diff options
| -rw-r--r-- | debian/.git-dpm | 4 | ||||
| -rw-r--r-- | debian/changelog | 1 | ||||
| -rw-r--r-- | debian/patches/series | 1 | ||||
| -rw-r--r-- | debian/patches/unbreak-unix-forwarding-for-root.patch | 80 | ||||
| -rw-r--r-- | serverloop.c | 19 |
5 files changed, 96 insertions, 9 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index 39a4a89ba..6c8df34b8 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
| 2 | 35b2ea77a74348b575d680061f35ec7992b26ec8 | 2 | 904bc482ad87648a2c799c441dc6a8449f24e15a |
| 3 | 35b2ea77a74348b575d680061f35ec7992b26ec8 | 3 | 904bc482ad87648a2c799c441dc6a8449f24e15a |
| 4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
| 5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
| 6 | openssh_7.4p1.orig.tar.gz | 6 | openssh_7.4p1.orig.tar.gz |
diff --git a/debian/changelog b/debian/changelog index 6c59cebed..4c1ffa30d 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -2,6 +2,7 @@ openssh (1:7.4p1-10) UNRELEASED; urgency=medium | |||
| 2 | 2 | ||
| 3 | * Move privilege separation directory and PID file from /var/run/ to /run/ | 3 | * Move privilege separation directory and PID file from /var/run/ to /run/ |
| 4 | (closes: #760422, #856825). | 4 | (closes: #760422, #856825). |
| 5 | * Unbreak Unix domain socket forwarding for root (closes: #858252). | ||
| 5 | 6 | ||
| 6 | -- Colin Watson <cjwatson@debian.org> Wed, 29 Mar 2017 23:44:13 +0100 | 7 | -- Colin Watson <cjwatson@debian.org> Wed, 29 Mar 2017 23:44:13 +0100 |
| 7 | 8 | ||
diff --git a/debian/patches/series b/debian/patches/series index 32f913e89..c5fc81486 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
| @@ -33,3 +33,4 @@ restore-authorized_keys2.patch | |||
| 33 | ssh-keygen-hash-corruption.patch | 33 | ssh-keygen-hash-corruption.patch |
| 34 | ssh-keyscan-hash-port.patch | 34 | ssh-keyscan-hash-port.patch |
| 35 | ssh-keygen-null-deref.patch | 35 | ssh-keygen-null-deref.patch |
| 36 | unbreak-unix-forwarding-for-root.patch | ||
diff --git a/debian/patches/unbreak-unix-forwarding-for-root.patch b/debian/patches/unbreak-unix-forwarding-for-root.patch new file mode 100644 index 000000000..8408a118a --- /dev/null +++ b/debian/patches/unbreak-unix-forwarding-for-root.patch | |||
| @@ -0,0 +1,80 @@ | |||
| 1 | From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "djm@openbsd.org" <djm@openbsd.org> | ||
| 3 | Date: Wed, 4 Jan 2017 05:37:40 +0000 | ||
| 4 | Subject: upstream commit | ||
| 5 | |||
| 6 | unbreak Unix domain socket forwarding for root; ok | ||
| 7 | markus@ | ||
| 8 | |||
| 9 | Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2 | ||
| 10 | |||
| 11 | Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3 | ||
| 12 | Bug-Debian: https://bugs.debian.org/858252 | ||
| 13 | Last-Update: 2017-03-30 | ||
| 14 | |||
| 15 | Patch-Name: unbreak-unix-forwarding-for-root.patch | ||
| 16 | --- | ||
| 17 | serverloop.c | 19 ++++++++++++------- | ||
| 18 | 1 file changed, 12 insertions(+), 7 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/serverloop.c b/serverloop.c | ||
| 21 | index c4e4699d..c55d203b 100644 | ||
| 22 | --- a/serverloop.c | ||
| 23 | +++ b/serverloop.c | ||
| 24 | @@ -468,6 +468,10 @@ server_request_direct_streamlocal(void) | ||
| 25 | Channel *c = NULL; | ||
| 26 | char *target, *originator; | ||
| 27 | u_short originator_port; | ||
| 28 | + struct passwd *pw = the_authctxt->pw; | ||
| 29 | + | ||
| 30 | + if (pw == NULL || !the_authctxt->valid) | ||
| 31 | + fatal("server_input_global_request: no/invalid user"); | ||
| 32 | |||
| 33 | target = packet_get_string(NULL); | ||
| 34 | originator = packet_get_string(NULL); | ||
| 35 | @@ -480,7 +484,7 @@ server_request_direct_streamlocal(void) | ||
| 36 | /* XXX fine grained permissions */ | ||
| 37 | if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && | ||
| 38 | !no_port_forwarding_flag && !options.disable_forwarding && | ||
| 39 | - use_privsep) { | ||
| 40 | + (pw->pw_uid == 0 || use_privsep)) { | ||
| 41 | c = channel_connect_to_path(target, | ||
| 42 | "direct-streamlocal@openssh.com", "direct-streamlocal"); | ||
| 43 | } else { | ||
| 44 | @@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) | ||
| 45 | int want_reply; | ||
| 46 | int r, success = 0, allocated_listen_port = 0; | ||
| 47 | struct sshbuf *resp = NULL; | ||
| 48 | + struct passwd *pw = the_authctxt->pw; | ||
