- djm@cvs.openbsd.org 2008/06/13 04:40:22

[auth2-pubkey.c auth-rhosts.c] refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not regular files; report from Solar Designer via Colin Watson in bz#1471 ok dtucker@ deraadt@
author: Darren Tucker <dtucker@zip.com.au> 2008-06-13 14:51:28 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2008-06-13 14:51:28 +1000
commit: 06db584e9de9d904a09300f09feed7f82026d241 (patch)
tree: bc1fbff35a49da3ceabd0637ae18265e15e4fa80
parent: 7517b5bd3155a4e29beb6168129a60f022ea9e9f (diff)
3 files changed, 50 insertions, 14 deletions
diff --git a/ChangeLog b/ChangeLog
index a6b86f0fd..2b1f01ba9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -157,6 +157,11 @@
   - dtucker@cvs.openbsd.org 2008/06/13 01:38:23
     [misc.c]
     upcast uid to long with matching %ld, prevents warnings in portable
+   - djm@cvs.openbsd.org 2008/06/13 04:40:22
+     [auth2-pubkey.c auth-rhosts.c]
+     refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
+     regular files; report from Solar Designer via Colin Watson in bz#1471
+     ok dtucker@ deraadt
  - (dtucker) [clientloop.c serverloop.c]  channel_register_filter now
    takes 2 more args.  with djm@
  - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch
@@ -4328,4 +4333,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.5001 2008/06/13 04:48:59 dtucker Exp $
+$Id: ChangeLog,v 1.5002 2008/06/13 04:51:28 dtucker Exp $
diff --git a/auth-rhosts.c b/auth-rhosts.c
index cd0a7967a..bbddfb6df 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rhosts.c,v 1.41 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.42 2008/06/13 04:40:22 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -26,6 +26,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
+#include <fcntl.h>
 #include "packet.h"
 #include "buffer.h"
@@ -37,6 +38,7 @@
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
+#include "misc.h"
 /* import */
 extern ServerOptions options;
@@ -55,12 +57,27 @@ check_rhosts_file(const char *filename, const char *hostname,
 {
        FILE *f;
        char buf[1024]; /* Must not be larger than host, user, dummy below. */
+        int fd;
+        struct stat st;
        /* Open the .rhosts file, deny if unreadable */
-        f = fopen(filename, "r");
+        if ((fd = open(filename, O_RDONLY|O_NONBLOCK)) == -1)
-        if (!f)
                return 0;
+        if (fstat(fd, &st) == -1) {
+                close(fd);
+                return 0;
+        }
+        if (!S_ISREG(st.st_mode)) {
+                logit("User %s hosts file %s is not a regular file",
+                    server_user, filename);
+                close(fd);
+                return 0;
+        }
+        unset_nonblock(fd);
+        if ((f = fdopen(fd, "r")) == NULL) {
+                close(fd);
+                return 0;
+        }
        while (fgets(buf, sizeof(buf), f)) {
                /* All three must be at least as big as buf to avoid overflows. */
                char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 9863cd9e6..7f7ddd8cf 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.16 2008/06/13 04:40:22 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -28,6 +28,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <stdarg.h>
@@ -180,7 +181,7 @@ static int
 user_key_allowed2(struct passwd *pw, Key *key, char *file)
 {
        char line[SSH_MAX_PUBKEY_BYTES];
-        int found_key = 0;
+        int found_key = 0, fd;
        FILE *f;
        u_long linenum = 0;
        struct stat st;
@@ -192,16 +193,29 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
        debug("trying public key file %s", file);
-        /* Fail quietly if file does not exist */
+        /*
-        if (stat(file, &st) < 0) {
+         * Open the file containing the authorized keys
-                /* Restore the privileged uid. */
+         * Fail quietly if file does not exist
+         */
+        if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
                restore_uid();
                return 0;
        }
-        /* Open the file containing the authorized keys. */
+        if (fstat(fd, &st) < 0) {
-        f = fopen(file, "r");
+                close(fd);
-        if (!f) {
+                restore_uid();
-                /* Restore the privileged uid. */
+                return 0;
+        }
+        if (!S_ISREG(st.st_mode)) {
+                logit("User %s authorized keys %s is not a regular file",
+                    pw->pw_name, file);
+                close(fd);
+                restore_uid();
+                return 0;
+        }
+        unset_nonblock(fd);
+        if ((f = fdopen(fd, "r")) == NULL) {
+                close(fd);
                restore_uid();
                return 0;
        }
author	Darren Tucker <dtucker@zip.com.au>	2008-06-13 14:51:28 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2008-06-13 14:51:28 +1000
commit	06db584e9de9d904a09300f09feed7f82026d241 (patch)
tree	bc1fbff35a49da3ceabd0637ae18265e15e4fa80
parent	7517b5bd3155a4e29beb6168129a60f022ea9e9f (diff)

diff --git a/ChangeLog b/ChangeLog index a6b86f0fd..2b1f01ba9 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -157,6 +157,11 @@
157	- dtucker@cvs.openbsd.org 2008/06/13 01:38:23	157	- dtucker@cvs.openbsd.org 2008/06/13 01:38:23
158	[misc.c]	158	[misc.c]
159	upcast uid to long with matching %ld, prevents warnings in portable	159	upcast uid to long with matching %ld, prevents warnings in portable
		160	- djm@cvs.openbsd.org 2008/06/13 04:40:22
		161	[auth2-pubkey.c auth-rhosts.c]
		162	refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
		163	regular files; report from Solar Designer via Colin Watson in bz#1471
		164	ok dtucker@ deraadt
160	- (dtucker) [clientloop.c serverloop.c] channel_register_filter now	165	- (dtucker) [clientloop.c serverloop.c] channel_register_filter now
161	takes 2 more args. with djm@	166	takes 2 more args. with djm@
162	- (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch	167	- (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch
@@ -4328,4 +4333,4 @@
4328	OpenServer 6 and add osr5bigcrypt support so when someone migrates	4333	OpenServer 6 and add osr5bigcrypt support so when someone migrates
4329	passwords between UnixWare and OpenServer they will still work. OK dtucker@	4334	passwords between UnixWare and OpenServer they will still work. OK dtucker@
4330		4335
4331	$Id: ChangeLog,v 1.5001 2008/06/13 04:48:59 dtucker Exp $	4336	$Id: ChangeLog,v 1.5002 2008/06/13 04:51:28 dtucker Exp $


