public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

openssh: Use the default privilege separation dir (/var/empty)

Browse Source 
(This is a rewritten version of the reverted commit
a927709a35cee56f878f0f57a932e1a6e2ebe23b, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)

If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
This commit is contained in:
Rickard Nilsson 2016-07-16 10:08:29 +02:00
parent 3a8067e6de
commit 4f8f1c30cb
2 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pkgs/tools/networking/openssh/default.nix
View File

@ -45,6 +45,9 @@ stdenv.mkDerivation rec {
./locale_archive.patch ./locale_archive.patch
./fix-host-key-algorithms-plus.patch ./fix-host-key-algorithms-plus.patch
./CVE-2015-8325.patch ./CVE-2015-8325.patch
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch
] ]
++ optional withGssapiPatches gssapiSrc; ++ optional withGssapiPatches gssapiSrc;
@ -66,11 +69,6 @@ stdenv.mkDerivation rec {
++ optional stdenv.isDarwin "--disable-libutil" ++ optional stdenv.isDarwin "--disable-libutil"
++ optional (!linkOpenssl) "--without-openssl"; ++ optional (!linkOpenssl) "--without-openssl";
preConfigure = ''
configureFlagsArray+=("--with-privsep-path=$out/empty")
mkdir -p $out/empty
'';
enableParallelBuilding = true; enableParallelBuilding = true;
postInstall = '' postInstall = ''

11
pkgs/tools/networking/openssh/dont_create_privsep_path.patch Normal file
View File

@ -0,0 +1,11 @@
diff -ur openssh-7.2p2_orig/Makefile.in openssh-7.2p2/Makefile.in
--- openssh-7.2p2_orig/Makefile.in 2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/Makefile.in 2016-07-16 09:56:05.643903293 +0200
@@ -301,7 +301,6 @@
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
- (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)