From fc03662803220691e1118101a111ce687bd5dae0 Mon Sep 17 00:00:00 2001
From: Timothée Ravier
Date: Jan 18 2021 17:17:13 +0000
Subject: Use /usr/share/empty.ssh instead of /var/empty/sshd
This has the following advantages:
* Removes a dependency on a directory stored in /var
* /usr is mounted read only on ostree based systems (CoreOS, Silverblue)
This also removes the tmpfiles config.
---
diff --git a/openssh.rpmlintrc b/openssh.rpmlintrc
index 0a7a50e..2404235 100644
--- a/openssh.rpmlintrc
+++ b/openssh.rpmlintrc
@@ -13,9 +13,8 @@ addFilter(r'openssh-(askpass|cavs).x86_64: W: no-documentation')
 # sshd config and sysconfig is not supposed to be world readable
 addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)')
-# The /var/empty/sshd is supposed to have the given permissions
-addFilter(r'non-standard-dir-perm /var/empty/sshd 711')
-addFilter(r'non-standard-dir-in-var empty')
+# /usr/share/empty.sshd is required to have the given permissions
+addFilter(r'non-standard-dir-perm /usr/share/empty.sshd 711')
 # Spelling false-positives
 addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ')
diff --git a/openssh.spec b/openssh.spec
index 578a2eb..e521f60 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.4p1
-%global openssh_rel 4
+%global openssh_rel 5
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 1
@@ -74,7 +74,6 @@ Source10: sshd.socket
 Source11: sshd.service
 Source12: sshd-keygen@.service
 Source13: sshd-keygen
-Source14: sshd.tmpfiles
 Source15: sshd-keygen.target
 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
@@ -438,7 +437,7 @@ fi
 --datadir=%{_datadir}/openssh \
 --with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
 --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
- --with-privsep-path=%{_var}/empty/sshd \
+ --with-privsep-path=%{_datadir}/empty.sshd \
 --disable-strip \
 --without-zlib-version-check \
 --with-ssl-engine \
@@ -515,7 +514,6 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
-mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
 %make_install
 install -d $RPM_BUILD_ROOT/etc/pam.d/
@@ -535,7 +533,7 @@ install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
 install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
-install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
+install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
 %if ! %{no_gnome_askpass}
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
@@ -566,7 +564,7 @@ getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
 getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
 getent passwd sshd >/dev/null || \
 useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
- -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
+ -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
 %post server
 %systemd_post sshd.service sshd.socket
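Review bot: The added `install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd` line is the only place in this %install hunk that brace-quotes the build root; every neighbouring line writes `$RPM_BUILD_ROOT%{_bindir}/` or `$RPM_BUILD_ROOT/%{_unitdir}/...`, so for consistency I would write `install -d -m711 $RPM_BUILD_ROOT%{_datadir}/empty.sshd`. The `-m711` here only shapes the build root; the ownership and mode that actually land on the installed system come from the `%dir %attr(0711,root,root) %{_datadir}/empty.sshd` entry in %files, which is the line to check for the privsep-directory guarantee (root-owned, not group/world-writable). The %install section this sits in starts and ends outside the hunk.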
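Review bot: The new `useradd` line hardcodes `-d /usr/share/empty.sshd` while `--with-privsep-path`, the %install step and the %files entry all spell the directory as `%{_datadir}/empty.sshd`; should `%{_datadir}` ever differ from /usr/share, the account's home and the compiled-in privsep directory would silently diverge. Scriptlets are macro-expanded at build time, so `-s /sbin/nologin -r -d %{_datadir}/empty.sshd sshd 2> /dev/null || :` keeps the two in step; the removed line hardcoded /var/empty/sshd the same way, so this is pre-existing, but the relocation is the natural moment to fix it. Because `useradd` only runs when `getent passwd sshd` fails, existing installations keep the old /var/empty/sshd home after upgrade even though the package no longer ships that directory; as far as I know sshd chroots into the configured privsep path rather than the account's home, so this should be cosmetic, but it is worth confirming or noting in the changelog. The scriptlet this belongs to starts outside the hunk.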
@@ -624,7 +622,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
 %files server
-%dir %attr(0711,root,root) %{_var}/empty/sshd
+%dir %attr(0711,root,root) %{_datadir}/empty.sshd
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
@@ -642,7 +640,6 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
-%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
 %files keycat
 %doc HOWTO.ssh-keycat
@@ -669,6 +666,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Wed Dec 16 2020 Timothée Ravier - 8.4p1-5 + 0.10.4-1
+- Use /usr/share/empty.sshd instead of /var/empty/sshd
+
 * Tue Dec 01 2020 Jakub Jelen - 8.4p1-4 + 0.10.4-1
 - Remove "PasswordAuthentication yes" from vendor configuration as it is already default and it might be hard to override.
diff --git a/sshd.tmpfiles b/sshd.tmpfiles
deleted file mode 100644
index c35a2b8..0000000
--- a/sshd.tmpfiles
+++ /dev/null
@@ -1 +0,0 @@
-d /var/empty/sshd 711 root root
-