- markus@cvs.openbsd.org 2002/06/11 04:14:26

     [ssh.c sshconnect.c sshconnect.h]
     no longer use uidswap.[ch] from the ssh client
     run less code with euid==0 if ssh is installed setuid root
     just switch the euid, don't switch the complete set of groups
     (this is only needed by sshd). ok provos@

4 files changed, 51 insertions, 44 deletions

diff --git a/ChangeLog b/ChangeLog
index 99448aa9d..9e0b5159a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -29,6 +29,12 @@
      [channels.c channels.h session.c]
      move creation of agent socket to session.c; no need for uidswapping
      in channel.c.
+   - markus@cvs.openbsd.org 2002/06/11 04:14:26
+     [ssh.c sshconnect.c sshconnect.h]
+     no longer use uidswap.[ch] from the ssh client
+     run less code with euid==0 if ssh is installed setuid root
+     just switch the euid, don't switch the complete set of groups
+     (this is only needed by sshd). ok provos@
 
 20020609
  - (bal) OpenBSD CVS Sync
@@ -894,4 +900,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2207 2002/06/11 15:59:02 mouring Exp $
+$Id: ChangeLog,v 1.2208 2002/06/11 16:37:51 mouring Exp $
diff --git a/ssh.c b/ssh.c
index 7cadc1873..5693c0d39 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.176 2002/06/08 05:17:01 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.177 2002/06/11 04:14:26 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -53,7 +53,6 @@ RCSID("$OpenBSD: ssh.c,v 1.176 2002/06/08 05:17:01 markus Exp $");
 #include "xmalloc.h"
 #include "packet.h"
 #include "buffer.h"
-#include "uidswap.h"
 #include "channels.h"
 #include "key.h"
 #include "authfd.h"
@@ -136,6 +135,7 @@ Sensitive sensitive_data;
 
 /* Original real UID. */
 uid_t original_real_uid;
+uid_t original_effective_uid;
 
 /* command to be executed */
 Buffer command;
@@ -217,7 +217,6 @@ main(int ac, char **av)
         struct stat st;
         struct passwd *pw;
         int dummy;
-        uid_t original_effective_uid;
         extern int optind, optreset;
         extern char *optarg;
 
@@ -256,7 +255,7 @@ main(int ac, char **av)
          * them when the port has been created (actually, when the connection
          * has been made, as we may need to create the port several times).
          */
-        temporarily_use_uid(pw);
+        PRIV_END;
 
         /*
          * Set our umask to something reasonable, as some files are created
@@ -612,15 +611,12 @@ again:
                     "originating port will not be trusted.");
                 options.rhosts_authentication = 0;
         }
-        /* Restore our superuser privileges. */
-        restore_uid();
-
         /* Open a connection to the remote host. */
 
         cerr = ssh_connect(host, &hostaddr, options.port, IPv4or6,
             options.connection_attempts,
-            original_effective_uid != 0 || !options.use_privileged_port,
-            pw, options.proxy_command);
+            original_effective_uid == 0 && options.use_privileged_port,
+            options.proxy_command);
 
         /*
          * If we successfully made the connection, load the host private key
@@ -637,12 +633,15 @@ again:
             options.hostbased_authentication)) {
                 sensitive_data.nkeys = 3;
                 sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key));
+
+                PRIV_START;
                 sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
                     _PATH_HOST_KEY_FILE, "", NULL);
                 sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
                     _PATH_HOST_DSA_KEY_FILE, "", NULL);
                 sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
                     _PATH_HOST_RSA_KEY_FILE, "", NULL);
+                PRIV_END;
 
                 if (sensitive_data.keys[0] == NULL &&
                     sensitive_data.keys[1] == NULL &&
@@ -661,7 +660,8 @@ again:
          * user's home directory if it happens to be on a NFS volume where
          * root is mapped to nobody.
          */
-        permanently_set_uid(pw);
+        seteuid(original_real_uid);
+        setuid(original_real_uid);
 
         /*
          * Now that we are back to our own permissions, create ~/.ssh
diff --git a/sshconnect.c b/sshconnect.c
index 651e3fcf4..3a93a4fbb 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.123 2002/06/09 22:17:21 itojun Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.124 2002/06/11 04:14:26 markus Exp $");
 
 #include <openssl/bn.h>
 
@@ -36,8 +36,11 @@ RCSID("$OpenBSD: sshconnect.c,v 1.123 2002/06/09 22:17:21 itojun Exp $");
 char *client_version_string = NULL;
 char *server_version_string = NULL;
 
+/* import */
 extern Options options;
 extern char *__progname;
+extern uid_t original_real_uid;
+extern uid_t original_effective_uid;
 
 #ifndef INET6_ADDRSTRLEN                /* for non IPv6 machines */
 #define INET6_ADDRSTRLEN 46
@@ -58,8 +61,7 @@ sockaddr_ntop(struct sockaddr *sa, socklen_t salen)
  * Connect to the given ssh server using a proxy command.
  */
 static int
-ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
-                  const char *proxy_command)
+ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
 {
         Buffer command;
         const char *cp;
@@ -109,7 +111,8 @@ ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
                 char *argv[10];
 
                 /* Child.  Permanently give up superuser privileges. */
-                permanently_set_uid(pw);
+                seteuid(original_real_uid);
+                setuid(original_real_uid);
 
