

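--- a/Makefile.in
+++ b/Makefile.in
@@ -110,7 +110,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o
+	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
+	sandbox-solaris.o
 
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5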
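--- a/configure.ac
+++ b/configure.ac
@@ -469,6 +469,11 @@ AC_CHECK_HEADERS([sys/un.h], [], [], [
 SIA_MSG="no"
 SPC_MSG="no"
 SP_MSG="no"
+SPP_MSG="no"
+
+# Support for Solaris/Illumos privileges (this test is used by both
+# the --with-solaris-privs option and --with-sandbox=solaris).
+SOLARIS_PRIVS="no"
 
 # Check for some target-specific stuff
 case "$host" in
@@ -575,6 +580,8 @@ case "$host" in
 	LIBS="$LIBS /usr/lib/textreadmode.o"
 	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
 	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
+	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
+		[Define to disable UID restoration test])
 	AC_DEFINE([DISABLE_SHADOW], [1],
 		[Define if you want to disable shadow passwords])
 	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
@@ -889,13 +896,18 @@ mips-sony-bsd|mips-sony-newsos4)
 	else
 		AC_MSG_RESULT([no])
 	fi
+	AC_CHECK_FUNC([setppriv],
+		[ AC_CHECK_HEADERS([priv.h], [
+			SOLARIS_PRIVS="yes"
+		])
+	])
 	AC_ARG_WITH([solaris-contracts],
 		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
 		[
 		AC_CHECK_LIB([contract], [ct_tmpl_activate],
 			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
 				[Define if you have Solaris process contracts])
-			  SSHDLIBS="$SSHDLIBS -lcontract"
+			  LIBS="$LIBS -lcontract"
 			  SPC_MSG="yes" ], )
 		],
 	)
@@ -905,10 +917,27 @@ mips-sony-bsd|mips-sony-newsos4)
 		AC_CHECK_LIB([project], [setproject],
 			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
 				[Define if you have Solaris projects])
-			SSHDLIBS="$SSHDLIBS -lproject"
+			LIBS="$LIBS -lproject"
 			SP_MSG="yes" ], )
 		],
 	)
+	AC_ARG_WITH([solaris-privs],
+		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
+		[
+		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
+		if test "x$SOLARIS_PRIVS" = "xyes" ; then
+			AC_MSG_RESULT([found])
+			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
+				[Define to disable UID restoration test])
+			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
+				[Define if you have Solaris privileges])
+			SPP_MSG="yes"
+		else
+			AC_MSG_RESULT([not found])
+			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
+		fi
+		],
+	)
 	TEST_SHELL=$SHELL	# let configure find us a capable shell
 	;;
 *-*-sunos4*)
@@ -3155,6 +3184,10 @@ elif test "x$sandbox_arg" = "xrlimit" || \
 		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
 	SANDBOX_STYLE="rlimit"
 	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
+elif test "x$sandbox_arg" = "xsolaris" || \
+   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
+	SANDBOX_STYLE="solaris"
+	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
 elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
      test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
 	SANDBOX_STYLE="none"
@@ -4944,6 +4977,7 @@ echo " MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
+echo "         Solaris privilege support: $SPP_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"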
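Review bot: The sandbox selection at new lines 3187-3190 can choose the Solaris sandbox while USE_SOLARIS_PRIVS is undefined: SOLARIS_PRIVS becomes "yes" purely from the setppriv/priv.h probe (899-903), USE_SOLARIS_PRIVS is only defined inside the --with-solaris-privs action (927-933), and sandbox-solaris.c in this same patch `#error`s when SANDBOX_SOLARIS is set without it, so `--with-sandbox=solaris` alone, or a default configure that falls through to this branch on a host where setppriv is found, fails at compile time instead of at configure time. Keying the default on the option rather than the probe and rejecting the explicit form without it puts the diagnosis where it belongs: `( test -z "$sandbox_arg" && test "x$SPP_MSG" = "xyes" )` for the default, and `if test "x$SPP_MSG" != "xyes" ; then AC_MSG_ERROR([Solaris sandbox requires --with-solaris-privs]); fi` inside the branch. Separately, the two `SSHDLIBS` to `LIBS` changes (910, 920) now link libcontract and libproject into every binary, presumably because port-solaris.o is pulled into ssh, ssh-agent and sftp-server by the new drop-privs calls; a sentence in the commit message stating that would save the next reader the investigation.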
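--- a/mux.c
+++ b/mux.c
@@ -1853,6 +1853,7 @@ mux_client_request_session(int fd)
 
 	if (pledge("stdio proc tty", NULL) == -1)
 		fatal("%s pledge(): %s", __func__, strerror(errno));
+	platform_drop_mux_privs();
 
 	debug3("%s: session request sent", __func__);
 
@@ -2001,6 +2002,7 @@ mux_client_request_stdio_fwd(int fd)
 
 	if (pledge("stdio proc tty", NULL) == -1)
 		fatal("%s pledge(): %s", __func__, strerror(errno));
+	platform_drop_mux_privs();
 
 	debug3("%s: stdio forward request sent", __func__);
 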
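--- a/openbsd-compat/port-solaris.c
+++ b/openbsd-compat/port-solaris.c
@@ -227,3 +227,88 @@ solaris_set_default_project(struct passwd *pw)
 	}
 }
 #endif /* USE_SOLARIS_PROJECTS */
+
+#ifdef USE_SOLARIS_PRIVS
+# ifdef HAVE_PRIV_H
+#  include <priv.h>
+# endif
+
+void
+solaris_drop_privs_pinfo_net_fork_exec(void)
+{
+	priv_set_t *pset = NULL;
+
+	if ((pset = priv_allocset()) == NULL)
+		fatal("priv_allocset: %s", strerror(errno));
+
+	/* Start with "basic" and drop everything we don't need. */
+	priv_basicset(pset);
+
+	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+	    priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
+	    priv_delset(pset, PRIV_PROC_FORK) != 0 ||
+	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
+	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
+		fatal("priv_delset: %s", strerror(errno));
+
+	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
+	    setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
+	    setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
+		fatal("setppriv: %s", strerror(errno));
+
+	priv_freeset(pset);
+}
+
+void
+solaris_drop_privs_pinfo_net(void)
+{
+	priv_set_t *pset = NULL;
+
+	if ((pset = priv_allocset()) == NULL)
+		fatal("priv_allocset: %s", strerror(errno));
+
+	/* Start with "basic" and drop everything we don't need. */
+	priv_basicset(pset);
+
+	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
+	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
+		fatal("priv_delset: %s", strerror(errno));
+
+	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
+	    setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
+	    setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
+		fatal("setppriv: %s", strerror(errno));
+
+	priv_freeset(pset);
+}
+
+void
+solaris_drop_privs_pinfo_net_exec(void)
+{
+	priv_set_t *pset = NULL;
+
+	if ((pset = priv_allocset()) == NULL)
+		fatal("priv_allocset: %s", strerror(errno));
+
+	/* Start with "basic" and drop everything we don't need. */
+	priv_basicset(pset);
+
+	if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 ||
+	    priv_delset(pset, PRIV_NET_ACCESS) != 0 ||
+	    priv_delset(pset, PRIV_PROC_EXEC) != 0 ||
+	    priv_delset(pset, PRIV_PROC_INFO) != 0 ||
+	    priv_delset(pset, PRIV_PROC_SESSION) != 0)
+		fatal("priv_delset: %s", strerror(errno));
+
+	if (setppriv(PRIV_SET, PRIV_PERMITTED, pset) != 0 ||
+	    setppriv(PRIV_SET, PRIV_LIMIT, pset) != 0 ||
+	    setppriv(PRIV_SET, PRIV_INHERITABLE, pset) != 0)
+		fatal("setppriv: %s", strerror(errno));
+
+	priv_freeset(pset);
+}
+
+#endif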
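Review bot: The three solaris_drop_privs_* functions (new lines 236-312) are the same body repeated three times, differing only in the list handed to priv_delset(), and the failure message `priv_delset: %s` never says which privilege could not be removed, which is exactly what an operator needs when a drop fails on a release that lacks one of the names. A static helper that takes the privilege names turns each wrapper into a one-line table and lets the fatal() name the offending privilege; the PRIV_* names are string constants in priv.h, so a `const char *const` array feeds priv_delset() directly. The fatal() on setppriv() failure and the priv_freeset() stay as they are.
```c
/* Start from the "basic" set, remove every name in privs[], and install
 * the result as the permitted, limit and inheritable sets. */
static void
solaris_drop_privs(const char *const *privs, size_t nprivs)
{
	priv_set_t *pset = NULL;
	size_t i;

	if ((pset = priv_allocset()) == NULL)
		fatal("priv_allocset: %s", strerror(errno));
	priv_basicset(pset);
	for (i = 0; i < nprivs; i++) {
		if (priv_delset(pset, privs[i]) != 0)
			fatal("priv_delset %s: %s", privs[i], strerror(errno));
	}
	/* … unchanged: the three setppriv() calls and their fatal() … */
	priv_freeset(pset);
}

void
solaris_drop_privs_pinfo_net_fork_exec(void)
{
	static const char *const privs[] = { PRIV_FILE_LINK_ANY,
	    PRIV_NET_ACCESS, PRIV_PROC_EXEC, PRIV_PROC_FORK,
	    PRIV_PROC_INFO, PRIV_PROC_SESSION };

	solaris_drop_privs(privs, sizeof(privs) / sizeof(privs[0]));
}
/* … unchanged in shape: the other two wrappers become the same one-line table … */
```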
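--- a/openbsd-compat/port-solaris.h
+++ b/openbsd-compat/port-solaris.h
@@ -26,5 +26,8 @@ void solaris_contract_pre_fork(void);
 void solaris_contract_post_fork_child(void);
 void solaris_contract_post_fork_parent(pid_t pid);
 void solaris_set_default_project(struct passwd *);
+void solaris_drop_privs_pinfo_net_fork_exec(void);
+void solaris_drop_privs_pinfo_net(void);
+void solaris_drop_privs_pinfo_net_exec(void);
 
 #endif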
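--- a/platform.c
+++ b/platform.c
@@ -213,3 +213,43 @@ platform_sys_dir_uid(uid_t uid)
 #endif
 	return 0;
 }
+
+/*
+ * Drop any fine-grained privileges that are not needed for post-startup
+ * operation of ssh-agent
+ *
+ * Should be as close as possible to pledge("stdio cpath unix exec proc", ...)
+ */
+void
+platform_drop_agent_privs(void)
+{
+#ifdef USE_SOLARIS_PRIVS
+	solaris_drop_privs_pinfo_net();
+#endif
+}
+
+/*
+ * Drop any fine-grained privileges that are not needed for post-startup
+ * operation of sftp-server
+ */
+void
+platform_drop_sftp_server_privs(void)
+{
+#ifdef USE_SOLARIS_PRIVS
+	solaris_drop_privs_pinfo_net_fork_exec();
+#endif
+}
+
+/*
+ * Drop any fine-grained privileges that are not needed for the post-startup
+ * operation of the SSH client mux
+ *
+ * Should be as close as possible to pledge("stdio proc tty", ...)
+ */
+void
+platform_drop_mux_privs(void)
+{
+#ifdef USE_SOLARIS_PRIVS
+	solaris_drop_privs_pinfo_net_exec();
+#endif
+}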
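Review bot: The three new wrappers (platform.c 217-255) compile to empty functions whenever USE_SOLARIS_PRIVS is undefined, but their header comments read as if privileges are always dropped, so a caller on another platform could take the name as a guarantee. One line in each header, e.g. ` * No-op unless USE_SOLARIS_PRIVS is defined; callers must not treat this as their only privilege reduction.`, keeps the contract honest. The sftp-server comment (231-234) also lacks the pledge-equivalence line its two siblings carry; if there is no pledge(2) reference point for sftp-server, saying so explicitly is still useful to the next person extending these.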
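--- a/platform.h
+++ b/platform.h
@@ -31,3 +31,6 @@ void platform_setusercontext_post_groups(struct passwd *);
 char *platform_get_krb5_client(const char *);
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
+void platform_drop_agent_privs(void);
+void platform_drop_sftp_server_privs(void);
+void platform_drop_mux_privs(void);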
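--- a/sandbox-solaris.c
+++ b/sandbox-solaris.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2015 Joyent, Inc
+ * Author: Alex Wilson <alex.wilson@joyent.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef SANDBOX_SOLARIS
+#ifndef USE_SOLARIS_PRIVS
+# error "--with-solaris-privs must be used with the Solaris sandbox"
+#endif
+
+#include <sys/types.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#ifdef HAVE_PRIV_H
+# include <priv.h>
+#endif
+
+#include "log.h"
+#include "ssh-sandbox.h"
+#include "xmalloc.h"
+
+struct ssh_sandbox {
+	priv_set_t *pset;
+};
+
+struct ssh_sandbox *
+ssh_sandbox_init(struct monitor *monitor)
+{
+	struct ssh_sandbox *box = NULL;
+
+	box = xcalloc(1, sizeof(*box));
+	box->pset = priv_allocset();
+
+	if (box->pset == NULL) {
+		free(box);
+		return NULL;
+	}
+
+	/* Start with "basic" and drop everything we don't need. */
+	priv_basicset(box->pset);
+
+	/* Drop everything except the ability to use already-opened files */
+	if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
+	    priv_delset(box->pset, PRIV_NET_ACCESS) != 0 ||
+	    priv_delset(box->pset, PRIV_PROC_EXEC) != 0 ||
+	    priv_delset(box->pset, PRIV_PROC_FORK) != 0 ||
+	    priv_delset(box->pset, PRIV_PROC_INFO) != 0 ||
+	    priv_delset(box->pset, PRIV_PROC_SESSION) != 0) {
+		free(box);
+		return NULL;
+	}
+
+	/* These may not be available on older Solaris-es */
+# if defined(PRIV_FILE_READ) && defined(PRIV_FILE_WRITE)
+	if (priv_delset(box->pset, PRIV_FILE_READ) != 0 ||
+	    priv_delset(box->pset, PRIV_FILE_WRITE) != 0) {
+		free(box);
+		return NULL;
+	}
+# endif
+
+	return box;
+}
+
+void
+ssh_sandbox_child(struct ssh_sandbox *box)
+{
+	if (setppriv(PRIV_SET, PRIV_PERMITTED, box->pset) != 0 ||
+	    setppriv(PRIV_SET, PRIV_LIMIT, box->pset) != 0 ||
+	    setppriv(PRIV_SET, PRIV_INHERITABLE, box->pset) != 0)
+		fatal("setppriv: %s", strerror(errno));
+}
+
+void
+ssh_sandbox_parent_finish(struct ssh_sandbox *box)
+{
+	priv_freeset(box->pset);
+	box->pset = NULL;
+	free(box);
+}
+
+void
+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
+{
+	/* Nothing to do here */
+}
+
+#endif /* SANDBOX_SOLARIS */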
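Review bot: ssh_sandbox_init (new lines 45-82) fails open: every error path returns NULL, and the two priv_delset() paths (68-69, 76-77) also free(box) without priv_freeset(box->pset), leaking the set. If the sshd caller treats a NULL box as "no sandbox" (that code is outside this patch, so this is inferred) a transient failure here leaves the pre-auth child running with the full basic set, whereas ssh_sandbox_child in the same file already fatal()s when setppriv() fails. Every other failure in this file is fatal(), so making init fail closed the same way is consistent, removes the leak, and matches how the sibling sandboxes behave; the rewritten error paths are below.
```c
	box = xcalloc(1, sizeof(*box));
	/* Fail closed: a NULL return would let the child run without a sandbox. */
	if ((box->pset = priv_allocset()) == NULL)
		fatal("%s: priv_allocset: %s", __func__, strerror(errno));

	/* … unchanged: priv_basicset() … */

	/* Drop everything except the ability to use already-opened files */
	if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 ||
	    /* … unchanged: NET_ACCESS, PROC_EXEC, PROC_FORK, PROC_INFO … */
	    priv_delset(box->pset, PRIV_PROC_SESSION) != 0)
		fatal("%s: priv_delset: %s", __func__, strerror(errno));

	/* These may not be available on older Solaris-es */
# if defined(PRIV_FILE_READ) && defined(PRIV_FILE_WRITE)
	if (priv_delset(box->pset, PRIV_FILE_READ) != 0 ||
	    priv_delset(box->pset, PRIV_FILE_WRITE) != 0)
		fatal("%s: priv_delset: %s", __func__, strerror(errno));
# endif
```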
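--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1598,6 +1598,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
 		fatal("unable to make the process undumpable");
 #endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */
 
+	/* Drop any fine-grained privileges we don't need */
+	platform_drop_sftp_server_privs();
+
 	if ((cp = getenv("SSH_CONNECTION")) != NULL) {
 		client_addr = xstrdup(cp);
 		if ((cp = strchr(client_addr, ' ')) == NULL) {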
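--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1416,6 +1416,7 @@ skip:
 
 	if (pledge("stdio cpath unix exec proc", NULL) != 0)
 		fatal("%s: pledge: %s", __progname, strerror(errno));
+	platform_drop_agent_privs();
 
 	while (1) {
 		prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);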
(-)a/uidswap.c (-7 / +12 lines)
Lines 134-140 temporarily_use_uid(struct passwd *pw) Link Here
134
void
134
void
135
permanently_drop_suid(uid_t uid)
135
permanently_drop_suid(uid_t uid)
136
{
136
{
137
#ifndef HAVE_CYGWIN
137
#ifndef NO_UID_RESTORATION_TEST
138
	uid_t old_uid = getuid();
138
	uid_t old_uid = getuid();
139
#endif
139
#endif
140
140
Lines 142-149 permanently_drop_suid(uid_t uid) Link Here
142
	if (setresuid(uid, uid, uid) < 0)
142
	if (setresuid(uid, uid, uid) < 0)
143
		fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
143
		fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
144
144
145
#ifndef HAVE_CYGWIN
145
#ifndef NO_UID_RESTORATION_TEST
146
	/* Try restoration of UID if changed (test clearing of saved uid) */
146
	/*
147
	 * Try restoration of UID if changed (test clearing of saved uid).
148
	 *
149
	 * Note that we don't do this on Cygwin, or on Solaris-based platforms
150
	 * where fine-grained privileges are available (the user might be
151
	 * deliberately allowed the right to setuid back to root).
152
	 */
147
	if (old_uid != uid &&
153
	if (old_uid != uid &&
148
	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
154
	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
149
		fatal("%s: was able to restore old [e]uid", __func__);
155
		fatal("%s: was able to restore old [e]uid", __func__);
Lines 199-205 restore_uid(void) Link Here
199
void
205
void
200
permanently_set_uid(struct passwd *pw)
206
permanently_set_uid(struct passwd *pw)
201
{
207
{
202
#ifndef HAVE_CYGWIN
208
#ifndef NO_UID_RESTORATION_TEST
203
	uid_t old_uid = getuid();
209
	uid_t old_uid = getuid();
204
	gid_t old_gid = getgid();
210
	gid_t old_gid = getgid();
205
#endif
211
#endif
Lines 227-233 permanently_set_uid(struct passwd *pw) Link Here
227
	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
233
	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
228
		fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
234
		fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
229
235
230
#ifndef HAVE_CYGWIN
236
#ifndef NO_UID_RESTORATION_TEST
231
	/* Try restoration of GID if changed (test clearing of saved gid) */
237
	/* Try restoration of GID if changed (test clearing of saved gid) */
232
	if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
238
	if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
233
	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))
239
	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))
Lines 241-247 permanently_set_uid(struct passwd *pw) Link Here
241
		    (u_int)pw->pw_gid);
247
		    (u_int)pw->pw_gid);
242
	}
248
	}
243
249
244
#ifndef HAVE_CYGWIN
250
#ifndef NO_UID_RESTORATION_TEST
245
	/* Try restoration of UID if changed (test clearing of saved uid) */
251
	/* Try restoration of UID if changed (test clearing of saved uid) */
246
	if (old_uid != pw->pw_uid &&
252
	if (old_uid != pw->pw_uid &&
247
	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
253
	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
248
- 
