From aedf215b9091eefdc27052ad48f03fbede25bfbb Mon Sep 17 00:00:00 2001
From: Bernhard Kaindl <43588962+bernhardkaindl@users.noreply.github.com>
Date: Fri, 17 Jun 2022 20:09:52 +0200
Subject: [PATCH] openssh: don't suid-install ssh-keysign (not used by default) (#31083)

---
 var/spack/repos/builtin/packages/openssh/package.py | 4 ++++
 1 file changed, 4 insertions(+)
 mode change 100644 => 100755 var/spack/repos/builtin/packages/openssh/package.py

diff --git a/var/spack/repos/builtin/packages/openssh/package.py b/var/spack/repos/builtin/packages/openssh/package.py
old mode 100644
new mode 100755
index 77dba88357..2f5441631a
--- a/var/spack/repos/builtin/packages/openssh/package.py
+++ b/var/spack/repos/builtin/packages/openssh/package.py
@@ -65,6 +65,10 @@ def determine_version(cls, exe):
 match = re.search(r'OpenSSH_([^, ]+)', output)
 return match.group(1) if match else None

+ def patch(self):
+ # #29938: skip set-suid (also see man ssh-key-sign: it's not enabled by default)
+ filter_file(r'\$\(INSTALL\) -m 4711', '$(INSTALL) -m711', 'Makefile.in')
+
 def configure_args(self):
 # OpenSSH's privilege separation path defaults to /var/empty. At
 # least newer versions want to create the directory during the
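Review bot: The `filter_file` call in the new `patch()` only takes effect when `Makefile.in` contains the exact text `$(INSTALL) -m 4711`. As far as I can tell it does not fail when nothing matches, so an OpenSSH release that writes the install mode differently would quietly restore the setuid bit on ssh-keysign. A check after the install step that the installed ssh-keysign has no setuid bit, failing the build otherwise, would turn that into a visible error. The comment should name the real man page and the trade-off, for example `# #29938: install ssh-keysign without setuid; ssh-keysign(8) is only used for host-based auth and is off unless EnableSSHKeysign is set`, so sites that rely on host-based authentication know this build will not support it. Separately, the `mode change 100644 => 100755` on package.py looks unrelated to the fix and is probably accidental, since a package recipe does not need to be executable.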