO_PASSWD 2
+ #define PERMIT_YES 3
+
++/* sftp-server logging */
++#define LOG_SFTP_NOT_SET -1
++#define LOG_SFTP_NO 0
++#define LOG_SFTP_YES 1
++
++/* sftp-server umask control */
++#define SFTP_UMASK_LENGTH 5
++
++/* sftp-server client priviledge */
++#define SFTP_PERMIT_NOT_SET -1
++#define SFTP_PERMIT_NO 0
++#define SFTP_PERMIT_YES 1
+
+ typedef struct {
+ u_int num_ports;
+@@ -125,6 +137,13 @@
+ char *authorized_keys_file; /* File containing public keys */
+ char *authorized_keys_file2;
+ int use_pam; /* Enable auth via PAM */
++ int log_sftp; /* perform sftp-server logging */
++ SyslogFacility sftp_log_facility; /* Facility for sftp subsystem
logging. */
++ LogLevel sftp_log_level; /* Level for sftp subsystem logging. */
++ char sftp_umask[SFTP_UMASK_LENGTH]; /* Sftp Umask */
++ int sftp_permit_chmod;
++ int sftp_permit_chown;
++
+ } ServerOptions;
+
+ void initialize_server_options(ServerOptions *);
+diff -wur openssh-3.8p1.orig/session.c openssh-3.8p1/session.c
+--- openssh-3.8p1.orig/session.c 2004-02-23 14:01:27.000000000 +0100
++++ openssh-3.8p1/session.c 2004-03-29 10:44:26.000000000 +0200
+@@ -112,6 +112,15 @@
+
+ static int is_child = 0;
+
++/* so SFTP_LOG_FACILITY and SFTP_LOG_LEVEL can be passed through the
++ environment to the sftp-server subsystem. */
++static const char *sysfac_to_int[] = { "0", "1", "2", "3", "4", "5", "6",
++ "7", "8", "9", "10", "11", "-1" };
++static const char *syslevel_to_int[] = { "0", "1", "2", "3", "4", "5", "6",
++ "7", "-1" };
++
++static char *sftpumask;
++
+ /* Name and directory of socket for authentication agent forwarding. */
+ static char *auth_sock_name = NULL;
+ static char *auth_sock_dir = NULL;
+@@ -971,6 +980,7 @@
+ env = xmalloc(envsize * sizeof(char *));
+ env[0] = NULL;
+
++
+ #ifdef HAVE_CYGWIN
+ /*
+ * The Windows environment contains some setting which are
+@@ -1111,6 +1121,67 @@
+ child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
+ auth_sock_name);
+
++ /* LOG_SFTP */
++ if (options.log_sftp == -1 )
++ child_set_env(&env, &envsize, "LOG_SFTP", "-1");
++ else if (options.log_sftp == 0)
++ child_set_env(&env, &envsize, "LOG_SFTP", "0");
++ else
++ child_set_env(&env, &envsize, "LOG_SFTP", "1");
++
++ /* SFTP_LOG_FACILITY */
++ if (options.sftp_log_facility < 0)
++ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY",
++ "-1");
++ else
++ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY",
++ sysfac_to_int[options.sftp_log_facility]);
++
++ /* SFTP_LOG_LEVEL */
++ if (options.sftp_log_level < 0)
++ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL",
++ "-1");
++ else
++ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL",
++ syslevel_to_int[options.sftp_log_level]);
++
++ /* SFTP_UMASK */
++
++ if (options.sftp_umask[0] == '\0')
++ child_set_env(&env, &envsize, "SFTP_UMASK",
++ "" );
++ else {
++ if (!(sftpumask = calloc(SFTP_UMASK_LENGTH,1))) {
++
++logit("session.c: unabled to allocate memory for SftpUmask. SftpUmask control \
++will be turned off.");
++
++ child_set_env(&env, &envsize, "SFTP_UMASK",
++ "" );
++ } else {
++ strncpy(sftpumask, options.sftp_umask,
++ SFTP_UMASK_LENGTH);
++ child_set_env(&env, &envsize, "SFTP_UMASK",
++ sftpumask );
++ }
++ }
++
++ /* SFTP_PERMIT_CHMOD */
++ if (options.sftp_permit_chmod == -1 )
++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "-1");
++ else if (options.sftp_permit_chmod == 0)
++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "0");
++ else
++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "1");
++
++ /* SFTP_PERMIT_CHOWN */
++ if (options.sftp_permit_chown == -1 )
++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "-1");
++ else if (options.sftp_permit_chown == 0)
++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "0");
++ else
++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "1");
++
+ /* read $HOME/.ssh/environment. */
+ if (options.permit_user_env && !options.use_login) {
+ snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
+diff -wur openssh-3.8p1.orig/sftp-server.8 openssh-3.8p1/sftp-server.8
+--- openssh-3.8p1.orig/sftp-server.8 2003-10-15 07:50:43.000000000 +0200
++++ openssh-3.8p1/sftp-server.8 2004-03-29 10:44:26.000000000 +0200
+@@ -41,6 +41,20 @@
+ .Cm Subsystem
+ option.
