tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: Remove uid checks from low port binds. Now that ssh 

cannot be setuid and sshd always has privsep on, we can remove the uid checks
for low port binds and just let the system do the check. We leave a sanity
check for the !privsep case so long as the code is stil there.  with & ok
djm@

OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
This commit is contained in:
dtucker@openbsd.org 2018-07-27 05:13:02 +00:00 committed by Damien Miller
parent c12033e102
commit 73ddb25bae
4 changed files with 15 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
misc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: misc.c,v 1.130 2018/07/18 11:34:04 dtucker Exp $ */
/* $OpenBSD: misc.c,v 1.131 2018/07/27 05:13:02 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@ -1576,15 +1576,6 @@ forward_equals(const struct Forward *a, const struct Forward *b)
return 1;
}
/* returns 1 if bind to specified port by specified user is permitted */
int
bind_permitted(int port, uid_t uid)
{
if (port < IPPORT_RESERVED && uid != 0)
return 0;
return 1;
}
/* returns 1 if process is already daemonized, 0 otherwise */
int
daemonized(void)

3
misc.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: misc.h,v 1.73 2018/06/09 03:01:12 djm Exp $ */
/* $OpenBSD: misc.h,v 1.74 2018/07/27 05:13:02 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -31,7 +31,6 @@ struct Forward {
};
int forward_equals(const struct Forward *, const struct Forward *);
int bind_permitted(int, uid_t);
int daemonized(void);
/* Common server and client forwarding options. */

5
readconf.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.294 2018/07/19 10:28:47 dtucker Exp $ */
/* $OpenBSD: readconf.c,v 1.295 2018/07/27 05:13:02 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -323,9 +323,6 @@ add_local_forward(Options *options, const struct Forward *newfwd)
extern uid_t original_real_uid;
int i;
if (!bind_permitted(newfwd->listen_port, original_real_uid) &&
newfwd->listen_path == NULL)
fatal("Privileged ports can only be forwarded by root.");
/* Don't add duplicates */
for (i = 0; i < options->num_local_forwards; i++) {
if (forward_equals(newfwd, options->local_forwards + i))

13
serverloop.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: serverloop.c,v 1.208 2018/07/11 18:53:29 markus Exp $ */
/* $OpenBSD: serverloop.c,v 1.209 2018/07/27 05:13:02 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -103,6 +103,17 @@ static void server_init_dispatch(void);
/* requested tunnel forwarding interface(s), shared with session.c */
char *tun_fwd_ifnames = NULL;
/* returns 1 if bind to specified port by specified user is permitted */
static int
bind_permitted(int port, uid_t uid)
{
if (use_privsep)
return 1; /* allow system to decide */
if (port < IPPORT_RESERVED && uid != 0)
return 0;
return 1;
}
/*
* we write to this pipe if a SIGCHLD is caught in order to avoid
* the race between select() and child_terminated