upstream commit

always call privsep_preauth_child() regardless of whether sshd was started by root; it does important priming before sandboxing and failing to call it could result in sandbox violations later; ok markus@ Upstream-ID: c8a6d0d56c42f3faab38460dc917ca0d1705d383
author: djm@openbsd.org <djm@openbsd.org> 2015-11-16 22:51:05 +0000
committer: Damien Miller <djm@mindrot.org> 2015-11-17 11:22:14 +1100
commit: 5b4010d9b923cf1b46c9c7b1887c013c2967e204 (patch)
tree: a07af51c808c445f6329a2adb503d1193006d853 /sshd.c
parent: 3a9f84b58b0534bbb485f1eeab75665e2d03371f (diff)
1 files changed, 19 insertions, 23 deletions
diff --git a/sshd.c b/sshd.c
index b19cc34c7..a823999b3 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.459 2015/09/04 08:21:47 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.460 2015/11/16 22:51:05 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -632,25 +632,23 @@ privsep_preauth_child(void)
        /* Demote the private keys to public keys. */
        demote_sensitive_data();
-        /* Change our root directory */
+        /* Demote the child */
-        if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+        if (getuid() == 0 || geteuid() == 0) {
-                fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+                /* Change our root directory */
-                    strerror(errno));
+                if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
-        if (chdir("/") == -1)
+                        fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-                fatal("chdir(\"/\"): %s", strerror(errno));
+                            strerror(errno));
+                if (chdir("/") == -1)
-        /* Drop our privileges */
+                        fatal("chdir(\"/\"): %s", strerror(errno));
-        debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
-            (u_int)privsep_pw->pw_gid);
+                /* Drop our privileges */
-#if 0
+                debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
-        /* XXX not ready, too heavy after chroot */
+                    (u_int)privsep_pw->pw_gid);
-        do_setusercontext(privsep_pw);
+                gidset[0] = privsep_pw->pw_gid;
-#else
+                if (setgroups(1, gidset) < 0)
-        gidset[0] = privsep_pw->pw_gid;
+                        fatal("setgroups: %.100s", strerror(errno));
-        if (setgroups(1, gidset) < 0)
+                permanently_set_uid(privsep_pw);
-                fatal("setgroups: %.100s", strerror(errno));
+        }
-        permanently_set_uid(privsep_pw);
-#endif
 }
 static int
@@ -716,9 +714,7 @@ privsep_preauth(Authctxt *authctxt)
                /* Arrange for logging to be sent to the monitor */
                set_log_handler(mm_log_handler, pmonitor);
-                /* Demote the child */
+                privsep_preauth_child();
-                if (getuid() == 0 || geteuid() == 0)
-                        privsep_preauth_child();
                setproctitle("%s", "[net]");
                if (box != NULL)
                        ssh_sandbox_child(box);
author	djm@openbsd.org <djm@openbsd.org>	2015-11-16 22:51:05 +0000
committer	Damien Miller <djm@mindrot.org>	2015-11-17 11:22:14 +1100
commit	5b4010d9b923cf1b46c9c7b1887c013c2967e204 (patch)
tree	a07af51c808c445f6329a2adb503d1193006d853 /sshd.c
parent	3a9f84b58b0534bbb485f1eeab75665e2d03371f (diff)

diff --git a/sshd.c b/sshd.c index b19cc34c7..a823999b3 100644 --- a/sshd.c +++ b/sshd.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: sshd.c,v 1.459 2015/09/04 08:21:47 dtucker Exp $ */	1	/* $OpenBSD: sshd.c,v 1.460 2015/11/16 22:51:05 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -632,25 +632,23 @@ privsep_preauth_child(void)
632	/* Demote the private keys to public keys. */	632	/* Demote the private keys to public keys. */
633	demote_sensitive_data();	633	demote_sensitive_data();
634		634
635	/* Change our root directory */	635	/* Demote the child */
636	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)	636	if (getuid() == 0 \|\| geteuid() == 0) {
637	fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,	637	/* Change our root directory */
638	strerror(errno));	638	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
639	if (chdir("/") == -1)	639	fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
640	fatal("chdir(\"/\"): %s", strerror(errno));	640	strerror(errno));
641		641	if (chdir("/") == -1)
642	/* Drop our privileges */	642	fatal("chdir(\"/\"): %s", strerror(errno));
643	debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,	643
644	(u_int)privsep_pw->pw_gid);	644	/* Drop our privileges */
645	#if 0	645	debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
646	/* XXX not ready, too heavy after chroot */	646	(u_int)privsep_pw->pw_gid);
647	do_setusercontext(privsep_pw);	647	gidset[0] = privsep_pw->pw_gid;
648	#else	648	if (setgroups(1, gidset) < 0)
649	gidset[0] = privsep_pw->pw_gid;	649	fatal("setgroups: %.100s", strerror(errno));
650	if (setgroups(1, gidset) < 0)	650	permanently_set_uid(privsep_pw);
651	fatal("setgroups: %.100s", strerror(errno));	651	}
652	permanently_set_uid(privsep_pw);
653	#endif
654	}	652	}
655		653
656	static int	654	static int
@@ -716,9 +714,7 @@ privsep_preauth(Authctxt *authctxt)
716	/* Arrange for logging to be sent to the monitor */	714	/* Arrange for logging to be sent to the monitor */
717	set_log_handler(mm_log_handler, pmonitor);	715	set_log_handler(mm_log_handler, pmonitor);
718		716
719	/* Demote the child */	717	privsep_preauth_child();
720	if (getuid() == 0 \|\| geteuid() == 0)
721	privsep_preauth_child();
722	setproctitle("%s", "[net]");	718	setproctitle("%s", "[net]");
723	if (box != NULL)	719	if (box != NULL)
724	ssh_sandbox_child(box);	720	ssh_sandbox_child(box);