Bugzilla – Attachment 2046 Details for Bug 1247: ssh-agent prevents use of filesystem permissions to control access to agent socket
[patch]
Alternate but incredibly similar patch implementing option as -U
openssh-5.8p2-ssh-agent-dontbestrict.patch (text/plain), 2.69 KB, created by Matthew Miller on 2011-05-19 23:47:28 AEST
Filename: openssh-5.8p2-ssh-agent-dontbestrict.patch
MIME Type: text/plain
Creator: Matthew Miller
Created: 2011-05-19 23:47:28 AEST
Size: 2.69 KB
Flags: patch, obsolete
>diff -ur openssh-5.8p2.orig/ssh-agent.1 openssh-5.8p2.dontbestrict//ssh-agent.1 >--- openssh-5.8p2.orig/ssh-agent.1 2010-11-30 19:50:35.000000000 -0500 >+++ openssh-5.8p2.dontbestrict//ssh-agent.1 2011-05-18 11:10:00.000000000 -0400 >@@ -46,6 +46,7 @@ > .Op Fl d > .Op Fl a Ar bind_address > .Op Fl t Ar life >+.Op Fl U > .Op Ar command Op Ar arg ... > .Nm ssh-agent > .Op Fl c | s >@@ -102,6 +103,13 @@ > .Xr ssh-add 1 > overrides this value. > Without this option the default maximum lifetime is forever. >+.It Fl U >+Disables strict checking of the EUID of processes accessing the >+.Ux Ns -domain >+socket >+to which the agent is bound. This allows the user accessing >+the agent to be different from the account under which the >+agent runs, protected only by file permissions. > .El > .Pp > If a commandline is given, this is executed as a subprocess of the agent. >diff -ur openssh-5.8p2.orig/ssh-agent.c openssh-5.8p2.dontbestrict//ssh-agent.c >--- openssh-5.8p2.orig/ssh-agent.c 2010-11-30 19:50:35.000000000 -0500 >+++ openssh-5.8p2.dontbestrict//ssh-agent.c 2011-05-18 10:25:33.000000000 -0400 >@@ -137,6 +137,9 @@ > /* Default lifetime (0 == forever) */ > static int lifetime = 0; > >+/* Flag for allowing mismatched peer EUIDs */ >+static int U_flag = 0; >+ > static void > close_socket(SocketEntry *e) > { >@@ -1023,11 +1026,18 @@ > break; > } > if ((euid != 0) && (getuid() != euid)) { >- error("uid mismatch: " >- "peer euid %u != uid %u", >- (u_int) euid, (u_int) getuid()); >- close(sock); >- break; >+ if (U_flag) { >+ verbose("uid mismatch (permitted by -U): " >+ "peer euid %u != uid %u", >+ (u_int) euid, (u_int) getuid()); >+ >+ } else { >+ error("uid mismatch: " >+ "peer euid %u != uid %u", >+ (u_int) euid, (u_int) getuid()); >+ close(sock); >+ break; >+ } > } > new_socket(AUTH_CONNECTION, sock); > } 
>@@ -1116,6 +1126,7 @@ > fprintf(stderr, " -d Debug mode.\n"); > fprintf(stderr, " -a socket Bind agent socket to given name.\n"); > fprintf(stderr, " -t life Default identity lifetime (seconds).\n"); >+ fprintf(stderr, " -U Disable strict matching of peer EUID.\n"); > exit(1); > } > >@@ -1157,7 +1168,7 @@ > init_rng(); > seed_rng(); > >- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { >+ while ((ch = getopt(ac, av, "cdksa:t:U")) != -1) { > switch (ch) { > case 'c': > if (s_flag) >@@ -1186,6 +1197,9 @@ > usage(); > } > break; >+ case 'U': >+ U_flag++; >+ break; > default: > usage(); > } >@@ -1193,7 +1207,7 @@ > ac -= optind; > av += optind; > >- if (ac > 0 && (c_flag || k_flag || s_flag || d_flag)) >+ if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || U_flag)) > usage(); > > if (ac == 0 && !c_flag && !s_flag) {
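Review bot: the -U text in the ssh-agent.1 hunk at @@ -102,6 +103,13 does not tell the reader what they actually have to do, or what they are handing over. "protected only by file permissions" should be expanded to say that the owner must explicitly grant access to the socket (and the directory it lives in, or use -a to bind it somewhere reachable) before any other account can connect, and that whoever can connect can use every key loaded into the agent, not merely read the socket. It is also worth stating that root is already exempt from the check (the code tests `euid != 0`), so -U is only needed for other non-owning accounts.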
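Review bot: in the new U_flag branch of the ssh-agent.c hunk at @@ -1023,11 +1026,18, a peer whose euid differs from the agent's uid is now accepted with only a verbose() record, so an agent running at the default log level keeps no trace of which euid used its keys. Since this cross-user use is precisely the event -U exists to permit, log it at the default level (logit(), or keep the existing error() call and only drop the close()/break) so the audit trail survives; also remove the stray blank line before `} else {`.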
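Review bot: adding U_flag to the `if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || U_flag)) usage();` test in the @@ -1193,7 +1207,7 hunk makes `ssh-agent -U command` an error, which contradicts the synopsis hunk in ssh-agent.1 that lists `.Op Fl U` immediately before `.Op Ar command Op Ar arg ...`, and is inconsistent with -a and -t, which remain accepted together with a command. Either drop U_flag from this test, or remove -U from that synopsis form and state in the -U description that it is only valid when the agent is started without a command.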