                 /* Redirect stdin and stdout. */
                 close(pin[1]);
@@ -159,7 +162,7 @@ ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
  * Creates a (possibly privileged) socket for use as the ssh connection.
  */
 static int
-ssh_create_socket(struct passwd *pw, int privileged, int family)
+ssh_create_socket(int privileged, int family)
 {
         int sock, gaierr;
         struct addrinfo hints, *res;
@@ -170,22 +173,18 @@ ssh_create_socket(struct passwd *pw, int privileged, int family)
          */
         if (privileged) {
                 int p = IPPORT_RESERVED - 1;
+                PRIV_START;
                 sock = rresvport_af(&p, family);
+                PRIV_END;
                 if (sock < 0)
                         error("rresvport: af=%d %.100s", family, strerror(errno));
                 else
                         debug("Allocated local port %d.", p);
                 return sock;
         }
-        /*
-         * Just create an ordinary socket on arbitrary port.  We use
-         * the user's uid to create the socket.
-         */
-        temporarily_use_uid(pw);
         sock = socket(family, SOCK_STREAM, 0);
         if (sock < 0)
                 error("socket: %.100s", strerror(errno));
-        restore_uid();
 
         /* Bind the socket to an alternative local IP address */
         if (options.bind_address == NULL)
@@ -215,9 +214,9 @@ ssh_create_socket(struct passwd *pw, int privileged, int family)
 /*
  * Opens a TCP/IP connection to the remote server on the given host.
  * The address of the remote host will be returned in hostaddr.
- * If port is 0, the default port will be used.  If anonymous is zero,
+ * If port is 0, the default port will be used.  If needpriv is true,
  * a privileged port will be allocated to make the connection.
- * This requires super-user privileges if anonymous is false.
+ * This requires super-user privileges if needpriv is true.
  * Connection_attempts specifies the maximum number of tries (one per
  * second).  If proxy_command is non-NULL, it specifies the command (with %h
  * and %p substituted for host and port, respectively) to use to contact
@@ -232,7 +231,7 @@ ssh_create_socket(struct passwd *pw, int privileged, int family)
 int
 ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
     u_short port, int family, int connection_attempts,
-    int anonymous, struct passwd *pw, const char *proxy_command)
+    int needpriv, const char *proxy_command)
 {
         int gaierr;
         int on = 1;
@@ -248,8 +247,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
          */
         int full_failure = 1;
 
-        debug("ssh_connect: getuid %u geteuid %u anon %d",
-            (u_int) getuid(), (u_int) geteuid(), anonymous);
+        debug("ssh_connect: needpriv %d", needpriv);
 
         /* Get default port if port has not been set. */
         if (port == 0) {
@@ -261,7 +259,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
         }
         /* If a proxy command is given, connect using it. */
         if (proxy_command != NULL)
-                return ssh_proxy_connect(host, port, pw, proxy_command);
+                return ssh_proxy_connect(host, port, proxy_command);
 
         /* No proxy command. */
 
@@ -297,26 +295,14 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
                                 host, ntop, strport);
 
                         /* Create a socket for connecting. */
-                        sock = ssh_create_socket(pw,
-#ifdef HAVE_CYGWIN
-                            !anonymous,
-#else
-                            !anonymous && geteuid() == 0,
-#endif
-                            ai->ai_family);
+                        sock = ssh_create_socket(needpriv, ai->ai_family);
                         if (sock < 0)
                                 /* Any error is already output */
                                 continue;
 
-                        /* Connect to the host.  We use the user's uid in the
-                         * hope that it will help with tcp_wrappers showing
-                         * the remote uid as root.
-                         */
-                        temporarily_use_uid(pw);
                         if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
                                 /* Successful connection. */
                                 memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
-                                restore_uid();
                                 break;
                         } else {
                                 if (errno == ECONNREFUSED)
@@ -324,7 +310,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
                                 log("ssh: connect to address %s port %s: %s",
                                     sockaddr_ntop(ai->ai_addr, ai->ai_addrlen),
                                     strport, strerror(errno));
-                                restore_uid();
                                 /*
                                  * Close the failed socket; there appear to
                                  * be some problems when reusing a socket for
diff --git a/sshconnect.h b/sshconnect.h
index aeb2e51a5..48148833f 100644
--- a/sshconnect.h
+++ b/sshconnect.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sshconnect.h,v 1.15 2002/06/09 13:32:01 markus Exp $  */
+/*      $OpenBSD: sshconnect.h,v 1.16 2002/06/11 04:14:26 markus Exp $  */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -35,7 +35,7 @@ struct Sensitive {
 
 int
 ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int,
-    int, struct passwd *, const char *);
+    int, const char *);
 
 void
 ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *);
@@ -50,4 +50,20 @@ void	 ssh_userauth2(const char *, const char *, char *, Sensitive *);
 
 void     ssh_put_password(char *);
 
+
+/*
+ * Macros to raise/lower permissions.
+ */
+#define PRIV_START do {                         \
+        int save_errno = errno;                 \
+        (void)seteuid(original_effective_uid);  \
+        errno = save_errno;                     \
+} while (0)
+
+#define PRIV_END do {                           \
+        int save_errno = errno;                 \
+        (void)seteuid(original_real_uid);       \
+        errno = save_errno;                     \
+} while (0)
+
 #endif