author | Ben Lindstrom <mouring@eviladmin.org> | 2001-04-08 18:26:59 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-04-08 18:26:59 +0000 |
commit | 3fcf1a22b52ed8e66d2cf548d5d4528f67377af9 (patch) | |
tree | b635cae14328f373bb682395ab066ee819dd77c4 /ssh.c | |
parent | d344763643339b5ddc075cf7b8c8fb4404dc0aa0 (diff) |
- markus@cvs.openbsd.org 2001/04/06 21:00:17
[auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth2.c channels.c session.c
ssh.c sshconnect.c sshconnect.h uidswap.c uidswap.h]
do gid/groups-swap in addition to uid-swap, should help if /home/group
is chmod 750 + chgrp grp /home/group/, work by deraadt and me, thanks
to olar@openwall.com for comments. we had many requests for this.
Diffstat (limited to 'ssh.c')
-rw-r--r-- | ssh.c | 33 |
1 files changed, 16 insertions, 17 deletions
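--- a/ssh.c
+++ b/ssh.c
@@ -39,7 +39,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.106 2001/04/05 21:05:24 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.107 2001/04/06 21:00:13 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -265,6 +265,15 @@ main(int ac, char **av)
 fatal("setrlimit failed: %.100s", strerror(errno));
 }
 #endif
+/* Get user data. */
+pw = getpwuid(original_real_uid);
+if (!pw) {
+log("You don't exist, go away!");
+exit(1);
+}
+/* Take a copy of the returned structure. */
+pw = pwcopy(pw);
+
 /*
 * Use uid-swapping to give up root privileges for the duration of
 * option processing. We will re-instantiate the rights when we are
@@ -272,7 +281,7 @@ main(int ac, char **av)
 * them when the port has been created (actually, when the connection
 * has been made, as we may need to create the port several times).
 */
-temporarily_use_uid(original_real_uid);
+temporarily_use_uid(pw);
 
 /*
 * Set our umask to something reasonable, as some files are created
@@ -545,15 +554,6 @@ main(int ac, char **av)
 tty_flag = 0;
 }
 
-/* Get user data. */
-pw = getpwuid(original_real_uid);
-if (!pw) {
-log("You don't exist, go away!");
-exit(1);
-}
-/* Take a copy of the returned structure. */
-pw = pwcopy(pw);
-
 /*
 * Initialize "log" output. Since we are the client all output
 * actually goes to stderr.
@@ -592,6 +592,7 @@ main(int ac, char **av)
 "originating port will not be trusted.");
 options.rhosts_authentication = 0;
 }
+
 /*
 * If using rsh has been selected, exec it now (without trying
 * anything else). Note that we must release privileges first.
@@ -604,7 +605,7 @@ main(int ac, char **av)
 restore_uid();
 
 /* Switch to the original uid permanently. */
-permanently_set_uid(original_real_uid);
+permanently_set_uid(pw);
 
 /* Execute rsh. */
 rsh_connect(host, options.user, &command);
@@ -618,8 +619,7 @@ main(int ac, char **av)
 ok = ssh_connect(host, &hostaddr, options.port,
 options.connection_attempts,
 original_effective_uid != 0 || !options.use_privileged_port,
-original_real_uid,
-options.proxy_command);
+pw, options.proxy_command);
 
 /*
 * If we successfully made the connection, load the host private key
@@ -646,7 +646,7 @@ main(int ac, char **av)
 * process, read the private hostkey and impersonate the host.
 * OpenBSD does not allow ptracing of setuid processes.
 */
-permanently_set_uid(original_real_uid);
+permanently_set_uid(pw);
 
 /*
 * Now that we are back to our own permissions, create ~/.ssh
@@ -688,8 +688,7 @@ main(int ac, char **av)
 tilde_expand_filename(options.user_hostfile2, original_real_uid);
 
 /* Log into the remote system. This never returns if the login fails. */
-ssh_login(host_private_key, host, (struct sockaddr *)&hostaddr,
-original_real_uid);
+ssh_login(host_private_key, host, (struct sockaddr *)&hostaddr, pw);
 
 /* We no longer need the host private key. Clear it now. */
 if (host_private_key != NULL)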
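Review bot: The privilege drop now depends on the passwd entry looked up in the block moved to new lines 268-275, so the gid and group set handed to `temporarily_use_uid(pw)` and `permanently_set_uid(pw)` presumably come from the account database rather than from the gid and groups the invoking process actually holds; uidswap.c is not shown here, so this is inferred from the commit message. Where several accounts share a uid, `getpwuid(original_real_uid)` returns only one of them, and the client would then take on that entry's groups. The reason for the early lookup is worth recording above it, e.g. `/* Look up the user before dropping privileges: pw supplies the uid, gid and groups for the swap. */`, and the existing comments `Use uid-swapping to give up root privileges` and `Switch to the original uid permanently` could mention gid/groups as well. Nothing at the call sites can tell whether the swap succeeded, so confirm in uidswap.c that a failed gid or groups change is fatal rather than only logged. main() starts and ends outside these hunks.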