Attachment #2945 for bug #2681

View | Details | Raw Unified | Return to bug 2681
Collapse All | Expand All

Lines 250-255 debug3(const char *fmt,...) Link Here

(-)openssh-7.4p1/log.c.log-in-chroot (-2 / +9 lines)
250	void	250	void
251	log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)	251	log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
252	{	252	{
		253	log_init_handler(av0, level, facility, on_stderr, 1);
		254	}
		255
		256	void
		257	log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
253	#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)	258	#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
254	struct syslog_data sdata = SYSLOG_DATA_INIT;	259	struct syslog_data sdata = SYSLOG_DATA_INIT;
255	#endif	260	#endif
Lines 273-280 log_init(char *av0, LogLevel level, Sysl Link Here
273	exit(1);	278	exit(1);
274	}	279	}
275		280
276	log_handler = NULL;	281	if (reset_handler) {
277	log_handler_ctx = NULL;	282	log_handler = NULL;
		283	log_handler_ctx = NULL;
		284	}
278		285
279	log_on_stderr = on_stderr;	286	log_on_stderr = on_stderr;
280	if (on_stderr)	287	if (on_stderr)

Lines 49-54 typedef enum { Link Here

(-)openssh-7.4p1/log.h.log-in-chroot (+1 lines)
49	typedef void (log_handler_fn)(LogLevel, const char , void );	49	typedef void (log_handler_fn)(LogLevel, const char , void );
50		50
51	void log_init(char *, LogLevel, SyslogFacility, int);	51	void log_init(char *, LogLevel, SyslogFacility, int);
		52	void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
52	void log_change_level(LogLevel);	53	void log_change_level(LogLevel);
53	int log_is_on_stderr(void);	54	int log_is_on_stderr(void);
54	void log_redirect_stderr_to(const char *);	55	void log_redirect_stderr_to(const char *);

Lines 307-312 monitor_child_preauth(Authctxt *_authctx Link Here

(-)openssh-7.4p1/monitor.c.log-in-chroot (-3 / +22 lines)
307	close(pmonitor->m_log_sendfd);	307	close(pmonitor->m_log_sendfd);
308	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;	308	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
309		309
		310	pmonitor->m_state = "preauth";
		311
310	authctxt = _authctxt;	312	authctxt = _authctxt;
311	memset(authctxt, 0, sizeof(*authctxt));	313	memset(authctxt, 0, sizeof(*authctxt));
312		314
Lines 405-410 monitor_child_postauth(struct monitor *p Link Here
405	close(pmonitor->m_recvfd);	407	close(pmonitor->m_recvfd);
406	pmonitor->m_recvfd = -1;	408	pmonitor->m_recvfd = -1;
407		409
		410	pmonitor->m_state = "postauth";
		411
408	monitor_set_child_handler(pmonitor->m_pid);	412	monitor_set_child_handler(pmonitor->m_pid);
409	signal(SIGHUP, &monitor_child_handler);	413	signal(SIGHUP, &monitor_child_handler);
410	signal(SIGTERM, &monitor_child_handler);	414	signal(SIGTERM, &monitor_child_handler);
Lines 472-478 monitor_read_log(struct monitor *pmonito Link Here
472	if (log_level_name(level) == NULL)	476	if (log_level_name(level) == NULL)
473	fatal("%s: invalid log level %u (corrupted message?)",	477	fatal("%s: invalid log level %u (corrupted message?)",
474	__func__, level);	478	__func__, level);
475	do_log2(level, "%s [preauth]", msg);	479	do_log2(level, "%s [%s]", msg, pmonitor->m_state);
476		480
477	buffer_free(&logmsg);	481	buffer_free(&logmsg);
478	free(msg);	482	free(msg);
Lines 1719-1731 monitor_init(void) Link Here
1719	mon = xcalloc(1, sizeof(*mon));	1723	mon = xcalloc(1, sizeof(*mon));
1720	monitor_openfds(mon, 1);	1724	monitor_openfds(mon, 1);
1721		1725
		1726	mon->m_state = "";
		1727
1722	return mon;	1728	return mon;
1723	}	1729	}
1724		1730
1725	void	1731	void
1726	monitor_reinit(struct monitor *mon)	1732	monitor_reinit(struct monitor mon, const char chroot_dir)
1727	{	1733	{
1728	monitor_openfds(mon, 0);	1734	struct stat dev_log_stat;
		1735	char *dev_log_path;
		1736	int do_logfds = 0;
		1737
		1738	if (chroot_dir != NULL) {
		1739	xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
		1740
		1741	if (stat(dev_log_path, &dev_log_stat) != 0) {
		1742	debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
		1743	do_logfds = 1;
		1744	}
		1745	free(dev_log_path);
		1746	}
		1747	monitor_openfds(mon, do_logfds);
1729	}	1748	}
1730		1749
1731	#ifdef GSSAPI	1750	#ifdef GSSAPI