+ See
++.Xr sshd 8
++for more information. Sftp-server transactions may be logged
++using the
++.Cm LogSftp ,
++.Cm SftpLogFacility ,
++and
++.Cm SftpLogLevel
++options. The administrator may exert control over the file and directory
++permission and ownership, with
++.Cm SftpUmask ,
++.Cm SftpPermitChmod ,
++and
++.Cm SftpPermitChown
++. See
+ .Xr sshd_config 5
+ for more information.
+ .Sh SEE ALSO
+diff -wur openssh-3.8p1.orig/sftp-server.c openssh-3.8p1/sftp-server.c
+--- openssh-3.8p1.orig/sftp-server.c 2004-02-23 23:19:15.000000000 +0100
++++ openssh-3.8p1/sftp-server.c 2004-03-29 10:45:39.000000000 +0200
+@@ -31,6 +31,13 @@
+ #define get_string(lenp) buffer_get_string(&iqueue, lenp);
+ #define TRACE debug
+
++/* SFTP_UMASK */
++static mode_t setumask = 0;
++
++static int permit_chmod = 1;
++static int permit_chown = 1;
++static int permit_logging = 0;
++
+ #ifdef HAVE___PROGNAME
+ extern char *__progname;
+ #else
+@@ -385,6 +392,14 @@
+ a = get_attrib();
+ flags = flags_from_portable(pflags);
+ mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
++
++ if (setumask != 0) {
++ if ( permit_logging == 1 )
++ logit("setting file creation mode to 0666 and umask to %o", setumask);
++ mode = 0666;
++ umask(setumask);
++ }
++
+ TRACE("open id %u name %s flags %d mode 0%o", id, name, pflags, mode);
+ fd = open(name, flags, mode);
+ if (fd < 0) {
+@@ -398,6 +413,8 @@
+ status = SSH2_FX_OK;
+ }
+ }
++ if ( permit_logging == 1 )
++ logit("open %s", name);
+ if (status != SSH2_FX_OK)
+ send_status(id, status);
+ xfree(name);
+@@ -434,6 +451,7 @@
+ (u_int64_t)off, len);
+ if (len > sizeof buf) {
+ len = sizeof buf;
++ if ( permit_logging == 1 )
+ logit("read change len %d", len);
+ }
+ fd = handle_to_fd(handle);
+@@ -453,6 +471,8 @@
+ }
+ }
+ }
++ if ( permit_logging == 1 )
++ logit("reading file");
+ if (status != SSH2_FX_OK)
+ send_status(id, status);
+ }
+@@ -487,10 +507,13 @@
+ } else if (ret == len) {
+ status = SSH2_FX_OK;
+ } else {
++ if ( permit_logging == 1 )
+ logit("nothing at all written");
+ }
+ }
+ }
++ if ( permit_logging == 1 )
++ logit("writing file");
+ send_status(id, status);
+ xfree(data);
+ }
+@@ -583,24 +606,46 @@
+ a = get_attrib();
+ TRACE("setstat id %u name %s", id, name);
+ if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
++if ( permit_logging == 1 )
++logit("process_setstat: truncate");
+ ret = truncate(name, a->size);
+ if (ret == -1)
+ status = errno_to_portable(errno);
+ }
+ if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
++ if (permit_chmod == 1) {
+ ret = chmod(name, a->perm & 0777);
+ if (ret == -1)
+ status = errno_to_portable(errno);
++ else
++ if ( permit_logging == 1 )
++ logit("chmod'ed %s", name);
++ } else {
++ status = SSH2_FX_PERMISSION_DENIED;
++ if ( permit_logging == 1 )
++ logit("chmod %s: operation prohibited by sftp-server
configuration.", name);
++ }
+ }
+ if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
++if ( permit_logging == 1 )
++logit("process_setstat: utimes");
+ ret = utimes(name, attrib_to_tv(a));
+ if (ret == -1)
+ status = errno_to_portable(errno);
+ }
+ if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
++ if (permit_chown == 1) {
+ ret = chown(name, a->uid, a->gid);
+ if (ret == -1)
+ status = errno_to_portable(errno);
++ else
