
Bug#764608: patch for X11 forwarding when pam_namespace.so is used on SSH client



Control: found -1 1:6.7p1-1
Control: forwarded -1 https://bugzilla.mindrot.org/show_bug.cgi?id=1789

On Thu, Oct 09, 2014 at 04:56:48PM +0200, Mike Gabriel wrote:
> I just checked debian/changelog and the 6.7 release announcement. The
> following issue hasn't been addressed yet in Debian, nor by upstream.
> 
> If on the SSH client side a session is running with pam_namespace.so
> in use, it is impossible to do X11 port forwarding. The ssh client
> tries to connect to /tmp/.X11-unix/X<displayport> which is out of
> reach with pam_namespace sessions.
> 
> Instead, ssh client should connect the X11 forwarding end point to the
> X11 socket in kernel namespace (@/tmp/.X11-unix/X<displayport>).
> 
> A patch is available in the Fedora OpenSSH package [1].
[...]
> [1] http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-5.5p1-x11.patch

It appears (after a bit of trawling through git history plus some
guesswork; I wish Fedora had better conventions for patch headers the
way that Debian does ...) that this is
https://bugzilla.redhat.com/show_bug.cgi?id=598671, and the upstream bug
is https://bugzilla.mindrot.org/show_bug.cgi?id=1789.  By the way the
patch in Fedora's git repository does not match the latest one attached
to the upstream bug.

I'm a bit wary given upstream's fairly strenuous objections.  In cases
where I feel I know something better than upstream I do sometimes decide
to carry a patch anyway of course, but in this case I'm far from a
relevant expert.  Do you think that perhaps somebody could re-engage
with that upstream bug and see if they can work through the objections?

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
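
The two endpoints the report contrasts, as an added example (not code from OpenSSH, the Fedora patch or anyone in this thread): the filesystem path /tmp/.X11-unix/X<displayport> and the same name in the Linux abstract socket namespace, written with a leading '@' in the report. The function names and the abstract-first fallback order are assumptions of this sketch.

```c
/* Added example, not OpenSSH or Fedora code. Linux-only: abstract sockets. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define X11_UNIX_FMT "/tmp/.X11-unix/X%d"   /* path quoted in the report */

/* Fill *sa for the given display; abstract != 0 selects the Linux abstract
 * namespace (leading NUL byte, shown as '@' by tools). Returns the address
 * length to pass to connect(), or 0 if the name does not fit. */
socklen_t x11_unix_addr(struct sockaddr_un *sa, int display, int abstract)
{
    char name[sizeof(sa->sun_path)];
    int n = snprintf(name, sizeof(name), X11_UNIX_FMT, display);
    size_t off = abstract ? 1 : 0;

    if (n < 0 || (size_t)n + off >= sizeof(sa->sun_path))
        return 0;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path + off, name, (size_t)n);
    /* Abstract names are length-delimited, not NUL-terminated: count exactly
     * 1 + n bytes, or the trailing zero padding becomes part of the name. */
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + off + (size_t)n
                       + (abstract ? 0 : 1));
}

/* Hypothetical helper: try the abstract socket first, then the filesystem
 * path. Returns a connected fd, or -1 if neither endpoint accepts. */
int x11_unix_connect(int display)
{
    for (int abstract = 1; abstract >= 0; abstract--) {
        struct sockaddr_un sa;
        socklen_t len = x11_unix_addr(&sa, display, abstract);
        int fd = len ? socket(AF_UNIX, SOCK_STREAM, 0) : -1;

        if (fd < 0)
            continue;
        if (connect(fd, (struct sockaddr *)&sa, len) == 0)
            return fd;
        close(fd);
    }
    return -1;
}
```

Abstract names are scoped by network namespace rather than by the mount namespace, which is why a polyinstantiated /tmp does not hide them. They also carry no filesystem permissions, so anything that relies on directory or socket-file modes for access control does not apply to the abstract endpoint.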

