From f9c4884c8effe6dd78ab3ed4e42ed69c4a8652d0 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Tue, 11 Jun 2002 16:37:51 +0000 Subject: [PATCH] - markus@cvs.openbsd.org 2002/06/11 04:14:26 [ssh.c sshconnect.c sshconnect.h] no longer use uidswap.[ch] from the ssh client run less code with euid==0 if ssh is installed setuid root just switch the euid, don't switch the complete set of groups (this is only needed by sshd). ok provos@ --- ChangeLog | 8 +++++++- ssh.c | 20 ++++++++++---------- sshconnect.c | 47 ++++++++++++++++------------------------------- sshconnect.h | 20 ++++++++++++++++++-- 4 files changed, 51 insertions(+), 44 deletions(-) diff --git a/ChangeLog b/ChangeLog index 99448aa9d..9e0b5159a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,12 @@ [channels.c channels.h session.c] move creation of agent socket to session.c; no need for uidswapping in channel.c. + - markus@cvs.openbsd.org 2002/06/11 04:14:26 + [ssh.c sshconnect.c sshconnect.h] + no longer use uidswap.[ch] from the ssh client + run less code with euid==0 if ssh is installed setuid root + just switch the euid, don't switch the complete set of groups + (this is only needed by sshd). ok provos@ 20020609 - (bal) OpenBSD CVS Sync @@ -894,4 +900,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2207 2002/06/11 15:59:02 mouring Exp $ +$Id: ChangeLog,v 1.2208 2002/06/11 16:37:51 mouring Exp $ diff --git a/ssh.c b/ssh.c index 7cadc1873..5693c0d39 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.176 2002/06/08 05:17:01 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.177 2002/06/11 04:14:26 markus Exp $"); #include #include @@ -53,7 +53,6 @@ RCSID("$OpenBSD: ssh.c,v 1.176 2002/06/08 05:17:01 markus Exp $"); #include "xmalloc.h" #include "packet.h" #include "buffer.h" -#include "uidswap.h" #include "channels.h" #include "key.h" #include "authfd.h" @@ -136,6 +135,7 @@ Sensitive sensitive_data; /* Original real UID. */ uid_t original_real_uid; +uid_t original_effective_uid; /* command to be executed */ Buffer command; @@ -217,7 +217,6 @@ main(int ac, char **av) struct stat st; struct passwd *pw; int dummy; - uid_t original_effective_uid; extern int optind, optreset; extern char *optarg; @@ -256,7 +255,7 @@ main(int ac, char **av) * them when the port has been created (actually, when the connection * has been made, as we may need to create the port several times). */ - temporarily_use_uid(pw); + PRIV_END; /* * Set our umask to something reasonable, as some files are created @@ -612,15 +611,12 @@ again: "originating port will not be trusted."); options.rhosts_authentication = 0; } - /* Restore our superuser privileges. */ - restore_uid(); - /* Open a connection to the remote host. */ cerr = ssh_connect(host, &hostaddr, options.port, IPv4or6, options.connection_attempts, - original_effective_uid != 0 || !options.use_privileged_port, - pw, options.proxy_command); + original_effective_uid == 0 && options.use_privileged_port, + options.proxy_command); /* * If we successfully made the connection, load the host private key @@ -637,12 +633,15 @@ again: options.hostbased_authentication)) { sensitive_data.nkeys = 3; sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key)); + + PRIV_START; sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, _PATH_HOST_KEY_FILE, "", NULL); sensitive_data.keys[1] = key_load_private_type(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, "", NULL); sensitive_data.keys[2] = key_load_private_type(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, "", NULL); + PRIV_END; if (sensitive_data.keys[0] == NULL && sensitive_data.keys[1] == NULL && @@ -661,7 +660,8 @@ again: * user's home directory if it happens to be on a NFS volume where * root is mapped to nobody. */ - permanently_set_uid(pw); + seteuid(original_real_uid); + setuid(original_real_uid); /* * Now that we are back to our own permissions, create ~/.ssh diff --git a/sshconnect.c b/sshconnect.c index 651e3fcf4..3a93a4fbb 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.123 2002/06/09 22:17:21 itojun Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.124 2002/06/11 04:14:26 markus Exp $"); #include @@ -36,8 +36,11 @@ RCSID("$OpenBSD: sshconnect.c,v 1.123 2002/06/09 22:17:21 itojun Exp $"); char *client_version_string = NULL; char *server_version_string = NULL; +/* import */ extern Options options; extern char *__progname; +extern uid_t original_real_uid; +extern uid_t original_effective_uid; #ifndef INET6_ADDRSTRLEN /* for non IPv6 machines */ #define INET6_ADDRSTRLEN 46 @@ -58,8 +61,7 @@ sockaddr_ntop(struct sockaddr *sa, socklen_t salen) * Connect to the given ssh server using a proxy command. */ static int -ssh_proxy_connect(const char *host, u_short port, struct passwd *pw, - const char *proxy_command) +ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) { Buffer command; const char *cp; @@ -109,7 +111,8 @@ ssh_proxy_connect(const