diff --git a/auth-rhosts.c b/auth-rhosts.c index cd0a7967a..bbddfb6df 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth-rhosts.c,v 1.41 2006/08/03 03:34:41 deraadt Exp $ */	1	/* $OpenBSD: auth-rhosts.c,v 1.42 2008/06/13 04:40:22 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -26,6 +26,7 @@
26	#include <stdio.h>	26	#include <stdio.h>
27	#include <string.h>	27	#include <string.h>
28	#include <stdarg.h>	28	#include <stdarg.h>
		29	#include <fcntl.h>
29		30
30	#include "packet.h"	31	#include "packet.h"
31	#include "buffer.h"	32	#include "buffer.h"
@@ -37,6 +38,7 @@
37	#include "key.h"	38	#include "key.h"
38	#include "hostfile.h"	39	#include "hostfile.h"
39	#include "auth.h"	40	#include "auth.h"
		41	#include "misc.h"
40		42
41	/* import */	43	/* import */
42	extern ServerOptions options;	44	extern ServerOptions options;
@@ -55,12 +57,27 @@ check_rhosts_file(const char filename, const char hostname,
55	{	57	{
56	FILE *f;	58	FILE *f;
57	char buf[1024]; /* Must not be larger than host, user, dummy below. */	59	char buf[1024]; /* Must not be larger than host, user, dummy below. */
		60	int fd;
		61	struct stat st;
58		62
59	/* Open the .rhosts file, deny if unreadable */	63	/* Open the .rhosts file, deny if unreadable */
60	f = fopen(filename, "r");	64	if ((fd = open(filename, O_RDONLY\|O_NONBLOCK)) == -1)
61	if (!f)
62	return 0;	65	return 0;
63		66	if (fstat(fd, &st) == -1) {
		67	close(fd);
		68	return 0;
		69	}
		70	if (!S_ISREG(st.st_mode)) {
		71	logit("User %s hosts file %s is not a regular file",
		72	server_user, filename);
		73	close(fd);
		74	return 0;
		75	}
		76	unset_nonblock(fd);
		77	if ((f = fdopen(fd, "r")) == NULL) {
		78	close(fd);
		79	return 0;
		80	}
64	while (fgets(buf, sizeof(buf), f)) {	81	while (fgets(buf, sizeof(buf), f)) {
65	/* All three must be at least as big as buf to avoid overflows. */	82	/* All three must be at least as big as buf to avoid overflows. */
66	char hostbuf[1024], userbuf[1024], dummy[1024], host, user, *cp;	83	char hostbuf[1024], userbuf[1024], dummy[1024], host, user, *cp;


diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 9863cd9e6..7f7ddd8cf 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2-pubkey.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */	1	/* $OpenBSD: auth2-pubkey.c,v 1.16 2008/06/13 04:40:22 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -28,6 +28,7 @@
28	#include <sys/types.h>	28	#include <sys/types.h>
29	#include <sys/stat.h>	29	#include <sys/stat.h>
30		30
		31	#include <fcntl.h>
31	#include <pwd.h>	32	#include <pwd.h>
32	#include <stdio.h>	33	#include <stdio.h>
33	#include <stdarg.h>	34	#include <stdarg.h>
@@ -180,7 +181,7 @@ static int
180	user_key_allowed2(struct passwd pw, Key key, char *file)	181	user_key_allowed2(struct passwd pw, Key key, char *file)
181	{	182	{
182	char line[SSH_MAX_PUBKEY_BYTES];	183	char line[SSH_MAX_PUBKEY_BYTES];
183	int found_key = 0;	184	int found_key = 0, fd;
184	FILE *f;	185	FILE *f;
185	u_long linenum = 0;	186	u_long linenum = 0;
186	struct stat st;	187	struct stat st;
@@ -192,16 +193,29 @@ user_key_allowed2(struct passwd pw, Key key, char *file)
192		193
193	debug("trying public key file %s", file);	194	debug("trying public key file %s", file);
194		195
195	/* Fail quietly if file does not exist */	196	/*
196	if (stat(file, &st) < 0) {	197	* Open the file containing the authorized keys
197	/* Restore the privileged uid. */	198	* Fail quietly if file does not exist
		199	*/
		200	if ((fd = open(file, O_RDONLY\|O_NONBLOCK)) == -1) {
198	restore_uid();	201	restore_uid();
199	return 0;	202	return 0;
200	}	203	}
201	/* Open the file containing the authorized keys. */	204	if (fstat(fd, &st) < 0) {
202	f = fopen(file, "r");	205	close(fd);
203	if (!f) {	206	restore_uid();
204	/* Restore the privileged uid. */	207	return 0;
		208	}
		209	if (!S_ISREG(st.st_mode)) {
		210	logit("User %s authorized keys %s is not a regular file",
		211	pw->pw_name, file);
		212	close(fd);
		213	restore_uid();
		214	return 0;
		215	}
		216	unset_nonblock(fd);
		217	if ((f = fdopen(fd, "r")) == NULL) {
		218	close(fd);
205	restore_uid();	219	restore_uid();
206	return 0;	220	return 0;
207	}	221	}