summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog1
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/unbreak-unix-forwarding-for-root.patch80
-rw-r--r--serverloop.c19
5 files changed, 96 insertions, 9 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 39a4a89ba..6c8df34b8 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
235b2ea77a74348b575d680061f35ec7992b26ec8 2904bc482ad87648a2c799c441dc6a8449f24e15a
335b2ea77a74348b575d680061f35ec7992b26ec8 3904bc482ad87648a2c799c441dc6a8449f24e15a
4971a7653746a6972b907dfe0ce139c06e4a6f482 4971a7653746a6972b907dfe0ce139c06e4a6f482
5971a7653746a6972b907dfe0ce139c06e4a6f482 5971a7653746a6972b907dfe0ce139c06e4a6f482
6openssh_7.4p1.orig.tar.gz 6openssh_7.4p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 6c59cebed..4c1ffa30d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ openssh (1:7.4p1-10) UNRELEASED; urgency=medium
2 2
3 * Move privilege separation directory and PID file from /var/run/ to /run/ 3 * Move privilege separation directory and PID file from /var/run/ to /run/
4 (closes: #760422, #856825). 4 (closes: #760422, #856825).
5 * Unbreak Unix domain socket forwarding for root (closes: #858252).
5 6
6 -- Colin Watson <cjwatson@debian.org> Wed, 29 Mar 2017 23:44:13 +0100 7 -- Colin Watson <cjwatson@debian.org> Wed, 29 Mar 2017 23:44:13 +0100
7 8
diff --git a/debian/patches/series b/debian/patches/series
index 32f913e89..c5fc81486 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,4 @@ restore-authorized_keys2.patch
33ssh-keygen-hash-corruption.patch 33ssh-keygen-hash-corruption.patch
34ssh-keyscan-hash-port.patch 34ssh-keyscan-hash-port.patch
35ssh-keygen-null-deref.patch 35ssh-keygen-null-deref.patch
36unbreak-unix-forwarding-for-root.patch
diff --git a/debian/patches/unbreak-unix-forwarding-for-root.patch b/debian/patches/unbreak-unix-forwarding-for-root.patch
new file mode 100644
index 000000000..8408a118a
--- /dev/null
+++ b/debian/patches/unbreak-unix-forwarding-for-root.patch
@@ -0,0 +1,80 @@
1From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Wed, 4 Jan 2017 05:37:40 +0000
4Subject: upstream commit
5
6unbreak Unix domain socket forwarding for root; ok
7markus@
8
9Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
10
11Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
12Bug-Debian: https://bugs.debian.org/858252
13Last-Update: 2017-03-30
14
15Patch-Name: unbreak-unix-forwarding-for-root.patch
16---
17 serverloop.c | 19 ++++++++++++-------
18 1 file changed, 12 insertions(+), 7 deletions(-)
19
20diff --git a/serverloop.c b/serverloop.c
21index c4e4699d..c55d203b 100644
22--- a/serverloop.c
23+++ b/serverloop.c
24@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
25 Channel *c = NULL;
26 char *target, *originator;
27 u_short originator_port;
28+ struct passwd *pw = the_authctxt->pw;
29+
30+ if (pw == NULL || !the_authctxt->valid)
31+ fatal("server_input_global_request: no/invalid user");
32
33 target = packet_get_string(NULL);
34 originator = packet_get_string(NULL);
35@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
36 /* XXX fine grained permissions */
37 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
38 !no_port_forwarding_flag && !options.disable_forwarding &&
39- use_privsep) {
40+ (pw->pw_uid == 0 || use_privsep)) {
41 c = channel_connect_to_path(target,
42 "direct-streamlocal@openssh.com", "direct-streamlocal");
43 } else {
44@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
45 int want_reply;
46 int r, success = 0, allocated_listen_port = 0;
47 struct sshbuf *resp = NULL;
48+ struct passwd *pw = the_authctxt->pw;
49+
50+ if (pw == NULL || !the_authctxt->valid)
51+ fatal("server_input_global_request: no/invalid user");
52
53 rtype = packet_get_string(NULL);
54 want_reply = packet_get_char();
55@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
56
57 /* -R style forwarding */
58 if (strcmp(rtype, "tcpip-forward") == 0) {
59- struct passwd *pw;
60 struct Forward fwd;
61
62- pw = the_authctxt->pw;
63- if (pw == NULL || !the_authctxt->valid)
