

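--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -46,6 +46,7 @@
 .Op Fl d
 .Op Fl a Ar bind_address
 .Op Fl t Ar life
+.Op Fl U
 .Op Ar command Op Ar arg ...
 .Nm ssh-agent
 .Op Fl c | s
@@ -102,6 +103,13 @@
 .Xr ssh-add 1
 overrides this value.
 Without this option the default maximum lifetime is forever.
+.It Fl U
+Disables strict checking of the EUID of processes accessing the
+.Ux Ns -domain
+socket
+to which the agent is bound. This allows the user accessing
+the agent to be different from the account under which the
+agent runs, protected only by file permissions.
 .El
 .Pp
 If a commandline is given, this is executed as a subprocess of the agent.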
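--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -137,6 +137,9 @@
 /* Default lifetime (0 == forever) */
 static int lifetime = 0;
 
+/* Flag for allowing mismatched peer EUIDs */
+static int U_flag = 0;
+
 static void
 close_socket(SocketEntry *e)
 {
@@ -1023,11 +1026,18 @@
 					break;
 				}
 				if ((euid != 0) && (getuid() != euid)) {
-					error("uid mismatch: "
-					    "peer euid %u != uid %u",
-					    (u_int) euid, (u_int) getuid());
-					close(sock);
-					break;
+					if (U_flag) {
+						verbose("uid mismatch (permitted by -U): "
+						    "peer euid %u != uid %u",
+						    (u_int) euid, (u_int) getuid());
+				
+					} else {
+						error("uid mismatch: "
+						    "peer euid %u != uid %u",
+						    (u_int) euid, (u_int) getuid());
+						close(sock);
+						break;
+					}
 				}
 				new_socket(AUTH_CONNECTION, sock);
 			}
@@ -1116,6 +1126,7 @@
 	fprintf(stderr, "  -d          Debug mode.\n");
 	fprintf(stderr, "  -a socket   Bind agent socket to given name.\n");
 	fprintf(stderr, "  -t life     Default identity lifetime (seconds).\n");
+	fprintf(stderr, "  -U          Disable strict matching of peer EUID.\n");
 	exit(1);
 }
 
@@ -1157,7 +1168,7 @@
 	init_rng();
 	seed_rng();
 
-	while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
+	while ((ch = getopt(ac, av, "cdksa:t:U")) != -1) {
 		switch (ch) {
 		case 'c':
 			if (s_flag)
@@ -1186,6 +1197,9 @@
 				usage();
 			}
 			break;
+		case 'U':
+			U_flag++;
+			break;
 		default:
 			usage();
 		}
@@ -1193,7 +1207,7 @@
 	ac -= optind;
 	av += optind;
 
-	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag))
+	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || U_flag))
 		usage();
 
 	if (ac == 0 && !c_flag && !s_flag) {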
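Review bot: In the `if (U_flag)` branch of the peer-credential check, a connection accepted from a different EUID is recorded only with `verbose(...)`, which is probably below the agent's default log level, so use of the bypass would leave no trace; `logit("uid mismatch (permitted by -U): peer euid %u != uid %u", (u_int) euid, (u_int) getuid());` would keep it visible. The flag is also all-or-nothing: once set, every local account that can reach the socket path is accepted, so a variant that takes the single permitted UID as an argument and compares `euid` against it would keep the check meaningful. The whitespace-only line after the `verbose` call can be dropped, and `U_flag = 1;` states the intent more plainly than `U_flag++` in the `case 'U':` arm. The enclosing accept loop starts and ends outside the visible hunks, so the handling of a failed peer-credential lookup above this check could not be reviewed.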
