tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

pledges ssh client:   - mux client: which is used when
 ControlMaster is in use.     will end with "stdio proc tty" (proc is to
 permit sending SIGWINCH to mux master on window resize)

  - client loop: several levels of pledging depending of your used options

ok deraadt@

Upstream-ID: 21676155a700e51f2ce911e33538e92a2cd1d94b
This commit is contained in:
semarie@openbsd.org 2015-12-03 17:00:18 +00:00 committed by Damien Miller
parent bcce47466b
commit b91926a976
2 changed files with 41 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
clientloop.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
/* $OpenBSD: clientloop.c,v 1.277 2015/12/03 17:00:18 semarie Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1485,6 +1485,36 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
debug("Entering interactive session.");
if (options.forward_x11 || options.permit_local_command) {
debug("pledge: exec");
if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty",
NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
} else if (options.update_hostkeys) {
debug("pledge: filesystem full");
if (pledge("stdio rpath wpath cpath unix inet dns proc tty",
NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
} else if (! option_clear_or_none(options.proxy_command)) {
debug("pledge: proc");
if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
} else if (options.control_master &&
! option_clear_or_none(options.control_path)) {
debug("pledge: filesystem create");
if (pledge("stdio cpath unix inet dns tty",
NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
} else {
debug("pledge: network");
if (pledge("stdio unix inet dns tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
}
start_time = get_current_time();
/* Initialize variables. */

11
mux.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: mux.c,v 1.55 2015/10/15 23:51:40 djm Exp $ */
/* $OpenBSD: mux.c,v 1.56 2015/12/03 17:00:18 semarie Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
@ -1851,6 +1851,9 @@ mux_client_request_session(int fd)
mm_send_fd(fd, STDERR_FILENO) == -1)
fatal("%s: send fds failed", __func__);
if (pledge("stdio proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
debug3("%s: session request sent", __func__);
/* Read their reply */
@ -1996,6 +1999,9 @@ mux_client_request_stdio_fwd(int fd)
mm_send_fd(fd, STDOUT_FILENO) == -1)
fatal("%s: send fds failed", __func__);
if (pledge("stdio proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
debug3("%s: stdio forward request sent", __func__);
/* Read their reply */
@ -2159,6 +2165,9 @@ muxclient(const char *path)
}
set_nonblock(sock);
if (pledge("stdio sendfd proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
if (mux_client_hello_exchange(sock) != 0) {
error("%s: master hello exchange failed", __func__);
close(sock);