From: mouring Date: Sun, 8 Apr 2001 18:26:59 +0000 (+0000) Subject: - markus@cvs.openbsd.org 2001/04/06 21:00:17 X-Git-Tag: V_2_9_P2~119 X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/63bd8c365b56b25157969008ff5b69fb04aa4664 - markus@cvs.openbsd.org 2001/04/06 21:00:17 [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth2.c channels.c session.c ssh.c sshconnect.c sshconnect.h uidswap.c uidswap.h] do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this. --- diff --git a/ChangeLog b/ChangeLog index 447bddd1..6649ae49 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,12 @@ - markus@cvs.openbsd.org 2001/04/08 11:27:33 [clientloop.c] leave_raw_mode if ssh2 "session" is closed + - markus@cvs.openbsd.org 2001/04/06 21:00:17 + [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth2.c channels.c session.c + ssh.c sshconnect.c sshconnect.h uidswap.c uidswap.h] + do gid/groups-swap in addition to uid-swap, should help if /home/group + is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks + to olar@openwall.com is comments. we had many requests for this. 20010408 - OpenBSD CVS Sync diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index 0edbdb5f..506a5a23 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rh-rsa.c,v 1.22 2001/02/03 10:08:36 markus Exp $"); +RCSID("$OpenBSD: auth-rh-rsa.c,v 1.23 2001/04/06 21:00:04 markus Exp $"); #include "packet.h" #include "xmalloc.h" @@ -80,7 +80,7 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key pw->pw_name, user_hostfile); } else { /* XXX race between stat and the following open() */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); host_status = check_host_in_hostfile(user_hostfile, canonical_hostname, client_key, found, NULL); restore_uid(); diff --git a/auth-rhosts.c b/auth-rhosts.c index 9b018c9d..c71e9b55 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.21 2001/02/08 19:30:51 itojun Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.22 2001/04/06 21:00:06 markus Exp $"); #include "packet.h" #include "xmalloc.h" @@ -161,7 +161,7 @@ auth_rhosts(struct passwd *pw, const char *client_user) if (pw == NULL) return 0; /* Switch to the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* * Quick check: if the user has no .shosts or .rhosts files, return * failure immediately without doing costly lookups from name @@ -223,7 +223,7 @@ auth_rhosts(struct passwd *pw, const char *client_user) return 0; } /* Temporarily use the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* Check all .rhosts files (currently .shosts and .rhosts). */ for (rhosts_file_index = 0; rhosts_files[rhosts_file_index]; diff --git a/auth-rsa.c b/auth-rsa.c index 30e5a54c..59bee18b 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rsa.c,v 1.39 2001/03/01 02:45:10 deraadt Exp $"); +RCSID("$OpenBSD: auth-rsa.c,v 1.40 2001/04/06 21:00:07 markus Exp $"); #include #include @@ -135,7 +135,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) return 0; /* Temporarily use the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* The authorized keys. */ snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, diff --git a/auth2.c b/auth2.c index 8c9eb17a..d676270b 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.50 2001/04/04 20:32:56 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.51 2001/04/06 21:00:08 markus Exp $"); #include @@ -590,7 +590,7 @@ user_key_allowed(struct passwd *pw, Key *key) return 0; /* Temporarily use the user's uid. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* The authorized keys. */ snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir, diff --git a/channels.c b/channels.c index 6ca31b84..d5526fb8 100644 --- a/channels.c +++ b/channels.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.101 2001/04/05 10:42:48 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.102 2001/04/06 21:00:10 markus Exp $"); #include #include @@ -2410,7 +2410,7 @@ auth_input_request_forwarding(struct passwd * pw) fatal("Protocol error: authentication forwarding requested twice."); /* Temporarily drop privileged uid for mkdir/bind. */ - temporarily_use_uid(pw->pw_uid); + temporarily_use_uid(pw); /* Allocate a buffer for the socket name, and format the name. */ channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME); diff --git a/session.c b/session.c index 5264ac18..8da79933 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.70 2001/04/05 15:48:18 stevesk Exp $"); +RCSID("$OpenBSD: