upstream commit
Factor out "can bind to low ports" check into its own function. This will make it easier for Portable to support platforms with permissions models other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much" deraadt@. Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
This commit is contained in:
parent
0b9ee623d5
commit
1c4ef0b808
10
misc.c
10
misc.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: misc.c,v 1.105 2016/07/15 00:24:30 djm Exp $ */
|
||||
/* $OpenBSD: misc.c,v 1.106 2016/10/23 22:04:05 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
|
||||
|
@ -1243,3 +1243,11 @@ forward_equals(const struct Forward *a, const struct Forward *b)
|
|||
return 1;
|
||||
}
|
||||
|
||||
/* returns 1 if bind to specified port by specified user is permitted */
|
||||
int
|
||||
bind_permitted(int port, uid_t uid)
|
||||
{
|
||||
if (port < IPPORT_RESERVED && uid != 0)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
|
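Review bot: bind_permitted() returns 0 for port 0 when uid is non-zero, because `0 < IPPORT_RESERVED` holds, and the same goes for any negative value of the int parameter; the serverloop.c caller screens port 0 out with `fwd.listen_port != 0` before calling, but the readconf.c caller does not, so the contract belongs in the comment. Suggest `/* Returns 1 if uid may bind port, 0 otherwise.  Port 0 (dynamic) and negative values count as privileged; callers that allow dynamic ports must check for them first. */`. Since this helper is the one place Portable will later swap the uid==0 policy for something platform-specific, stating that it only decides the reserved-port rule, not whether forwarding is enabled at all, would also help future callers.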
3
misc.h
3
misc.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: misc.h,v 1.59 2016/09/12 01:22:38 deraadt Exp $ */
|
||||
/* $OpenBSD: misc.h,v 1.60 2016/10/23 22:04:05 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -30,6 +30,7 @@ struct Forward {
|
|||
};
|
||||
|
||||
int forward_equals(const struct Forward *, const struct Forward *);
|
||||
int bind_permitted(int, uid_t);
|
||||
|
||||
/* Common server and client forwarding options. */
|
||||
struct ForwardOptions {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: readconf.c,v 1.260 2016/08/25 23:56:51 djm Exp $ */
|
||||
/* $OpenBSD: readconf.c,v 1.261 2016/10/23 22:04:05 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -312,7 +312,7 @@ add_local_forward(Options *options, const struct Forward *newfwd)
|
|||
extern uid_t original_real_uid;
|
||||
int i;
|
||||
|
||||
if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
|
||||
if (bind_permitted(newfwd->listen_port, original_real_uid) &&
|
||||
newfwd->listen_path == NULL)
|
||||
fatal("Privileged ports can only be forwarded by root.");
|
||||
/* Don't add duplicates */
|
||||
|
|
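Review bot: The replacement condition in add_local_forward() has inverted polarity: the removed line called `fatal()` when a non-root uid requested a port below IPPORT_RESERVED, i.e. when the bind is not permitted, but the new line calls it when `bind_permitted()` returns 1, so every ordinary TCP local forward with `listen_path == NULL` now aborts while the non-root privileged-port case passes through. The serverloop.c hunk in this same commit negates the call, which is the intended usage. The line should read `if (!bind_permitted(newfwd->listen_port, original_real_uid) &&`. add_local_forward() begins and ends outside the hunk.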
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: serverloop.c,v 1.186 2016/09/12 01:22:38 deraadt Exp $ */
|
||||
/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -724,8 +724,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
|
|||
if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
|
||||
no_port_forwarding_flag ||
|
||||
(!want_reply && fwd.listen_port == 0) ||
|
||||
(fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
|
||||
pw->pw_uid != 0)) {
|
||||
(fwd.listen_port != 0 &&
|
||||
!bind_permitted(fwd.listen_port, pw->pw_uid))) {
|
||||
success = 0;
|
||||
packet_send_debug("Server has disabled port forwarding.");
|
||||
} else {
|
||||
|
|