Bugzilla – Attachment 2406 Details for
Bug 2107
seccomp sandbox breaks GSSAPI
[patch]
Cache supported oids before privilege separation
cache-supported-oids.diff (text/plain), 3.26 KB, created by
Damien Miller
on 2014-02-06 10:54:39 AEDT
Description:
Cache supported oids before privilege separation
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2014-02-06 10:54:39 AEDT
Size:
3.26 KB
patch
obsolete
>? _buildit
>? regress/setuid-allowed
>Index: auth2-gss.c
>===================================================================
>RCS file: /var/cvs/openssh/auth2-gss.c,v
>retrieving revision 1.23
>diff -u -p -r1.23 auth2-gss.c
>--- auth2-gss.c 1 Jun 2013 21:31:18 -0000 1.23
>+++ auth2-gss.c 5 Feb 2014 23:52:50 -0000
>@@ -62,7 +62,6 @@ userauth_gssapi(Authctxt *authctxt)
> gss_OID_desc goid = {0, NULL};
> Gssctxt *ctxt = NULL;
> int mechs;
>- gss_OID_set supported;
> int present;
> OM_uint32 ms;
> u_int len;
>@@ -77,7 +76,6 @@ userauth_gssapi(Authctxt *authctxt)
> return (0);
> }
>
>- ssh_gssapi_supported_oids(&supported);
> do {
> mechs--;
>
>@@ -90,14 +88,11 @@ userauth_gssapi(Authctxt *authctxt)
> doid[1] == len - 2) {
> goid.elements = doid + 2;
> goid.length = len - 2;
>- gss_test_oid_set_member(&ms, &goid, supported,
>- &present);
>+ ssh_gssapi_test_oid_supported(&ms, &goid, &present);
> } else {
> logit("Badly formed OID received");
> }
> } while (mechs > 0 && !present);
>-
>- gss_release_oid_set(&ms, &supported);
>
> if (!present) {
> free(doid);
>Index: gss-serv.c
>===================================================================
>RCS file: /var/cvs/openssh/gss-serv.c,v
>retrieving revision 1.27
>diff -u -p -r1.27 gss-serv.c
>--- gss-serv.c 4 Feb 2014 00:20:15 -0000 1.27
>+++ gss-serv.c 5 Feb 2014 23:52:50 -0000
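Review bot: The new call `ssh_gssapi_test_oid_supported(&ms, &goid, &present);` in the third auth2-gss.c hunk still discards the status written to `ms`, so a failed membership test (and, with the lazy-cache path now in gss-serv.c, a cache that could not be prepared) leaves `present` at whatever value it held before, and that value decides whether the client's OID is accepted. Treating a GSS error as "not supported" closes the gap: `ssh_gssapi_test_oid_supported(&ms, &goid, &present); if (GSS_ERROR(ms)) present = 0;`. Since the explicit `gss_release_oid_set()` is gone and the set is now owned by gss-serv.c for the life of the process, a one-line comment on the call, `/* supported OID set is cached in gss-serv.c; not released here */`, would keep a later reader from re-adding a release. userauth_gssapi() starts and ends outside these hunks.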
>@@ -66,6 +66,25 @@ ssh_gssapi_mech* supported_mechs[]= {
> &gssapi_null_mech,
> };
>
>+/*
>+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
>+ * list of supported mechanisms before privsep is set up.
>+ */
>+static gss_OID_set supported_oids;
>+
>+void
>+ssh_gssapi_prepare_supported_oids(void)
>+{
>+ ssh_gssapi_supported_oids(&supported_oids);
>+}
>+
>+OM_uint32
>+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
>+{
>+ if (supported_oids == NULL)
>+ ssh_gssapi_prepare_supported_oids();
>+ return gss_test_oid_set_member(ms, member, supported_oids, present);
>+}
>
> /*
> * Acquire credentials for a server running on the current host.
>Index: ssh-gss.h
>===================================================================
>RCS file: /var/cvs/openssh/ssh-gss.h,v
>retrieving revision 1.13
>diff -u -p -r1.13 ssh-gss.h
>--- ssh-gss.h 25 Feb 2013 00:24:44 -0000 1.13
>+++ ssh-gss.h 5 Feb 2014 23:52:50 -0000
>@@ -104,6 +104,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *,
> void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
> void ssh_gssapi_supported_oids(gss_OID_set *);
> ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
>+void ssh_gssapi_prepare_supported_oids(void);
>+OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
>
> OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
> OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
>Index: sshd.c
>===================================================================
>RCS file: /var/cvs/openssh/sshd.c,v
>retrieving revision 1.446
>diff -u -p -r1.446 sshd.c
>--- sshd.c 4 Feb 2014 00:20:16 -0000 1.446
>+++ sshd.c 5 Feb 2014 23:52:50 -0000
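Review bot: In `ssh_gssapi_test_oid_supported()` the `supported_oids == NULL` fallback re-enters `ssh_gssapi_supported_oids()` from the authentication path, which is exactly the call the new block comment says can trigger a sandbox violation, so it silently reintroduces the problem whenever the preparation step was skipped, and if preparation fails and leaves the set NULL (not visible here; depends on what ssh_gssapi_supported_oids() does on error) that NULL goes straight into `gss_test_oid_set_member()`. Making the late-init path visible and the NULL case explicit would help: `if (supported_oids == NULL) { debug("%s: supported OID set was not pre-cached", __func__); ssh_gssapi_prepare_supported_oids(); }` followed by `if (supported_oids == NULL) return (*ms = GSS_S_FAILURE);` — assuming log.h's debug() is reachable from this file, which the hunk does not show. The static set is also intentionally kept for the whole process; adding `The set is kept for the process lifetime and never released.` to the block comment records that decision. The ssh-gss.h hunk that follows only adds the matching prototypes.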
>@@ -618,6 +618,10 @@ privsep_preauth_child(void)
> /* Enable challenge-response authentication for privilege separation */
> privsep_challenge_enable();
>
>+ /* Cache supported mechanism OIDs for later use */
>+ if (options.gss_authentication)
>+ ssh_gssapi_prepare_supported_oids();
>+
> arc4random_stir();
> arc4random_buf(rnd, sizeof(rnd));
> RAND_seed(rnd, sizeof(rnd));
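Review bot: The added `ssh_gssapi_prepare_supported_oids()` call references a function that gss-serv.c provides only when GSSAPI support is compiled in, and the hunk's context shows no `#ifdef GSSAPI` around it; unless the surrounding lines already sit inside such a guard, a build without GSSAPI fails to link. Wrapping the four new lines in `#ifdef GSSAPI` / `#endif` avoids that. Conditioning the cache on `options.gss_authentication` is consistent with the authentication path that consumes it, but it means a configuration where that option is off at this point and GSSAPI auth is nevertheless attempted later would fall into the lazy-init path in gss-serv.c; the comment could say so: `/* Cache supported mechanism OIDs now: doing it later would run inside the sandbox */`. privsep_preauth_child() starts and ends outside this hunk.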