X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/fd2eb2b2903bae5bb076277b381d0e8ce3f8111a..ed46ef38b08c9b3410cf118f3c68d72fe8a0b4ea:/setup/setup-openssh.pl
diff --git a/setup/setup-openssh.pl b/setup/setup-openssh.pl
index 1a8da78..d6680a7 100644
--- a/setup/setup-openssh.pl
+++ b/setup/setup-openssh.pl
@@ -105,6 +105,12 @@ GetOptions(
 'verbose' => \$verbose,
 ) or pod2usage(2);
+#
+# miscellaneous initialization functions
+#
+
+setPrivilegeSeparation(0);
+
 #
 # main execution. This should find its way into a subroutine at some future
 # point.
@@ -186,7 +192,10 @@ if ( !getPrivilegeSeparation() )
 print " From the file README.privsep, included as a part of the OpenSSH\n";
 print " distribution:\n";
 print "\n";
- print " sshd is a pseudo-account that should not be used by other\n";
+ print " When privsep is enabled, during the pre-authentication\n";
+ print " phase sshd will chroot(2) to \"/var/empty\" and change its\n";
+ print " privileges to the \"sshd\" user and its primary group. sshd\n";
+ print " is a pseudo-account that should not be used by other\n";
 print " daemons, and must be locked and should contain a \"nologin\"\n";
 print " or invalid shell.\n";
 print "\n";
@@ -315,9 +324,9 @@ sub copyPRNGFile
 my($mode, $uid, $gid);
 my($data);
- if ( isPresent("/dev/random") && !isForced() )
+ if ( isPresent("$sysconfdir/ssh_prng_cmds") && !isForced() )
 {
- printf("/dev/random found and not forced. Not installing ssh_prng_cmds...\n");
+ printf("ssh_prng_cmds found and not forced. Not installing ssh_prng_cmds...\n");
 return;
 }
@@ -795,7 +804,7 @@ sub copySSHDConfigFile
 # check to see whether we should enable privilege separation
 #
- if ( userExists("sshd") && ( -d "/var/empty" ) && ( getMode("/var/empty") eq "0700" ) )
+ if ( userExists("sshd") && ( -d "/var/empty" ) && ( getOwnerID("/var/empty") eq 0 ) )
 {
 setPrivilegeSeparation(1);
 }
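Review bot: In the copySSHDConfigFile hunk the new condition checks only that /var/empty is owned by uid 0 and no longer looks at its permissions, so a root-owned but group- or world-writable directory would still turn privilege separation on. sshd's documentation asks for the chroot directory to be root-owned and not group- or world-writable, so the test should cover both, for example by adding `&& ( ( (stat("/var/empty"))[2] & 022 ) == 0 )` next to the owner check. Note that `eq 0` is a string comparison; if it is ever changed to `== 0` it needs a `defined` guard, because an undef returned by getOwnerID on a failed stat() compares numerically equal to 0. The body of copySSHDConfigFile starts and ends outside the hunk.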
@@ -988,6 +997,7 @@ sub copyFile
 sub copySXXScript
 {
 my($in, $out) = @_;
+ my($tmpgpath);
 if ( !isReadable($in) )
 {
@@ -1000,8 +1010,20 @@ sub copySXXScript
 return;
 }
+ #
+ # clean up any junk in the globus path variable
+ #
+
+ $tmpgpath = $gpath;
+ $tmpgpath =~ s:/+:/:g;
+ $tmpgpath =~ s:([^/]+)/$:\1:g;
+
+ #
+ # read in the script, substitute globus location, then write it back out
+ #
+
 $data = readFile($in);
- $data =~ s|\@GLOBUS_LOCATION\@|$gpath|g;
+ $data =~ s|\@GLOBUS_LOCATION\@|$tmpgpath|g;
 writeFile($out, $data);
 action("chmod 755 $out");
 }
@@ -1150,6 +1172,25 @@ sub absolutePath
 return $file;
 }
+### getOwnerID( $file )
+#
+# return the uid containing the owner ID of the given file.
+#
+
+sub getOwnerID
+{
+ my($file) = @_;
+ my($uid);
+
+ #
+ # call stat() to get the mode of the file
+ #
+
+ $uid = (stat($file))[4];
+
+ return $uid;
+}
+
 ### getMode( $file )
 #
 # return a string containing the mode of the given file.
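Review bot: In the second copySXXScript hunk, the trailing-slash cleanup `s:([^/]+)/$:\1:g` uses `\1` on the replacement side, which Perl warns about under `use warnings`; `$1` is the supported form, and the `+` and `/g` add nothing next to the `$` anchor, so `$tmpgpath =~ s:([^/])/$:$1:;` does the same job. Separately, the cleaned value is written verbatim into a script that is then made executable with `chmod 755`, and nothing in the hunk checks that `$gpath` is an absolute path made of expected characters; where `$gpath` is set is not visible in this diff, so that is worth confirming at its source. A short comment such as `# collapse repeated slashes, then drop one trailing slash (a bare "/" is kept)` would record the intent of the two substitutions.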
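Review bot: The inline comment in the new getOwnerID says `call stat() to get the mode of the file`, which looks copied from getMode; element 4 of the stat list is the owner uid, so it should read `# call stat() to get the numeric uid of the file's owner`. The header comment should also say that the result is undef when stat() fails and that stat() follows symbolic links, since the copySSHDConfigFile hunk uses this value to decide whether /var/empty is safe for privilege separation.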