Commit Graph

70 Commits

Author SHA1 Message Date
Damien Miller 4626cbaf78 Support Illumos/Solaris fine-grained privileges
Includes a pre-auth privsep sandbox and several pledge()
emulations. bz#2511, patch by Alex Wilson.

ok dtucker@
2016-01-08 14:29:12 +11:00
dtucker@openbsd.org 7ed01a96a1 upstream commit
Revert previous commit.  We still want to call setgroups
 in the case where there are zero groups to remove any that we might otherwise
 inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
 to setgroups is always a static global it's always valid to dereference in
 this case.  ok deraadt@ djm@

Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
2015-06-25 09:50:12 +10:00
dtucker@openbsd.org 882f8bf94f upstream commit
Revert previous commit.  We still want to call setgroups in
 the case where there are zero groups to remove any that we might otherwise
 inherit (as pointed out by grawity at gmail.com) and since the 2nd argument
 to setgroups is always a static global it's always valid to dereference in
 this case.  ok deraadt@ djm@

Upstream-ID: 895b5ac560a10befc6b82afa778641315725fd01
2015-06-25 09:48:41 +10:00
dtucker@openbsd.org 63b78d003b upstream commit
Don't call setgroups if we have zero groups; there's no
 guarantee that it won't try to deref the pointer.  Based on a patch from mail
 at quitesimple.org, ok djm deraadt

Upstream-ID: 2fff85e11d7a9a387ef7fddf41fbfaf566708ab1
2015-06-23 10:34:46 +10:00
Darren Tucker d1680d36e1 xrealloc -> xreallocarray in portable code too. 2015-04-30 09:18:11 +10:00
deraadt@openbsd.org 2ae4f337b2 upstream commit
Replace <sys/param.h> with <limits.h> and other less
 dirty headers where possible.  Annotate <sys/param.h> lines with their
 current reasons.  Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1,
 LOGIN_NAME_MAX, etc.  Change MIN() and MAX() to local definitions of
 MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution.
 These are the files confirmed through binary verification. ok guenther,
 millert, doug (helped with the verification protocol)
2015-01-16 18:24:48 +11:00
Darren Tucker 89c532d843 - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin. Patch
from vinschen at redhat.com
2014-01-18 20:43:49 +11:00
Damien Miller 0600c7020f - dtucker@cvs.openbsd.org 2013/11/08 11:15:19
[bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c]
     [uidswap.c] Include stdlib.h for free() as per the man page.
2013-11-21 13:55:43 +11:00
Darren Tucker f60845fde2 - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
   sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
   openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
   openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
   with the equivalent calls to free.
2013-06-02 08:07:31 +10:00
Darren Tucker f96ff18a92 - (dtucker) [uidswap.c openbsd-compat/Makefile.in
openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
   openbsd-compat/openbsd-compat.h]  Move the fallback code for setting uids
   and gids from uidswap.c to the compat library, which allows it to work with
   the new setresuid calls in auth2-pubkey.  with tim@, ok djm@
2012-11-05 17:04:37 +11:00
Damien Miller 1598d6bc55 - (djm) [uidswap.c] bz#1412: Support >16 supplemental groups in OS X.
Patch based on one from vgiffin AT apple.com; ok dtucker@
2009-01-21 16:04:24 +11:00
Damien Miller d783435315 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
     [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
     [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
     [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
     [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
     [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
     [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
     [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
     [serverloop.c session.c session.h sftp-client.c sftp-common.c]
     [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
     [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
     [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
     [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
     almost entirely get rid of the culture of ".h files that include .h files"
     ok djm, sort of ok stevesk
     makes the pain stop in one easy step
     NB. portable commit contains everything *except* removing includes.h, as
     that will take a fair bit more work as we move headers that are required
     for portability workarounds to defines.h. (also, this step wasn't "easy")
2006-08-05 12:39:39 +10:00
Damien Miller 8dbffe7904 - stevesk@cvs.openbsd.org 2006/07/26 02:35:17
[atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
     [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
     [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
     [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
     [uidswap.c xmalloc.c]
     move #include <sys/param.h> out of includes.h
2006-08-05 11:02:17 +10:00
Damien Miller e3476ed03b - stevesk@cvs.openbsd.org 2006/07/22 20:48:23
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
     [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
     [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
     [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
     [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
     [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
     [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
     move #include <string.h> out of includes.h
2006-07-24 14:13:33 +10:00
Damien Miller e6b3b610ec - stevesk@cvs.openbsd.org 2006/07/17 01:31:10
[authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
     [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
     [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
     [sshconnect.c sshlogin.c sshpty.c uidswap.c]
     move #include <unistd.h> out of includes.h
2006-07-24 14:01:23 +10:00
Darren Tucker 3997249346 - stevesk@cvs.openbsd.org 2006/07/11 20:07:25
[scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
     sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
     includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
     sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
     ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
     move #include <errno.h> out of includes.h; ok markus@
2006-07-12 22:22:46 +10:00
Damien Miller 9f2abc47eb - stevesk@cvs.openbsd.org 2006/07/06 16:03:53
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
     [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
     [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
     [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
     [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
     [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
     [uidswap.h]
     move #include <pwd.h> out of includes.h; ok markus@
2006-07-10 20:53:08 +10:00
Damien Miller 427a1d57bb - stevesk@cvs.openbsd.org 2006/07/02 22:45:59
[groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c]
     move #include <grp.h> out of includes.h
     (portable needed uidswap.c too)
2006-07-10 20:20:33 +10:00
Damien Miller 2e5fe88ebe - markus@cvs.openbsd.org 2006/06/08 14:45:49
[readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
     do not set the gid, noted by solar; ok djm
2006-06-13 13:10:00 +10:00
Damien Miller 6b4069ad56 - markus@cvs.openbsd.org 2006/06/06 10:20:20
[readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
     replace remaining setuid() calls with permanently_set_uid() and
     check seteuid() return values; report Marcus Meissner; ok dtucker djm
2006-06-13 13:05:15 +10:00
Damien Miller 2282c6e305 - djm@cvs.openbsd.org 2006/04/22 04:06:51
[uidswap.c]
     use setres[ug]id() to permanently revoke privileges; ok deraadt@
     (ID Sync only - portable already uses setres[ug]id() whenever possible)
2006-04-23 12:11:57 +10:00
Damien Miller 57c30117c1 - djm@cvs.openbsd.org 2006/03/25 13:17:03
[atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
     [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
     [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
     [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
     [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
     [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
     [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
     [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
     [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
     [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c]
     Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
     Theo nuked - our scripts to sync -portable need them in the files
2006-03-26 14:24:48 +11:00
Damien Miller 36812092ec - djm@cvs.openbsd.org 2006/03/25 01:13:23
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
     [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
     [uidswap.c]
     change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
     to xrealloc(p, new_nmemb, new_itemsize).

