Bugzilla – Attachment 2941 Details for
Bug 2625
Support Capabilities for ssh client port forwarding
[patch]
remove uid checks for binds (openbsd, probably won't apply cleanly to portable)
openssh-port-bind-perms.patch (text/plain), 6.13 KB, created by
Darren Tucker
on 2017-02-10 16:01:59 AEDT
Description:
remove uid checks for binds (openbsd, probably won't apply cleanly to portable)
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2017-02-10 16:01:59 AEDT
Size:
6.13 KB
patch
obsolete
>? auth2-pubkey.c.timing
>? openssh-port-bind-perms.patch
>Index: misc.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/misc.c,v
>retrieving revision 1.107
>diff -u -p -r1.107 misc.c
>--- misc.c 30 Nov 2016 00:28:31 -0000 1.107
>+++ misc.c 10 Feb 2017 04:56:10 -0000
>@@ -1179,15 +1179,6 @@ forward_equals(const struct Forward *a,
> return 1;
> }
>
>-/* returns 1 if bind to specified port by specified user is permitted */
>-int
>-bind_permitted(int port, uid_t uid)
>-{
>- if (port < IPPORT_RESERVED && uid != 0)
>- return 0;
>- return 1;
>-}
>-
> /* returns 1 if process is already daemonized, 0 otherwise */
> int
> daemonized(void)
>Index: misc.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/misc.h,v
>retrieving revision 1.61
>diff -u -p -r1.61 misc.h
>--- misc.h 30 Nov 2016 00:28:31 -0000 1.61
>+++ misc.h 10 Feb 2017 04:56:10 -0000
>@@ -30,7 +30,6 @@ struct Forward {
> };
>
> int forward_equals(const struct Forward *, const struct Forward *);
>-int bind_permitted(int, uid_t);
> int daemonized(void);
>
> /* Common server and client forwarding options. */
>Index: readconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/readconf.c,v
>retrieving revision 1.268
>diff -u -p -r1.268 readconf.c
>--- readconf.c 3 Feb 2017 23:01:19 -0000 1.268
>+++ readconf.c 10 Feb 2017 04:56:10 -0000 
>@@ -306,12 +306,8 @@ void
> add_local_forward(Options *options, const struct Forward *newfwd)
> {
> struct Forward *fwd;
>- extern uid_t original_real_uid;
> int i;
>
>- if (!bind_permitted(newfwd->listen_port, original_real_uid) &&
>- newfwd->listen_path == NULL)
>- fatal("Privileged ports can only be forwarded by root.");
> /* Don't add duplicates */
> for (i = 0; i < options->num_local_forwards; i++) {
> if (forward_equals(newfwd, options->local_forwards + i))
>Index: serverloop.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v
>retrieving revision 1.191
>diff -u -p -r1.191 serverloop.c
>--- serverloop.c 1 Feb 2017 02:59:09 -0000 1.191
>+++ serverloop.c 10 Feb 2017 04:56:10 -0000
>@@ -73,6 +73,7 @@
> #include "auth-options.h"
> #include "serverloop.h"
> #include "ssherr.h"
>+#include "uidswap.h"
>
> extern ServerOptions options;
>
>@@ -463,10 +464,6 @@ server_request_direct_streamlocal(void)
> Channel *c = NULL;
> char *target, *originator;
> u_short originator_port;
>- struct passwd *pw = the_authctxt->pw;
>-
>- if (pw == NULL || !the_authctxt->valid)
>- fatal("server_input_global_request: no/invalid user");
>
> target = packet_get_string(NULL);
> originator = packet_get_string(NULL);
>@@ -478,8 +475,7 @@ server_request_direct_streamlocal(void)
>
> /* XXX fine grained permissions */
> if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
>- !no_port_forwarding_flag && !options.disable_forwarding &&
>- (pw->pw_uid == 0 || use_privsep)) {
>+ !no_port_forwarding_flag && !options.disable_forwarding) {
> c = channel_connect_to_path(target,
> "direct-streamlocal@openssh.com", "direct-streamlocal");
> } else { 
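Review bot: With the up-front `fatal()` gone from add_local_forward, a `-L` listener on a port below IPPORT_RESERVED requested by a non-root user is no longer rejected at config-parse time; it will presumably fail only when the listener is bound, and unless ExitOnForwardFailure is set that is likely reported as a warning rather than aborting the session. A comment where the check used to be would stop the next reader from "fixing" it back: `/* No local reserved-port check: bind(2) applies the kernel's policy (root, capabilities, or a lowered reserved-port boundary). */`. Dropping `original_real_uid` also means this path no longer cares which uid the client runs under, so if the client can ever run with an effective uid that differs from its real one, confirm privileges are dropped before the listener is created. add_local_forward continues past the hunk.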
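Review bot: server_request_direct_streamlocal now checks nothing about the requesting user before `channel_connect_to_path()`, so connecting to an arbitrary unix socket path is only safe if the caller has already switched to the user's uid; nothing in this function asserts or documents that precondition, and the stale `/* XXX fine grained permissions */` line now reads as if permissions were still an open question here. I would replace it with `/* Caller must run us under the user's uid (temporarily_use_uid) so connect(2) is subject to the user's socket permissions. */`. The function's tail lies outside the hunk.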
>@@ -575,6 +571,9 @@ server_input_channel_open(int type, u_in
> int rchan, reason = SSH2_OPEN_CONNECT_FAILED;
> u_int rmaxpack, rwindow, len;
>
>+ if (the_authctxt->pw == NULL || !the_authctxt->valid)
>+ fatal("%s: no/invalid user", __func__);
>+
> ctype = packet_get_string(&len);
> rchan = packet_get_int();
> rwindow = packet_get_int();
>@@ -585,12 +584,15 @@ server_input_channel_open(int type, u_in
>
> if (strcmp(ctype, "session") == 0) {
> c = server_request_session();
>- } else if (strcmp(ctype, "direct-tcpip") == 0) {
>- c = server_request_direct_tcpip(&reason, &errmsg);
>- } else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0) {
>- c = server_request_direct_streamlocal();
>- } else if (strcmp(ctype, "tun@openssh.com") == 0) {
>- c = server_request_tun();
>+ } else {
>+ temporarily_use_uid(the_authctxt->pw);
>+ if (strcmp(ctype, "direct-tcpip") == 0)
>+ c = server_request_direct_tcpip(&reason, &errmsg);
>+ else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0)
>+ c = server_request_direct_streamlocal();
>+ else if (strcmp(ctype, "tun@openssh.com") == 0)
>+ c = server_request_tun();
>+ restore_uid();
> }
> if (c != NULL) {
> debug("server_input_channel_open: confirm %s", ctype);
>@@ -697,15 +699,15 @@ server_input_global_request(int type, u_
> int want_reply;
> int r, success = 0, allocated_listen_port = 0;
> struct sshbuf *resp = NULL;
>- struct passwd *pw = the_authctxt->pw;
>
>- if (pw == NULL || !the_authctxt->valid)
>- fatal("%s: no/invalid user", __func__);
>+ if (the_authctxt->pw == NULL || !the_authctxt->valid)
>+ fatal("%s: no/invalid user", __func__);
>
> rtype = packet_get_string(NULL);
> want_reply = packet_get_char();
> debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
>
>+ temporarily_use_uid(the_authctxt->pw);
> /* -R style forwarding */
> if (strcmp(rtype, "tcpip-forward") == 0) {
> struct Forward fwd; 
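Review bot: The `temporarily_use_uid()`/`restore_uid()` pair in server_input_channel_open also brackets `server_request_tun()`, so in a non-privsep sshd the tun device is now opened with the user's credentials instead of root's; that looks like the intended tightening, but it is a behaviour change that deserves a one-line comment above the `temporarily_use_uid()` call, e.g. `/* Open forwarding targets as the user so the kernel, not sshd, applies port, socket and device permissions. */`. Two assumptions the hunk relies on are worth confirming against uidswap.c: that the pair is a tolerated no-op when sshd is already running unprivileged (the privsep child), and that none of the three request handlers calls `temporarily_use_uid()` itself, since nested use is presumably rejected.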
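Review bot: In server_input_global_request the uid switch is placed before the whole rtype dispatch, so requests that have nothing to do with binding, including `hostkeys-prove-00@openssh.com` and whatever sits in the unchanged stretch beyond the hunk, now also run under the user's uid; with the host keys already loaded that is presumably harmless, but the scope is wider than the stated purpose. Either narrow the pair to the `tcpip-forward`/`streamlocal-forward` branches and their cancel counterparts, or document the assumption with `/* Everything below runs as the user; bind(2) enforces reserved-port and socket-path policy, and no branch needs root. */`. The matching `restore_uid()` is in a later hunk of this function.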
>@@ -719,9 +721,7 @@ server_input_global_request(int type, u_
> /* check permissions */
> if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
> no_port_forwarding_flag || options.disable_forwarding ||
>- (!want_reply && fwd.listen_port == 0) ||
>- (fwd.listen_port != 0 &&
>- !bind_permitted(fwd.listen_port, pw->pw_uid))) {
>+ (!want_reply && fwd.listen_port == 0)) {
> success = 0;
> packet_send_debug("Server has disabled port forwarding.");
> } else {
>@@ -756,8 +756,7 @@ server_input_global_request(int type, u_
>
> /* check permissions */
> if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
>- || no_port_forwarding_flag || options.disable_forwarding ||
>- (pw->pw_uid != 0 && !use_privsep)) {
>+ || no_port_forwarding_flag || options.disable_forwarding) {
> success = 0;
> packet_send_debug("Server has disabled "
> "streamlocal forwarding.");
>@@ -783,6 +782,8 @@ server_input_global_request(int type, u_
> } else if (strcmp(rtype, "hostkeys-prove-00@openssh.com") == 0) {
> success = server_input_hostkeys_prove(&resp);
> }
>+ restore_uid();
>+
> if (want_reply) {
> packet_start(success ?
> SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
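Review bot: Dropping the `bind_permitted()` clause from the `tcpip-forward` permission check means a non-root request for a reserved port is no longer refused here but fails later inside the listener setup in the `else` branch (outside the hunk), and the client then presumably gets a bare REQUEST_FAILURE without the `packet_send_debug()` hint it used to receive. Consider a debug message at the listener-failure site, or at least a comment on this check so the missing clause is not read as an oversight: `/* Reserved-port policy is the kernel's: bind(2) runs under the user's uid. */`. This also assumes the kernel judges the reserved-port bind by the effective uid that `temporarily_use_uid()` sets, which is worth confirming for the target platform.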