session.c,v 1.71 2001/04/06 21:00:12 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -365,7 +365,7 @@ do_authenticated1(Authctxt *authctxt) /* Setup to always have a local .Xauthority. */ xauthfile = xmalloc(MAXPATHLEN); strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); - temporarily_use_uid(s->pw->pw_uid); + temporarily_use_uid(s->pw); if (mkdtemp(xauthfile) == NULL) { restore_uid(); error("private X11 dir: mkdtemp %s failed: %s", @@ -1152,7 +1152,7 @@ do_child(Session *s, const char *command) #endif /* Permanently switch to the desired uid. */ - permanently_set_uid(pw->pw_uid); + permanently_set_uid(pw); # endif /* HAVE_LOGIN_CAP */ } #endif /* HAVE_OSF_SIA */ @@ -1710,7 +1710,7 @@ session_x11_req(Session *s) } xauthfile = xmalloc(MAXPATHLEN); strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); - temporarily_use_uid(s->pw->pw_uid); + temporarily_use_uid(s->pw); if (mkdtemp(xauthfile) == NULL) { restore_uid(); error("private X11 dir: mkdtemp %s failed: %s", diff --git a/ssh.c b/ssh.c index 278e7eda..294bcf39 100644 --- a/ssh.c +++ b/ssh.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.106 2001/04/05 21:05:24 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.107 2001/04/06 21:00:13 markus Exp $"); #include #include @@ -265,6 +265,15 @@ main(int ac, char **av) fatal("setrlimit failed: %.100s", strerror(errno)); } #endif + /* Get user data. */ + pw = getpwuid(original_real_uid); + if (!pw) { + log("You don't exist, go away!"); + exit(1); + } + /* Take a copy of the returned structure. */ + pw = pwcopy(pw); + /* * Use uid-swapping to give up root privileges for the duration of * option processing. We will re-instantiate the rights when we are @@ -272,7 +281,7 @@ main(int ac, char **av) * them when the port has been created (actually, when the connection * has been made, as we may need to create the port several times). */ - temporarily_use_uid(original_real_uid); + temporarily_use_uid(pw); /* * Set our umask to something reasonable, as some files are created @@ -545,15 +554,6 @@ main(int ac, char **av) tty_flag = 0; } - /* Get user data. */ - pw = getpwuid(original_real_uid); - if (!pw) { - log("You don't exist, go away!"); - exit(1); - } - /* Take a copy of the returned structure. */ - pw = pwcopy(pw); - /* * Initialize "log" output. Since we are the client all output * actually goes to stderr. @@ -592,6 +592,7 @@ main(int ac, char **av) "originating port will not be trusted."); options.rhosts_authentication = 0; } + /* * If using rsh has been selected, exec it now (without trying * anything else). Note that we must release privileges first. @@ -604,7 +605,7 @@ main(int ac, char **av) restore_uid(); /* Switch to the original uid permanently. */ - permanently_set_uid(original_real_uid); + permanently_set_uid(pw); /* Execute rsh. */ rsh_connect(host, options.user, &command); @@ -618,8 +619,7 @@ main(int ac, char **av) ok = ssh_connect(host, &hostaddr, options.port, options.connection_attempts, original_effective_uid != 0 || !options.use_privileged_port, - original_real_uid, - options.proxy_command); + pw, options.proxy_command); /* * If we successfully made the connection, load the host private key @@ -646,7 +646,7 @@ main(int ac, char **av) * process, read the private hostkey and impersonate the host. * OpenBSD does not allow ptracing of setuid processes. */ - permanently_set_uid(original_real_uid); + permanently_set_uid(pw); /* * Now that we are back to our own permissions, create ~/.ssh @@ -688,8 +688,7 @@ main(int ac, char **av) tilde_expand_filename(options.user_hostfile2, original_real_uid); /* Log into the remote system. This never returns if the login fails. */ - ssh_login(host_private_key, host, (struct sockaddr *)&hostaddr, - original_real_uid); + ssh_login(host_private_key, host, (struct sockaddr *)&hostaddr, pw); /* We no longer need the host private key. Clear it now. */ if (host_private_key != NULL) diff --git a/sshconnect.c b/sshconnect.c index 754ac124..85427b44 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.102 2001/04/05 10:42:55 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.103 2001/04/06 21:00:14 markus Exp $"); #include @@ -45,7 +45,7 @@ extern int IPv4or6; * Connect to the given ssh server using a proxy command. */ int -ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid, +ssh_proxy_connect(const char *host, u_short port, struct passwd *pw, const char *proxy_command) { Buffer