[readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
replace remaining setuid() calls with permanently_set_uid() and
check seteuid() return values; report Marcus Meissner; ok dtucker djm
+ - markus@cvs.openbsd.org 2006/06/08 14:45:49
+ [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
+ do not set the gid, noted by solar; ok djm
20060521
- (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
-/* $OpenBSD: readpass.c,v 1.38 2006/06/06 10:20:20 markus Exp $ */
+/* $OpenBSD: readpass.c,v 1.39 2006/06/08 14:45:49 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
return NULL;
}
if (pid == 0) {
- permanently_set_uid(getpwuid(getuid()));
+ permanently_drop_suid(getuid());
close(p[0]);
if (dup2(p[1], STDOUT_FILENO) < 0)
fatal("ssh_askpass: dup2: %s", strerror(errno));
-/* $OpenBSD: sshconnect.c,v 1.183 2006/06/06 10:20:20 markus Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.184 2006/06/08 14:45:49 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
char *argv[10];
/* Child. Permanently give up superuser privileges. */
- permanently_set_uid(getpwuid(original_real_uid));
+ permanently_drop_suid(original_real_uid);
/* Redirect stdin and stdout. */
close(pin[1]);
-/* $OpenBSD: sshconnect2.c,v 1.154 2006/06/06 10:20:20 markus Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.155 2006/06/08 14:45:49 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
return -1;
}
if (pid == 0) {
- permanently_set_uid(getpwuid(getuid()));
+ permanently_drop_suid(getuid());
close(from[0]);
if (dup2(from[1], STDOUT_FILENO) < 0)
fatal("ssh_keysign: dup2: %s", strerror(errno));
-/* $OpenBSD: uidswap.c,v 1.28 2006/06/06 10:20:20 markus Exp $ */
+/* $OpenBSD: uidswap.c,v 1.29 2006/06/08 14:45:49 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
strerror(errno));
}
+void
+permanently_drop_suid(uid_t uid)
+{
+ uid_t old_uid = getuid();
+
+ debug("permanently_drop_suid: %u", (u_int)uid);
+#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
+ if (setresuid(uid, uid, uid) < 0)
+ fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
+#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
+ if (setreuid(uid, uid) < 0)
+ fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno));
+#else
+# ifndef SETEUID_BREAKS_SETUID
+ if (seteuid(uid) < 0)
+ fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno));
+# endif
+ if (setuid(uid) < 0)
+ fatal("setuid %u: %.100s", (u_int)uid, strerror(errno));
+#endif
+
+#ifndef HAVE_CYGWIN
+ /* Try restoration of UID if changed (test clearing of saved uid) */
+ if (old_uid != uid &&
+ (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+ fatal("%s: was able to restore old [e]uid", __func__);
+#endif
+
+ /* Verify UID drop was successful */
+ if (getuid() != uid || geteuid() != uid) {
+ fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
+ __func__, (u_int)getuid(), (u_int)geteuid(), (u_int)uid);
+ }
+}
+
/*
* Restores to the original (privileged) uid.
*/
-/* $OpenBSD: uidswap.h,v 1.10 2006/03/25 22:22:43 djm Exp $ */
+/* $OpenBSD: uidswap.h,v 1.11 2006/06/08 14:45:49 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
void temporarily_use_uid(struct passwd *);
void restore_uid(void);
void permanently_set_uid(struct passwd *);
+void permanently_drop_suid(uid_t);
#endif /* UIDSWAP_H */