++ if ( permit_logging == 1 )
++ logit("chown'ed %s.", name);
++ } else {
++ status = SSH2_FX_PERMISSION_DENIED;
++ if ( permit_logging == 1 )
++ logit("chown %s: operation prohibited by sftp-server
configuration.", name);
++ }
+ }
+ send_status(id, status);
+ xfree(name);
+@@ -615,6 +660,9 @@
+ int status = SSH2_FX_OK;
+ char *name;
+
++if ( permit_logging == 1 )
++logit("process_fsetstat");
++
+ id = get_int();
+ handle = get_handle();
+ a = get_attrib();
+@@ -625,11 +673,14 @@
+ status = SSH2_FX_FAILURE;
+ } else {
+ if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
++if ( permit_logging == 1 )
++logit("process_fsetstat: ftruncate");
+ ret = ftruncate(fd, a->size);
+ if (ret == -1)
+ status = errno_to_portable(errno);
+ }
+ if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
++ if (permit_chmod == 1) {
+ #ifdef HAVE_FCHMOD
+ ret = fchmod(fd, a->perm & 0777);
+ #else
+@@ -637,8 +688,18 @@
+ #endif
+ if (ret == -1)
+ status = errno_to_portable(errno);
++ else
++ if ( permit_logging == 1 )
++ logit("chmod: succeeded.");
++ } else {
++ status = SSH2_FX_PERMISSION_DENIED;
++ if ( permit_logging == 1 )
++ logit("chmod: operation prohibited by sftp-server
configuration.");
++ }
+ }
+ if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
++if ( permit_logging == 1 )
++logit("process_fsetstat: utimes");
+ #ifdef HAVE_FUTIMES
+ ret = futimes(fd, attrib_to_tv(a));
+ #else
+@@ -648,6 +709,7 @@
+ status = errno_to_portable(errno);
+ }
+ if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
++ if (permit_chown == 1) {
+ #ifdef HAVE_FCHOWN
+ ret = fchown(fd, a->uid, a->gid);
+ #else
+@@ -655,6 +717,14 @@
+ #endif
+ if (ret == -1)
+ status = errno_to_portable(errno);
++ else
++ if ( permit_logging == 1 )
++ logit("chown: succeeded");
++ } else {
++ status = SSH2_FX_PERMISSION_DENIED;
++ if ( permit_logging == 1 )
++ logit("chown: operation prohibited by sftp-server
configuration.");
++ }
+ }
+ }
+ send_status(id, status);
+@@ -684,6 +754,8 @@
+ }
+
+ }
++ if ( permit_logging == 1 )
++ logit("opendir %s", path);
+ if (status != SSH2_FX_OK)
+ send_status(id, status);
+ xfree(path);
+@@ -757,6 +829,8 @@
+ TRACE("remove id %u name %s", id, name);
+ ret = unlink(name);
+ status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
++ if ( permit_logging == 1 )
++ logit("remove file %s", name);
+ send_status(id, status);
+ xfree(name);
+ }
+@@ -774,9 +848,19 @@
+ a = get_attrib();
+ mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
+ a->perm & 0777 : 0777;
++
++ if (setumask != 0) {
++ if ( permit_logging == 1 )
++ logit("setting directory creation mode to 0777 and umask to %o.",
setumask);
++ mode = 0777;
++ umask(setumask);
++ }
++
+ TRACE("mkdir id %u name %s mode 0%o", id, name, mode);
+ ret = mkdir(name, mode);
+ status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
++ if ( permit_logging == 1 )
++ logit("mkdir %s", name);
+ send_status(id, status);
+ xfree(name);
+ }
+@@ -793,6 +877,8 @@
+ TRACE("rmdir id %u name %s", id, name);
+ ret = rmdir(name);
+ status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
++ if ( permit_logging == 1 )
++ logit("rmdir %s", name);
+ send_status(id, status);
+ xfree(name);
+ }
+@@ -819,6 +905,8 @@
+ s.name = s.long_name = resolvedname;
+ send_names(id, 1, &s);
+ }
++ if ( permit_logging == 1 )
