From 632f2669564d910cb7ad39a9aded3b7a6b0e829a Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 13 Jun 2008 04:51:28 +0000 Subject: [PATCH] - djm@cvs.openbsd.org 2008/06/13 04:40:22 [auth2-pubkey.c auth-rhosts.c] refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not regular files; report from Solar Designer via Colin Watson in bz#1471 ok dtucker@ deraadt@ --- ChangeLog | 5 +++++ auth-rhosts.c | 25 +++++++++++++++++++++---- auth2-pubkey.c | 32 +++++++++++++++++++++++--------- 3 files changed, 49 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4aa15d8b..54e0e4d9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -157,6 +157,11 @@ - dtucker@cvs.openbsd.org 2008/06/13 01:38:23 [misc.c] upcast uid to long with matching %ld, prevents warnings in portable + - djm@cvs.openbsd.org 2008/06/13 04:40:22 + [auth2-pubkey.c auth-rhosts.c] + refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not + regular files; report from Solar Designer via Colin Watson in bz#1471 + ok dtucker@ deraadt - (dtucker) [clientloop.c serverloop.c] channel_register_filter now takes 2 more args. with djm@ - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch diff --git a/auth-rhosts.c b/auth-rhosts.c index cd0a7967..bbddfb6d 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rhosts.c,v 1.41 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth-rhosts.c,v 1.42 2008/06/13 04:40:22 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -26,6 +26,7 @@ #include #include #include +#include #include "packet.h" #include "buffer.h" @@ -37,6 +38,7 @@ #include "key.h" #include "hostfile.h" #include "auth.h" +#include "misc.h" /* import */ extern ServerOptions options; @@ -55,12 +57,27 @@ check_rhosts_file(const char *filename, const char *hostname, { FILE *f; char buf[1024]; /* Must not be larger than host, user, dummy below. */ + int fd; + struct stat st; /* Open the .rhosts file, deny if unreadable */ - f = fopen(filename, "r"); - if (!f) + if ((fd = open(filename, O_RDONLY|O_NONBLOCK)) == -1) return 0; - + if (fstat(fd, &st) == -1) { + close(fd); + return 0; + } + if (!S_ISREG(st.st_mode)) { + logit("User %s hosts file %s is not a regular file", + server_user, filename); + close(fd); + return 0; + } + unset_nonblock(fd); + if ((f = fdopen(fd, "r")) == NULL) { + close(fd); + return 0; + } while (fgets(buf, sizeof(buf), f)) { /* All three must be at least as big as buf to avoid overflows. */ char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp; diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 9863cd9e..7f7ddd8c 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.16 2008/06/13 04:40:22 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -28,6 +28,7 @@ #include #include +#include #include #include #include @@ -180,7 +181,7 @@ static int user_key_allowed2(struct passwd *pw, Key *key, char *file) { char line[SSH_MAX_PUBKEY_BYTES]; - int found_key = 0; + int found_key = 0, fd; FILE *f; u_long linenum = 0; struct stat st; @@ -192,16 +193,29 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) debug("trying public key file %s", file); - /* Fail quietly if file does not exist */ - if (stat(file, &st) < 0) { - /* Restore the privileged uid. */ + /* + * Open the file containing the authorized keys + * Fail quietly if file does not exist + */ + if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) { restore_uid(); return 0; } - /* Open the file containing the authorized keys. */ - f = fopen(file, "r"); - if (!f) { - /* Restore the privileged uid. */ + if (fstat(fd, &st) < 0) { + close(fd); + restore_uid(); + return 0; + } + if (!S_ISREG(st.st_mode)) { + logit("User %s authorized keys %s is not a regular file", + pw->pw_name, file); + close(fd); + restore_uid(); + return 0; + } + unset_nonblock(fd); + if ((f = fdopen(fd, "r")) == NULL) { + close(fd); restore_uid(); return 0; } -- 2.45.1