- markus@cvs.openbsd.org 2006/06/08 14:45:49

     [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
     do not set the gid, noted by solar; ok djm

diff --git a/ChangeLog b/ChangeLog
index 06cf6ca6700c930fac946090f9b6974ef0dfe6f7..335913a4c6bc2842edf339f687712344796aedaa 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -42,6 +42,9 @@
      [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
      replace remaining setuid() calls with permanently_set_uid() and
      check seteuid() return values; report Marcus Meissner; ok dtucker djm
+   - markus@cvs.openbsd.org 2006/06/08 14:45:49
+     [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
+     do not set the gid, noted by solar; ok djm
 
 20060521
  - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor

diff --git a/readpass.c b/readpass.c
index 60e4a902f2d637e6db5bb9a37dddb44bd1d49c3f..34d70b07a6e5d4dba6ae18fd84a8d169150776bc 100644 (file)
--- a/readpass.c
+++ b/readpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readpass.c,v 1.38 2006/06/06 10:20:20 markus Exp $ */
+/* $OpenBSD: readpass.c,v 1.39 2006/06/08 14:45:49 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -61,7 +61,7 @@ ssh_askpass(char *askpass, const char *msg)
                return NULL;
        }
        if (pid == 0) {
-               permanently_set_uid(getpwuid(getuid()));
+               permanently_drop_suid(getuid());
                close(p[0]);
                if (dup2(p[1], STDOUT_FILENO) < 0)
                        fatal("ssh_askpass: dup2: %s", strerror(errno));

diff --git a/sshconnect.c b/sshconnect.c
index 41ad82f9f78d515678bfc9d4cad2305c52b50184..c76572662fca6eaf8b764d3aae63edb09225fc6e 100644 (file)
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.183 2006/06/06 10:20:20 markus Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.184 2006/06/08 14:45:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -97,7 +97,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
                char *argv[10];
 
                /* Child.  Permanently give up superuser privileges. */
-               permanently_set_uid(getpwuid(original_real_uid));
+               permanently_drop_suid(original_real_uid);
 
                /* Redirect stdin and stdout. */
                close(pin[1]);

diff --git a/sshconnect2.c b/sshconnect2.c
index c97738c7b76d3133d486adafa7905497d35248c6..4f96dcfc46a5a23fd470da984829d2e31f1c7161 100644 (file)
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.154 2006/06/06 10:20:20 markus Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.155 2006/06/08 14:45:49 markus Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -1253,7 +1253,7 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
                return -1;
        }
        if (pid == 0) {
-               permanently_set_uid(getpwuid(getuid()));
+               permanently_drop_suid(getuid());
                close(from[0]);
                if (dup2(from[1], STDOUT_FILENO) < 0)
                        fatal("ssh_keysign: dup2: %s", strerror(errno));

diff --git a/uidswap.c b/uidswap.c
index ba2d209427286b832245bee3b25c53297b17aca4..e5b0595ac0651d12fe4e2084dccf505a24e87798 100644 (file)
--- a/uidswap.c
+++ b/uidswap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uidswap.c,v 1.28 2006/06/06 10:20:20 markus Exp $ */
+/* $OpenBSD: uidswap.c,v 1.29 2006/06/08 14:45:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -123,6 +123,41 @@ temporarily_use_uid(struct passwd *pw)
                    strerror(errno));
 }
 
+void
+permanently_drop_suid(uid_t uid)
+{
+       uid_t old_uid = getuid();
+
+       debug("permanently_drop_suid: %u", (u_int)uid);
+#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
+       if (setresuid(uid, uid, uid) < 0)
+               fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
+#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
+       if (setreuid(uid, uid) < 0)
+               fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno));
+#else
+# ifndef SETEUID_BREAKS_SETUID
+       if (seteuid(uid) < 0)
+               fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno));
+# endif
+       if (setuid(uid) < 0)
+               fatal("setuid %u: %.100s", (u_int)uid, strerror(errno));
+#endif
+
+#ifndef HAVE_CYGWIN
+       /* Try restoration of UID if changed (test clearing of saved uid) */
+       if (old_uid != uid &&
+           (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+               fatal("%s: was able to restore old [e]uid", __func__);
+#endif
+
+       /* Verify UID drop was successful */
+       if (getuid() != uid || geteuid() != uid) {
+               fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
+                   __func__, (u_int)getuid(), (u_int)geteuid(), (u_int)uid);
+       }
+}
+
 /*
  * Restores to the original (privileged) uid.
  */

diff --git a/uidswap.h b/uidswap.h
index 967ea9c4d3240480c6cc6d048c5bec2b99d0b26b..f827782d5b212b6fd3db84375ed16829a4c43cd6 100644 (file)
--- a/uidswap.h
+++ b/uidswap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: uidswap.h,v 1.10 2006/03/25 22:22:43 djm Exp $ */
+/* $OpenBSD: uidswap.h,v 1.11 2006/06/08 14:45:49 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -18,5 +18,6 @@
 void    temporarily_use_uid(struct passwd *);
 void    restore_uid(void);
 void    permanently_set_uid(struct passwd *);
+void    permanently_drop_suid(uid_t);
 
 #endif                         /* UIDSWAP_H */