Bugzilla – Attachment 1311 Details for
Bug 1247
ssh-agent prevents use of filesystem permissions to control access to agent socket
[patch]
Add -P option to ssh-agent to disable strict identity check
ssh-agent-nocheck.diff (text/plain), 2.01 KB, created by
Damien Miller
on 2007-06-22 15:46:22 AEST
Description:
Add -P option to ssh-agent to disable strict identity check
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2007-06-22 15:46:22 AEST
Size:
2.01 KB
patch
obsolete
>Index: ssh-agent.c
>===================================================================
>RCS file: /var/cvs/openssh/ssh-agent.c,v
>retrieving revision 1.171
>diff -u -p -r1.171 ssh-agent.c
>--- ssh-agent.c 21 Mar 2007 09:45:07 -0000 1.171
>+++ ssh-agent.c 22 Jun 2007 05:44:52 -0000
>@@ -135,6 +135,9 @@ extern char *__progname;
> /* Default lifetime (0 == forever) */
> static int lifetime = 0;
>
>+/* Perform user identity check on auth sock access */
>+static int check_peer_id = 1;
>+
> static void
> close_socket(SocketEntry *e)
> {
>@@ -899,6 +902,26 @@ prepare_select(fd_set **fdrp, fd_set **f
> return (1);
> }
>
>+static int
>+check_peer(int sock)
>+{
>+ uid_t euid;
>+ gid_t egid;
>+
>+ if (check_peer_id == 0)
>+ return 0;
>+ if (getpeereid(sock, &euid, &egid) < 0) {
>+ error("getpeereid %d failed: %s", sock, strerror(errno));
>+ return -1;
>+ }
>+ if ((euid != 0) && (getuid() != euid)) {
>+ error("uid mismatch: peer euid %u != uid %u", (u_int)euid,
>+ (u_int)getuid());
>+ return -1;
>+ }
>+ return 0;
>+}
>+
> static void
> after_select(fd_set *readset, fd_set *writeset)
> {
>@@ -907,8 +930,6 @@ after_select(fd_set *readset, fd_set *wr
> char buf[1024];
> int len, sock;
> u_int i;
>- uid_t euid;
>- gid_t egid;
>
> for (i = 0; i < sockets_alloc; i++)
> switch (sockets[i].type) {
>@@ -924,16 +945,7 @@ after_select(fd_set *readset, fd_set *wr
> strerror(errno));
> break;
> }
>- if (getpeereid(sock, &euid, &egid) < 0) {
>- error("getpeereid %d failed: %s",
>- sock, strerror(errno));
>- close(sock);
>- break;
>- }
>- if ((euid != 0) && (getuid() != euid)) {
>- error("uid mismatch: "
>- "peer euid %u != uid %u",
>- (u_int) euid, (u_int) getuid());
>+ if (check_peer(sock) != 0) {
> close(sock);
> break;
> }
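Review bot: In check_peer (second hunk), the `check_peer_id == 0` test returns before getpeereid() is called, so with the check disabled a connection from another uid is accepted without any record of who connected. From then on the socket's file and directory permissions are the only access control on the loaded keys. Consider still querying the peer and logging a mismatch before accepting it, so that use of the agent by other accounts stays auditable. The comment on `check_peer_id` in the first hunk could also say that 0 means the check is skipped and that -P sets it. A sketch of the reordered body follows; whether `logit` or `debug` is the right level depends on how the agent's logging is set up, which is not visible in this patch.

```c
static int
check_peer(int sock)
{
	/* ... unchanged: euid/egid declarations ... */

	if (getpeereid(sock, &euid, &egid) < 0) {
		/* -P: an unidentifiable peer is still accepted */
		if (check_peer_id == 0)
			return 0;
		/* ... unchanged: error() and return -1 ... */
	}
	if ((euid != 0) && (getuid() != euid)) {
		if (check_peer_id == 0) {
			/* Keep a trail of foreign-uid access when -P is set */
			logit("peer euid %u != uid %u, allowed by -P",
			    (u_int)euid, (u_int)getuid());
			return 0;
		}
		/* ... unchanged: error() and return -1 ... */
	}
	return 0;
}
```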
>@@ -1065,8 +1077,11 @@ main(int ac, char **av)
> init_rng();
> seed_rng();
>
>- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
>+ while ((ch = getopt(ac, av, "Pcdksa:t:")) != -1) {
> switch (ch) {
>+ case 'P':
>+ check_peer_id = 0;
>+ break;
> case 'c':
> if (s_flag)
> usage();
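Review bot: The new `case 'P'` comes with no change to usage() or the manual page anywhere in this patch, so the option that switches off the peer uid check is undocumented. Add it to the usage text, and state in the manual that with -P access to the agent is governed only by the socket's filesystem permissions. A comment at the case would help the next reader too, e.g. `/* -P: skip peer uid check; socket permissions alone control access */`. main() starts and continues outside this hunk, so interactions with the other flags cannot be judged from here.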
Attachments on
bug 1247
: 1311 |
2046