++ logit("realpath %s", path);
+ xfree(path);
+ }
+
+@@ -854,6 +942,8 @@
+ status = SSH2_FX_OK;
+ }
+ send_status(id, status);
++ if ( permit_logging == 1 )
++ logit("rename old %s new %s", oldpath, newpath);
+ xfree(oldpath);
+ xfree(newpath);
+ }
+@@ -879,6 +969,8 @@
+ s.name = s.long_name = link;
+ send_names(id, 1, &s);
+ }
++ if ( permit_logging == 1 )
++ logit("readlink %s", path);
+ xfree(path);
+ }
+
+@@ -897,6 +989,8 @@
+ ret = symlink(oldpath, newpath);
+ status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+ send_status(id, status);
++ if ( permit_logging == 1 )
++ logit("symlink old %s new %s", oldpath, newpath);
+ xfree(oldpath);
+ xfree(newpath);
+ }
+@@ -1018,6 +1112,8 @@
+ {
+ fd_set *rset, *wset;
+ int in, out, max;
++ unsigned int val = 0;
++ char *umask_env;
+ ssize_t len, olen, set_size;
+
+ /* XXX should use getopt */
+@@ -1025,6 +1121,16 @@
+ __progname = ssh_get_progname(av[0]);
+ handle_init();
+
++ /* Transaction logging */
++
++ if (atoi(getenv("LOG_SFTP")) == 1)
++ {
++ permit_logging = 1;
++ log_init("sftp-server", atoi(getenv("SFTP_LOG_LEVEL")),
++ atoi(getenv("SFTP_LOG_FACILITY")), 0);
++ };
++
++
+ #ifdef DEBUG_SFTP_SERVER
+ log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0);
+ #endif
+@@ -1032,6 +1138,39 @@
+ in = dup(STDIN_FILENO);
+ out = dup(STDOUT_FILENO);
+
++ if ( permit_logging == 1 )
++ logit("Starting sftp-server logging for user %s.", getenv("USER"));
++
++ /* Umask control */
++
++ umask_env = getenv("SFTP_UMASK");
++ while (*umask_env && *umask_env >= '0' && *umask_env <= '9')
++ val = val * 8 + *umask_env++ - '0';
++
++ if (*umask_env || val > 0777 || val == 0) {
++ if ( permit_logging == 1 )
++ logit("bad value %o for SFTP_UMASK, turning umask control off.", val);
++ setumask = 0;
++ } else {
++ if ( permit_logging == 1 )
++ logit("umask control is on.");
++ setumask = val;
++ };
++
++
++ /* Sensitive client commands */
++
++ if (atoi(getenv("SFTP_PERMIT_CHMOD")) != 1) {
++ permit_chmod = 0;
++ if ( permit_logging == 1 )
++ logit("client is not permitted to chmod.");
++ };
++ if (atoi(getenv("SFTP_PERMIT_CHOWN")) != 1) {
++ permit_chown = 0;
++ if ( permit_logging == 1 )
++ logit("client is not permitted to chown.");
++ };
++
+ #ifdef HAVE_CYGWIN
+ setmode(in, O_BINARY);
+ setmode(out, O_BINARY);
+@@ -1071,6 +1210,8 @@
+ len = read(in, buf, sizeof buf);
+ if (len == 0) {
+ debug("read eof");
++ if ( permit_logging == 1 )
++ logit("sftp-server finished.");
+ exit(0);
+ } else if (len < 0) {
+ error("read error");
+diff -wur openssh-3.8p1.orig/sshd_config openssh-3.8p1/sshd_config
+--- openssh-3.8p1.orig/sshd_config 2003-12-31 01:38:32.000000000 +0100
++++ openssh-3.8p1/sshd_config 2004-03-29 10:44:26.000000000 +0200
+@@ -95,3 +95,14 @@
+
+ # override default of no subsystems
+ Subsystem sftp /usr/libexec/sftp-server
++
++# sftp-server logging
++#LogSftp no
++#SftpLogFacility AUTH
++#SftpLogLevel INFO
++
++# sftp-server umask control
++#SftpUmask
++
++#SftpPermitChmod yes
++#SftpPermitChown yes
+diff -wur openssh-3.8p1.orig/sshd_config.5 openssh-3.8p1/sshd_config.5
+--- openssh-3.8p1.orig/sshd_config.5 2004-02-18 04:31:24.000000000 +0100
++++ openssh-3.8p1/sshd_config.5 2004-03-29 10:44:26.000000000 +0200
+@@ -374,6 +374,10 @@
+ DEBUG and DEBUG1 are equivalent.
