author | dtucker@openbsd.org <dtucker@openbsd.org> | 2016-10-23 22:04:05 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2016-10-24 10:42:57 +1100 |
commit | 1c4ef0b808d3d38232aeeb1cebb7e9a43def42c5 (patch) | |
tree | a50f4076f566c6182fa931c28fe0ede424aabba3 | |
parent | 0b9ee623d57e5de7e83e66fd61a7ba9a5be98894 (diff) |
upstream commit
Factor out "can bind to low ports" check into its own function. This will
make it easier for Portable to support platforms with permissions models
other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much"
deraadt@.
Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
-rw-r--r-- | misc.c | 10 | ||||
-rw-r--r-- | misc.h | 3 | ||||
-rw-r--r-- | readconf.c | 4 | ||||
-rw-r--r-- | serverloop.c | 6 |
4 files changed, 16 insertions, 7 deletions
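--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.105 2016/07/15 00:24:30 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.106 2016/10/23 22:04:05 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -1243,3 +1243,11 @@ forward_equals(const struct Forward *a, const struct Forward *b)
 	return 1;
 }
 
+/* returns 1 if bind to specified port by specified user is permitted */
+int
+bind_permitted(int port, uid_t uid)
+{
+	if (port < IPPORT_RESERVED && uid != 0)
+		return 0;
+	return 1;
+}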
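Review bot: The header comment on bind_permitted() does not state how port 0 is treated, yet `port < IPPORT_RESERVED` also matches 0 (and any negative value), so a non-root uid asking for a kernel-chosen port is reported as not permitted. The serverloop.c caller in this commit guards with `fwd.listen_port != 0 &&` before calling it, while the readconf.c caller passes listen_port through unguarded, so the contract is currently only implicit in one caller. I would extend the comment to `/* returns 1 if bind to specified port by specified user is permitted; port 0 (kernel-chosen) and negative values count as reserved, callers wanting to allow them must check first */`.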
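--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.59 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: misc.h,v 1.60 2016/10/23 22:04:05 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -30,6 +30,7 @@ struct Forward {
 };
 
 int forward_equals(const struct Forward *, const struct Forward *);
+int bind_permitted(int, uid_t);
 
 /* Common server and client forwarding options. */
 struct ForwardOptions {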
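diff --git a/readconf.c b/readconf.c
index 351a22c32..1be564856 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.260 2016/08/25 23:56:51 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.261 2016/10/23 22:04:05 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -312,7 +312,7 @@ add_local_forward(Options *options, const struct Forward *newfwd)
 	extern uid_t original_real_uid;
 	int i;
 
-	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
+	if (bind_permitted(newfwd->listen_port, original_real_uid) &&
 	    newfwd->listen_path == NULL)
 		fatal("Privileged ports can only be forwarded by root.");
 	/* Don't add duplicates */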
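Review bot: The new condition on line 315 is inverted: bind_permitted() returns 1 when the bind is allowed, so fatal() now fires when root (or anyone binding an unprivileged port) forwards and is skipped for a non-root user on a privileged port, the opposite of the replaced `listen_port < IPPORT_RESERVED && original_real_uid != 0` test. The serverloop.c hunk in this same commit negates the call (`!bind_permitted(fwd.listen_port, pw->pw_uid)`), so the two callers also disagree with each other. The line should read `if (!bind_permitted(newfwd->listen_port, original_real_uid) &&`. The body of add_local_forward() continues outside the hunk; the practical effect is client-side only, since the kernel still refuses the privileged bind, but the intended config-time fatal becomes a late bind failure for non-root users and ordinary forwards are rejected outright.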
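diff --git a/serverloop.c b/serverloop.c
index 87e619fe4..4a9a16d41 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.186 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -724,8 +724,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 	if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
 	    no_port_forwarding_flag ||
 	    (!want_reply && fwd.listen_port == 0) ||
-	    (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
-	    pw->pw_uid != 0)) {
+	    (fwd.listen_port != 0 &&
+	    !bind_permitted(fwd.listen_port, pw->pw_uid))) {
 		success = 0;
 		packet_send_debug("Server has disabled port forwarding.");
 	} else {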