[ssh-keygen.1]
sshd(8) will never read the private keys, but ssh(1) does;
hugh@mimosa.com
+ - provos@cvs.openbsd.org 2001/06/25 17:54:47
+ [auth.c auth.h auth-rsa.c]
+ terminate secure_filename checking after checking homedir. that way
+ it
20010629
- (bal) Removed net_aton() since we don't use it any more
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.42 2001/06/22 21:55:48 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.43 2001/06/25 17:54:47 provos Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
return 0;
}
if (options.strict_modes &&
- secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) {
+ secure_filename(f, file, pw, line, sizeof(line)) != 0) {
xfree(file);
fclose(f);
log("Authentication refused: %s", line);
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.24 2001/06/23 00:20:57 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.25 2001/06/25 17:54:48 provos Exp $");
#ifdef HAVE_LOGIN_H
#include <login.h>
* Returns 0 on success and -1 on failure
*/
int
-secure_filename(FILE *f, const char *file, uid_t uid, char *err, size_t errlen)
+secure_filename(FILE *f, const char *file, struct passwd *pw,
+ char *err, size_t errlen)
{
+ uid_t uid = pw->pw_uid;
+ char homedir[MAXPATHLEN];
char buf[MAXPATHLEN];
char *cp;
struct stat st;
+ strlcpy(homedir, dirname(pw->pw_dir), sizeof(homedir));
+
if (realpath(file, buf) == NULL) {
snprintf(err, errlen, "realpath %s failed: %s", file,
strerror(errno));
return -1;
}
+ debug3("secure_filename: terminating check at '%s'", homedir);
+
/* for each component of the canonical path, walking upwards */
for (;;) {
if ((cp = dirname(buf)) == NULL) {
}
strlcpy(buf, cp, sizeof(buf));
+ /* If are passed the homedir then we can stop */
+ if (strcmp(buf, homedir) == 0)
+ break;
+
debug3("secure_filename: checking '%s'", buf);
if (stat(buf, &st) < 0 ||
(st.st_uid != 0 && st.st_uid != uid) ||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $OpenBSD: auth.h,v 1.18 2001/06/23 00:20:58 markus Exp $
+ * $OpenBSD: auth.h,v 1.19 2001/06/25 17:54:49 provos Exp $
*/
#ifndef AUTH_H
#define AUTH_H
/* check a file and the path to it */
int
-secure_filename(FILE *f, const char *file, uid_t u, char *err, size_t errlen);
+secure_filename(FILE *f, const char *file, struct passwd *pw,
+ char *err, size_t errlen);
/* helper for hostbased auth */
HostStatus