+20040815
+ - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since
+ it does the right thing on all platforms. ok djm@
+
20040814
- (dtucker) [auth-krb5.c gss-serv-krb5.c openbsd-compat/xmmap.c]
Explicitly set umask for mkstemp; ok djm@
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o moduli.o mpaux.o nchan.o packet.o \
readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o \
- atomicio.o key.o dispatch.o kex.o mac.o uuencode.o misc.o \
+ atomicio.o key.o dispatch.o kex.o mac.o uidswap.c uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
entropy.o scard-opensc.o gss-genr.o
sshconnect.o sshconnect1.o sshconnect2.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
- sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o \
+ sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
#include "canohost.h"
#include "pathnames.h"
#include "readconf.h"
+#include "uidswap.h"
/* XXX readconf.c needs these */
uid_t original_real_uid;
key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
- seteuid(getuid());
- setuid(getuid());
+ if ((pw = getpwuid(getuid())) == NULL)
+ fatal("getpwuid failed");
+ pw = pwcopy(pw);
+
+ permanently_set_uid(pw);
init_rng();
seed_rng();
if (key_fd[0] == -1 && key_fd[1] == -1)
fatal("could not open any host key");
- if ((pw = getpwuid(getuid())) == NULL)
- fatal("getpwuid failed");
- pw = pwcopy(pw);
-
SSLeay_add_all_algorithms();
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
#include "match.h"
#include "msg.h"
#include "monitor_fdpass.h"
+#include "uidswap.h"
#ifdef SMARTCARD
#include "scard.h"
* user's home directory if it happens to be on a NFS volume where
* root is mapped to nobody.
*/
- seteuid(original_real_uid);
- setuid(original_real_uid);
+ if (original_effective_uid == 0) {
+ PRIV_START;
+ permanently_set_uid(pw);
+ }
/*
* Now that we are back to our own permissions, create ~/.ssh