summaryrefslogtreecommitdiff
path: root/ssh.c
diff options
context:
space:
mode:
authorBen Lindstrom <mouring@eviladmin.org>2001-04-08 18:26:59 +0000
committerBen Lindstrom <mouring@eviladmin.org>2001-04-08 18:26:59 +0000
commit3fcf1a22b52ed8e66d2cf548d5d4528f67377af9 (patch)
treeb635cae14328f373bb682395ab066ee819dd77c4 /ssh.c
parentd344763643339b5ddc075cf7b8c8fb4404dc0aa0 (diff)
- markus@cvs.openbsd.org 2001/04/06 21:00:17
[auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth2.c channels.c session.c ssh.c sshconnect.c sshconnect.h uidswap.c uidswap.h] do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
Diffstat (limited to 'ssh.c')
-rw-r--r--ssh.c33
1 files changed, 16 insertions, 17 deletions
diff --git a/ssh.c b/ssh.c
index 278e7eda4..294bcf39d 100644
--- a/ssh.c
+++ b/ssh.c
@@ -39,7 +39,7 @@
39 */ 39 */
40 40
41#include "includes.h" 41#include "includes.h"
42RCSID("$OpenBSD: ssh.c,v 1.106 2001/04/05 21:05:24 markus Exp $"); 42RCSID("$OpenBSD: ssh.c,v 1.107 2001/04/06 21:00:13 markus Exp $");
43 43
44#include <openssl/evp.h> 44#include <openssl/evp.h>
45#include <openssl/err.h> 45#include <openssl/err.h>
@@ -265,6 +265,15 @@ main(int ac, char **av)
265 fatal("setrlimit failed: %.100s", strerror(errno)); 265 fatal("setrlimit failed: %.100s", strerror(errno));
266 } 266 }
267#endif 267#endif
268 /* Get user data. */
269 pw = getpwuid(original_real_uid);
270 if (!pw) {
271 log("You don't exist, go away!");
272 exit(1);
273 }
274 /* Take a copy of the returned structure. */
275 pw = pwcopy(pw);
276
268 /* 277 /*
269 * Use uid-swapping to give up root privileges for the duration of 278 * Use uid-swapping to give up root privileges for the duration of
270 * option processing. We will re-instantiate the rights when we are 279 * option processing. We will re-instantiate the rights when we are
@@ -272,7 +281,7 @@ main(int ac, char **av)
272 * them when the port has been created (actually, when the connection 281 * them when the port has been created (actually, when the connection
273 * has been made, as we may need to create the port several times). 282 * has been made, as we may need to create the port several times).
274 */ 283 */
275 temporarily_use_uid(original_real_uid); 284 temporarily_use_uid(pw);
276 285
277 /* 286 /*
278 * Set our umask to something reasonable, as some files are created 287 * Set our umask to something reasonable, as some files are created
@@ -545,15 +554,6 @@ main(int ac, char **av)
545 tty_flag = 0; 554 tty_flag = 0;
546 } 555 }
547 556
548 /* Get user data. */
549 pw = getpwuid(original_real_uid);
550 if (!pw) {
551 log("You don't exist, go away!");
552 exit(1);
553 }
554 /* Take a copy of the returned structure. */
555 pw = pwcopy(pw);
556
557 /* 557 /*
558 * Initialize "log" output. Since we are the client all output 558 * Initialize "log" output. Since we are the client all output
559 * actually goes to stderr. 559 * actually goes to stderr.
@@ -592,6 +592,7 @@ main(int ac, char **av)
592 "originating port will not be trusted."); 592 "originating port will not be trusted.");
593 options.rhosts_authentication = 0; 593 options.rhosts_authentication = 0;
594 } 594 }
595
595 /* 596 /*
596 * If using rsh has been selected, exec it now (without trying 597 * If using rsh has been selected, exec it now (without trying
597 * anything else). Note that we must release privileges first. 598 * anything else). Note that we must release privileges first.
@@ -604,7 +605,7 @@ main(int ac, char **av)
604 restore_uid(); 605 restore_uid();
605 606
606 /* Switch to the original uid permanently. */ 607 /* Switch to the original uid permanently. */
607 permanently_set_uid(original_real_uid); 608 permanently_set_uid(pw);
608 609
609 /* Execute rsh. */ 610 /* Execute rsh. */
610 rsh_connect(host, options.user, &command); 611 rsh_connect(host, options.user, &command);
@@ -618,8 +619,7 @@ main(int ac, char **av)
618 ok = ssh_connect(host, &hostaddr, options.port, 619 ok = ssh_connect(host, &hostaddr, options.port,
619 options.connection_attempts, 620 options.connection_attempts,
620 original_effective_uid != 0 || !options.use_privileged_port, 621 original_effective_uid != 0 || !options.use_privileged_port,
621 original_real_uid, 622 pw, options.proxy_command);
622 options.proxy_command);
623 623
624 /* 624 /*
625 * If we successfully made the connection, load the host private key 625 * If we successfully made the connection, load the host private key
@@ -646,7 +646,7 @@ main(int ac, char **av)
646 * process, read the private hostkey and impersonate the host. 646 * process, read the private hostkey and impersonate the host.
647 * OpenBSD does not allow ptracing of setuid processes. 647 * OpenBSD does not allow ptracing of setuid processes.
648 */ 648 */
649 permanently_set_uid(original_real_uid); 649 permanently_set_uid(pw);
650 650
651 /* 651 /*
652 * Now that we are back to our own permissions, create ~/.ssh 652 * Now that we are back to our own permissions, create ~/.ssh
@@ -688,8 +688,7 @@ main(int ac, char **av)
688 tilde_expand_filename(options.user_hostfile2, original_real_uid); 688 tilde_expand_filename(options.user_hostfile2, original_real_uid);
689 689
690 /* Log into the remote system. This never returns if the login fails. */ 690 /* Log into the remote system. This never returns if the login fails. */
691 ssh_login(host_private_key, host, (struct sockaddr *)&hostaddr, 691 ssh_login(host_private_key, host, (struct sockaddr *)&hostaddr, pw);
692 original_real_uid);
693 692
694 /* We no longer need the host private key. Clear it now. */ 693 /* We no longer need the host private key. Clear it now. */
695 if (host_private_key != NULL) 694 if (host_private_key != NULL)
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-08 01:49:14 +0000