+ DEBUG2 and DEBUG3 each specify higher levels of debugging output.
+ Logging with a DEBUG level violates the privacy of users and is not recommended.
++.It Cm LogSftp
++Specifies whether to perform logging of
++.Nm sftp-server
++subsystem transactions. Must be "yes" or "no." The default value is "no."
+ .It Cm MACs
+ Specifies the available MAC (message authentication code) algorithms.
+ The MAC algorithm is used in protocol version 2
+@@ -526,6 +530,37 @@
+ .It Cm ServerKeyBits
+ Defines the number of bits in the ephemeral protocol version 1 server key.
+ The minimum value is 512, and the default is 768.
++.It Cm SftpLogFacility
++Gives the facility code that is used when logging
++.Nm sftp-server .
++transactions. The possible values are: DAEMON, USER, AUTH, LOCAL0,
++LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
++The default is AUTH.
++.It Cm SftpLogLevel
++Gives the verbosity level that is used when logging messages from
++.Nm sftp-server .
++The possible values are:
++QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
++The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
++and DEBUG3 each specify higher levels of debugging output.
++Logging with a DEBUG level violates the privacy of users
++and is not recommended.
++.It Cm SftpPermitChmod
++Specifies whether the sftp-server allows the sftp client to execute chmod
++commands on the server. The default is yes.
++.It Cm SftpPermitChown
++Specifies whether the sftp-server allows the sftp client to execute chown
++or chgrp commands on the server. Turning this value on means that the client
++is allowed to execute both chown and chgrp commands. Turning it off means that
++the client is prohibited from executing either chown or chgrp.
++ The default is yes.
++.It Cm SftpUmask
++Specifies an optional umask for
++.Nm sftp-server
++subsystem transactions. If a umask is given, this umask will override all system,
++environment or sftp client permission modes. If
++no umask or an invalid umask is given, file creation mode defaults to the
permission
++mode specified by the sftp client. The default is for no umask.
+ .It Cm StrictModes
+ Specifies whether
+ .Nm sshd
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/openssh/openssh.spec
============================================================================
$ cvs diff -u -r1.127 -r1.128 openssh.spec
--- openpkg-src/openssh/openssh.spec 24 Mar 2004 19:55:41 -0000 1.127
+++ openpkg-src/openssh/openssh.spec 29 Mar 2004 12:44:23 -0000 1.128
@@ -42,18 +42,19 @@
Group: Security
License: BSD
Version: %{V_base}%{V_portable}
-Release: 20040324
+Release: 20040329
# package options
-%option with_fsl yes
-%option with_pam no
-%option with_skey no
-%option with_x11 no
-%option with_chroot no
-%option with_alias no
-%option with_watchdog no
-%option with_ldap no
-%option with_wrap no
+%option with_fsl yes
+%option with_alias no
+%option with_chroot no
+%option with_ldap no
+%option with_pam no
+%option with_sftplogging no
+%option with_skey no
+%option with_watchdog no
+%option with_wrap no
+%option with_x11 no
# list of sources
Source0:
ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -70,6 +71,7 @@
Patch2: openssh.patch.alias
Patch3:
http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-%{V_watchdog}-watchdog.patch.tgz
Patch4:
http://ldappubkey.gcu-squad.org/%{V_ldap_vers1}/ldappubkey-ossh%{V_ldap_base}-%{V_ldap_vers2}.patch
+Patch5: openssh.patch.sftplogging
# build information
Prefix: %{l_prefix}
@@ -147,6 +149,9 @@
%endif
%if "%{with_ldap}" == "yes"
%{l_gzip} -d -c %{SOURCE ldappubkey-ossh%{V_ldap_base}-%{V_ldap_vers2}.patch} |
%{l_patch} -p0
+%endif
+%if "%{with_sftplogging}" == "yes"
+ %patch -p1 -P 5
%endif
%build
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
