forked from mirrors/nixpkgs
a927709a35
If running NixOS inside a container where the host's root-owned files and directories have been mapped to some other uid (like nobody), the ssh daemon fails to start, producing this error message: fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable. The reason for this is that when openssh is built, we explicitly set `--with-privsep-path=$out/empty`. This commit removes that flag which causes the default directory /var/empty to be used instead. Since NixOS' activation script correctly sets up that directory, the ssh daemon now also works within containers that have a non-root-owned nix store.
92 lines
2.6 KiB
Nix
92 lines
2.6 KiB
Nix
{ stdenv, fetchurl, fetchpatch, zlib, openssl, perl, libedit, pkgconfig, pam
|
|
, etcDir ? null
|
|
, hpnSupport ? false
|
|
, withKerberos ? false
|
|
, withGssapiPatches ? false
|
|
, kerberos
|
|
, linkOpenssl? true
|
|
}:
|
|
|
|
assert withKerberos -> kerberos != null;
|
|
assert withGssapiPatches -> withKerberos;
|
|
|
|
let
|
|
|
|
hpnSrc = fetchurl {
|
|
url = mirror://sourceforge/hpnssh/openssh-6.6p1-hpnssh14v5.diff.gz;
|
|
sha256 = "682b4a6880d224ee0b7447241b684330b731018585f1ba519f46660c10d63950";
|
|
};
|
|
|
|
gssapiSrc = fetchpatch {
|
|
url = "https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/plain/debian/patches/gssapi.patch?id=46961f5704f8e86cea3e99253faad55aef4d8f35";
|
|
sha256 = "01mf2vx1gavypbdx06mcbmcrkm2smff0h3jfmr61k6h6j3xk88y5";
|
|
};
|
|
|
|
in
|
|
with stdenv.lib;
|
|
stdenv.mkDerivation rec {
|
|
# Please ensure that openssh_with_kerberos still builds when
|
|
# bumping the version here!
|
|
name = "openssh-7.2p2";
|
|
|
|
src = fetchurl {
|
|
url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
|
|
sha256 = "132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7";
|
|
};
|
|
|
|
prePatch = optionalString hpnSupport
|
|
''
|
|
gunzip -c ${hpnSrc} | patch -p1
|
|
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
|
|
'';
|
|
|
|
patches =
|
|
[
|
|
./locale_archive.patch
|
|
./fix-host-key-algorithms-plus.patch
|
|
./CVE-2015-8325.patch
|
|
]
|
|
++ optional withGssapiPatches gssapiSrc;
|
|
|
|
buildInputs = [ zlib openssl libedit pkgconfig pam ]
|
|
++ optional withKerberos [ kerberos ];
|
|
|
|
# I set --disable-strip because later we strip anyway. And it fails to strip
|
|
# properly when cross building.
|
|
configureFlags = [
|
|
"--sbindir=\${out}/bin"
|
|
"--localstatedir=/var"
|
|
"--with-pid-dir=/run"
|
|
"--with-mantype=man"
|
|
"--with-libedit=yes"
|
|
"--disable-strip"
|
|
(if pam != null then "--with-pam" else "--without-pam")
|
|
] ++ optional (etcDir != null) "--sysconfdir=${etcDir}"
|
|
++ optional withKerberos "--with-kerberos5=${kerberos}"
|
|
++ optional stdenv.isDarwin "--disable-libutil"
|
|
++ optional (!linkOpenssl) "--without-openssl";
|
|
|
|
enableParallelBuilding = true;
|
|
|
|
postInstall = ''
|
|
# Install ssh-copy-id, it's very useful.
|
|
cp contrib/ssh-copy-id $out/bin/
|
|
chmod +x $out/bin/ssh-copy-id
|
|
cp contrib/ssh-copy-id.1 $out/share/man/man1/
|
|
'';
|
|
|
|
installTargets = [ "install-nokeys" ];
|
|
installFlags = [
|
|
"sysconfdir=\${out}/etc/ssh"
|
|
];
|
|
|
|
meta = {
|
|
homepage = "http://www.openssh.com/";
|
|
description = "An implementation of the SSH protocol";
|
|
license = stdenv.lib.licenses.bsd2;
|
|
platforms = platforms.unix;
|
|
maintainers = with maintainers; [ eelco ];
|
|
broken = hpnSupport; # probably after 6.7 update
|
|
};
|
|
}
|