diff options
author | Damien Miller <djm@mindrot.org> | 2006-06-13 05:10:00 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2006-06-13 05:10:00 +0200 |
commit | 2e5fe88ebe5a09477a655a36b047063282bfd86c (patch) | |
tree | bde219ce55421476bab60c5209522dbd3d66d2a1 | |
parent | - markus@cvs.openbsd.org 2006/06/06 10:20:20 (diff) | |
download | openssh-2e5fe88ebe5a09477a655a36b047063282bfd86c.tar.xz openssh-2e5fe88ebe5a09477a655a36b047063282bfd86c.zip |
- markus@cvs.openbsd.org 2006/06/08 14:45:49
[readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
do not set the gid, noted by solar; ok djm
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | readpass.c | 4 | ||||
-rw-r--r-- | sshconnect.c | 4 | ||||
-rw-r--r-- | sshconnect2.c | 4 | ||||
-rw-r--r-- | uidswap.c | 37 | ||||
-rw-r--r-- | uidswap.h | 3 |
6 files changed, 48 insertions, 9 deletions
@@ -42,6 +42,9 @@ [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c] replace remaining setuid() calls with permanently_set_uid() and check seteuid() return values; report Marcus Meissner; ok dtucker djm + - markus@cvs.openbsd.org 2006/06/08 14:45:49 + [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h] + do not set the gid, noted by solar; ok djm 20060521 - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor @@ -4675,4 +4678,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4341 2006/06/13 03:05:15 djm Exp $ +$Id: ChangeLog,v 1.4342 2006/06/13 03:10:00 djm Exp $ diff --git a/readpass.c b/readpass.c index 60e4a902f..34d70b07a 100644 --- a/readpass.c +++ b/readpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readpass.c,v 1.38 2006/06/06 10:20:20 markus Exp $ */ +/* $OpenBSD: readpass.c,v 1.39 2006/06/08 14:45:49 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -61,7 +61,7 @@ ssh_askpass(char *askpass, const char *msg) return NULL; } if (pid == 0) { - permanently_set_uid(getpwuid(getuid())); + permanently_drop_suid(getuid()); close(p[0]); if (dup2(p[1], STDOUT_FILENO) < 0) fatal("ssh_askpass: dup2: %s", strerror(errno)); diff --git a/sshconnect.c b/sshconnect.c index 41ad82f9f..c76572662 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.183 2006/06/06 10:20:20 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.184 2006/06/08 14:45:49 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -97,7 +97,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) char *argv[10]; /* Child. Permanently give up superuser privileges. */ - permanently_set_uid(getpwuid(original_real_uid)); + permanently_drop_suid(original_real_uid); /* Redirect stdin and stdout. */ close(pin[1]); diff --git a/sshconnect2.c b/sshconnect2.c index c97738c7b..4f96dcfc4 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.154 2006/06/06 10:20:20 markus Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.155 2006/06/08 14:45:49 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -1253,7 +1253,7 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp, return -1; } if (pid == 0) { - permanently_set_uid(getpwuid(getuid())); + permanently_drop_suid(getuid()); close(from[0]); if (dup2(from[1], STDOUT_FILENO) < 0) fatal("ssh_keysign: dup2: %s", strerror(errno)); @@ -1,4 +1,4 @@ -/* $OpenBSD: uidswap.c,v 1.28 2006/06/06 10:20:20 markus Exp $ */ +/* $OpenBSD: uidswap.c,v 1.29 2006/06/08 14:45:49 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -123,6 +123,41 @@ temporarily_use_uid(struct passwd *pw) strerror(errno)); } +void +permanently_drop_suid(uid_t uid) +{ + uid_t old_uid = getuid(); + + debug("permanently_drop_suid: %u", (u_int)uid); +#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID) + if (setresuid(uid, uid, uid) < 0) + fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno)); +#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID) + if (setreuid(uid, uid) < 0) + fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno)); +#else +# ifndef SETEUID_BREAKS_SETUID + if (seteuid(uid) < 0) + fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno)); +# endif + if (setuid(uid) < 0) + fatal("setuid %u: %.100s", (u_int)uid, strerror(errno)); +#endif + +#ifndef HAVE_CYGWIN + /* Try restoration of UID if changed (test clearing of saved uid) */ + if (old_uid != uid && + (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) + fatal("%s: was able to restore old [e]uid", __func__); +#endif + + /* Verify UID drop was successful */ + if (getuid() != uid || geteuid() != uid) { + fatal("%s: euid incorrect uid:%u euid:%u (should be %u)", + __func__, (u_int)getuid(), (u_int)geteuid(), (u_int)uid); + } +} + /* * Restores to the original (privileged) uid. */ @@ -1,4 +1,4 @@ -/* $OpenBSD: uidswap.h,v 1.10 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: uidswap.h,v 1.11 2006/06/08 14:45:49 markus Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -18,5 +18,6 @@ void temporarily_use_uid(struct passwd *); void restore_uid(void); void permanently_set_uid(struct passwd *); +void permanently_drop_suid(uid_t); #endif /* UIDSWAP_H */ |