

(-)misc.c (-9 lines)
Lines 1179-1193 forward_equals(const struct Forward *a, Link Here
1179
	return 1;
1179
	return 1;
1180
}
1180
}
1181
1181
1182
/* returns 1 if bind to specified port by specified user is permitted */
1183
int
1184
bind_permitted(int port, uid_t uid)
1185
{
1186
	if (port < IPPORT_RESERVED && uid != 0)
1187
		return 0;
1188
	return 1;
1189
}
1190
1191
/* returns 1 if process is already daemonized, 0 otherwise */
1182
/* returns 1 if process is already daemonized, 0 otherwise */
1192
int
1183
int
1193
daemonized(void)
1184
daemonized(void)
(-)misc.h (-1 lines)
Lines 30-36 struct Forward { Link Here
30
};
30
};
31
31
32
int forward_equals(const struct Forward *, const struct Forward *);
32
int forward_equals(const struct Forward *, const struct Forward *);
33
int bind_permitted(int, uid_t);
34
int daemonized(void);
33
int daemonized(void);
35
34
36
/* Common server and client forwarding options. */
35
/* Common server and client forwarding options. */
(-)readconf.c (-4 lines)
Lines 306-317 void Link Here
306
add_local_forward(Options *options, const struct Forward *newfwd)
306
add_local_forward(Options *options, const struct Forward *newfwd)
307
{
307
{
308
	struct Forward *fwd;
308
	struct Forward *fwd;
309
	extern uid_t original_real_uid;
310
	int i;
309
	int i;
311
310
312
	if (!bind_permitted(newfwd->listen_port, original_real_uid) &&
313
	    newfwd->listen_path == NULL)
314
		fatal("Privileged ports can only be forwarded by root.");
315
	/* Don't add duplicates */
311
	/* Don't add duplicates */
316
	for (i = 0; i < options->num_local_forwards; i++) {
312
	for (i = 0; i < options->num_local_forwards; i++) {
317
		if (forward_equals(newfwd, options->local_forwards + i))
313
		if (forward_equals(newfwd, options->local_forwards + i))
(-)serverloop.c (-20 / +21 lines)
Lines 73-78 Link Here
73
#include "auth-options.h"
73
#include "auth-options.h"
74
#include "serverloop.h"
74
#include "serverloop.h"
75
#include "ssherr.h"
75
#include "ssherr.h"
76
#include "uidswap.h"
76
77
77
extern ServerOptions options;
78
extern ServerOptions options;
78
79
Lines 463-472 server_request_direct_streamlocal(void) Link Here
463
	Channel *c = NULL;
464
	Channel *c = NULL;
464
	char *target, *originator;
465
	char *target, *originator;
465
	u_short originator_port;
466
	u_short originator_port;
466
	struct passwd *pw = the_authctxt->pw;
467
468
	if (pw == NULL || !the_authctxt->valid)
469
		fatal("server_input_global_request: no/invalid user");
470
467
471
	target = packet_get_string(NULL);
468
	target = packet_get_string(NULL);
472
	originator = packet_get_string(NULL);
469
	originator = packet_get_string(NULL);
Lines 478-485 server_request_direct_streamlocal(void) Link Here
478
475
479
	/* XXX fine grained permissions */
476
	/* XXX fine grained permissions */
480
	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
477
	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
481
	    !no_port_forwarding_flag && !options.disable_forwarding &&
478
	    !no_port_forwarding_flag && !options.disable_forwarding) {
482
	    (pw->pw_uid == 0 || use_privsep)) {
483
		c = channel_connect_to_path(target,
479
		c = channel_connect_to_path(target,
484
		    "direct-streamlocal@openssh.com", "direct-streamlocal");
480
		    "direct-streamlocal@openssh.com", "direct-streamlocal");
485
	} else {
481
	} else {
Lines 575-580 server_input_channel_open(int type, u_in Link Here
575
	int rchan, reason = SSH2_OPEN_CONNECT_FAILED;
571
	int rchan, reason = SSH2_OPEN_CONNECT_FAILED;
576
	u_int rmaxpack, rwindow, len;
572
	u_int rmaxpack, rwindow, len;
577
573
574
	if (the_authctxt->pw == NULL || !the_authctxt->valid)
575
		fatal("%s: no/invalid user", __func__);
576
578
	ctype = packet_get_string(&len);
577
	ctype = packet_get_string(&len);
579
	rchan = packet_get_int();
578
	rchan = packet_get_int();
580
	rwindow = packet_get_int();
579
	rwindow = packet_get_int();
Lines 585-596 server_input_channel_open(int type, u_in Link Here
585
584
586
	if (strcmp(ctype, "session") == 0) {
585
	if (strcmp(ctype, "session") == 0) {
587
		c = server_request_session();
586
		c = server_request_session();
588
	} else if (strcmp(ctype, "direct-tcpip") == 0) {
587
	} else {
589
		c = server_request_direct_tcpip(&reason, &errmsg);
588
		temporarily_use_uid(the_authctxt->pw);
590
	} else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0) {
589
		if (strcmp(ctype, "direct-tcpip") == 0)
591
		c = server_request_direct_streamlocal();
590
			c = server_request_direct_tcpip(&reason, &errmsg);
592
	} else if (strcmp(ctype, "tun@openssh.com") == 0) {
591
		else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0)
593
		c = server_request_tun();
592
			c = server_request_direct_streamlocal();
593
		else if (strcmp(ctype, "tun@openssh.com") == 0)
594
			c = server_request_tun();
595
		restore_uid();
594
	}
596
	}
595
	if (c != NULL) {
597
	if (c != NULL) {
596
		debug("server_input_channel_open: confirm %s", ctype);
598
		debug("server_input_channel_open: confirm %s", ctype);
Lines 697-711 server_input_global_request(int type, u_ Link Here
697
	int want_reply;
699
	int want_reply;
698
	int r, success = 0, allocated_listen_port = 0;
700
	int r, success = 0, allocated_listen_port = 0;
699
	struct sshbuf *resp = NULL;
701
	struct sshbuf *resp = NULL;
700
	struct passwd *pw = the_authctxt->pw;
701
702
702
	if (pw == NULL || !the_authctxt->valid)
703
	if (the_authctxt->pw == NULL || !the_authctxt->valid)
703
		fatal("server_input_global_request: no/invalid user");
704
		fatal("%s: no/invalid user", __func__);
704
705
705
	rtype = packet_get_string(NULL);
706
	rtype = packet_get_string(NULL);
706
	want_reply = packet_get_char();
707
	want_reply = packet_get_char();
707
	debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
708
	debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
708
709
710
	temporarily_use_uid(the_authctxt->pw);
709
	/* -R style forwarding */
711
	/* -R style forwarding */
710
	if (strcmp(rtype, "tcpip-forward") == 0) {
712
	if (strcmp(rtype, "tcpip-forward") == 0) {
711
		struct Forward fwd;
713
		struct Forward fwd;
Lines 719-727 server_input_global_request(int type, u_ Link Here
719
		/* check permissions */
721
		/* check permissions */
720
		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
722
		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
721
		    no_port_forwarding_flag || options.disable_forwarding ||
723
		    no_port_forwarding_flag || options.disable_forwarding ||
722
		    (!want_reply && fwd.listen_port == 0) ||
724
		    (!want_reply && fwd.listen_port == 0)) {
723
		    (fwd.listen_port != 0 &&
724
		     !bind_permitted(fwd.listen_port, pw->pw_uid))) {
725
			success = 0;
725
			success = 0;
726
			packet_send_debug("Server has disabled port forwarding.");
726
			packet_send_debug("Server has disabled port forwarding.");
727
		} else {
727
		} else {
Lines 756-763 server_input_global_request(int type, u_ Link Here
756
756
757
		/* check permissions */
757
		/* check permissions */
758
		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
758
		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
759
		    || no_port_forwarding_flag || options.disable_forwarding ||
759
		    || no_port_forwarding_flag || options.disable_forwarding) {
760
		    (pw->pw_uid != 0 && !use_privsep)) {
761
			success = 0;
760
			success = 0;
762
			packet_send_debug("Server has disabled "
761
			packet_send_debug("Server has disabled "
763
			    "streamlocal forwarding.");
762
			    "streamlocal forwarding.");
Lines 783-788 server_input_global_request(int type, u_ Link Here
783
	} else if (strcmp(rtype, "hostkeys-prove-00@openssh.com") == 0) {
782
	} else if (strcmp(rtype, "hostkeys-prove-00@openssh.com") == 0) {
784
		success = server_input_hostkeys_prove(&resp);
783
		success = server_input_hostkeys_prove(&resp);
785
	}
784
	}
785
	restore_uid();
786
786
	if (want_reply) {
787
	if (want_reply) {
787
		packet_start(success ?
788
		packet_start(success ?
788
		    SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
789
		    SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
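Review bot: The removed `bind_permitted()` check in the tcpip-forward branch and the removed `(pw->pw_uid == 0 || use_privsep)` check in the streamlocal-forward branch are replaced only by the `temporarily_use_uid(the_authctxt->pw)` / `restore_uid()` bracket around the request dispatch, so whether a privileged port or a unix socket may be bound or connected is now decided solely by the kernel seeing the authenticated user's uid during bind()/connect(). That holds only if temporarily_use_uid() actually switches the effective uid when sshd runs as root without privilege separation and is a no-op once the post-auth process already runs as the user; nothing in the hunk says so, and a reader of the two "check permissions" blocks can no longer see where privileged ports are refused. I would add above the `temporarily_use_uid()` call in server_input_global_request: `/* Run the forwarding handlers as the authenticated user so that the kernel, not sshd, decides whether a privileged port or a unix socket may be bound or connected. */`. It is also worth confirming that none of server_request_direct_tcpip(), server_request_direct_streamlocal(), server_request_tun() or the listener setup reached from the tcpip-forward branch swaps uids itself, since the same bracket now encloses all of them and temporarily_use_uid() presumably cannot be nested. Both server_input_channel_open and server_input_global_request begin and end outside the hunks shown.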
