From e08938b52a4a233e5939168ac5a504d3fe9d1162 Mon Sep 17 00:00:00 2001 From: dinoex Date: Sat, 9 Jun 2001 08:22:21 +0000 Subject: - Switch to the user's uid before attempting to unlink the auth forwarding file, nullifying the effects of a race. - Bump PORTREVISION Submitted by: green@FreeBSD.org Approved by: dwcjr@inethouston.net --- security/hpn-ssh/Makefile | 1 + security/hpn-ssh/files/patch-cookie | 193 ++++++++++++++++++++++++++++++++++++ 2 files changed, 194 insertions(+) create mode 100644 security/hpn-ssh/files/patch-cookie (limited to 'security/hpn-ssh') diff --git a/security/hpn-ssh/Makefile b/security/hpn-ssh/Makefile index 3c4a987258a4..645e7dd9828d 100644 --- a/security/hpn-ssh/Makefile +++ b/security/hpn-ssh/Makefile @@ -7,6 +7,7 @@ PORTNAME= openssh PORTVERSION= 2.9p1 +PORTREVISION= 1 CATEGORIES= security ipv6 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ ftp://ftp.op.net/pub/OpenBSD/OpenSSH/portable/ \ diff --git a/security/hpn-ssh/files/patch-cookie b/security/hpn-ssh/files/patch-cookie new file mode 100644 index 000000000000..92cc4ab7570d --- /dev/null +++ b/security/hpn-ssh/files/patch-cookie 
@@ -0,0 +1,193 @@
+--- channels.c.orig Tue Apr 17 14:55:03 2001
++++ channels.c Sat Jun 9 06:43:41 2001
+@@ -1612,7 +1612,7 @@
+ switch (channels[i].type) {
+ case SSH_CHANNEL_AUTH_SOCKET:
+ close(channels[i].sock);
+- unlink(channels[i].path);
++ /* auth_sock_cleanup_proc deletes the socket */
+ channel_free(i);
+ break;
+ case SSH_CHANNEL_PORT_LISTENER:
+@@ -2524,10 +2524,17 @@
+ /* removes the agent forwarding socket */
+
+ void
+-cleanup_socket(void)
++auth_sock_cleanup_proc(void *_pw)
+ {
+- unlink(channel_forwarded_auth_socket_name);
+- rmdir(channel_forwarded_auth_socket_dir);
++ struct passwd *pw = _pw;
++
++ if (channel_forwarded_auth_socket_name) {
++ temporarily_use_uid(pw);
++ unlink(channel_forwarded_auth_socket_name);
++ rmdir(channel_forwarded_auth_socket_dir);
++ channel_forwarded_auth_socket_name = NULL;
++ restore_uid();
++ }
+ }
+
+ /*
+@@ -2566,11 +2573,9 @@
+ snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
+ channel_forwarded_auth_socket_dir, (int) getpid());
+
+- if (atexit(cleanup_socket) < 0) {
+- int saved = errno;
+- cleanup_socket();
+- packet_disconnect("socket: %.100s", strerror(saved));
+- }
++ /* delete agent socket on fatal() */
++ fatal_add_cleanup(auth_sock_cleanup_proc, pw);
++
+ /* Create the socket. */
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (sock < 0)
+--- channels.h.orig Sat Apr 14 00:46:53 2001
++++ channels.h Sat Jun 9 06:43:41 2001
+@@ -303,6 +303,7 @@
+ void auth_input_open_request(int type, int plen, void *ctxt);
+
+ /* XXX */
++void auth_sock_cleanup_proc(void *pw);
+ int channel_connect_to(const char *host, u_short host_port);
+ int channel_connect_by_listen_adress(u_short listen_port);
+ int x11_connect_display(void);
+--- session.c.orig Sat Jun 9 06:43:40 2001
++++ session.c Sat Jun 9 06:43:41 2001
+@@ -101,6 +101,7 @@
+ void do_child(Session *s, const char *command);
+ void do_motd(void);
+ int check_quietlogin(Session *s, const char *command);
++void xauthfile_cleanup_proc(void *pw);
+
+ void do_authenticated1(Authctxt *authctxt);
+ void do_authenticated2(Authctxt *authctxt);
+@@ -160,18 +161,26 @@
+ do_authenticated2(authctxt);
+ else
+ do_authenticated1(authctxt);
++
++ /* remote user's local Xauthority file and agent socket */
++ if (xauthfile)
++ xauthfile_cleanup_proc(authctxt->pw);
++ if (auth_get_socket_name())
++ auth_sock_cleanup_proc(authctxt->pw);
+ }
+
+ /*
+ * Remove local Xauthority file.
+ */
+ void
+-xauthfile_cleanup_proc(void *ignore)
++xauthfile_cleanup_proc(void *_pw)
+ {
+- debug("xauthfile_cleanup_proc called");
++ struct passwd *pw = _pw;
++ char *p;
+
++ debug("xauthfile_cleanup_proc called");
+ if (xauthfile != NULL) {
+- char *p;
++ temporarily_use_uid(pw);
+ unlink(xauthfile);
+ p = strrchr(xauthfile, '/');
+ if (p != NULL) {
+@@ -180,6 +189,7 @@
+ }
+ xfree(xauthfile);
+ xauthfile = NULL;
++ restore_uid();
+ }
+ }
+
+@@ -218,6 +228,7 @@
+ int success, type, fd, n_bytes, plen, screen_flag, have_pty = 0;
+ int compression_level = 0, enable_compression_after_reply = 0;
+ u_int proto_len, data_len, dlen;
++ struct stat st;
+
+ s = session_new();
+ s->pw = authctxt->pw;
+@@ -300,7 +311,8 @@
+ packet_send_debug("X11 forwarding disabled in server configuration file.");
+ break;
+ }
+- if (!options.xauth_location) {
++ if (!options.xauth_location ||
++ (stat(options.xauth_location, &st) == -1)) {
+ packet_send_debug("No xauth program; cannot forward with spoofing.");
+ break;
+ }
+@@ -354,7 +366,7 @@
+ if (fd >= 0)
+ close(fd);
+ restore_uid();
+- fatal_add_cleanup(xauthfile_cleanup_proc, NULL);
++ fatal_add_cleanup(xauthfile_cleanup_proc, s->pw);
+ success = 1;
+ break;
+
+@@ -408,9 +420,6 @@
+
+ if (command != NULL)
+ xfree(command);
+- /* Cleanup user's local Xauthority file. */
+- if (xauthfile)
+- xauthfile_cleanup_proc(NULL);
+ return;
+
+ default:
+@@ -1113,10 +1122,11 @@
+ #endif /* __FreeBSD__ */
+ /* ignore _PATH_SSH_USER_RC for subsystems */
+ if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
++ snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
++ shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
+ if (debug_flag)
+- fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
+- _PATH_SSH_USER_RC);
+- f = popen(_PATH_BSHELL " " _PATH_SSH_USER_RC, "w");
++ fprintf(stderr, "Running %s\n", cmd);
++ f = popen(cmd, "w");
+ if (f) {
+ if (do_xauth)
+ fprintf(f, "%s %s\n", s->auth_proto,
+@@ -1433,6 +1443,7 @@
+ session_x11_req(Session *s)
+ {
+ int fd;
++ struct stat st;
+ if (no_x11_forwarding_flag) {
+ debug("X11 forwarding disabled in user configuration file.");
+ return 0;
+@@ -1441,6 +1452,11 @@
+ debug("X11 forwarding disabled in server configuration file.");
+ return 0;
+ }
++ if (!options.xauth_location ||
++ (stat(options.xauth_location, &st) == -1)) {
++ packet_send_debug("No xauth program; cannot forward with spoofing.");
++ return 0;
++ }
+ if (xauthfile != NULL) {
+ debug("X11 fwd already started.");
+ return 0;
+@@ -1481,7 +1497,7 @@
+ if (fd >= 0)
+ close(fd);
+ restore_uid();
+- fatal_add_cleanup(xauthfile_cleanup_proc, s);
++ fatal_add_cleanup(xauthfile_cleanup_proc, s->pw);
+ return 1;
+ }
+
+@@ -1775,6 +1791,4 @@
+ {
+
+ server_loop2();
+- if (xauthfile)
+- xauthfile_cleanup_proc(NULL);
+ }
-- cgit
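Review bot: In the session.c part of patch-cookie (inner hunk at -1113), the result of the new `snprintf(cmd, sizeof cmd, "%s -c '%s %s'", ...)` is never checked, so an over-long `shell` value is silently truncated and `popen(cmd, "w")` then runs whatever prefix happened to fit. `shell` is also pasted unquoted into a string that popen hands to the system shell, so a path containing whitespace or shell metacharacters would be re-parsed there. The declaration of `cmd` and the origin of `shell` lie outside the hunk, so the buffer size and how the value is populated cannot be confirmed from here. I would capture the length and skip the rc file on overflow, e.g. `n = snprintf(cmd, sizeof cmd, "%s -c '%s %s'", shell, _PATH_BSHELL, _PATH_SSH_USER_RC);` followed by `if (n < 0 || (size_t)n >= sizeof cmd)` with a logged bail-out. I would also add a comment above the call saying `shell` must come from the account database, never from client-supplied data.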