authorRobin Gloster <mail@glob.in>2016-07-19 10:37:02 +0000
committerRobin Gloster <mail@glob.in>2016-07-19 10:37:02 +0000
commit203846b9de3bc67e77c93be9d111408286a17d5d (patch)
tree3306a68a635fad0de834440c25f7e1b69b1e4b10 /pkgs/tools/networking/openssh
parent6539901c7f5eeb18cf5e9a493c230a912ff27f82 (diff)
parentb54009fdfb7951bb5423c4fabcb28b70581b5ba8 (diff)
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'pkgs/tools/networking/openssh')
-rw-r--r--pkgs/tools/networking/openssh/default.nix8
-rw-r--r--pkgs/tools/networking/openssh/dont_create_privsep_path.patch11
2 files changed, 14 insertions, 5 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 064745f88558..a0cb0795a261 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -45,6 +45,9 @@ stdenv.mkDerivation rec {
       ./locale_archive.patch
       ./fix-host-key-algorithms-plus.patch
       ./CVE-2015-8325.patch
+
+      # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
+      ./dont_create_privsep_path.patch
     ]
     ++ optional withGssapiPatches gssapiSrc;
 
@@ -66,11 +69,6 @@ stdenv.mkDerivation rec {
     ++ optional stdenv.isDarwin "--disable-libutil"
     ++ optional (!linkOpenssl) "--without-openssl";
 
-  preConfigure = ''
-    configureFlagsArray+=("--with-privsep-path=$out/empty")
-    mkdir -p $out/empty
-  '';
-
   enableParallelBuilding = true;
 
   hardeningEnable = [ "pie" ];
diff --git a/pkgs/tools/networking/openssh/dont_create_privsep_path.patch b/pkgs/tools/networking/openssh/dont_create_privsep_path.patch
new file mode 100644
index 000000000000..b6d432d5c5de
--- /dev/null
+++ b/pkgs/tools/networking/openssh/dont_create_privsep_path.patch
@@ -0,0 +1,11 @@
+diff -ur openssh-7.2p2_orig/Makefile.in openssh-7.2p2/Makefile.in
+--- openssh-7.2p2_orig/Makefile.in	2016-03-09 19:04:48.000000000 +0100
++++ openssh-7.2p2/Makefile.in	2016-07-16 09:56:05.643903293 +0200
+@@ -301,7 +301,6 @@
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
+-	(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
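Review bot: Nothing in this new patch file records that sshd still needs the privilege-separation directory at run time. The removed `mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)` line was the install-time step that created it, and the second default.nix hunk also drops `--with-privsep-path=$out/empty`, so the compiled-in path presumably falls back to the configure default unless a flag outside these hunks sets it. sshd chroots its unprivileged pre-authentication child into that directory and expects it to exist, be owned by root and not be group- or world-writable, so that guarantee now rests on whatever creates the directory on the target system. I would add a short header above the `diff -ur` line, for example `Do not create PRIVSEP_PATH at install time; it must exist on the running system, owned by root and not group/world-writable.`, and repeat that reason in the default.nix comment next to the PR link.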