diff options
| author | Rickard Nilsson <rickynils@gmail.com> | 2016-07-16 10:08:29 +0200 |
|---|---|---|
| committer | Rickard Nilsson <rickynils@gmail.com> | 2016-07-16 10:15:58 +0200 |
| commit | 4f8f1c30cbfb3e5e346a7ad1a699d3c8b3a46605 (patch) | |
| tree | 4fa9ab4925d28bd8689a3edae2e516a5279f6316 /pkgs/tools/networking/openssh | |
| parent | 3a8067e6ded9cb0a1a7931141821ed5ee6502e64 (diff) | |
| download | nixlib-4f8f1c30cbfb3e5e346a7ad1a699d3c8b3a46605.tar nixlib-4f8f1c30cbfb3e5e346a7ad1a699d3c8b3a46605.tar.gz nixlib-4f8f1c30cbfb3e5e346a7ad1a699d3c8b3a46605.tar.bz2 nixlib-4f8f1c30cbfb3e5e346a7ad1a699d3c8b3a46605.tar.lz nixlib-4f8f1c30cbfb3e5e346a7ad1a699d3c8b3a46605.tar.xz nixlib-4f8f1c30cbfb3e5e346a7ad1a699d3c8b3a46605.tar.zst nixlib-4f8f1c30cbfb3e5e346a7ad1a699d3c8b3a46605.zip | |
openssh: Use the default privilege separation dir (/var/empty)
(This is a rewritten version of the reverted commit a927709a35cee56f878f0f57a932e1a6e2ebe23b, that disables the creation of /var/empty during build so that sandboxed builds also works. For more context, see https://github.com/NixOS/nixpkgs/pull/16966) If running NixOS inside a container where the host's root-owned files and directories have been mapped to some other uid (like nobody), the ssh daemon fails to start, producing this error message: fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable. The reason for this is that when openssh is built, we explicitly set `--with-privsep-path=$out/empty`. This commit removes that flag which causes the default directory /var/empty to be used instead. Since NixOS' activation script correctly sets up that directory, the ssh daemon now also works within containers that have a non-root-owned nix store.
Diffstat (limited to 'pkgs/tools/networking/openssh')
| -rw-r--r-- | pkgs/tools/networking/openssh/default.nix | 8 | ||||
| -rw-r--r-- | pkgs/tools/networking/openssh/dont_create_privsep_path.patch | 11 |
2 files changed, 14 insertions, 5 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 64b9fe98278b..6d6b43c5f8d9 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -45,6 +45,9 @@ stdenv.mkDerivation rec { ./locale_archive.patch ./fix-host-key-algorithms-plus.patch ./CVE-2015-8325.patch + + # See discussion in https://github.com/NixOS/nixpkgs/pull/16966 + ./dont_create_privsep_path.patch ] ++ optional withGssapiPatches gssapiSrc; @@ -66,11 +69,6 @@ stdenv.mkDerivation rec { ++ optional stdenv.isDarwin "--disable-libutil" ++ optional (!linkOpenssl) "--without-openssl"; - preConfigure = '' - configureFlagsArray+=("--with-privsep-path=$out/empty") - mkdir -p $out/empty - ''; - enableParallelBuilding = true; postInstall = '' diff --git a/pkgs/tools/networking/openssh/dont_create_privsep_path.patch b/pkgs/tools/networking/openssh/dont_create_privsep_path.patch new file mode 100644 index 000000000000..b6d432d5c5de --- /dev/null +++ b/pkgs/tools/networking/openssh/dont_create_privsep_path.patch @@ -0,0 +1,11 @@ +diff -ur openssh-7.2p2_orig/Makefile.in openssh-7.2p2/Makefile.in +--- openssh-7.2p2_orig/Makefile.in 2016-03-09 19:04:48.000000000 +0100 ++++ openssh-7.2p2/Makefile.in 2016-07-16 09:56:05.643903293 +0200 +@@ -301,7 +301,6 @@ + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5 + $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 + $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) +- (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) |