
(-)a/auth-krb5.c (-2 / +7 lines)
Lines 45-50 Link Here
45
#include "uidswap.h"
45
#include "uidswap.h"
46
#include "hostfile.h"
46
#include "hostfile.h"
47
#include "auth.h"
47
#include "auth.h"
48
#include "channels.h"
49
#include "session.h"
48
50
49
#ifdef KRB5
51
#ifdef KRB5
50
#include <errno.h>
52
#include <errno.h>
Lines 241-251 krb5_cleanup_proc(Authctxt *authctxt) Link Here
241
krb5_error_code
243
krb5_error_code
242
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
244
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
243
	int tmpfd, ret, oerrno;
245
	int tmpfd, ret, oerrno;
244
	char ccname[40];
246
	char ccname[PATH_MAX] = {0};
247
	char *path;
245
	mode_t old_umask;
248
	mode_t old_umask;
246
249
250
	path = session_get_runtime_directory();
247
	ret = snprintf(ccname, sizeof(ccname),
251
	ret = snprintf(ccname, sizeof(ccname),
248
	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
252
	    "FILE:%s/krb5cc_%d_XXXXXXXXXX", path, geteuid());
253
	free(path);
249
	if (ret < 0 || (size_t)ret >= sizeof(ccname))
254
	if (ret < 0 || (size_t)ret >= sizeof(ccname))
250
		return ENOMEM;
255
		return ENOMEM;
251
256
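Review bot: `session_get_runtime_directory()` can create `$XDG_RUNTIME_DIR/openssh` with `mkdir(…, 0700)` as a side effect (via `sshpam_get_runtime_directory()` in auth-pam.c), and nothing in this hunk shows which uid `ssh_krb5_cc_gen` runs under when it calls it; the two callers added in session.c sit inside `temporarily_use_uid(pw)`, so it is worth confirming the same holds here, otherwise the directory would be created owned by the privileged uid inside the user's runtime directory. `path` is never NULL because the fallback is `xstrdup("/tmp")`, which is why freeing it before the length check is safe; a one-line comment, `/* never NULL: session_get_runtime_directory() falls back to xstrdup("/tmp") */`, would save the next reader a trip to session.c. The `= {0}` initializer on `ccname` is redundant given the `snprintf()` that follows and can be dropped. The body of ssh_krb5_cc_gen continues past the end of the hunk.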
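--- a/auth-pam.c
+++ b/auth-pam.c
@@ -1356,4 +1356,36 @@ sshpam_set_maxtries_reached(int reached)
 	options.kbd_interactive_authentication = 0;
 	options.challenge_response_authentication = 0;
 }
+
+#define RUNTIME_SUBDIR "/openssh"
+
+char *
+sshpam_get_runtime_directory(void)
+{
+	int r;
+	const char *v = NULL;
+
+	if (!options.use_pam || sshpam_handle == NULL)
+		return NULL;
+
+	v = pam_getenv(sshpam_handle, "XDG_RUNTIME_DIR");
+	if (v && *v != '\0') {
+		char *s = NULL;
+		struct stat st;
+
+		r = asprintf(&s, "%s"RUNTIME_SUBDIR, v);
+		if (r > 0) {
+			r = stat(s, &st);
+			if (r < 0 && errno == ENOENT) {
+				r = mkdir(s, 0700);
+				if (r == 0)
+					return s;
+			} else if (r == 0) {
+				return s;
+			}
+			free(s);
+		}
+	}
+	return NULL;
+}
 #endif /* USE_PAM */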
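Review bot: The `else if (r == 0)` branch in `sshpam_get_runtime_directory()` hands back a pre-existing `$XDG_RUNTIME_DIR/openssh` without inspecting the `struct stat` it just filled, so a symlink, a non-directory, a directory owned by someone else, or one with group/other permissions is accepted as the "private" location later used for agent sockets and auth-info files; only the freshly created directory is guaranteed to be 0700. The condition should be `} else if (r == 0 && S_ISDIR(st.st_mode) &&` / `    st.st_uid == geteuid() &&` / `    (st.st_mode & (S_IRWXG|S_IRWXO)) == 0) {` (geteuid() because the session.c callers run this inside `temporarily_use_uid(pw)`; confirm that is the right uid for every caller). The same missing validation exists in `create_private_runtime_directory()` in misc.c. `RUNTIME_SUBDIR` is now defined identically in both files; a single definition in misc.h would keep them from drifting.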
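--- a/auth-pam.h
+++ b/auth-pam.h
@@ -43,5 +43,6 @@ int sshpam_auth_passwd(Authctxt *, const char *);
 int sshpam_get_maxtries_reached(void);
 void sshpam_set_maxtries_reached(int);
 int is_pam_session_open(void);
+char *sshpam_get_runtime_directory(void);
 
 #endif /* USE_PAM */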
(-)a/clientloop.c (-8 / +9 lines)
Lines 284-289 client_x11_get_proto(struct ssh *ssh, const char *display, Link Here
284
	static char proto[512], data[512];
284
	static char proto[512], data[512];
285
	FILE *f;
285
	FILE *f;
286
	int got_data = 0, generated = 0, do_unlink = 0, r;
286
	int got_data = 0, generated = 0, do_unlink = 0, r;
287
	int remove_xauthdir = 1;
287
	struct stat st;
288
	struct stat st;
288
	u_int now, x11_timeout_real;
289
	u_int now, x11_timeout_real;
289
290
Lines 327-345 client_x11_get_proto(struct ssh *ssh, const char *display, Link Here
327
			 * ssh's willingness to forward X11 connections to
328
			 * ssh's willingness to forward X11 connections to
328
			 * avoid nasty fail-open behaviour in the X server.
329
			 * avoid nasty fail-open behaviour in the X server.
329
			 */
330
			 */
330
			mktemp_proto(xauthdir, sizeof(xauthdir));
331
			if (create_private_runtime_directory(xauthdir,
331
			if (mkdtemp(xauthdir) == NULL) {
332
			    sizeof(xauthdir), &remove_xauthdir) != 0)
332
				error("%s: mkdtemp: %s",
333
				error("%s: Failed to create runtime directory",
333
				    __func__, strerror(errno));
334
				    __func__);
334
				return -1;
335
			}
336
			do_unlink = 1;
335
			do_unlink = 1;
337
			if ((r = snprintf(xauthfile, sizeof(xauthfile),
336
			if ((r = snprintf(xauthfile, sizeof(xauthfile),
338
			    "%s/xauthfile", xauthdir)) < 0 ||
337
			    "%s/xauthfile", xauthdir)) < 0 ||
339
			    (size_t)r >= sizeof(xauthfile)) {
338
			    (size_t)r >= sizeof(xauthfile)) {
340
				error("%s: xauthfile path too long", __func__);
339
				error("%s: xauthfile path too long", __func__);
341
				unlink(xauthfile);
340
				unlink(xauthfile);
342
				rmdir(xauthdir);
341
				if (remove_xauthdir)
342
					rmdir(xauthdir);
343
				return -1;
343
				return -1;
344
			}
344
			}
345
345
Lines 405-411 client_x11_get_proto(struct ssh *ssh, const char *display, Link Here
405
405
406
	if (do_unlink) {
406
	if (do_unlink) {
407
		unlink(xauthfile);
407
		unlink(xauthfile);
408
		rmdir(xauthdir);
408
		if (remove_xauthdir)
409
			rmdir(xauthdir);
409
	}
410
	}
410
411
411
	/* Don't fall back to fake X11 data for untrusted forwarding */
412
	/* Don't fall back to fake X11 data for untrusted forwarding */
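Review bot: When `create_private_runtime_directory()` takes its `XDG_RUNTIME_DIR` branch (misc.c), `xauthdir` is the same fixed `$XDG_RUNTIME_DIR/openssh` for every ssh process of the user, so the `"%s/xauthfile"` name formatted in the second hunk is no longer unique: two concurrent sessions with X11 forwarding would share one cookie file (presumably written by the xauth invocation outside the hunk), and the `unlink(xauthfile)` in the `do_unlink` block of the third hunk removes the other session's file while it is still in use, whereas the old `mkdtemp()` directory made the path unique per process. Put something per-process in the name, e.g. `"%s/xauthfile.%ld", xauthdir, (long)getpid()`, or use a mkstemp template, so the XDG branch keeps the isolation the /tmp branch has. The new `error()` message also drops the `strerror(errno)` detail the old mkdtemp message carried, though that is moot while misc.c exits on mkdtemp failure itself. client_x11_get_proto starts and ends outside these hunks.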
(-)a/misc.c (-1 / +45 lines)
Lines 1468-1473 bandwidth_limit(struct bwlimit *bw, size_t read_len) Link Here
1468
	monotime_tv(&bw->bwstart);
1468
	monotime_tv(&bw->bwstart);
1469
}
1469
}
1470
1470
1471
#define RUNTIME_SUBDIR "/openssh"
1472
1473
/* Creates private runtime directory in the dir argument. It is either
1474
 * a under $XDG_RUNTIME_DIRECTORY or under /tmp, which needs to be removed
1475
 * when it is no longer needed (the second argument).
1476
 */
1477
int
1478
create_private_runtime_directory(char *dir, size_t len, int *need_rm)
1479
{
1480
	int r;
1481
	const char *v = NULL;
1482
1483
	if (need_rm == NULL)
1484
		return -1;
1485
1486
	*need_rm = 0;
1487
1488
	v = getenv("XDG_RUNTIME_DIR");
1489
	if (v && *v != '\0') {
1490
		struct stat st;
1491
1492
		r = snprintf(dir, len, "%s"RUNTIME_SUBDIR, v);
1493
		if (r > 0) {
1494
			r = stat(dir, &st);
1495
			if (r < 0 && errno == ENOENT) {
1496
				r = mkdir(dir, 0700);
1497
				if (r == 0) {
1498
					return 0;
1499
				}
1500
			} else if (r == 0) {
1501
				return 0;
1502
			}
1503
		}
1504
	}
1505
	mktemp_proto(dir, len);
1506
	if (mkdtemp(dir) == NULL) {
1507
		perror("mkdtemp: private socket directory");
1508
		exit(1);
1509
	}
1510
	*need_rm = 1;
1511
	return 0;
1512
}
1513
1471
/* Make a template filename for mk[sd]temp() */
1514
/* Make a template filename for mk[sd]temp() */
1472
void
1515
void
1473
mktemp_proto(char *s, size_t len)
1516
mktemp_proto(char *s, size_t len)
Lines 1475-1481 mktemp_proto(char *s, size_t len) Link Here
1475
	const char *tmpdir;
1518
	const char *tmpdir;
1476
	int r;
1519
	int r;
1477
1520
1478
	if ((tmpdir = getenv("TMPDIR")) != NULL) {
1521
	tmpdir = getenv("TMPDIR");
1522
	if (tmpdir && *tmpdir != '\0') {
1479
		r = snprintf(s, len, "%s/ssh-XXXXXXXXXXXX", tmpdir);
1523
		r = snprintf(s, len, "%s/ssh-XXXXXXXXXXXX", tmpdir);
1480
		if (r > 0 && (size_t)r < len)
1524
		if (r > 0 && (size_t)r < len)
1481
			return;
1525
			return;
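Review bot: `if (r > 0)` after the `snprintf()` into `dir` does not reject truncation, unlike `mktemp_proto()` a few lines below; with a long `XDG_RUNTIME_DIR` the truncated path is stat'ed, possibly mkdir'ed, and returned as the runtime directory. The `else if (r == 0) return 0;` branch also accepts whatever already exists at that path without checking that it is a directory owned by the caller with no group/other access, and `perror()` + `exit(1)` on mkdtemp failure preempts the error handling both callers already have (clientloop.c returns -1 after `error()`, ssh-agent.c calls `fatal()`), so those branches never see the failure. The rewrite below checks truncation, validates the directory, and returns -1 so the callers report the failure themselves. The header comment says `$XDG_RUNTIME_DIRECTORY` while the code reads `XDG_RUNTIME_DIR`, and it should say that on the fallback path `dir` is filled by `mktemp_proto()` before `mkdtemp()`.
```c
int
create_private_runtime_directory(char *dir, size_t len, int *need_rm)
{
	int r;
	const char *v = NULL;
	struct stat st;

	if (need_rm == NULL)
		return -1;
	*need_rm = 0;

	v = getenv("XDG_RUNTIME_DIR");
	if (v && *v != '\0') {
		r = snprintf(dir, len, "%s"RUNTIME_SUBDIR, v);
		/* reject truncation, as mktemp_proto() does */
		if (r > 0 && (size_t)r < len) {
			r = stat(dir, &st);
			if (r < 0 && errno == ENOENT && mkdir(dir, 0700) == 0)
				r = stat(dir, &st);
			/* accept only a directory we own that nobody else can enter */
			if (r == 0 && S_ISDIR(st.st_mode) &&
			    st.st_uid == geteuid() &&
			    (st.st_mode & (S_IRWXG|S_IRWXO)) == 0)
				return 0;
		}
	}
	/* fall back to a fresh mkdtemp() directory; the caller reports failure */
	mktemp_proto(dir, len);
	if (mkdtemp(dir) == NULL)
		return -1;
	*need_rm = 1;
	return 0;
}
```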
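--- a/misc.h
+++ b/misc.h
@@ -151,6 +151,8 @@ int parse_ipqos(const char *);
 const char *iptos2str(int);
 void mktemp_proto(char *, size_t);
 
+int create_private_runtime_directory(char *dir, size_t len, int *need_rm);
+
 void	 child_set_env(char ***envp, u_int *envsizep, const char *name,
 	     const char *value);
 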
(-)a/session.c (-14 / +48 lines)
Lines 170-175 static char *auth_info_file = NULL; Link Here
170
/* Name and directory of socket for authentication agent forwarding. */
170
/* Name and directory of socket for authentication agent forwarding. */
171
static char *auth_sock_name = NULL;
171
static char *auth_sock_name = NULL;
172
static char *auth_sock_dir = NULL;
172
static char *auth_sock_dir = NULL;
173
int remove_auth_sock_dir = 1;
173
174
174
/* removes the agent forwarding socket */
175
/* removes the agent forwarding socket */
175
176
Lines 179-186 auth_sock_cleanup_proc(struct passwd *pw) Link Here
179
	if (auth_sock_name != NULL) {
180
	if (auth_sock_name != NULL) {
180
		temporarily_use_uid(pw);
181
		temporarily_use_uid(pw);
181
		unlink(auth_sock_name);
182
		unlink(auth_sock_name);
182
		rmdir(auth_sock_dir);
183
		free(auth_sock_name);
183
		auth_sock_name = NULL;
184
		auth_sock_name = NULL;
185
186
		if (remove_auth_sock_dir)
187
			rmdir(auth_sock_dir);
188
		free(auth_sock_dir);
189
		auth_sock_dir = NULL;
184
		restore_uid();
190
		restore_uid();
185
	}
191
	}
186
}
192
}
Lines 189-194 static int Link Here
189
auth_input_request_forwarding(struct ssh *ssh, struct passwd * pw)
195
auth_input_request_forwarding(struct ssh *ssh, struct passwd * pw)
190
{
196
{
191
	Channel *nc;
197
	Channel *nc;
198
	char *path;
192
	int sock = -1;
199
	int sock = -1;
193
200
194
	if (auth_sock_name != NULL) {
201
	if (auth_sock_name != NULL) {
Lines 199-215 auth_input_request_forwarding(struct ssh *ssh, struct passwd * pw) Link Here
199
	/* Temporarily drop privileged uid for mkdir/bind. */
206
	/* Temporarily drop privileged uid for mkdir/bind. */
200
	temporarily_use_uid(pw);
207
	temporarily_use_uid(pw);
201
208
202
	/* Allocate a buffer for the socket name, and format the name. */
209
	path = session_get_runtime_directory();
203
	auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
210
	if (strcmp(path, "/tmp") == 0) {
204
211
		/* Allocate a buffer for the socket name, and format the name. */
205
	/* Create private directory for socket */
212
		auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");
206
	if (mkdtemp(auth_sock_dir) == NULL) {
213
207
		packet_send_debug("Agent forwarding disabled: "
214
		/* Create private directory for socket */
208
		    "mkdtemp() failed: %.100s", strerror(errno));
215
		if (mkdtemp(auth_sock_dir) == NULL) {
209
		restore_uid();
216
			packet_send_debug("Agent forwarding disabled: "
210
		free(auth_sock_dir);
217
			    "mkdtemp() failed: %.100s", strerror(errno));
211
		auth_sock_dir = NULL;
218
			restore_uid();
212
		goto authsock_err;
219
			free(auth_sock_dir);
220
			auth_sock_dir = NULL;
221
			goto authsock_err;
222
		}
223
		free(path);
224
	} else {
225
		/* This is already private directory */
226
		auth_sock_dir = path;
227
		remove_auth_sock_dir = 0;
213
	}
228
	}
214
229
215
	xasprintf(&auth_sock_name, "%s/agent.%ld",
230
	xasprintf(&auth_sock_name, "%s/agent.%ld",
Lines 236-242 auth_input_request_forwarding(struct ssh *ssh, struct passwd * pw) Link Here
236
 authsock_err:
251
 authsock_err:
237
	free(auth_sock_name);
252
	free(auth_sock_name);
238
	if (auth_sock_dir != NULL) {
253
	if (auth_sock_dir != NULL) {
239
		rmdir(auth_sock_dir);
254
		if (remove_auth_sock_dir)
255
			rmdir(auth_sock_dir);
240
		free(auth_sock_dir);
256
		free(auth_sock_dir);
241
	}
257
	}
242
	if (sock != -1)
258
	if (sock != -1)
Lines 259-274 display_loginmsg(void) Link Here
259
	sshbuf_reset(loginmsg);
275
	sshbuf_reset(loginmsg);
260
}
276
}
261
277
278
char *
279
session_get_runtime_directory(void)
280
{
281
	char *auth_info_file = NULL;
282
283
#ifdef USE_PAM
284
	auth_info_file = sshpam_get_runtime_directory();
285
	if (auth_info_file != NULL)
286
		return auth_info_file;
287
#endif /* USE_PAM */
288
	return xstrdup("/tmp");
289
}
290
291
#define SSH_AUTH_TEMPLATE "sshauth.XXXXXXXXXXXXXXX"
292
262
static void
293
static void
263
prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
294
prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
264
{
295
{
265
	int fd = -1, success = 0;
296
	int fd = -1, success = 0;
297
	char *path = NULL;
266
298
267
	if (!options.expose_userauth_info || info == NULL)
299
	if (!options.expose_userauth_info || info == NULL)
268
		return;
300
		return;
269
301
270
	temporarily_use_uid(pw);
302
	temporarily_use_uid(pw);
271
	auth_info_file = xstrdup("/tmp/sshauth.XXXXXXXXXXXXXXX");
303
	path = session_get_runtime_directory();
304
	xasprintf(&auth_info_file, "%s/" SSH_AUTH_TEMPLATE, path);
305
	free(path);
272
	if ((fd = mkstemp(auth_info_file)) == -1) {
306
	if ((fd = mkstemp(auth_info_file)) == -1) {
273
		error("%s: mkstemp: %s", __func__, strerror(errno));
307
		error("%s: mkstemp: %s", __func__, strerror(errno));
274
		goto out;
308
		goto out;
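Review bot: In `auth_input_request_forwarding`, the `/tmp` branch frees `path` only after the `mkdtemp()` check, so the `goto authsock_err` on failure leaks it; release it right after the strdup, `auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX");` / `free(path);`, and drop the later `free(path)`. In `session_get_runtime_directory()` the local `char *auth_info_file` shadows the file-scope `static char *auth_info_file` visible in the first hunk's context, and the name has nothing to do with the auth-info file; `char *dir = NULL;` reads correctly and keeps `-Wshadow` quiet. `int remove_auth_sock_dir = 1;` is used only in this file and should be `static` like `auth_sock_name` and `auth_sock_dir` beside it. Detecting the fallback with `strcmp(path, "/tmp") == 0` is an in-band sentinel; returning NULL from `session_get_runtime_directory()` when PAM provides no directory, and letting callers pick the `/tmp` template, would make the two cases explicit. auth_input_request_forwarding and prepare_auth_info_file both continue outside these hunks.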
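--- a/session.h
+++ b/session.h
@@ -80,5 +80,6 @@ void session_close(struct ssh *, Session *);
 void	 do_setusercontext(struct passwd *);
 
 const char	*session_get_remote_name_or_ip(struct ssh *, u_int, int);
+char	*session_get_runtime_directory(void);
 
 #endif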
(-)a/ssh-agent.c (-6 / +6 lines)
Lines 143-148 pid_t cleanup_pid = 0; Link Here
143
/* pathname and directory for AUTH_SOCKET */
143
/* pathname and directory for AUTH_SOCKET */
144
char socket_name[PATH_MAX];
144
char socket_name[PATH_MAX];
145
char socket_dir[PATH_MAX];
145
char socket_dir[PATH_MAX];
146
int remove_socket_dir = 1;
146
147
147
/* PKCS#11 path whitelist */
148
/* PKCS#11 path whitelist */
148
static char *pkcs11_whitelist;
149
static char *pkcs11_whitelist;
Lines 1016-1022 cleanup_socket(void) Link Here
1016
	debug("%s: cleanup", __func__);
1017
	debug("%s: cleanup", __func__);
1017
	if (socket_name[0])
1018
	if (socket_name[0])
1018
		unlink(socket_name);
1019
		unlink(socket_name);
1019
	if (socket_dir[0])
1020
	if (socket_dir[0] && remove_socket_dir)
1020
		rmdir(socket_dir);
1021
		rmdir(socket_dir);
1021
}
1022
}
1022
1023
Lines 1203-1213 main(int ac, char **av) Link Here
1203
1204
1204
	if (agentsocket == NULL) {
1205
	if (agentsocket == NULL) {
1205
		/* Create private directory for agent socket */
1206
		/* Create private directory for agent socket */
1206
		mktemp_proto(socket_dir, sizeof(socket_dir));
1207
		if (create_private_runtime_directory(socket_dir,
1207
		if (mkdtemp(socket_dir) == NULL) {
1208
		    sizeof(socket_dir), &remove_socket_dir) != 0)
1208
			perror("mkdtemp: private socket dir");
1209
			fatal("%s: Failed to create private runtime directory",
1209
			exit(1);
1210
			    __progname);
1210
		}
1211
		snprintf(socket_name, sizeof socket_name, "%s/agent.%ld", socket_dir,
1211
		snprintf(socket_name, sizeof socket_name, "%s/agent.%ld", socket_dir,
1212
		    (long)parent_pid);
1212
		    (long)parent_pid);
1213
	} else {
1213
	} else {
