- markus@cvs.openbsd.org 2001/06/04 21:59:43

     [channels.c channels.h session.c]
     switch uid when cleaning up tmp files and sockets; reported by
     zen-parse@gmx.net on bugtraq

diff --git a/ChangeLog b/ChangeLog
index 7011515d8ca9183103b7645aba0c498e42991f9a..5552ef5c6e1ecd197b31dffae916e22c21ab6f0b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,10 @@
      the challenge response device decides how to handle non-existing 
      users.
      -> fake challenges for skey and cryptocard
+   - markus@cvs.openbsd.org 2001/06/04 21:59:43
+     [channels.c channels.h session.c]
+     switch uid when cleaning up tmp files and sockets; reported by 
+     zen-parse@gmx.net on bugtraq
 
 20010606
  - OpenBSD CVS Sync

diff --git a/channels.c b/channels.c
index 110613896616c64eabc77002a5c3d359fe8b2785..32c23be1fc626e0ce0491e21ec3d61912d98160f 100644 (file)
--- a/channels.c
+++ b/channels.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.122 2001/06/03 14:55:38 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.123 2001/06/04 21:59:42 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -2777,12 +2777,16 @@ auth_get_socket_name()
 /* removes the agent forwarding socket */
 
 void
-auth_sock_cleanup_proc(void *ignored)
+auth_sock_cleanup_proc(void *_pw)
 {
+       struct passwd *pw = _pw;
+
        if (auth_sock_name) {
+               temporarily_use_uid(pw);
                unlink(auth_sock_name);
                rmdir(auth_sock_dir);
                auth_sock_name = NULL;
+               restore_uid();
        }
 }
 
@@ -2826,7 +2830,7 @@ auth_input_request_forwarding(struct passwd * pw)
                 auth_sock_dir, (int) getpid());
 
        /* delete agent socket on fatal() */
-       fatal_add_cleanup(auth_sock_cleanup_proc, NULL);
+       fatal_add_cleanup(auth_sock_cleanup_proc, pw);
 
        /* Create the socket. */
        sock = socket(AF_UNIX, SOCK_STREAM, 0);
@@ -2856,7 +2860,7 @@ auth_input_request_forwarding(struct passwd * pw)
            0, xstrdup("auth socket"), 1);
        if (nc == NULL) {
                error("auth_input_request_forwarding: channel_new failed");
-               auth_sock_cleanup_proc(NULL);
+               auth_sock_cleanup_proc(pw);
                close(sock);
                return 0;
        }

diff --git a/channels.h b/channels.h
index c1815d58d6262d71578b2cbdbfae0b7e1b869072..3de9627ab99e6c8e44b30e132eb4fee95414b253 100644 (file)
--- a/channels.h
+++ b/channels.h
@@ -32,7 +32,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-/* RCSID("$OpenBSD: channels.h,v 1.36 2001/06/03 14:55:39 markus Exp $"); */
+/* RCSID("$OpenBSD: channels.h,v 1.37 2001/06/04 21:59:42 markus Exp $"); */
 
 #ifndef CHANNEL_H
 #define CHANNEL_H
@@ -223,7 +223,7 @@ void        deny_input_open(int type, int plen, void *ctxt);
 
 void    auth_request_forwarding(void);
 char   *auth_get_socket_name(void);
-void   auth_sock_cleanup_proc(void *ignored);
+void   auth_sock_cleanup_proc(void *pw);
 int     auth_input_request_forwarding(struct passwd * pw);
 void    auth_input_open_request(int type, int plen, void *ctxt);
 

diff --git a/session.c b/session.c
index ce9b2002b840bae85b8b466adf8feb1f036ac122..c65c7e6639eedef3a838c0b6918852eadd9406ea 100644 (file)
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.79 2001/06/03 14:55:39 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.80 2001/06/04 21:59:43 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -132,7 +132,7 @@ void        do_pre_login(Session *s);
 void   do_child(Session *s, const char *command);
 void   do_motd(void);
 int    check_quietlogin(Session *s, const char *command);
-void   xauthfile_cleanup_proc(void *ignore);
+void   xauthfile_cleanup_proc(void *pw);
 
 void   do_authenticated1(Authctxt *authctxt);
 void   do_authenticated2(Authctxt *authctxt);
@@ -200,21 +200,23 @@ do_authenticated(Authctxt *authctxt)
 
        /* remote user's local Xauthority file and agent socket */
        if (xauthfile)
-               xauthfile_cleanup_proc(NULL);
+               xauthfile_cleanup_proc(authctxt->pw);
        if (auth_get_socket_name())
-               auth_sock_cleanup_proc(NULL);
+               auth_sock_cleanup_proc(authctxt->pw);
 }
 
 /*
  * Remove local Xauthority file.
  */
 void
-xauthfile_cleanup_proc(void *ignore)
+xauthfile_cleanup_proc(void *_pw)
 {
-       debug("xauthfile_cleanup_proc called");
+       struct passwd *pw = _pw;
+       char *p;
 
+       debug("xauthfile_cleanup_proc called");
        if (xauthfile != NULL) {
-               char *p;
+               temporarily_use_uid(pw);
                unlink(xauthfile);
                p = strrchr(xauthfile, '/');
                if (p != NULL) {
@@ -223,6 +225,7 @@ xauthfile_cleanup_proc(void *ignore)
                }
                xfree(xauthfile);
                xauthfile = NULL;
+               restore_uid();
        }
 }
 
@@ -399,7 +402,7 @@ do_authenticated1(Authctxt *authctxt)
                        if (fd >= 0)
                                close(fd);
                        restore_uid();
-                       fatal_add_cleanup(xauthfile_cleanup_proc, NULL);
+                       fatal_add_cleanup(xauthfile_cleanup_proc, s->pw);
                        success = 1;
                        break;
 
@@ -1811,7 +1814,7 @@ session_x11_req(Session *s)
        if (fd >= 0)
                close(fd);
        restore_uid();
-       fatal_add_cleanup(xauthfile_cleanup_proc, s);
+       fatal_add_cleanup(xauthfile_cleanup_proc, s->pw);
        return 1;
 }