Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libpam-chroot

[ Reason ]
This version includes fixes to build the package properly, including:

- Installing the PAM module in the correct location (#980047)
- Supporting cross building of source (949080)
- Document that libpam-chroot is not recommended to be used with OpenSSH as it is difficult to set up and there are better alternatives (527564)

[ Impact ]
Users cannot use the package as it is as the pam_chroot library is not installed in the correct location. Users trying to follow the instructions in the README file to set up OpenSSH will end up with a non-working setup.

If the unblock is not granted this is not, however, a major issue as not many users use this package and chroot functionalities are, in general, not that much used anymore as people have in general now moved to containers.

[ Tests ]
Tested locally on the developer's machine.

[ Risks ]
Very low risk changes introduced in the package.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock libpam-chroot/0.9-5

Thank you for your support,

Javier

diff -u libpam-chroot-0.9/Makefile libpam-chroot-0.9/Makefile --- libpam-chroot-0.9/Makefile +++ libpam-chroot-0.9/Makefile @@ -5,6 +5,8 @@ CPPFLAGS=-I. LDFLAGS=-shared DESTDIR=/ +LIBDIR=$(DESTDIR)/lib/security +INSTALL?=install OUT=pam_chroot.so CONF=chroot.conf @@ -20,3 +22,3 @@ install: - install -s -o0 -g0 -m755 $(OUT) $(DESTDIR)/lib/security + $(INSTALL) -s -o0 -g0 -m755 $(OUT) $(LIBDIR) install -m640 $(CONF) $(DESTDIR)/etc/security diff -u libpam-chroot-0.9/debian/README.Debian libpam-chroot-0.9/debian/README.Debian --- libpam-chroot-0.9/debian/README.Debian +++ libpam-chroot-0.9/debian/README.Debian @@ -73,15 +73,22 @@ Setting up OpenSSH with libpam-chroot ------------------------------------- +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! NOTE: OpenSSH supports, since the 4.9 release, the definition of chrooted enviroments. For more information see the 'ChrootDirectory' -directive in sshd_config (5). +directive in sshd_config (5). + +Setting up OpenSSH libpam-chroot is *not* recommended and most likely will not +work. The following information is provided for those users that want to tinker +with pam-chroot and SSH. + +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Many systems want to setup a restricted remote access to a system in which users are confined to their user directories, but are unable to -"see" the whole system. If you want to develop this using OpenSSH you -will need to: +"see" the whole system. If you want to develop this using OpenSSH +and libpam-chroot you will need to: 0) Setup a chroot environment for your users. Make sure that environment includes the standard tools they will need (like their 
@@ -147,7 +154,29 @@ pam-chroot at all. +4) In order for chroots to work with newer OpenSSH versions the chroot +directory of a user needs to include both the /proc filesystem and +the /dev/pts + + - If /proc is not mounted in the chroot, SSH access will be interrupted + with the message: + + Connection reset by peer + Connection to <server-ip> closed. + + To mount /proc do the following: + mount -t proc /proc <chroot_directory>/proc + + - If /dev/pts is not mounted, the SSH login will freeze after + authentication with the message: + + PTY allocation request failed on channel 0 + + To mount /dev do the following: + mount --rbind /dev <chroot_directory>/dev + + -- Javier Fernandez-Sanguino <j...@debian.org> - Wed, 27 Oct 2010 02:01:26 +0200 + Thu, 03 Jun 2021 13:26:58 +0200 diff -u libpam-chroot-0.9/debian/changelog libpam-chroot-0.9/debian/changelog --- libpam-chroot-0.9/debian/changelog +++ libpam-chroot-0.9/debian/changelog @@ -1,3 +1,19 @@ +libpam-chroot (0.9-5) unstable; urgency=high + + * debian/rules: Install the PAM module in the right location + (Closes: #980047) + * Fix FTCBFS: (Closes: #949080, #437385) + + Let dh_auto_build pass cross tools to make. + + Make install substitutable. + + Pass a non-stripping install to make install. + Thanks Helmut Grohne for the patch + * debian/README.Debian: discourage users from using this module with + OpenSSH as this feature is available already in the daemon (see option + ChrootDirectory) and the setup might not work due to changes in OpenSSH + (Closes: #527564) + + -- Javier Fernandez-Sanguino Pen~a <j...@debian.org> Thu, 03 Jun 2021 12:57:43 +0200 + libpam-chroot (0.9-4.3) unstable; urgency=medium * Non-maintainer upload. diff -u libpam-chroot-0.9/debian/dirs libpam-chroot-0.9/debian/dirs --- libpam-chroot-0.9/debian/dirs +++ libpam-chroot-0.9/debian/dirs 
@@ -1,2 +1 @@ etc/security -lib/security diff -u libpam-chroot-0.9/debian/rules libpam-chroot-0.9/debian/rules --- libpam-chroot-0.9/debian/rules +++ libpam-chroot-0.9/debian/rules @@ -8,13 +8,16 @@ # This is the debhelper compatability version to use. # export DH_COMPAT=5 +DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) + + build: build-arch build-indep build-arch: build-stamp build-indep: build-stamp build-stamp: dh_testdir - $(MAKE) + dh_auto_build touch build-stamp clean: @@ -28,9 +31,9 @@ dh_testdir dh_testroot dh_installdirs - + mkdir -p $(CURDIR)/debian/libpam-chroot/lib/$(DEB_HOST_MULTIARCH) # Add here commands to install the package into debian/libpam-chroot - $(MAKE) install DESTDIR=$(CURDIR)/debian/libpam-chroot + $(MAKE) install DESTDIR=$(CURDIR)/debian/libpam-chroot LIBDIR=$(CURDIR)/debian/libpam-chroot/lib/$(DEB_HOST_MULTIARCH) INSTALL="install --strip-program=true" # Build architecture-independent files here.
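
Review bot: In the Makefile variables hunk, LIBDIR is defined as "$(DESTDIR)/lib/security", so the staging prefix is baked into the directory variable and anyone overriding LIBDIR has to repeat it, as debian/rules now does with "LIBDIR=$(CURDIR)/debian/libpam-chroot/lib/$(DEB_HOST_MULTIARCH)". Suggest defining LIBDIR=/lib/security and installing into $(DESTDIR)$(LIBDIR), so a packager passes the final path and the staging root separately.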
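
Review bot: In the Makefile install target, only the module line was switched to $(INSTALL); the context line "install -m640 $(CONF) $(DESTDIR)/etc/security" still calls install directly, so an INSTALL override reaches one of the two installed files. Suggest using $(INSTALL) there as well. The -s flag also stays hard-coded on the module line, which is why debian/rules has to neutralise it with --strip-program=true; dropping -s from the Makefile, or moving it into a variable, would make that workaround unnecessary.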
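
Review bot: In the first debian/README.Debian hunk, the added sentence "Setting up OpenSSH libpam-chroot is *not* recommended" is missing "with" after OpenSSH. The removed and added "directive in sshd_config (5)." lines read identically as shown, so that change looks whitespace-only; if it introduces trailing whitespace it should be dropped from the diff.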
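
Review bot: In the new step 4 of debian/README.Debian, the second bullet names /dev/pts as the missing piece but the command given is "mount --rbind /dev <chroot_directory>/dev", which makes every host device node reachable by path inside the chroot rather than only the pseudo-terminal filesystem. For a setup whose purpose is confinement, suggest documenting a devpts mount on <chroot_directory>/dev/pts plus the few device nodes the users need, and rewording "To mount /dev" to match. The /proc mount in the first bullet likewise makes the host's process list visible from inside the chroot, which is worth stating next to the command.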
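
Review bot: In the debian/changelog hunk, the first item credits the install-location fix to debian/rules alone, while the Makefile's new LIBDIR variable and the removal of lib/security from debian/dirs are not itemised; listing them would match the "all changes are documented in the d/changelog" checklist item. The entry also sets urgency=high for build fixes and a README change, and closes #437385, which the unblock request does not mention; a sentence on both in the request would help the release team.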
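
Review bot: In the first debian/rules hunk, "$(MAKE)" is replaced by "dh_auto_build" while the comment just above still reads "# export DH_COMPAT=5". dh_auto_build arrived with debhelper 7, so confirm that debian/compat and the debhelper Build-Depends (neither is part of this debdiff) are at a level that provides it, and update or drop the stale comment. The hunk also adds two blank lines after the DEB_HOST_MULTIARCH assignment where one is enough.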
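
Review bot: In the install hunk of debian/rules, the module directory is passed as "LIBDIR=$(CURDIR)/debian/libpam-chroot/lib/$(DEB_HOST_MULTIARCH)" with no "security" component, whereas the Makefile default is "$(DESTDIR)/lib/security" and the entry removed from debian/dirs was lib/security. On Debian multiarch systems PAM modules are installed under lib/<triplet>/security, so as written pam_chroot.so appears to land one level above the directory PAM searches. Suggest creating and passing lib/$(DEB_HOST_MULTIARCH)/security, and checking the built package's file list with dpkg -c before the upload.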