Lines 83-92 struct monitor { Link Here

(-)openssh-7.4p1/monitor.h.log-in-chroot (-1 / +2 lines)
83	int m_log_sendfd;	83	int m_log_sendfd;
84	struct kex **m_pkex;	84	struct kex **m_pkex;
85	pid_t m_pid;	85	pid_t m_pid;
		86	char *m_state;
86	};	87	};
87		88
88	struct monitor *monitor_init(void);	89	struct monitor *monitor_init(void);
89	void monitor_reinit(struct monitor *);	90	void monitor_reinit(struct monitor , const char );
90		91
91	struct Authctxt;	92	struct Authctxt;
92	void monitor_child_preauth(struct Authctxt , struct monitor );	93	void monitor_child_preauth(struct Authctxt , struct monitor );





static int is_child = 0;
static int in_chroot = 0;
static int have_dev_log = 1;

/* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL;

		is_child = 1;

		/* Child.  Reinitialize the log since the pid has changed. */
		log_init_handler(__progname, options.log_level,
		    options.log_facility, log_stderr, have_dev_log);

		/*
		 * Create a new session and process group since the 4.4BSD

		close(ptymaster);

		/* Child.  Reinitialize the log because the pid has changed. */
		log_init_handler(__progname, options.log_level,
		    options.log_facility, log_stderr, have_dev_log);
		/* Close the master side of the pseudo tty. */
		close(ptyfd);


	int ret;
	const char *forced = NULL, *tty = NULL;
	char session_type[1024];
	struct stat dev_log_stat;

	if (options.adm_forced_command) {
		original_command = command;

			tty += 5;
	}

	if (lstat("/dev/log", &dev_log_stat) != 0) {
		have_dev_log = 0;
	}

	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
	    session_type,
	    tty == NULL ? "" : " on ",

	 * descriptors left by system functions.  They will be closed later.
	 */
	endpwent();

	/*
	 * Close any extra open file descriptors so that we don't have them
	 * hanging around in clients.  Note that we want to do this after
	 * initgroups, because at least on Solaris 2.3 it leaves file
	 * descriptors open.
	 */
	closefrom(STDERR_FILENO + 1);
}

/*

			exit(1);
	}

	closefrom(STDERR_FILENO + 1);

	do_rc_files(s, shell);

	/* restore SIGPIPE for child */

		argv[i] = NULL;
		optind = optreset = 1;
		__progname = argv[0];
		exit(sftp_server_main(i, argv, s->pw, have_dev_log));
	}

	/*
	 * Close any extra open file descriptors so that we don't have them
	 * hanging around in clients.  Note that we want to do this after
	 * initgroups, because at least on Solaris 2.3 it leaves file
	 * descriptors open.
	 */
	closefrom(STDERR_FILENO + 1);

	fflush(NULL);

	/* Get the last component of the shell name. */

Lines 97-101 Link Here

(-)openssh-7.4p1/sftp.h.log-in-chroot (-1 / +1 lines)
97		97
98	struct passwd;	98	struct passwd;
99		99
100	int sftp_server_main(int, char *, struct passwd );	100	int sftp_server_main(int, char *, struct passwd , int);
101	void sftp_server_cleanup_exit(int) __attribute__((noreturn));	101	void sftp_server_cleanup_exit(int) __attribute__((noreturn));




