summaryrefslogtreecommitdiff
path: root/sshd.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2012-05-18 12:16:05 +0100
committerColin Watson <cjwatson@debian.org>2012-05-18 12:16:05 +0100
commitdabbdfacc9f6995b0739772a47704186dcf34ea5 (patch)
tree0a0b306a637bc85eb719261b74884f0b9573ec41 /sshd.c
parent1e0d51b642cac9a6bfb719e6320905625aa5f943 (diff)
parentdd5ed53e20d218607260916a6b04d1c8c5b3d88f (diff)
* New upstream release (http://www.openssh.org/txt/release-6.0).
- Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections (closes: #643312, #650512). - Add a new privilege separation sandbox implementation for Linux's new seccomp sandbox, automatically enabled on platforms that support it. (Note: privilege separation sandboxing is still experimental.)
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c24
1 files changed, 18 insertions, 6 deletions
diff --git a/sshd.c b/sshd.c
index 9b32cb458..e032c1720 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.385 2011/06/23 09:34:13 djm Exp $ */ 1/* $OpenBSD: sshd.c,v 1.388 2011/09/30 21:22:49 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -243,6 +243,7 @@ int startup_pipe; /* in child */
243/* variables used for privilege separation */ 243/* variables used for privilege separation */
244int use_privsep = -1; 244int use_privsep = -1;
245struct monitor *pmonitor = NULL; 245struct monitor *pmonitor = NULL;
246int privsep_is_preauth = 1;
246 247
247/* global authentication context */ 248/* global authentication context */
248Authctxt *the_authctxt = NULL; 249Authctxt *the_authctxt = NULL;
@@ -655,10 +656,13 @@ privsep_preauth(Authctxt *authctxt)
655 656
656 /* Wait for the child's exit status */ 657 /* Wait for the child's exit status */
657 while (waitpid(pid, &status, 0) < 0) { 658 while (waitpid(pid, &status, 0) < 0) {
658 if (errno != EINTR) 659 if (errno == EINTR)
659 fatal("%s: waitpid: %s", __func__, 660 continue;
660 strerror(errno)); 661 pmonitor->m_pid = -1;
662 fatal("%s: waitpid: %s", __func__, strerror(errno));
661 } 663 }
664 privsep_is_preauth = 0;
665 pmonitor->m_pid = -1;
662 if (WIFEXITED(status)) { 666 if (WIFEXITED(status)) {
663 if (WEXITSTATUS(status) != 0) 667 if (WEXITSTATUS(status) != 0)
664 fatal("%s: preauth child exited with status %d", 668 fatal("%s: preauth child exited with status %d",
@@ -1512,7 +1516,7 @@ main(int ac, char **av)
1512 * root's environment 1516 * root's environment
1513 */ 1517 */
1514 if (getenv("KRB5CCNAME") != NULL) 1518 if (getenv("KRB5CCNAME") != NULL)
1515 unsetenv("KRB5CCNAME"); 1519 (void) unsetenv("KRB5CCNAME");
1516 1520
1517#ifdef _UNICOS 1521#ifdef _UNICOS
1518 /* Cray can define user privs drop all privs now! 1522 /* Cray can define user privs drop all privs now!
@@ -2476,8 +2480,16 @@ do_ssh2_kex(void)
2476void 2480void
2477cleanup_exit(int i) 2481cleanup_exit(int i)
2478{ 2482{
2479 if (the_authctxt) 2483 if (the_authctxt) {
2480 do_cleanup(the_authctxt); 2484 do_cleanup(the_authctxt);
2485 if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
2486 debug("Killing privsep child %d", pmonitor->m_pid);
2487 if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
2488 errno != ESRCH)
2489 error("%s: kill(%d): %s", __func__,
2490 pmonitor->m_pid, strerror(errno));
2491 }
2492 }
2481#ifdef SSH_AUDIT_EVENTS 2493#ifdef SSH_AUDIT_EVENTS
2482 /* done after do_cleanup so it can cancel the PAM auth 'thread' */ 2494 /* done after do_cleanup so it can cancel the PAM auth 'thread' */
2483 if (!use_privsep || mm_is_monitor()) 2495 if (!use_privsep || mm_is_monitor())