upstream commit

Factor out "can bind to low ports" check into its own function. This will make it easier for Portable to support platforms with permissions models other than uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much" deraadt@. Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
author: dtucker@openbsd.org <dtucker@openbsd.org> 2016-10-23 22:04:05 +0000
committer: Darren Tucker <dtucker@zip.com.au> 2016-10-24 10:42:57 +1100
commit: 1c4ef0b808d3d38232aeeb1cebb7e9a43def42c5 (patch)
tree: a50f4076f566c6182fa931c28fe0ede424aabba3 /serverloop.c
parent: 0b9ee623d57e5de7e83e66fd61a7ba9a5be98894 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/serverloop.c b/serverloop.c
index 87e619fe4..4a9a16d41 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.186 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -724,8 +724,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
                if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
                    no_port_forwarding_flag ||
                    (!want_reply && fwd.listen_port == 0) ||
-                    (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
+                    (fwd.listen_port != 0 &&
-                    pw->pw_uid != 0)) {
+                     !bind_permitted(fwd.listen_port, pw->pw_uid))) {
                        success = 0;
                        packet_send_debug("Server has disabled port forwarding.");
                } else {
author	dtucker@openbsd.org <dtucker@openbsd.org>	2016-10-23 22:04:05 +0000
committer	Darren Tucker <dtucker@zip.com.au>	2016-10-24 10:42:57 +1100
commit	1c4ef0b808d3d38232aeeb1cebb7e9a43def42c5 (patch)
tree	a50f4076f566c6182fa931c28fe0ede424aabba3 /serverloop.c
parent	0b9ee623d57e5de7e83e66fd61a7ba9a5be98894 (diff)

diff --git a/serverloop.c b/serverloop.c index 87e619fe4..4a9a16d41 100644 --- a/serverloop.c +++ b/serverloop.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: serverloop.c,v 1.186 2016/09/12 01:22:38 deraadt Exp $ */	1	/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -724,8 +724,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
724	if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 \|\|	724	if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 \|\|
725	no_port_forwarding_flag \|\|	725	no_port_forwarding_flag \|\|
726	(!want_reply && fwd.listen_port == 0) \|\|	726	(!want_reply && fwd.listen_port == 0) \|\|
727	(fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&	727	(fwd.listen_port != 0 &&
728	pw->pw_uid != 0)) {	728	!bind_permitted(fwd.listen_port, pw->pw_uid))) {
729	success = 0;	729	success = 0;
730	packet_send_debug("Server has disabled port forwarding.");	730	packet_send_debug("Server has disabled port forwarding.");
731	} else {	731	} else {