char *host, u_short port, struct passwd *pw, char *argv[10]; /* Child. Permanently give up superuser privileges. */ - permanently_set_uid(pw); + seteuid(original_real_uid); + setuid(original_real_uid); /* Redirect stdin and stdout. */ close(pin[1]); @@ -159,7 +162,7 @@ ssh_proxy_connect(const char *host, u_short port, struct passwd *pw, * Creates a (possibly privileged) socket for use as the ssh connection. */ static int -ssh_create_socket(struct passwd *pw, int privileged, int family) +ssh_create_socket(int privileged, int family) { int sock, gaierr; struct addrinfo hints, *res; @@ -170,22 +173,18 @@ ssh_create_socket(struct passwd *pw, int privileged, int family) */ if (privileged) { int p = IPPORT_RESERVED - 1; + PRIV_START; sock = rresvport_af(&p, family); + PRIV_END; if (sock < 0) error("rresvport: af=%d %.100s", family, strerror(errno)); else debug("Allocated local port %d.", p); return sock; } - /* - * Just create an ordinary socket on arbitrary port. We use - * the user's uid to create the socket. - */ - temporarily_use_uid(pw); sock = socket(family, SOCK_STREAM, 0); if (sock < 0) error("socket: %.100s", strerror(errno)); - restore_uid(); /* Bind the socket to an alternative local IP address */ if (options.bind_address == NULL) @@ -215,9 +214,9 @@ ssh_create_socket(struct passwd *pw, int privileged, int family) /* * Opens a TCP/IP connection to the remote server on the given host. * The address of the remote host will be returned in hostaddr. - * If port is 0, the default port will be used. If anonymous is zero, + * If port is 0, the default port will be used. If needpriv is true, * a privileged port will be allocated to make the connection. - * This requires super-user privileges if anonymous is false. + * This requires super-user privileges if needpriv is true. * Connection_attempts specifies the maximum number of tries (one per * second). If proxy_command is non-NULL, it specifies the command (with %h * and %p substituted for host and port, respectively) to use to contact @@ -232,7 +231,7 @@ ssh_create_socket(struct passwd *pw, int privileged, int family) int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, u_short port, int family, int connection_attempts, - int anonymous, struct passwd *pw, const char *proxy_command) + int needpriv, const char *proxy_command) { int gaierr; int on = 1; @@ -248,8 +247,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, */ int full_failure = 1; - debug("ssh_connect: getuid %u geteuid %u anon %d", - (u_int) getuid(), (u_int) geteuid(), anonymous); + debug("ssh_connect: needpriv %d", needpriv); /* Get default port if port has not been set. */ if (port == 0) { @@ -261,7 +259,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, } /* If a proxy command is given, connect using it. */ if (proxy_command != NULL) - return ssh_proxy_connect(host, port, pw, proxy_command); + return ssh_proxy_connect(host, port, proxy_command); /* No proxy command. */ @@ -297,26 +295,14 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, host, ntop, strport); /* Create a socket for connecting. */ - sock = ssh_create_socket(pw, -#ifdef HAVE_CYGWIN - !anonymous, -#else - !anonymous && geteuid() == 0, -#endif - ai->ai_family); + sock = ssh_create_socket(needpriv, ai->ai_family); if (sock < 0) /* Any error is already output */ continue; - /* Connect to the host. We use the user's uid in the - * hope that it will help with tcp_wrappers showing - * the remote uid as root. - */ - temporarily_use_uid(pw); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); - restore_uid(); break; } else { if (errno == ECONNREFUSED) @@ -324,7 +310,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, log("ssh: connect to address %s port %s: %s", sockaddr_ntop(ai->ai_addr, ai->ai_addrlen), strport, strerror(errno)); - restore_uid(); /* * Close the failed socket; there appear to * be some problems when reusing a socket for diff --git a/sshconnect.h b/sshconnect.h index aeb2e51a5..48148833f 100644 --- a/sshconnect.h +++ b/sshconnect.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.15 2002/06/09 13:32:01 markus Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.16 2002/06/11 04:14:26 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -35,7 +35,7 @@ struct Sensitive { int ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, - int, struct passwd *, const char *); + int, const char *); void ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *); @@ -50,4 +50,20 @@ void ssh_userauth2(const char *, const char *, char *, Sensitive *); void ssh_put_password(char *); + +/* + * Macros to raise/lower permissions. + */ +#define PRIV_START do { \ + int save_errno = errno; \ + (void)seteuid(original_effective_uid); \ + errno = save_errno; \ +} while (0) + +#define PRIV_END do { \ + int save_errno = errno; \ + (void)seteuid(original_real_uid); \ + errno = save_errno; \ +} while (0) + #endif