

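--- a/session.c
+++ b/session.c
@@ -146,19 +146,60 @@ static int in_chroot = 0;
 /* File containing userauth info, if ExposeAuthInfo set */
 static char *auth_info_file = NULL;
 
-/* Name and directory of socket for authentication agent forwarding. */
+/* Directory for auth socket and other private files */
+static char *private_temp_dir = NULL;
+
+/* Path for authentication agent forwarding socket. */
 static char *auth_sock_name = NULL;
-static char *auth_sock_dir = NULL;
+
+/* removes the per-session temporary directory */
+static void
+cleanup_private_temp_dir(struct passwd *pw)
+{
+	if (private_temp_dir != NULL) {
+		temporarily_use_uid(pw);
+		rmdir(private_temp_dir);
+		restore_uid();
+		free(private_temp_dir);
+		private_temp_dir = NULL;
+	}
+}
+
+/*
+ * establish a per-session private directory to store various
+ * things, including the authentication agent socket.
+ */
+static int
+make_private_temp_dir(struct passwd * pw)
+{
+	char *cp, *path = xstrdup("/tmp/ssh-XXXXXXXXXX");
+	int oerrno;
+
+	if (private_temp_dir != NULL)
+		return 0;
+
+	temporarily_use_uid(pw);
+	cp = mkdtemp(path);
+	oerrno = errno;
+	restore_uid();
+
+	if (cp == NULL) {
+		debug("%s: mkdtemp: %s", __func__, strerror(oerrno));
+		free(cp);
+		return -1;
+	}
+	debug3("%s: created %s", __func__, cp);
+	private_temp_dir = cp;
+	return 0;
+}
 
 /* removes the agent forwarding socket */
-
 static void
 auth_sock_cleanup_proc(struct passwd *pw)
 {
 	if (auth_sock_name != NULL) {
 		temporarily_use_uid(pw);
 		unlink(auth_sock_name);
-		rmdir(auth_sock_dir);
 		auth_sock_name = NULL;
 		restore_uid();
 	}
@@ -175,24 +216,17 @@ auth_input_request_forwarding(struct passwd * pw)
 		return 0;
 	}
 
+	if (make_private_temp_dir(pw) != 0) {
+		error("Agent forwarding disabled: failed to create "
+		    "socket directory");
+		return 0;
+	}
+
 	/* Temporarily drop privileged uid for mkdir/bind. */
 	temporarily_use_uid(pw);
 
-	/* Allocate a buffer for the socket name, and format the name. */
-	auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
-
-	/* Create private directory for socket */
-	if (mkdtemp(auth_sock_dir) == NULL) {
-		packet_send_debug("Agent forwarding disabled: "
-		    "mkdtemp() failed: %.100s", strerror(errno));
-		restore_uid();
-		free(auth_sock_dir);
-		auth_sock_dir = NULL;
-		goto authsock_err;
-	}
-
 	xasprintf(&auth_sock_name, "%s/agent.%ld",
-	    auth_sock_dir, (long) getpid());
+	    private_temp_dir, (long) getpid());
 
 	/* Start a Unix listener on auth_sock_name. */
 	sock = unix_listener(auth_sock_name, SSH_LISTEN_BACKLOG, 0);
@@ -214,14 +248,9 @@ auth_input_request_forwarding(struct passwd * pw)
 
  authsock_err:
 	free(auth_sock_name);
-	if (auth_sock_dir != NULL) {
-		rmdir(auth_sock_dir);
-		free(auth_sock_dir);
-	}
 	if (sock != -1)
 		close(sock);
 	auth_sock_name = NULL;
-	auth_sock_dir = NULL;
 	return 0;
 }
 
@@ -240,11 +269,17 @@ prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
 {
 	int fd = -1, success = 0;
 
-	if (!options.expose_userauth_info || info == NULL)
+	if (!options.expose_userauth_info || info == NULL ||
+	    auth_info_file != NULL)
 		return;
 
-	temporarily_use_uid(pw);
-	auth_info_file = xstrdup("/tmp/sshauth.XXXXXXXXXXXXXXX");
+	if (make_private_temp_dir(pw) != 0) {
+		error("%s: could not create directory for ExposeAuthInfo",
+		    __func__);
+		return;
+	}
+
+	xasprintf(&auth_info_file, "%s/sshauth.XXXXXXXXXX", private_temp_dir);
 	if ((fd = mkstemp(auth_info_file)) == -1) {
 		error("%s: mkstemp: %s", __func__, strerror(errno));
 		goto out;
@@ -1000,7 +1035,7 @@ safely_chroot(const char *path, uid_t uid)
 			memcpy(component, path, cp - path);
 			component[cp - path] = '\0';
 		}
-	
+
 		debug3("%s: checking '%s'", __func__, component);
 
 		if (stat(component, &st) != 0)
@@ -2114,7 +2149,7 @@ do_cleanup(Authctxt *authctxt)
 {
 	static int called = 0;
 
-	debug("do_cleanup");
+	debug("do_cleanup: %s", mm_is_monitor() ? "monitor" : "child");
 
 	/* no cleanup if we're in the child for login shell */
 	if (is_child)
@@ -2156,6 +2191,12 @@ do_cleanup(Authctxt *authctxt)
 	 */
 	if (!use_privsep || mm_is_monitor())
 		session_destroy_all(session_pty_cleanup2);
+
+	/*
+	 * Must be called after cleanup of auth info file, xauthority file
+	 * and agent socket
+	 */
+	cleanup_private_temp_dir(authctxt->pw);
 }
 
 /* Return a name for the remote host that fits inside utmp_size */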
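Review bot: In prepare_auth_info_file the `temporarily_use_uid(pw);` call that used to precede `mkstemp(auth_info_file)` is removed and not re-added, so on the new side the file is created with whatever uid the caller holds rather than the session user's, inside a directory that make_private_temp_dir created as that user. If the caller is still privileged at that point, this is a privileged create in a user-writable directory and the file would not be owned by the user it is meant for; I would restore `temporarily_use_uid(pw);` immediately before the `xasprintf`/`mkstemp` pair. The function's `out:` path lies outside the hunk, so confirm that any `restore_uid()` there still has a matching call. Separately, make_private_temp_dir allocates `path` before the `private_temp_dir != NULL` early return and calls `free(cp)` when `cp` is NULL, so the template string leaks on both paths; `free(path);` in the failure branch and moving the `xstrdup` after the early-return check would fix that.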
