[Buildroot] [git commit branch/2018.02.x] package/openssh: Set /var/empty permissions
Peter Korsgaard
peter at korsgaard.com
Mon Feb 18 15:42:39 UTC 2019
commit: https://git.buildroot.net/buildroot/commit/?id=e4174904272e073c0a42d1e1a09dda35e892b33b
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2018.02.x
The openssh privilege separation feature, enabled by default,
requires that the path /var/empty exists and has certain permissions
(not writable by the sshd user). Note that nothing ever gets written
in this directory, so it works fine on a readonly rootfs.
See README.privsep included as part of the openssh distribution.
Signed-off-by: Chris Lesiak <chris.lesiak at licor.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout at mind.be>
(cherry picked from commit f85665c58562a967e3dcb5f72fa8af0a606c9274)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
package/openssh/openssh.mk | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 07f3e0d663..9175f9589d 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -22,6 +22,10 @@ define OPENSSH_USERS
sshd -1 sshd -1 * - - - SSH drop priv user
endef
+define OPENSSH_PERMISSIONS
+ /var/empty d 755 root root - - - - -
+endef
+
ifeq ($(BR2_TOOLCHAIN_SUPPORTS_PIE),)
OPENSSH_CONF_OPTS += --without-pie
endif
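Review bot: The new OPENSSH_PERMISSIONS define carries no comment explaining why /var/empty is pinned to root:root with mode 755, so the privilege separation requirement is recorded only in the commit message. A one-line comment above the define, stating that this is the sshd privsep chroot directory and must not be writable by the sshd user (see README.privsep), would keep a later cleanup from loosening or dropping the entry. The path is also hard-coded here, so if a privsep path option is ever added to OPENSSH_CONF_OPTS, this entry has to change with it; the comment is a good place to say so.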