command; @@ -96,7 +96,7 @@ ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid, char *argv[10]; /* Child. Permanently give up superuser privileges. */ - permanently_set_uid(original_real_uid); + permanently_set_uid(pw); /* Redirect stdin and stdout. */ close(pin[1]); @@ -145,7 +145,7 @@ ssh_proxy_connect(const char *host, u_short port, uid_t original_real_uid, * Creates a (possibly privileged) socket for use as the ssh connection. */ int -ssh_create_socket(uid_t original_real_uid, int privileged, int family) +ssh_create_socket(struct passwd *pw, int privileged, int family) { int sock; @@ -165,7 +165,7 @@ ssh_create_socket(uid_t original_real_uid, int privileged, int family) * Just create an ordinary socket on arbitrary port. We use * the user's uid to create the socket. */ - temporarily_use_uid(original_real_uid); + temporarily_use_uid(pw); sock = socket(family, SOCK_STREAM, 0); if (sock < 0) error("socket: %.100s", strerror(errno)); @@ -188,7 +188,7 @@ ssh_create_socket(uid_t original_real_uid, int privileged, int family) int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, u_short port, int connection_attempts, - int anonymous, uid_t original_real_uid, + int anonymous, struct passwd *pw, const char *proxy_command) { int gaierr; @@ -212,7 +212,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, } /* If a proxy command is given, connect using it. */ if (proxy_command != NULL) - return ssh_proxy_connect(host, port, original_real_uid, proxy_command); + return ssh_proxy_connect(host, port, pw, proxy_command); /* No proxy command. */ @@ -248,7 +248,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, host, ntop, strport); /* Create a socket for connecting. */ - sock = ssh_create_socket(original_real_uid, + sock = ssh_create_socket(pw, #ifdef HAVE_CYGWIN !anonymous, #else @@ -262,7 +262,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, * hope that it will help with tcp_wrappers showing * the remote uid as root. */ - temporarily_use_uid(original_real_uid); + temporarily_use_uid(pw); if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); @@ -739,16 +739,11 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, */ void ssh_login(Key *own_host_key, const char *orighost, - struct sockaddr *hostaddr, uid_t original_real_uid) + struct sockaddr *hostaddr, struct passwd *pw) { - struct passwd *pw; char *host, *cp; char *server_user, *local_user; - /* Get local user name. Use it as server user if no user name was given. */ - pw = getpwuid(original_real_uid); - if (!pw) - fatal("User id %u not found from user database.", original_real_uid); local_user = xstrdup(pw->pw_name); server_user = options.user ? options.user : local_user; diff --git a/sshconnect.h b/sshconnect.h index 3a71d9c2..45caf739 100644 --- a/sshconnect.h +++ b/sshconnect.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.7 2001/03/26 08:07:09 markus Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.8 2001/04/06 21:00:15 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -37,7 +37,7 @@ int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, u_short port, int connection_attempts, - int anonymous, uid_t original_real_uid, + int anonymous, struct passwd *pw, const char *proxy_command); /* @@ -51,7 +51,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, void ssh_login(Key *host_key, const char *host, - struct sockaddr * hostaddr, uid_t original_real_uid); + struct sockaddr * hostaddr, struct passwd *pw); void diff --git a/uidswap.c b/uidswap.c index bdfa484f..7cfacd4a 100644 --- a/uidswap.c +++ b/uidswap.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: uidswap.c,v 1.13 2001/01/21 19:06:01 markus Exp $"); +RCSID("$OpenBSD: uidswap.c,v 1.14 2001/04/06 21:00:16 markus Exp $"); #include "log.h" #include "uidswap.h" @@ -26,57 +26,80 @@ RCSID("$OpenBSD: uidswap.c,v 1.13 2001/01/21 19:06:01 markus Exp $"); * POSIX saved uids or not. */ -#if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS) /* Lets assume that posix saved ids also work with seteuid, even though that is not part of the posix specification. */ -#define SAVED_IDS_WORK_WITH_SETEUID + /* Saved effective uid. */ -static uid_t saved_euid = 0; -#endif - +static int privileged = 0; +static int temporarily_use_uid_effective = 0; +static uid_t saved_euid = 0; +static gid_t saved_egid; +static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX]; +static int saved_egroupslen = -1, user_groupslen = -1; + /* * Temporarily changes to the given uid. If the effective user * id is not root, this does nothing. This call cannot be nested. */ void -temporarily_use_uid(uid_t uid) +temporarily_use_uid(struct passwd *pw) { -#ifdef SAVED_IDS_WORK_WITH_SETEUID - /* Save the current euid. */ - saved_euid = geteuid(); - - /* Set the effective uid to the given (unprivileged) uid. */ - if (seteuid(uid) == -1) - debug("seteuid %u: %.100s", (u_int) uid, strerror(errno)); -#else /* SAVED_IDS_WORK_WITH_SETEUID */ - /* Propagate the privileged uid to all of our uids. */ - if (setuid(geteuid()) < 0) - debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno)); - - /* Set the effective uid to the given (unprivileged) uid. */ - if (seteuid(uid) == -1) - debug("seteuid %u: %.100s", (u_int) uid, strerror(errno)); -#endif /* SAVED_IDS_WORK_WITH_SETEUID */ + /* Save the current euid, and egroups. */ + saved_euid = geteuid(); + debug("temporarily_use_uid: %d/%d (e=%d)", + pw->pw_uid, pw->pw_gid, saved_euid); + if (saved_euid != 0) { + privileged = 0; + return; + } + privileged = 1; + temporarily_use_uid_effective = 1; + saved_egid = getegid(); + saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups); + if (saved_egroupslen < 0) + fatal("getgroups: %.100s", strerror(errno)); + + /* set and save the user's groups */ + if (user_groupslen == -1) { + if (initgroups(pw->pw_name, pw->pw_gid) < 0) + fatal("initgroups: %s: %.100s", pw->pw_name, + strerror(errno)); + user_groupslen = getgroups(NGROUPS_MAX, user_groups); + if (user_groupslen < 0) + fatal("getgroups: %.100s", strerror(errno)); + } + /* Set the effective uid to the given (unprivileged) uid. */ + if (setgroups(user_groupslen, user_groups) < 0) + fatal("setgroups: %.100s", strerror(errno)); + pw->pw_gid = pw->pw_gid; + if (setegid(pw->pw_gid) < 0) + fatal("setegid %u: %.100s", (u_int) pw->pw_gid, + strerror(errno)); + if (seteuid(pw->pw_uid) == -1) + fatal("seteuid %u: %.100s", (u_int) pw->pw_uid, + strerror(errno)); } - + /* * Restores to the original uid. */ void restore_uid(void) { -#ifdef SAVED_IDS_WORK_WITH_SETEUID + debug("restore_uid"); + /* it's a no-op unless privileged */ + if (!privileged) + return; + if (!temporarily_use_uid_effective) + fatal("restore_uid: temporarily_use_uid not effective"); /* Set the effective uid back to the saved uid. */ if (seteuid(saved_euid) < 0) - debug("seteuid %u: %.100s", (u_int) saved_euid, strerror(errno)); -#else /* SAVED_IDS_WORK_WITH_SETEUID */ - /* - * We are unable to restore the real uid to its unprivileged value. - * Propagate the real uid (usually more privileged) to effective uid - * as well. - */ - setuid(getuid()); -#endif /* SAVED_IDS_WORK_WITH_SETEUID */ + fatal("seteuid %u: %.100s", (u_int) saved_euid, strerror(errno)); + if (setgroups(saved_egroupslen, saved_egroups) < 0) + fatal("setgroups: %.100s", strerror(errno)); + if (setegid(saved_egid) < 0) + fatal("setegid %u: %.100s", (u_int) saved_egid, strerror(errno)); + temporarily_use_uid_effective = 0; } /* @@ -84,8 +107,12 @@ restore_uid(void) * called while temporarily_use_uid is effective. */ void -permanently_set_uid(uid_t uid) +permanently_set_uid(struct passwd *pw) { - if (setuid(uid) < 0) - debug("setuid %u: %.100s", (u_int) uid, strerror(errno)); + if (temporarily_use_uid_effective) + fatal("restore_uid: temporarily_use_uid effective"); + if (setuid(pw->pw_uid) < 0) + fatal("setuid %u: %.100s", (u_int) pw->pw_uid, strerror(errno)); + if (setgid(pw->pw_gid) < 0) + fatal("setgid %u: %.100s", (u_int) pw->pw_gid, strerror(errno)); } diff --git a/uidswap.h b/uidswap.h index ab1a79c8..228e5a5e 100644 --- a/uidswap.h +++ b/uidswap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: uidswap.h,v 1.6 2001/01/29 01:58:19 niklas Exp $ */ +/* $OpenBSD: uidswap.h,v 1.7 2001/04/06 21:00:17 markus Exp $ */ /* * Author: Tatu Ylonen @@ -19,7 +19,7 @@ * Temporarily changes to the given uid. If the effective user id is not * root, this does nothing. This call cannot be nested. */ -void temporarily_use_uid(uid_t uid); +void temporarily_use_uid(struct passwd *pw); /* * Restores the original effective user id after temporarily_use_uid(). @@ -31,6 +31,6 @@ void restore_uid(void); * Permanently sets all uids to the given uid. This cannot be called while * temporarily_use_uid is effective. This must also clear any saved uids. */ -void permanently_set_uid(uid_t uid); +void permanently_set_uid(struct passwd *pw); #endif /* UIDSWAP_H */