net-misc/openssh*: Add no-subsystems USE flag#31615
krnowak wants to merge 2 commits into gentoo:master from
Pull Request assignment
Submitter: @krnowak
net-misc/openssh: @gentoo/base-system
Linked bugs: No bugs to link found. If your pull request references any of the Gentoo bug reports, please add appropriate GLEP 66 tags to the commit message and request reassignment. If you do not receive any reply to this pull request, please open or link a bug to attract the attention of maintainers. In order to force reassignment and/or bug reference scan, please append
Pull request CI report (generated at 2023-06-26 11:55 UTC): There are existing issues already. Please look into the report to make sure none of them affect the packages in question.
Thanks! On IRC, we discussed this a bit. @chutz is fine with the idea; I felt a little bit uneasy about the USE flag for it if there's no better option. @floppym suggested we do this w/ a config patch:
Aside, it might be worth us considering while here:
That would work for Flatcar too, and it wouldn't involve the USE flag. I'll update the PR.
I'll try fixing those as well.
f5470d3 to 51d8feb
51d8feb to 18f7ab1
93ba7f2 to a7e1561
Please have a look. Thanks.
For the record:
(the double slash here is a bit jarring, probably could be fixed with
a7e1561 to 533feba
insert_include() {
local src_config=${1}
local options=${2}
local includedir=${3}
I find it a bit easier to read with these on a single line, though that is just cosmetic.
name=${src_config##*/}
copy="${T}/${name}"
cp -a "${src_config}" "${copy}"
Please add || die to the end of this, since there is nothing catching if this fails.
regexp='^[[:space:]]*#\?[[:space:]]*\('"${regexp_options}"'\)[[:space:]]'
{ grep -ne "${regexp}" -m 1 "${copy}" || die; } | cut -d : -f 1 >"${T}/lineno"
lineno=$(<"${T}"/lineno)
rm -f "${T}/lineno"
Rather than writing to a file, then reading and deleting the file, you could do this in one line with a process substitution. You can also use pipefail in the process substitution to catch the failure (you aren't catching a failure in the cut command above). Something like this:
lineno=$(set -o pipefail; grep -ne "${regexp}" -m 1 "${copy}" | cut -d : -f 1 || die)
I wrote it in such a convoluted way, because I wanted to make sure that if grep fails, the build fails. But I didn't know that die kills the build even if called from the subshell. I'll rewrite it.
EOF
tail -n "+${lineno}" "${copy}"
} >"${src_config}"
rm -f "${copy}"
This is probably not entirely necessary as ${T} gets removed at the end of the merge, however if you are going to call rm, use a || die
Include "${EPREFIX}/${includedir}/*.conf"

EOF
tail -n "+${lineno}" "${copy}"
These commands should have || die after them (the head, and tail)
# non-comment line just above the comments of the option. The
# lineno - 2 is here to ignore the line just above the option
# in case the comment block is separated by an empty line.
lineno=$(head -n $((lineno - 2)) "${copy}" | grep -ne '^[[:space:]]*\([^#]\|$\)' | tail -n 1 | cut -d : -f 1)
Probably want a || die in here, see the example with set -o pipefail above.
533feba to 49dbb3c
Addressed the issues and rebased to master.
- Mark the package as stable.
- Remove the socket unit's rate limiting.
- Fixes to configuration handling.

We are trying to upstream these changes, so this package will be eventually moved to portage-stable. But updating it in coreos-overlay for now to drop the use of the obsolete cygwin USE flags. Upstream PR: gentoo/gentoo#31615
49dbb3c to d42ed1d
Updated to base my changes on top of new 9.3_p2 ebuilds.
Meh, I wanted to update it, but something must have distracted me, sorry about that. Thanks for reminding. Here goes for openssh (
22c22
< KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
---
> KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
229a230,260
> insert_include() {
> local src_config=${1} options=${2} includedir=${3}
> local name copy regexp_options regexp lineno comment_options
>
> name=${src_config##*/}
> copy="${T}/${name}"
> cp -a "${src_config}" "${copy}" || die
>
> # Catch "Option ", "#Option " or "# Option ".
> regexp_options=${options//,/'\|'}
> regexp='^[[:space:]]*#\?[[:space:]]*\('"${regexp_options}"'\)[[:space:]]'
> lineno=$(set -o pipefail; grep -ne "${regexp}" -m 1 "${copy}" | cut -d : -f 1 || die)
> # We have found a first line with the option, now find a first
> # non-comment line just above the comments of the option. The
> # lineno - 2 is here to ignore the line just above the option
> # in case the comment block is separated by an empty line.
> lineno=$(set -o pipefail; head -n $((lineno - 2)) "${copy}" | grep -ne '^[[:space:]]*\([^#]\|$\)' | tail -n 1 | cut -d : -f 1 || die)
>
> comment_options=${options//,/ or }
> {
> head -n "${lineno}" "${copy}" || die
> cat <<-EOF || die
> # Make sure that all ${comment_options} options are below this Include!
> Include "${EPREFIX}/${includedir}/*.conf"
>
> EOF
> tail -n "+${lineno}" "${copy}" || die
> } >"${src_config}"
> rm -f "${copy}" || die
> }
>
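Review bot: `head -n "${lineno}" "${copy}"` followed by `tail -n "+${lineno}" "${copy}"` emits line `lineno` twice, because `head -n N` prints lines 1..N and `tail -n +N` starts at line N. With the preceding search that line is normally blank, so it is harmless today, but if the first non-comment line above the option's comment block is an active directive it gets duplicated in the installed config; use `tail -n "+$((lineno + 1))"` (or `head -n "$((lineno - 1))"`) so the two halves are disjoint.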
243,248c274,276
< cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
< Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
< EOF
< cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
< Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
< EOF
---
>
> insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d'
> insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d'
266a295,298
> # Move sshd's Subsystem option to a drop-in file.
> grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
> sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config
>
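Review bot: the `grep -ie 'subsystem'` that copies lines into 9999999gentoo-subsystem.conf is case-insensitive, but the `sed -i -e '/[Ss]ubsystem/d'` that removes them is not, so a `SUBSYSTEM` or `SubSystem` spelling would be copied to the drop-in yet left in sshd_config, giving exactly the duplicate-Subsystem startup error the commit message describes. Match both the same way (GNU sed accepts `/subsystem/Id`) and add `|| die` to the sed, as every other command in this function has. Note also that the grep matches comment lines that merely contain the word, so those comments move to the drop-in too.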
291a324,327
>
> local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf)
> fperms 0700 /etc/ssh/sshd_config.d
> fperms 0600 "${sshd_drop_ins[@]#${ED}}"
openssh-contrib is the same (
342a343,373
> insert_include() {
> local src_config=${1} options=${2} includedir=${3}
> local name copy regexp_options regexp lineno comment_options
>
> name=${src_config##*/}
> copy="${T}/${name}"
> cp -a "${src_config}" "${copy}" || die
>
> # Catch "Option ", "#Option " or "# Option ".
> regexp_options=${options//,/'\|'}
> regexp='^[[:space:]]*#\?[[:space:]]*\('"${regexp_options}"'\)[[:space:]]'
> lineno=$(set -o pipefail; grep -ne "${regexp}" -m 1 "${copy}" | cut -d : -f 1 || die)
> # We have found a first line with the option, now find a first
> # non-comment line just above the comments of the option. The
> # lineno - 2 is here to ignore the line just above the option
> # in case the comment block is separated by an empty line.
> lineno=$(set -o pipefail; head -n $((lineno - 2)) "${copy}" | grep -ne '^[[:space:]]*\([^#]\|$\)' | tail -n 1 | cut -d : -f 1 || die)
>
> comment_options=${options//,/ or }
> {
> head -n "${lineno}" "${copy}" || die
> cat <<-EOF || die
> # Make sure that all ${comment_options} options are below this Include!
> Include "${EPREFIX}/${includedir}/*.conf"
>
> EOF
> tail -n "+${lineno}" "${copy}" || die
> } >"${src_config}"
> rm -f "${copy}" || die
> }
>
356,361c387,389
< cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
< Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
< EOF
< cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
< Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
< EOF
---
>
> insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d'
> insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d'
379a408,411
> # Move sshd's Subsystem option to a drop-in file.
> grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
> sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config
>
404a437,440
>
> local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf)
> fperms 0700 /etc/ssh/sshd_config.d
> fperms 0600 "${sshd_drop_ins[@]#${ED}}"
d42ed1d to 42130ac
42130ac to 52b1841
None of these modifications are Flatcar-specific. We are trying to upstream them in gentoo/gentoo#31615. When they reach Gentoo, we can move net-misc/openssh to portage-stable.
None of these modifications are Flatcar-specific. We are trying to upstream them in gentoo/gentoo#31615. When they reach Gentoo, we can move net-misc/openssh to portage-stable. An exception from above paragraph is marking the ebuild as stable on amd64 and arm64.
- Put the Insert option before options that introduce conditional blocks to avoid having the drop-in files to be included conditionally. For client configs the options that introduce such blocks are Match and Host options, for daemon configs it is the Match option.
- Move the Subsystem option out of the toplevel daemon config into a separate drop-in. That way we can add the drop-in into INSTALL_MASK if we want to provide custom drop-in with different settings for subsystems. This is necessary as there is no way to override a once-specified subsystem - doing so results in daemon printing an error and quitting.

Bug: https://bugs.gentoo.org/907068
Co-authored-by: James Le Cuirot <chewi@gentoo.org>
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
Closes: gentoo#31615
Signed-off-by: James Le Cuirot <chewi@gentoo.org>
52b1841 to e320d3f
I've reworked this to use sed, which is a lot simpler, although I'm open to using a patch instead. The permissions issue has already been resolved in the meantime. Please see what you think.
--- openssh-9.7_p1-r2.ebuild 2024-04-18 18:07:48.688948905 +0100
+++ openssh-9.7_p1-r3.ebuild 2024-05-17 15:11:57.455234035 +0100
@@ -217,15 +217,21 @@
econf "${myconf[@]}"
}
-tweak_ssh_configs() {
- cat <<-EOF >> ssh_config.out || die
+insert_include() {
+ local file=${1} options=${2} includedir=${3}
- Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
+ local snippet=$(cat <<-EOF || die
+ # Make sure that all ${options//,/ or } options are below this Include!
+ Include "${includedir}/*.conf"
EOF
- cat <<-EOF >> sshd_config.out || die
+ )
- Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
- EOF
+ # Catch "Option ", "#Option " or "# Option ".
+ local regexp_options=${options//,/|}
+
+ # Insert the snippet before the comment block immediately preceeding the
+ # first matching option. There may be blank lines in-between.
+ sed -i -z -r "s:\n(#[^\n]*\n)*\s*#?\s*(${regexp_options})\b:\n${snippet//$'\n'/\\n}\n\0:" "${file}" || die
}
create_config_dropins() {
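Review bot: the `|| die` on the `sed -i -z -r ... "${file}"` in insert_include only fires if sed itself fails; when the expression matches no `Host`/`Match` line, sed exits 0 and the file ends up with no Include at all, silently losing the drop-in mechanism that the old unconditional append guaranteed. Follow it with a check such as `grep -q '^Include ' "${file}" || die "no Include inserted into ${file}"`. The snippet is also interpolated unescaped into the sed program, so a `:`, `&` or `\` in `${includedir}` (which carries `${EPREFIX}`) would break or alter the substitution. Minor: "preceeding" in the new comment should be "preceding".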
@@ -258,6 +264,11 @@
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF
+ # Move sshd's Subsystem option to a drop-in file.
+ sed -i "/[Ss]ubsystem/{
+ w ${WORKDIR}/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf
+ d }" "${S}"/sshd_config || die
+
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
# Allow client to pass locale environment variables (bug #367017)
AcceptEnv ${locale_vars[*]}
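Review bot: the `w` command in `sed -i "/[Ss]ubsystem/{ w ... d }"` opens and truncates 9999999gentoo-subsystem.conf before any line is processed, so if sshd_config has no matching line the drop-in is created empty, sshd ends up with no sftp subsystem, and the trailing `|| die` does not notice because sed exited 0. Add `[[ -s "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf ]] || die` after it. As in the earlier version, the address is case-sensitive and also catches comment lines containing the word; `/subsystem/I` keeps the match consistent with what the commit message intends.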
@@ -287,7 +298,10 @@
src_compile() {
default
- tweak_ssh_configs
+
+ insert_include "${S}"/ssh_config 'Host,Match' "${EPREFIX}"/etc/ssh/ssh_config.d
+ insert_include "${S}"/sshd_config 'Match' "${EPREFIX}"/etc/ssh/sshd_config.d
+
create_config_dropins
}
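Review bot: tweak_ssh_configs used to append to ssh_config.out and sshd_config.out after `default` had generated them, whereas insert_include now edits the pre-substitution `${S}`/ssh_config and `${S}`/sshd_config at the same point in src_compile. Please confirm that the installed `.out` files are regenerated from the edited sources at install time (or call insert_include before `default`), otherwise the Include never reaches the installed configs.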
e320d3f to cfa3ebb
- Put the Include option before options that introduce conditional blocks to avoid having the drop-in files to be included conditionally. For client configs the options that introduce such blocks are Match and Host options, for daemon configs it is the Match option.
- Move the Subsystem option out of the top-level daemon config into a separate drop-in. That way we can add the drop-in into INSTALL_MASK if we want to provide custom drop-in with different settings for subsystems. This is necessary as there is no way to override a once-specified subsystem - doing so results in daemon printing an error and quitting.

Bug: https://bugs.gentoo.org/907068
Closes: gentoo#31615
Signed-off-by: James Le Cuirot <chewi@gentoo.org>
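An added example, not code from the PR or the ebuilds: a POSIX shell check for the two config properties the commit message relies on, namely that an active Include precedes the first Match (sshd_config) or Host/Match (ssh_config) directive, and that no subsystem is defined twice across sshd_config and its drop-ins. The function names and sample configs are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not code from the PR or the ebuild. Two checks for the
# properties the commit message relies on, run on constructed sample configs:
#   1. an active Include must precede the first block-opening directive
#      (Match for sshd_config, Host/Match for ssh_config), otherwise the
#      drop-ins are only read inside that conditional block;
#   2. a subsystem must not be defined twice across sshd_config and its
#      drop-ins, since sshd refuses to start on a re-specified Subsystem.
# include_order FILE KEYWORDS -> prints "ok" or "conditional".
# KEYWORDS is an ERE alternation of block-opening directives, e.g. 'Host|Match'.
include_order() {
    awk -v kw="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        { key = tolower($1) }
        key == "include" && !inc { inc = NR }           # first active Include
        !blk && key ~ ("^(" tolower(kw) ")$") { blk = NR }  # first block opener
        END {
            # Either no block at all, or the Include comes first: global.
            if (!blk || (inc && inc < blk)) print "ok"; else print "conditional"
        }' "$1"
}
# duplicate_subsystems FILE... -> prints names of subsystems defined twice.
duplicate_subsystems() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "subsystem" { seen[tolower($2)]++ }
        END { for (s in seen) if (seen[s] > 1) print s }' "$@" | sort | xargs
}
# Constructed sample inputs (not real installed files).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd_config.bad" <<'EOF'
# Include appended after a Match block: drop-ins only apply to user anoncvs.
Port 22
Match User anoncvs
    X11Forwarding no
Include /etc/ssh/sshd_config.d/*.conf
EOF
cat > "$WORK/sshd_config.good" <<'EOF'
# Include placed before the first Match, as the ebuild arranges it.
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Match User anoncvs
    X11Forwarding no
EOF
cat > "$WORK/ssh_config.bad" <<'EOF'
Host *
    ForwardAgent no
Include /etc/ssh/ssh_config.d/*.conf
EOF
cat > "$WORK/9999999gentoo-subsystem.conf" <<'EOF'
Subsystem sftp /usr/libexec/sftp-server
EOF
cat > "$WORK/sshd_config.dup" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Subsystem sftp internal-sftp
EOF

echo "sshd bad:  $(include_order "$WORK/sshd_config.bad" 'Match')"
echo "sshd good: $(include_order "$WORK/sshd_config.good" 'Match')"
echo "ssh bad:   $(include_order "$WORK/ssh_config.bad" 'Host|Match')"
echo "dup subsystems: $(duplicate_subsystems "$WORK/sshd_config.dup" "$WORK/9999999gentoo-subsystem.conf")"
```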
Right, since this was going nowhere, I've redone it as a patch. Simpler and safer. Here's the new ebuild diff.
--- openssh-9.7_p1-r3.ebuild 2024-06-10 16:02:00.897892259 +0100
+++ openssh-9.7_p1-r4.ebuild 2024-06-10 16:39:15.468810717 +0100
@@ -78,6 +78,7 @@
PATCHES=(
"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
+ "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
)
pkg_pretend() {
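Review bot: the new `${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch` is where the Include placement and the removal of upstream's Subsystem line now live, but its content is not part of this diff, and with tweak_ssh_configs gone the ebuild no longer asserts that an Include ends up in either config. Please attach the patch (or quote it) in the PR so the config changes themselves can be reviewed.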
@@ -217,17 +218,6 @@
econf "${myconf[@]}"
}
-tweak_ssh_configs() {
- cat <<-EOF >> ssh_config.out || die
-
- Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
- EOF
- cat <<-EOF >> sshd_config.out || die
-
- Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
- EOF
-}
-
create_config_dropins() {
local locale_vars=(
# These are language variables that POSIX defines.
@@ -266,6 +256,11 @@
AcceptEnv COLORTERM
EOF
+ cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
+ # override default of no subsystems
+ Subsystem sftp ${EPREFIX}/usr/libexec/sftp-server
+ EOF
+
if use pam ; then
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
UsePAM yes
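Review bot: this drop-in hard-codes `Subsystem sftp ${EPREFIX}/usr/libexec/sftp-server` instead of moving upstream's own Subsystem line, so it is only correct if the config-tweaks patch removes that line from sshd_config; otherwise the daemon sees two Subsystem definitions and refuses to start, as the commit message notes. A guard in create_config_dropins such as `! grep -qi '^[[:space:]]*Subsystem' "${S}"/sshd_config || die "Subsystem still present in sshd_config"` would keep the patch and the drop-in from drifting apart.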
@@ -287,7 +282,6 @@
src_compile() {
default
- tweak_ssh_configs
create_config_dropins
}
Fix permissions of the daemon drop-ins directory and files inside it. They should be accessible only for root.
Put the Insert option before options that introduce conditional blocks to avoid having the drop-in files to be included conditionally. For client configs the options that introduce such blocks are Match and Host options, for daemon configs it is the Match option.
Move the Subsystem option out of the toplevel daemon config into a separate drop-in. That way we can add the drop-in into INSTALL_MASK if we want to provide custom drop-in with a different settings for subsystems. This is necessary as there is no way to override a once-specified subsystem - doing so results in daemon printing an error and quitting.
Bug: https://bugs.gentoo.org/906639
Bug: https://bugs.gentoo.org/907068
Signed-off-by: Krzesimir Nowak <knowak@microsoft.com>
The diffs between the ebuilds are (for net-misc/openssh, the contrib package has mostly the same diff):