nixpkgs-suyu/pkgs/tools/networking/openssh/default.nix
Rickard Nilsson 4f8f1c30cb openssh: Use the default privilege separation dir (/var/empty)
(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)

If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:

fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.

The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
2016-07-16 10:15:58 +02:00

94 lines
2.7 KiB
Nix

{ stdenv, fetchurl, fetchpatch, zlib, openssl, perl, libedit, pkgconfig, pam
, etcDir ? null
, hpnSupport ? false
, withKerberos ? false
, withGssapiPatches ? false
, kerberos
, linkOpenssl? true
}:
assert withKerberos -> kerberos != null;
assert withGssapiPatches -> withKerberos;
let
hpnSrc = fetchurl {
url = mirror://sourceforge/hpnssh/openssh-6.6p1-hpnssh14v5.diff.gz;
sha256 = "682b4a6880d224ee0b7447241b684330b731018585f1ba519f46660c10d63950";
};
gssapiSrc = fetchpatch {
url = "https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/plain/debian/patches/gssapi.patch?id=46961f5704f8e86cea3e99253faad55aef4d8f35";
sha256 = "01mf2vx1gavypbdx06mcbmcrkm2smff0h3jfmr61k6h6j3xk88y5";
};
in
with stdenv.lib;
stdenv.mkDerivation rec {
# Please ensure that openssh_with_kerberos still builds when
# bumping the version here!
name = "openssh-7.2p2";
src = fetchurl {
url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
sha256 = "132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7";
};
prePatch = optionalString hpnSupport
''
gunzip -c ${hpnSrc} | patch -p1
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
'';
patches =
[
./locale_archive.patch
./fix-host-key-algorithms-plus.patch
./CVE-2015-8325.patch
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch
]
++ optional withGssapiPatches gssapiSrc;
buildInputs = [ zlib openssl libedit pkgconfig pam ]
++ optional withKerberos [ kerberos ];
# I set --disable-strip because later we strip anyway. And it fails to strip
# properly when cross building.
configureFlags = [
"--sbindir=\${out}/bin"
"--localstatedir=/var"
"--with-pid-dir=/run"
"--with-mantype=man"
"--with-libedit=yes"
"--disable-strip"
(if pam != null then "--with-pam" else "--without-pam")
] ++ optional (etcDir != null) "--sysconfdir=${etcDir}"
++ optional withKerberos "--with-kerberos5=${kerberos}"
++ optional stdenv.isDarwin "--disable-libutil"
++ optional (!linkOpenssl) "--without-openssl";
enableParallelBuilding = true;
postInstall = ''
# Install ssh-copy-id, it's very useful.
cp contrib/ssh-copy-id $out/bin/
chmod +x $out/bin/ssh-copy-id
cp contrib/ssh-copy-id.1 $out/share/man/man1/
'';
installTargets = [ "install-nokeys" ];
installFlags = [
"sysconfdir=\${out}/etc/ssh"
];
meta = {
homepage = "http://www.openssh.com/";
description = "An implementation of the SSH protocol";
license = stdenv.lib.licenses.bsd2;
platforms = platforms.unix;
maintainers = with maintainers; [ eelco ];
broken = hpnSupport; # probably after 6.7 update
};
}