64- fatal("server_input_global_request: no/invalid user");
65 memset(&fwd, 0, sizeof(fwd));
66 fwd.listen_host = packet_get_string(NULL);
67 fwd.listen_port = (u_short)packet_get_int();
68@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
69 /* check permissions */
70 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
71 || no_port_forwarding_flag || options.disable_forwarding ||
72- !use_privsep) {
73+ (pw->pw_uid != 0 && !use_privsep)) {
74 success = 0;
75- packet_send_debug("Server has disabled port forwarding.");
76+ packet_send_debug("Server has disabled "
77+ "streamlocal forwarding.");
78 } else {
79 /* Start listening on the socket */
80 success = channel_setup_remote_fwd_listener(
diff --git a/serverloop.c b/serverloop.c
index c4e4699da..c55d203bc 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
468 Channel *c = NULL; 468 Channel *c = NULL;
469 char *target, *originator; 469 char *target, *originator;
470 u_short originator_port; 470 u_short originator_port;
471 struct passwd *pw = the_authctxt->pw;
472
473 if (pw == NULL || !the_authctxt->valid)
474 fatal("server_input_global_request: no/invalid user");
471 475
472 target = packet_get_string(NULL); 476 target = packet_get_string(NULL);
473 originator = packet_get_string(NULL); 477 originator = packet_get_string(NULL);
@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
480 /* XXX fine grained permissions */ 484 /* XXX fine grained permissions */
481 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && 485 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
482 !no_port_forwarding_flag && !options.disable_forwarding && 486 !no_port_forwarding_flag && !options.disable_forwarding &&
483 use_privsep) { 487 (pw->pw_uid == 0 || use_privsep)) {
484 c = channel_connect_to_path(target, 488 c = channel_connect_to_path(target,
485 "direct-streamlocal@openssh.com", "direct-streamlocal"); 489 "direct-streamlocal@openssh.com", "direct-streamlocal");
486 } else { 490 } else {
@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
702 int want_reply; 706 int want_reply;
703 int r, success = 0, allocated_listen_port = 0; 707 int r, success = 0, allocated_listen_port = 0;
704 struct sshbuf *resp = NULL; 708 struct sshbuf *resp = NULL;
709 struct passwd *pw = the_authctxt->pw;
710
711 if (pw == NULL || !the_authctxt->valid)
712 fatal("server_input_global_request: no/invalid user");
705 713
706 rtype = packet_get_string(NULL); 714 rtype = packet_get_string(NULL);
707 want_reply = packet_get_char(); 715 want_reply = packet_get_char();
@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
709 717
710 /* -R style forwarding */ 718 /* -R style forwarding */
711 if (strcmp(rtype, "tcpip-forward") == 0) { 719 if (strcmp(rtype, "tcpip-forward") == 0) {
712 struct passwd *pw;
713 struct Forward fwd; 720 struct Forward fwd;
714 721
715 pw = the_authctxt->pw;
716 if (pw == NULL || !the_authctxt->valid)
717 fatal("server_input_global_request: no/invalid user");
718 memset(&fwd, 0, sizeof(fwd)); 722 memset(&fwd, 0, sizeof(fwd));
719 fwd.listen_host = packet_get_string(NULL); 723 fwd.listen_host = packet_get_string(NULL);
720 fwd.listen_port = (u_short)packet_get_int(); 724 fwd.listen_port = (u_short)packet_get_int();
@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
762 /* check permissions */ 766 /* check permissions */
763 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 767 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
764 || no_port_forwarding_flag || options.disable_forwarding || 768 || no_port_forwarding_flag || options.disable_forwarding ||
765 !use_privsep) { 769 (pw->pw_uid != 0 && !use_privsep)) {
766 success = 0; 770 success = 0;
767 packet_send_debug("Server has disabled port forwarding."); 771 packet_send_debug("Server has disabled "
772 "streamlocal forwarding.");
768 } else { 773 } else {
769 /* Start listening on the socket */ 774 /* Start listening on the socket */
770 success = channel_setup_remote_fwd_listener( 775 success = channel_setup_remote_fwd_listener(