}

int
sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
{
	fd_set *rset, *wset;
	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;


	ssh_malloc_init();	/* must be called before any mallocs */
	__progname = ssh_get_progname(argv[0]);
	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);

	pw = pwcopy(user_pw);


		}
	}

	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);

	/*
	 * On platforms where we can, avoid making /proc/self/{mem,maps}

Lines 49-53 main(int argc, char **argv) Link Here

(-)openssh-7.4p1/sftp-server-main.c.log-in-chroot (-1 / +1 lines)
49	return 1;	49	return 1;
50	}	50	}
51		51
52	return (sftp_server_main(argc, argv, user_pw));	52	return (sftp_server_main(argc, argv, user_pw, 0));
53	}	53	}

Lines 650-656 privsep_postauth(Authctxt *authctxt) Link Here

(-)openssh-7.4p1/sshd.c.log-in-chroot (-1 / +6 lines)
650	}	650	}
651		651
652	/* New socket pair */	652	/* New socket pair */
653	monitor_reinit(pmonitor);	653	monitor_reinit(pmonitor, options.chroot_directory);
654		654
655	pmonitor->m_pid = fork();	655	pmonitor->m_pid = fork();
656	if (pmonitor->m_pid == -1)	656	if (pmonitor->m_pid == -1)
Lines 668-673 privsep_postauth(Authctxt *authctxt) Link Here
668		668
669	close(pmonitor->m_sendfd);	669	close(pmonitor->m_sendfd);
670	pmonitor->m_sendfd = -1;	670	pmonitor->m_sendfd = -1;
		671	close(pmonitor->m_log_recvfd);
		672	pmonitor->m_log_recvfd = -1;
		673
		674	if (pmonitor->m_log_sendfd != -1)
		675	set_log_handler(mm_log_handler, pmonitor);
671		676
672	/* Demote the private keys to public keys. */	677	/* Demote the private keys to public keys. */
673	demote_sensitive_data();	678	demote_sensitive_data();

