Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/dist/ssh apply ftp://ftp.openbsd.org/pub/OpenBSD/patc...
details: https://anonhg.NetBSD.org/src/rev/2055d0a31175
branches: trunk
changeset: 511188:2055d0a31175
user: itojun <itojun%NetBSD.org@localhost>
date: Thu Jun 14 02:45:30 2001 +0000
description:
apply ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/006_sshcookie.patch.
sshd(8) allows users to delete arbitrary files named "cookies"
if X11 forwarding is enabled. X11 forwarding is disabled by
default.
diffstat:
crypto/dist/ssh/channels.c | 23 +++++++-----
crypto/dist/ssh/channels.h | 4 +-
crypto/dist/ssh/session.c | 82 ++-------------------------------------------
3 files changed, 22 insertions(+), 87 deletions(-)
diffs (221 lines):
diff -r a3eef5fffc7b -r 2055d0a31175 crypto/dist/ssh/channels.c
--- a/crypto/dist/ssh/channels.c Thu Jun 14 02:42:31 2001 +0000
+++ b/crypto/dist/ssh/channels.c Thu Jun 14 02:45:30 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: channels.c,v 1.11 2001/05/15 15:26:07 itojun Exp $ */
+/* $NetBSD: channels.c,v 1.12 2001/06/14 02:45:30 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -2637,10 +2637,17 @@
/* removes the agent forwarding socket */
void
-cleanup_socket(void)
+auth_sock_cleanup_proc(void *_pw)
{
- unlink(channel_forwarded_auth_socket_name);
- rmdir(channel_forwarded_auth_socket_dir);
+ struct passwd *pw = _pw;
+
+ if (channel_forwarded_auth_socket_name) {
+ temporarily_use_uid(pw);
+ unlink(channel_forwarded_auth_socket_name);
+ rmdir(channel_forwarded_auth_socket_dir);
+ channel_forwarded_auth_socket_name = NULL;
+ restore_uid();
+ }
}
/*
@@ -2680,11 +2687,9 @@
snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
channel_forwarded_auth_socket_dir, (int) getpid());
- if (atexit(cleanup_socket) < 0) {
- int saved = errno;
- cleanup_socket();
- packet_disconnect("socket: %.100s", strerror(saved));
- }
+ /* delete agent socket on fatal() */
+ fatal_add_cleanup(auth_sock_cleanup_proc, pw);
+
/* Create the socket. */
sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock < 0)
diff -r a3eef5fffc7b -r 2055d0a31175 crypto/dist/ssh/channels.h
--- a/crypto/dist/ssh/channels.h Thu Jun 14 02:42:31 2001 +0000
+++ b/crypto/dist/ssh/channels.h Thu Jun 14 02:45:30 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: channels.h,v 1.1.1.7 2001/05/15 15:02:26 itojun Exp $ */
+/* $NetBSD: channels.h,v 1.2 2001/06/14 02:45:30 itojun Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -294,6 +294,8 @@
*/
char *auth_get_socket_name(void);
+void auth_sock_cleanup_proc(void *_pw);
+
/*
* This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
* This starts forwarding authentication requests.
diff -r a3eef5fffc7b -r 2055d0a31175 crypto/dist/ssh/session.c
--- a/crypto/dist/ssh/session.c Thu Jun 14 02:42:31 2001 +0000
+++ b/crypto/dist/ssh/session.c Thu Jun 14 02:45:30 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: session.c,v 1.14 2001/06/14 02:42:31 itojun Exp $ */
+/* $NetBSD: session.c,v 1.15 2001/06/14 02:45:31 itojun Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
* All rights reserved
@@ -128,9 +128,6 @@
extern int startup_pipe;
extern void destroy_sensitive_data(void);
-/* Local Xauthority file. */
-static char *xauthfile;
-
/* original command from peer. */
char *original_command = NULL;
@@ -174,27 +171,10 @@
do_authenticated2(authctxt);
else
do_authenticated1(authctxt);
-}
-/*
- * Remove local Xauthority file.
