- djm@cvs.openbsd.org 2004/04/18 23:10:26

     [readconf.c readconf.h ssh-keysign.c ssh.c]
     perform strict ownership and modes checks for ~/.ssh/config files,
     as these can be used to execute arbitrary programs; ok markus@
     NB. ssh will now exit when it detects a config with poor permissions

5 files changed, 34 insertions, 13 deletions

diff --git a/ChangeLog b/ChangeLog
index 2a299a1cb..a06931c6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
      [sshconnect2.c]
      swap the last two parameters to TAILQ_FOREACH_REVERSE. matches what FreeBSD     and NetBSD do.
      ok millert@ mcbride@ markus@ ho@, checked to not affect ports by naddy@
+   - djm@cvs.openbsd.org 2004/04/18 23:10:26
+     [readconf.c readconf.h ssh-keysign.c ssh.c]
+     perform strict ownership and modes checks for ~/.ssh/config files, 
+     as these can be used to execute arbitrary programs; ok markus@
+     NB. ssh will now exit when it detects a config with poor permissions
  - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD, needed for above change
 
 20040419
@@ -1009,4 +1014,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3323 2004/04/20 10:10:46 djm Exp $
+$Id: ChangeLog,v 1.3324 2004/04/20 10:11:57 djm Exp $
diff --git a/readconf.c b/readconf.c
index ce0d1f753..096d1a71b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.128 2004/03/05 10:53:58 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.129 2004/04/18 23:10:26 djm Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -779,7 +779,8 @@ parse_int:
  */
 
 int
-read_config_file(const char *filename, const char *host, Options *options)
+read_config_file(const char *filename, const char *host, Options *options, 
+    int checkperm)
 {
         FILE *f;
         char line[1024];
@@ -787,10 +788,24 @@ read_config_file(const char *filename, const char *host, Options *options)
         int bad_options = 0;
 
         /* Open the file. */
-        f = fopen(filename, "r");
-        if (!f)
+        if ((f = fopen(filename, "r")) == NULL)
                 return 0;
 
+        if (checkperm) {
+                struct stat sb;
+                
+                if (fstat(fileno(f), &sb) == -1) {
+                        fatal("fstat %s: %s", filename, strerror(errno));
+                        fclose(f);
+                        return (0);
+                }
+                if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
+                    (sb.st_mode & 022) != 0)) {
+                        fatal("Bad owner or permissions on %s", filename);
+                        return 0;
+                }
+        }
+
         debug("Reading configuration data %.200s", filename);
 
         /*
diff --git a/readconf.h b/readconf.h
index 93d833cee..9d70fee67 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: readconf.h,v 1.60 2004/03/05 10:53:58 markus Exp $    */
+/*      $OpenBSD: readconf.h,v 1.61 2004/04/18 23:10:26 djm Exp $       */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -108,7 +108,7 @@ typedef struct {
 
 void     initialize_options(Options *);
 void     fill_default_options(Options *);
-int      read_config_file(const char *, const char *, Options *);
+int      read_config_file(const char *, const char *, Options *, int);
 
 int
 process_config_line(Options *, const char *, char *, const char *, int, int *);
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 9e9ebe2f1..e642948a0 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,7 +22,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.15 2004/01/19 21:25:15 markus Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.16 2004/04/18 23:10:26 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@@ -168,7 +168,7 @@ main(int argc, char **argv)
         /* verify that ssh-keysign is enabled by the admin */
         original_real_uid = getuid();   /* XXX readconf.c needs this */
         initialize_options(&options);
-        (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
+        (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0);
         fill_default_options(&options);
         if (options.enable_ssh_keysign != 1)
                 fatal("ssh-keysign not enabled in %s",
diff --git a/ssh.c b/ssh.c
index e655e68da..53d7f0f56 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.209 2004/03/11 10:21:17 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.210 2004/04/18 23:10:26 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -526,16 +526,17 @@ again:
          * file if the user specifies a config file on the command line.
          */
         if (config != NULL) {
-                if (!read_config_file(config, host, &options))
+                if (!read_config_file(config, host, &options, 0), 0)
                         fatal("Can't open user config file %.100s: "
                             "%.100s", config, strerror(errno));
         } else  {
                 snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
                     _PATH_SSH_USER_CONFFILE);
-                (void)read_config_file(buf, host, &options);
+                (void)read_config_file(buf, host, &options, 1);
 
                 /* Read systemwide configuration file after use config. */
-                (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, &options);
+                (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, 
+                    &options, 0);
         }
 
         /* Fill configuration defaults. */