     realloc is particularly prone to integer overflows because it is
     almost always allocating "n * size" bytes, so this is a far safer
     API; ok deraadt@
2006-03-26 14:22:47 +11:00
Damien Miller b0fb6872ed - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
     [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
     [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
     [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
     [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
     [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
     [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
     [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
     [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
     [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
     [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
     [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
     [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
     [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
     [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
     [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
     RCSID() can die
2006-03-26 00:03:21 +11:00
Darren Tucker 2ea9b18918 - (dtucker) [uidswap.c] Skip uid restore test on Cygwin. Patch from
vinschen at redhat.com.
2005-02-22 17:57:13 +11:00
Darren Tucker 35beaddc7e - (dtucker) [uidswap.c] Don't test dropping of gids for the root user or
on Cygwin.  Cygwin parts from vinschen at redhat com; ok djm@
2004-10-19 16:33:33 +10:00
Darren Tucker 2359aa985d - (dtucker) [uidswap.c] Minor KNF. ok djm@ 2004-02-24 13:17:30 +11:00
Damien Miller a811d9a9a1 - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime
using sysconf() if available Based on patches from
   holger AT van-lengerich.de and openssh_bugzilla AT hockin.org
2004-02-24 13:05:11 +11:00
Darren Tucker e937be36c3 - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for
setres[ug]id() present but not implemented (eg some Linux/glibc
   combinations).
2003-12-17 18:53:26 +11:00
Damien Miller a8e06cef35 - djm@cvs.openbsd.org 2003/11/21 11:57:03
[everything]
     unexpand and delete whitespace at EOL; ok markus@
     (done locally and RCS IDs synced)
2003-11-21 23:48:55 +11:00
Darren Tucker fbe3b36ca9 - (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the
OS does not support permanently dropping privileges.  Patch from
   vinschen at redhat.com.
2003-09-22 12:54:37 +10:00
Darren Tucker 9f18be63ab - (dtucker) [acconfig.h configure.ac uidswap.c] Prefer setuid/setgid on AIX. 2003-09-06 16:44:39 +10:00
Darren Tucker 400b8786d6 - (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@ 2003-06-06 10:46:04 +10:00
Damien Miller 5fe46a45c8 - (djm) Implement paranoid priv dropping checks, based on:
"SetUID demystified" - Hao Chen, David Wagner and Drew Dean
   Proceedings of USENIX Security Symposium 2002
2003-06-05 09:53:31 +10:00
Damien Miller 61d3680aca - deraadt@cvs.openbsd.org 2003/05/29 16:58:45
[sshd.c uidswap.c]
     seteuid and setegid; markus ok
2003-06-02 19:09:48 +10:00
Ben Lindstrom 18d2b5d399 - (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de 2002-07-30 19:32:07 +00:00
Ben Lindstrom 1fa330cf35 - stevesk@cvs.openbsd.org 2002/07/15 17:15:31
[uidswap.c]
     little more debugging; ok markus@
2002-07-23 21:29:49 +00:00
Ben Lindstrom 837461bf9a - (bal) Build noop setgroups() for cygwin to clean up code (For other
platforms without the setgroups() requirement, you MUST define
   SETGROUPS_NOOP in the configure.ac) Based on patch by vinschen@redhat.com
2002-06-12 16:57:14 +00:00
Ben Lindstrom 10d9936413 - stevesk@cvs.openbsd.org 2002/05/28 21:24:00
[uidswap.c]
     use correct function name in fatal()