- */
-void
-xauthfile_cleanup_proc(void *ignore)
-{
- debug("xauthfile_cleanup_proc called");
-
- if (xauthfile != NULL) {
- char *p;
- unlink(xauthfile);
- p = strrchr(xauthfile, '/');
- if (p != NULL) {
- *p = '\0';
- rmdir(xauthfile);
- }
- xfree(xauthfile);
- xauthfile = NULL;
- }
+ /* remove agent socket */
+ if (auth_get_socket_name())
+ auth_sock_cleanup_proc(authctxt->pw);
}
/*
@@ -229,7 +209,7 @@
{
Session *s;
char *command;
- int success, type, fd, n_bytes, plen, screen_flag, have_pty = 0;
+ int success, type, n_bytes, plen, screen_flag, have_pty = 0;
int compression_level = 0, enable_compression_after_reply = 0;
u_int proto_len, data_len, dlen;
@@ -350,25 +330,6 @@
if (s->display == NULL)
break;
- /* Setup to always have a local .Xauthority. */
- xauthfile = xmalloc(MAXPATHLEN);
- strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
- temporarily_use_uid(s->pw);
- if (mkdtemp(xauthfile) == NULL) {
- restore_uid();
- error("private X11 dir: mkdtemp %s failed: %s",
- xauthfile, strerror(errno));
- xfree(xauthfile);
- xauthfile = NULL;
- /* XXXX remove listening channels */
- break;
- }
- strlcat(xauthfile, "/cookies", MAXPATHLEN);
- fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600);
- if (fd >= 0)
- close(fd);
- restore_uid();
- fatal_add_cleanup(xauthfile_cleanup_proc, NULL);
success = 1;
break;
@@ -467,9 +428,6 @@
if (command != NULL)
xfree(command);
- /* Cleanup user's local Xauthority file. */
- if (xauthfile)
- xauthfile_cleanup_proc(NULL);
return;
default:
@@ -1048,8 +1006,6 @@
}
#endif /* KRB5 */
- if (xauthfile)
- child_set_env(&env, &envsize, "XAUTHORITY", xauthfile);
if (auth_get_socket_name() != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_get_socket_name());
@@ -1448,7 +1404,6 @@
int
session_x11_req(Session *s)
{
- int fd;
if (no_x11_forwarding_flag) {
debug("X11 forwarding disabled in user configuration file.");
return 0;
@@ -1457,11 +1412,6 @@
debug("X11 forwarding disabled in server configuration file.");
return 0;
}
- if (xauthfile != NULL) {
- debug("X11 fwd already started.");
- return 0;
- }
-
debug("Received request for X11 forwarding with auth spoofing.");
if (s->display != NULL)
packet_disconnect("Protocol error: X11 display already set.");
@@ -1478,26 +1428,6 @@
xfree(s->auth_data);
return 0;
}
- xauthfile = xmalloc(MAXPATHLEN);
- strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
- temporarily_use_uid(s->pw);
- if (mkdtemp(xauthfile) == NULL) {
- restore_uid();
- error("private X11 dir: mkdtemp %s failed: %s",
- xauthfile, strerror(errno));
- xfree(xauthfile);
- xauthfile = NULL;
- xfree(s->auth_proto);
- xfree(s->auth_data);
- /* XXXX remove listening channels */
- return 0;
- }
- strlcat(xauthfile, "/cookies", MAXPATHLEN);
- fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600);
- if (fd >= 0)
- close(fd);
- restore_uid();
- fatal_add_cleanup(xauthfile_cleanup_proc, s);
return 1;
}
@@ -1791,6 +1721,4 @@
{
server_loop2();
- if (xauthfile)
- xauthfile_cleanup_proc(NULL);
}
Home |
Main Index |
Thread Index |
Old Index