'verbose' => \$verbose,
) or pod2usage(2);
+#
+# miscellaneous initialization functions
+#
+
+setPrivilegeSeparation(0);
+
#
# main execution. This should find its way into a subroutine at some future
# point.
print "generate them for you.)\n";
print "\n";
print " Jacobim Mugatu says,\n";
-print " \t\"Utopian Prime Minister Bad! GSI-OpenSSH Good!\"\n";
+print " \"Utopian Prime Minister Bad! GSI-OpenSSH Good!\"\n";
print "\n";
if ( isForced() )
print " o I see that you have your GLOBUS_LOCATION environmental variable\n";
print " set to:\n";
print "\n";
-print " \t\"$gpath\"\n";
+print " \"$gpath\"\n";
print "\n";
print " Remember to keep this variable set (correctly) when you want to\n";
print " use the executables that came with this package.\n";
print "\n";
print " After that you may execute, for example:\n";
print "\n";
-print " \t\$ . \$GLOBUS_LOCATION/etc/globus-user-env.sh\n";
+print " \$ . \$GLOBUS_LOCATION/etc/globus-user-env.sh\n";
print "\n";
print " to prepare your environment for running the gsi_openssh\n";
print " executables.\n";
print " this feature, your system appears to require some additional\n";
print " configuration.\n";
print "\n";
- print " Perform the following steps to enable privilege separation:\n";
+ print " From the file README.privsep, included as a part of the OpenSSH\n";
+ print " distribution:\n";
print "\n";
- print " \t1) If the system user 'sshd' does not already exist, add a\n";
- print " \t user with that username.\n";
+ print " When privsep is enabled, during the pre-authentication\n";
+ print " phase sshd will chroot(2) to \"/var/empty\" and change its\n";
+ print " privileges to the \"sshd\" user and its primary group. sshd\n";
+ print " is a pseudo-account that should not be used by other\n";
+ print " daemons, and must be locked and should contain a \"nologin\"\n";
+ print " or invalid shell.\n";
print "\n";
- print " \t2) Verify that /var/empty exists, is owned by root, and has\n";
- print " \t a mode of 0700.\n";
+ print " You should do something like the following to prepare the\n";
+ print " privsep preauth environment:\n";
print "\n";
- print " \t3) Enable the feature UsePrivilegeSeparation in\n";
- print " \t \$GLOBUS_LOCATION/etc/ssh/sshd_config.\n";
+ print " \# mkdir /var/empty\n";
+ print " \# chown root:sys /var/empty\n";
+ print " \# chmod 755 /var/empty\n";
+ print " \# groupadd sshd\n";
+ print " \# useradd -g sshd -c 'sshd privsep' -d /var/empty \\\n";
+ print " -s /bin/false sshd\n";
+ print "\n";
+ print " /var/empty should not contain any files.\n";
}
print "\n";
print "Press <return> to continue... ";
$trash = <STDIN>;
-print "\n";
print "---------------------------------------------------------------------\n";
print "$myname: Finished configuring package 'gsi_openssh'.\n";
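Review bot: The quoted README text on L48 says the sshd pseudo-account "must be locked", but the useradd invocation printed on L62–L63 only gives it a non-login shell; whether the password is actually locked depends on the platform's useradd defaults, which this output does not mention. Since the whole point of the account is a chroot'd pre-auth process, I would add one more step to the printed recipe, `print " \# passwd -l sshd\n";`, right after the useradd lines, so an administrator following it on a system that creates unlocked accounts does not end up with a loginable sshd user. Likewise `chown root:sys` on L59 assumes a `sys` group exists; a one-line caveat such as "(use group root where no sys group exists)" would save some confusion. The enclosing `if ( isForced() )` block starts before this hunk.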
my($mode, $uid, $gid);
my($data);
- if ( isPresent("/dev/random") && !isForced() )
+ if ( isPresent("$sysconfdir/ssh_prng_cmds") && !isForced() )
{
- printf("/dev/random found and not forced. Not installing ssh_prng_cmds...\n");
+ printf("ssh_prng_cmds found and not forced. Not installing ssh_prng_cmds...\n");
return;
}
# check to see whether we should enable privilege separation
#
- if ( userExists("sshd") && ( -d "/var/empty" ) && ( getMode("/var/empty") eq "0700" ) )
+ if ( userExists("sshd") && ( -d "/var/empty" ) && ( getOwnerID("/var/empty") eq 0 ) )
{
setPrivilegeSeparation(1);
}
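Review bot: The new condition on L85 enables privilege separation as soon as /var/empty is root-owned, dropping the permission check entirely, so a root-owned but group- or world-writable /var/empty still switches privsep on — exactly the state the README text printed earlier in this patch ("chmod 755", no files) is meant to rule out, and one sshd itself is likely to refuse at startup. Keep the ownership test but pair it with a writability test, e.g. `( getOwnerID("/var/empty") == 0 ) && ( ( oct(getMode("/var/empty")) & 022 ) == 0 )`, which accepts both 0700 and 0755; this assumes getMode returns the octal string the old `eq "0700"` comparison implies, so please confirm. Use `==` rather than `eq` for the uid comparison since stat returns a number; an undef from a failed stat still compares unequal and leaves privsep off, which is the safe default set on L7.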
# set the sftp directive
#
- $text = "Subsystem\tsftp\t$gpath/libxec/sftp-server";
+ $text = "Subsystem\tsftp\t$gpath/libexec/sftp-server";
$data =~ s:^[\s|#]*Subsystem\s+sftp\s+.*$:$text:gm;
#
sub copySXXScript
{
my($in, $out) = @_;
+ my($tmpgpath);
if ( !isReadable($in) )
{
return;
}
+ #
+ # clean up any junk in the globus path variable
+ #
+
+ $tmpgpath = $gpath;
+ $tmpgpath =~ s:/+:/:g;
+ $tmpgpath =~ s:([^/]+)/$:\1:g;
+
+ #
+ # read in the script, substitute globus location, then write it back out
+ #
+
$data = readFile($in);
- $data =~ s|\@GLOBUS_LOCATION\@|$gpath|g;
+ $data =~ s|\@GLOBUS_LOCATION\@|$tmpgpath|g;
writeFile($out, $data);
action("chmod 755 $out");
}
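Review bot: The replacement side of `s:([^/]+)/$:\1:g` on L109 uses the deprecated `\1` form, which Perl accepts but warns about under `use warnings` ("\1 better written as $1"); write `$tmpgpath =~ s:([^/]+)/$:$1:;` (the `/g` is redundant on a `$`-anchored pattern). More importantly, the cleaned path is spliced verbatim into a script that is then made executable (L117, L119) and, judging by the name copySXXScript, installed as an rc script; since $gpath is the GLOBUS_LOCATION environment value (L19–L22), collapsing slashes is not enough to keep shell metacharacters or whitespace out of that script. Reject anything outside a conservative character set before substituting, e.g. `die "$myname: GLOBUS_LOCATION contains unsafe characters: $gpath\n" unless $tmpgpath =~ m{\A[\w./+-]+\z};`, which also protects the `action("chmod 755 $out")` call if $out is derived from the same path. Whether $myname is in scope here is inferred from L72, so adjust the message to taste.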
return $file;
}
+### getOwnerID( $file )
+#
+# return the uid containing the owner ID of the given file.
+#
+
+sub getOwnerID
+{
+ my($file) = @_;
+ my($uid);
+
+ #
+ # call stat() to get the mode of the file
+ #
+
+ $uid = (stat($file))[4];
+
+ return $uid;
+}
+
### getMode( $file )
#
# return a string containing the mode of the given file.
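Review bot: The inline comment on L134, "call stat() to get the mode of the file", was copied from getMode and is wrong for this sub, which returns element 4 of stat(), the owner uid; change it to `# call stat() to get the owner uid of the file`. The header on L125 should also say what happens on failure, since stat() on a missing or unreadable path returns an empty list and the sub then silently returns undef: add `# Returns undef if $file cannot be stat()ed.` so callers know the value needs a definedness check before a numeric comparison.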