- djm@cvs.openbsd.org 2008/06/13 04:40:22

[auth2-pubkey.c auth-rhosts.c]
     refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
     regular files; report from Solar Designer via Colin Watson in bz#1471
     ok dtucker@ deraadt@

ChangeLog

@@ -157,6 +157,11 @@
    - dtucker@cvs.openbsd.org 2008/06/13 01:38:23
      [misc.c]
      upcast uid to long with matching %ld, prevents warnings in portable
+   - djm@cvs.openbsd.org 2008/06/13 04:40:22
+     [auth2-pubkey.c auth-rhosts.c]
+     refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
+     regular files; report from Solar Designer via Colin Watson in bz#1471
+     ok dtucker@ deraadt
   - (dtucker) [clientloop.c serverloop.c]  channel_register_filter now
     takes 2 more args.  with djm@
   - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch
@@ -4328,4 +4333,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.5001 2008/06/13 04:48:59 dtucker Exp $
+$Id: ChangeLog,v 1.5002 2008/06/13 04:51:28 dtucker Exp $

auth-rhosts.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rhosts.c,v 1.41 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.42 2008/06/13 04:40:22 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -26,6 +26,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
+#include <fcntl.h>
 
 #include "packet.h"
 #include "buffer.h"
@@ -37,6 +38,7 @@
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
+#include "misc.h"
 
 /* import */
 extern ServerOptions options;
@@ -55,12 +57,27 @@ check_rhosts_file(const char *filename, const char *hostname,
 {
 	FILE *f;
 	char buf[1024];	/* Must not be larger than host, user, dummy below. */
+	int fd;
+	struct stat st;
 
 	/* Open the .rhosts file, deny if unreadable */
-	f = fopen(filename, "r");
+	if ((fd = open(filename, O_RDONLY|O_NONBLOCK)) == -1)
-	if (!f)
 		return 0;
-
+	if (fstat(fd, &st) == -1) {
+		close(fd);
+		return 0;
+	}
+	if (!S_ISREG(st.st_mode)) {
+		logit("User %s hosts file %s is not a regular file",
+		    server_user, filename);
+		close(fd);
+		return 0;
+	}
+	unset_nonblock(fd);
+	if ((f = fdopen(fd, "r")) == NULL) {
+		close(fd);
+		return 0;
+	}
 	while (fgets(buf, sizeof(buf), f)) {
 		/* All three must be at least as big as buf to avoid overflows. */
 		char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;

auth2-pubkey.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.16 2008/06/13 04:40:22 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -28,6 +28,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 
+#include <fcntl.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <stdarg.h>
@@ -180,7 +181,7 @@ static int
 user_key_allowed2(struct passwd *pw, Key *key, char *file)
 {
 	char line[SSH_MAX_PUBKEY_BYTES];
-	int found_key = 0;
+	int found_key = 0, fd;
 	FILE *f;
 	u_long linenum = 0;
 	struct stat st;
@@ -192,16 +193,29 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 
 	debug("trying public key file %s", file);
 
-	/* Fail quietly if file does not exist */
+	/*
-	if (stat(file, &st) < 0) {
+	 * Open the file containing the authorized keys
-		/* Restore the privileged uid. */
+	 * Fail quietly if file does not exist
+	 */
+	if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
 		restore_uid();
 		return 0;
 	}
-	/* Open the file containing the authorized keys. */
+	if (fstat(fd, &st) < 0) {
-	f = fopen(file, "r");
+		close(fd);
-	if (!f) {
+		restore_uid();
-		/* Restore the privileged uid. */
+		return 0;
+	}
+	if (!S_ISREG(st.st_mode)) {
+		logit("User %s authorized keys %s is not a regular file",
+		    pw->pw_name, file);
+		close(fd);
+		restore_uid();
+		return 0;
+	}
+	unset_nonblock(fd);
+	if ((f = fdopen(fd, "r")) == NULL) {
+		close(fd);
 		restore_uid();
 		return 0;
 	}