diff options
| author | Damien Miller <djm@mindrot.org> | 2004-03-03 11:08:59 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2004-03-03 11:08:59 +1100 |
| commit | 6c4914afccb0c188a2c412d12dfb1b73e362e07e (patch) | |
| tree | 720ddd294683bd12f98f7b98c55830c5349ef2b0 | |
| parent | ad4a188e46485656bbb650fd389203b6da438a24 (diff) | |
- (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent
ok dtucker
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | configure.ac | 12 | ||||
| -rw-r--r-- | ssh-agent.c | 9 |
3 files changed, 20 insertions, 7 deletions
| @@ -1,3 +1,7 @@ | |||
| 1 | 20030303 | ||
| 2 | - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent | ||
| 3 | ok dtucker | ||
| 4 | |||
| 1 | 20040229 | 5 | 20040229 |
| 2 | - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188 | 6 | - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188 |
| 3 | 7 | ||
| @@ -841,4 +845,4 @@ | |||
| 841 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 845 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
| 842 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 846 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
| 843 | 847 | ||
| 844 | $Id: ChangeLog,v 1.3271 2004/02/29 23:53:37 tim Exp $ | 848 | $Id: ChangeLog,v 1.3272 2004/03/03 00:08:59 djm Exp $ |
diff --git a/configure.ac b/configure.ac index 7e22ad983..fc765b472 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $Id: configure.ac,v 1.203 2004/02/29 23:53:37 tim Exp $ | 1 | # $Id: configure.ac,v 1.204 2004/03/03 00:08:59 djm Exp $ |
| 2 | 2 | ||
| 3 | AC_INIT | 3 | AC_INIT |
| 4 | AC_CONFIG_SRCDIR([ssh.c]) | 4 | AC_CONFIG_SRCDIR([ssh.c]) |
| @@ -494,10 +494,10 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \ | |||
| 494 | netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \ | 494 | netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \ |
| 495 | rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ | 495 | rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ |
| 496 | strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ | 496 | strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ |
| 497 | sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \ | 497 | sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \ |
| 498 | sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ | 498 | sys/select.h sys/stat.h sys/stream.h sys/stropts.h \ |
| 499 | sys/un.h time.h tmpdir.h ttyent.h usersec.h \ | 499 | sys/sysmacros.h sys/time.h sys/timers.h sys/un.h time.h tmpdir.h \ |
| 500 | util.h utime.h utmp.h utmpx.h vis.h) | 500 | ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) |
| 501 | 501 | ||
| 502 | # Checks for libraries. | 502 | # Checks for libraries. |
| 503 | AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) | 503 | AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) |
| @@ -797,7 +797,7 @@ AC_CHECK_FUNCS(\ | |||
| 797 | getpeereid _getpty getrlimit getttyent glob inet_aton \ | 797 | getpeereid _getpty getrlimit getttyent glob inet_aton \ |
| 798 | inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ | 798 | inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ |
| 799 | mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ | 799 | mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ |
| 800 | pstat readpassphrase realpath recvmsg rresvport_af sendmsg \ | 800 | pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \ |
| 801 | setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ | 801 | setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ |
| 802 | setproctitle setregid setreuid setrlimit \ | 802 | setproctitle setregid setreuid setrlimit \ |
| 803 | setsid setvbuf sigaction sigvec snprintf socketpair strerror \ | 803 | setsid setvbuf sigaction sigvec snprintf socketpair strerror \ |
diff --git a/ssh-agent.c b/ssh-agent.c index e5232fc9b..f5fce6b2a 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
| @@ -57,6 +57,10 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.117 2003/12/02 17:01:15 markus Exp $"); | |||
| 57 | #include "scard.h" | 57 | #include "scard.h" |
| 58 | #endif | 58 | #endif |
| 59 | 59 | ||
| 60 | #if defined(HAVE_SYS_PRCTL_H) | ||
| 61 | #include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */ | ||
| 62 | #endif | ||
| 63 | |||
| 60 | typedef enum { | 64 | typedef enum { |
| 61 | AUTH_UNUSED, | 65 | AUTH_UNUSED, |
| 62 | AUTH_SOCKET, | 66 | AUTH_SOCKET, |
| @@ -1023,6 +1027,11 @@ main(int ac, char **av) | |||
| 1023 | setegid(getgid()); | 1027 | setegid(getgid()); |
| 1024 | setgid(getgid()); | 1028 | setgid(getgid()); |
| 1025 | 1029 | ||
| 1030 | #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) | ||
| 1031 | /* Disable ptrace on Linux without sgid bit */ | ||
| 1032 | prctl(PR_SET_DUMPABLE, 0); | ||
| 1033 | #endif | ||
| 1034 | |||
| 1026 | SSLeay_add_all_algorithms(); | 1035 | SSLeay_add_all_algorithms(); |
| 1027 | 1036 | ||
| 1028 | __progname = ssh_get_progname(av[0]); | 1037 | __progname = ssh_get_progname(av[0]); |