Return to bug 2681

Lines 160-165 login_cap_t *lc; Link Here

(-)openssh-7.4p1/session.c.log-in-chroot (-15 / +19 lines)
160		160
161	static int is_child = 0;	161	static int is_child = 0;
162	static int in_chroot = 0;	162	static int in_chroot = 0;
		163	static int have_dev_log = 1;
163		164
164	/* Name and directory of socket for authentication agent forwarding. */	165	/* Name and directory of socket for authentication agent forwarding. */
165	static char *auth_sock_name = NULL;	166	static char *auth_sock_name = NULL;
Lines 365-372 do_exec_no_pty(Session s, const char c Link Here
365	is_child = 1;	366	is_child = 1;
366		367
367	/* Child. Reinitialize the log since the pid has changed. */	368	/* Child. Reinitialize the log since the pid has changed. */
368	log_init(__progname, options.log_level,	369	log_init_handler(__progname, options.log_level,
369	options.log_facility, log_stderr);	370	options.log_facility, log_stderr, have_dev_log);
370		371
371	/*	372	/*
372	* Create a new session and process group since the 4.4BSD	373	* Create a new session and process group since the 4.4BSD
Lines 523-530 do_exec_pty(Session s, const char comm Link Here
523	close(ptymaster);	524	close(ptymaster);
524		525
525	/* Child. Reinitialize the log because the pid has changed. */	526	/* Child. Reinitialize the log because the pid has changed. */
526	log_init(__progname, options.log_level,	527	log_init_handler(__progname, options.log_level,
527	options.log_facility, log_stderr);	528	options.log_facility, log_stderr, have_dev_log);
528	/* Close the master side of the pseudo tty. */	529	/* Close the master side of the pseudo tty. */
529	close(ptyfd);	530	close(ptyfd);
530		531
Lines 619-624 do_exec(Session s, const char command) Link Here
619	int ret;	620	int ret;
620	const char forced = NULL, tty = NULL;	621	const char forced = NULL, tty = NULL;
621	char session_type[1024];	622	char session_type[1024];
		623	struct stat dev_log_stat;
622		624
623	if (options.adm_forced_command) {	625	if (options.adm_forced_command) {
624	original_command = command;	626	original_command = command;
Lines 676-681 do_exec(Session s, const char command) Link Here
676	tty += 5;	678	tty += 5;
677	}	679	}
678		680
		681	if (lstat("/dev/log", &dev_log_stat) != 0) {
		682	have_dev_log = 0;
		683	}
		684
679	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",	685	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
680	session_type,	686	session_type,
681	tty == NULL ? "" : " on ",	687	tty == NULL ? "" : " on ",
Lines 1486-1499 child_close_fds(void) Link Here
1486	* descriptors left by system functions. They will be closed later.	1492	* descriptors left by system functions. They will be closed later.
1487	*/	1493	*/
1488	endpwent();	1494	endpwent();
1489
1490	/*
1491	* Close any extra open file descriptors so that we don't have them
1492	* hanging around in clients. Note that we want to do this after
1493	* initgroups, because at least on Solaris 2.3 it leaves file
1494	* descriptors open.
1495	*/
1496	closefrom(STDERR_FILENO + 1);
1497	}	1495	}
1498		1496
1499	/*	1497	/*
Lines 1629-1636 do_child(Session s, const char command Link Here
1629	exit(1);	1627	exit(1);
1630	}	1628	}
1631		1629
1632	closefrom(STDERR_FILENO + 1);
1633
1634	do_rc_files(s, shell);	1630	do_rc_files(s, shell);
1635		1631
1636	/* restore SIGPIPE for child */	1632	/* restore SIGPIPE for child */
Lines 1653-1661 do_child(Session s, const char command Link Here
1653	argv[i] = NULL;	1649	argv[i] = NULL;
1654	optind = optreset = 1;	1650	optind = optreset = 1;
1655	__progname = argv[0];	1651	__progname = argv[0];
1656	exit(sftp_server_main(i, argv, s->pw));	1652	exit(sftp_server_main(i, argv, s->pw, have_dev_log));
1657	}	1653	}
1658		1654
		1655	/*
		1656	* Close any extra open file descriptors so that we don't have them
		1657	* hanging around in clients. Note that we want to do this after
		1658	* initgroups, because at least on Solaris 2.3 it leaves file
		1659	* descriptors open.
		1660	*/
		1661	closefrom(STDERR_FILENO + 1);
		1662
1659	fflush(NULL);	1663	fflush(NULL);
1660		1664
1661	/* Get the last component of the shell name. */	1665	/* Get the last component of the shell name. */

Lines 1497-1503 sftp_server_usage(void) Link Here

(-)openssh-7.4p1/sftp-server.c.log-in-chroot (-3 / +3 lines)
1497	}	1497	}
1498		1498
1499	int	1499	int
1500	sftp_server_main(int argc, char *argv, struct passwd user_pw)	1500	sftp_server_main(int argc, char *argv, struct passwd user_pw, int reset_handler)
1501	{	1501	{
1502	fd_set rset, wset;	1502	fd_set rset, wset;
1503	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;	1503	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
Lines 1511-1517 sftp_server_main(int argc, char **argv, Link Here
1511		1511
1512	ssh_malloc_init(); /* must be called before any mallocs */	1512	ssh_malloc_init(); /* must be called before any mallocs */
1513	__progname = ssh_get_progname(argv[0]);	1513	__progname = ssh_get_progname(argv[0]);
1514	log_init(__progname, log_level, log_facility, log_stderr);	1514	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
1515		1515
1516	pw = pwcopy(user_pw);	1516	pw = pwcopy(user_pw);
1517		1517
Lines 1582-1588 sftp_server_main(int argc, char **argv, Link Here
1582	}	1582	}
1583	}	1583	}
1584		1584
1585	log_init(__progname, log_level, log_facility, log_stderr);	1585	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
1586		1586
1587	/*	1587	/*
1588	* On platforms where we can, avoid making /proc/self/{mem,maps}	1588	* On platforms where we can, avoid making /proc/self/{mem,maps}