- dtucker@cvs.openbsd.org 2009/11/10 04:30:45
[sshconnect2.c channels.c sshconnect.c] Set close-on-exec on various descriptors so they don't get leaked to child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
parent
f788a91624
commit
6e7fe1c01b
|
@ -47,6 +47,10 @@
|
||||||
[sshd_config.5]
|
[sshd_config.5]
|
||||||
clarify that StrictModes does not apply to ChrootDirectory. Permissions
|
clarify that StrictModes does not apply to ChrootDirectory. Permissions
|
||||||
and ownership are always checked when chrooting. bz#1532
|
and ownership are always checked when chrooting. bz#1532
|
||||||
|
- dtucker@cvs.openbsd.org 2009/11/10 04:30:45
|
||||||
|
[sshconnect2.c channels.c sshconnect.c]
|
||||||
|
Set close-on-exec on various descriptors so they don't get leaked to
|
||||||
|
child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
|
||||||
|
|
||||||
20091226
|
20091226
|
||||||
- (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
|
- (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
|
||||||
|
|
10
channels.c
10
channels.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: channels.c,v 1.297 2009/10/28 16:38:18 reyk Exp $ */
|
/* $OpenBSD: channels.c,v 1.298 2009/11/10 04:30:44 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -53,6 +53,7 @@
|
||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
#include <fcntl.h>
|
||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
|
@ -231,7 +232,12 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
|
||||||
channel_max_fd = MAX(channel_max_fd, wfd);
|
channel_max_fd = MAX(channel_max_fd, wfd);
|
||||||
channel_max_fd = MAX(channel_max_fd, efd);
|
channel_max_fd = MAX(channel_max_fd, efd);
|
||||||
|
|
||||||
/* XXX set close-on-exec -markus */
|
if (rfd != -1)
|
||||||
|
fcntl(rfd, F_SETFD, FD_CLOEXEC);
|
||||||
|
if (wfd != -1 && wfd != rfd)
|
||||||
|
fcntl(wfd, F_SETFD, FD_CLOEXEC);
|
||||||
|
if (efd != -1 && efd != rfd && efd != wfd)
|
||||||
|
fcntl(efd, F_SETFD, FD_CLOEXEC);
|
||||||
|
|
||||||
c->rfd = rfd;
|
c->rfd = rfd;
|
||||||
c->wfd = wfd;
|
c->wfd = wfd;
|
||||||
|
|
|
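Review bot: The three `fcntl(..., F_SETFD, FD_CLOEXEC)` calls added to channel_register_fds discard their return value, so a descriptor that could not be marked close-on-exec is still registered and will be inherited by any child this process later execs — the very leak bz #1643 sets out to close — with nothing in the log to show it. A failure here (EBADF on a stale descriptor, for instance) points at a caller bug, so at minimum report it in the file's existing style: `if (fcntl(rfd, F_SETFD, FD_CLOEXEC) == -1) error("fcntl F_SETFD: %.100s", strerror(errno));` and likewise for wfd and efd. The same unchecked call is added in ssh_create_socket in sshconnect.c, and in the ssh_keysign child in sshconnect2.c, where an ignored failure of the `F_SETFD, 0` call leaves the connection socket close-on-exec and the helper without the descriptor it expects. channel_register_fds begins and ends outside the hunk.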
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshconnect.c,v 1.215 2009/10/28 16:38:18 reyk Exp $ */
|
/* $OpenBSD: sshconnect.c,v 1.216 2009/11/10 04:30:45 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -28,6 +28,7 @@
|
||||||
|
|
||||||
#include <ctype.h>
|
#include <ctype.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
#include <fcntl.h>
|
||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
#ifdef HAVE_PATHS_H
|
#ifdef HAVE_PATHS_H
|
||||||
#include <paths.h>
|
#include <paths.h>
|
||||||
|
@ -192,8 +193,11 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
|
||||||
}
|
}
|
||||||
sock = socket_rdomain(ai->ai_family, ai->ai_socktype, ai->ai_protocol,
|
sock = socket_rdomain(ai->ai_family, ai->ai_socktype, ai->ai_protocol,
|
||||||
options.rdomain);
|
options.rdomain);
|
||||||
if (sock < 0)
|
if (sock < 0) {
|
||||||
error("socket: %.100s", strerror(errno));
|
error("socket: %.100s", strerror(errno));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
fcntl(sock, F_SETFD, FD_CLOEXEC);
|
||||||
|
|
||||||
/* Bind the socket to an alternative local IP address */
|
/* Bind the socket to an alternative local IP address */
|
||||||
if (options.bind_address == NULL)
|
if (options.bind_address == NULL)
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshconnect2.c,v 1.173 2009/10/24 11:13:54 andreas Exp $ */
|
/* $OpenBSD: sshconnect2.c,v 1.174 2009/11/10 04:30:45 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||||
|
@ -32,6 +32,7 @@
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
#include <fcntl.h>
|
||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
|
@ -1527,6 +1528,8 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (pid == 0) {
|
if (pid == 0) {
|
||||||
|
/* keep the socket on exec */
|
||||||
|
fcntl(packet_get_connection_in(), F_SETFD, 0);
|
||||||
permanently_drop_suid(getuid());
|
permanently_drop_suid(getuid());
|
||||||
close(from[0]);
|
close(from[0]);
|
||||||
if (dup2(from[1], STDOUT_FILENO) < 0)
|
if (dup2(from[1], STDOUT_FILENO) < 0)
|
||||||
|
|
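Review bot: The comment `/* keep the socket on exec */` on the new line in the ssh_keysign child says what the call does but not why, and the reason is non-local: ssh_create_socket in sshconnect.c now marks the connection socket close-on-exec in this same commit, so without the `F_SETFD, 0` here the ssh-keysign helper would be exec'd without the connection socket. Suggest `/* ssh_create_socket() sets FD_CLOEXEC on the connection socket; ssh-keysign needs it, so re-enable inheritance in the child only */`. Only packet_get_connection_in() is re-exposed; presumably that is the sole descriptor the helper needs even when the input and output descriptors differ, which is worth confirming against ssh-keysign. ssh_keysign begins and ends outside the hunk.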