[See the patch above, I saw it before apply the next patch. <sigh>]
2002-06-06 20:44:06 +00:00
Ben Lindstrom ca8943e6de - (bal) Corrected debug() in uidswap.c to match upstream. 2002-06-06 20:42:04 +00:00
Ben Lindstrom abff1dd050 - stevesk@cvs.openbsd.org 2002/05/28 17:28:02
[uidswap.c]
     format spec change/casts and some KNF; ok markus@
2002-06-06 20:38:49 +00:00
Ben Lindstrom af40bc6a72 - (bal) mispelling in uidswap.c (portable only) 2002-04-03 03:36:54 +00:00
Ben Lindstrom 1e259bb0bf - (bal) CVS ID sync of uidswap.c 2002-04-02 20:53:39 +00:00
Damien Miller 9f0f5c64bc - deraadt@cvs.openbsd.org 2001/12/19 07:18:56
[auth1.c auth2.c auth2-chall.c auth-bsdauth.c auth.c authfile.c auth.h]
     [auth-krb4.c auth-rhosts.c auth-skey.c bufaux.c canohost.c channels.c]
     [cipher.c clientloop.c compat.c compress.c deattack.c key.c log.c mac.c]
     [match.c misc.c nchan.c packet.c readconf.c rijndael.c rijndael.h scard.c]
     [servconf.c servconf.h serverloop.c session.c sftp.c sftp-client.c]
     [sftp-glob.c sftp-int.c sftp-server.c ssh-add.c ssh-agent.c ssh.c]
     [sshconnect1.c sshconnect2.c sshconnect.c sshd.8 sshd.c sshd_config]
     [ssh-keygen.c sshlogin.c sshpty.c sshtty.c ttymodes.c uidswap.c]
     basic KNF done while i was looking for something else
2001-12-21 14:45:46 +11:00
Ben Lindstrom 049e0dd6cf - markus@cvs.openbsd.org 2001/08/08 21:34:19
[uidswap.c]
     undo last change; does not work for sshd
2001-08-15 23:17:22 +00:00
Ben Lindstrom a66039373b - markus@cvs.openbsd.org 2001/08/08 18:20:15
[uidswap.c]
     permanently_set_uid is a noop if user is not privilegued;
     fixes bug on solaris; from sbi@uchicago.edu
2001-08-15 23:14:49 +00:00
Ben Lindstrom 5428bea574 - (bal) White Space and #ifdef sync with OpenBSD 2001-05-06 02:53:25 +00:00
Ben Lindstrom 0f85348e89 - (bal) Cygwin lacks setgroups() API. Patch by Corinna Vinschen
<vinschen@redhat.com>
2001-04-27 02:10:15 +00:00
Ben Lindstrom 4468b260cf - (bal) Fixed uidswap.c so it should work on non-posix complient systems.
patch based on 2.5.2 version by djm.
2001-04-26 23:03:37 +00:00
Ben Lindstrom 768f975b13 - (bal) Whitespace resync w/ OpenBSD for uidswap.c 2001-04-25 06:27:11 +00:00