| 49 | + | ||
| 50 | + if (pw == NULL || !the_authctxt->valid) | ||
| 51 | + fatal("server_input_global_request: no/invalid user"); | ||
| 52 | |||
| 53 | rtype = packet_get_string(NULL); | ||
| 54 | want_reply = packet_get_char(); | ||
| 55 | @@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) | ||
| 56 | |||
| 57 | /* -R style forwarding */ | ||
| 58 | if (strcmp(rtype, "tcpip-forward") == 0) { | ||
| 59 | - struct passwd *pw; | ||
| 60 | struct Forward fwd; | ||
| 61 | |||
| 62 | - pw = the_authctxt->pw; | ||
| 63 | - if (pw == NULL || !the_authctxt->valid) | ||
| 64 | - fatal("server_input_global_request: no/invalid user"); | ||
| 65 | memset(&fwd, 0, sizeof(fwd)); | ||
| 66 | fwd.listen_host = packet_get_string(NULL); | ||
| 67 | fwd.listen_port = (u_short)packet_get_int(); | ||
| 68 | @@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) | ||
| 69 | /* check permissions */ | ||
| 70 | if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 | ||
| 71 | || no_port_forwarding_flag || options.disable_forwarding || | ||
| 72 | - !use_privsep) { | ||
| 73 | + (pw->pw_uid != 0 && !use_privsep)) { | ||
| 74 | success = 0; | ||
| 75 | - packet_send_debug("Server has disabled port forwarding."); | ||
| 76 | + packet_send_debug("Server has disabled " | ||
| 77 | + "streamlocal forwarding."); | ||
| 78 | } else { | ||
| 79 | /* Start listening on the socket */ | ||
| 80 | success = channel_setup_remote_fwd_listener( | ||
diff --git a/serverloop.c b/serverloop.c index c4e4699da..c55d203bc 100644 --- a/serverloop.c +++ b/serverloop.c | |||
| @@ -468,6 +468,10 @@ server_request_direct_streamlocal(void) | |||
| 468 | Channel *c = NULL; | 468 | Channel *c = NULL; |
| 469 | char *target, *originator; | 469 | char *target, *originator; |
| 470 | u_short originator_port; | 470 | u_short originator_port; |
| 471 | struct passwd *pw = the_authctxt->pw; | ||
| 472 | |||
| 473 | if (pw == NULL || !the_authctxt->valid) | ||
| 474 | fatal("server_input_global_request: no/invalid user"); | ||
| 471 | 475 | ||
| 472 | target = packet_get_string(NULL); | 476 | target = packet_get_string(NULL); |
| 473 | originator = packet_get_string(NULL); | 477 | originator = packet_get_string(NULL); |
| @@ -480,7 +484,7 @@ server_request_direct_streamlocal(void) | |||
| 480 | /* XXX fine grained permissions */ | 484 | /* XXX fine grained permissions */ |
| 481 | if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && | 485 | if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && |
| 482 | !no_port_forwarding_flag && !options.disable_forwarding && | 486 | !no_port_forwarding_flag && !options.disable_forwarding && |
| 483 | use_privsep) { | 487 | (pw->pw_uid == 0 || use_privsep)) { |
| 484 | c = channel_connect_to_path(target, | 488 | c = channel_connect_to_path(target, |
| 485 | "direct-streamlocal@openssh.com", "direct-streamlocal"); | 489 | "direct-streamlocal@openssh.com", "direct-streamlocal"); |
| 486 | } else { | 490 | } else { |
| @@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) | |||
| 702 | int want_reply; | 706 | int want_reply; |
| 703 | int r, success = 0, allocated_listen_port = 0; | 707 | int r, success = 0, allocated_listen_port = 0; |
| 704 | struct sshbuf *resp = NULL; | 708 | struct sshbuf *resp = NULL; |
| 709 | struct passwd *pw = the_authctxt->pw; | ||
| 710 | |||
| 711 | if (pw == NULL || !the_authctxt->valid) | ||
| 712 | fatal("server_input_global_request: no/invalid user"); | ||
| 705 | 713 | ||
| 706 | rtype = packet_get_string(NULL); | 714 | rtype = packet_get_string(NULL); |
| 707 | want_reply = packet_get_char(); | 715 | want_reply = packet_get_char(); |
| @@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) | |||
| 709 | 717 | ||
| 710 | /* -R style forwarding */ | 718 | /* -R style forwarding */ |
| 711 | if (strcmp(rtype, "tcpip-forward") == 0) { | 719 | if (strcmp(rtype, "tcpip-forward") == 0) { |
| 712 | struct passwd *pw; | ||
| 713 | struct Forward fwd; | 720 | struct Forward fwd; |
| 714 | 721 | ||
| 715 | pw = the_authctxt->pw; | ||
| 716 | if (pw == NULL || !the_authctxt->valid) | ||
| 717 | fatal("server_input_global_request: no/invalid user"); | ||
| 718 | memset(&fwd, 0, sizeof(fwd)); | 722 | memset(&fwd, 0, sizeof(fwd)); |
| 719 | fwd.listen_host = packet_get_string(NULL); | 723 | fwd.listen_host = packet_get_string(NULL); |
| 720 | fwd.listen_port = (u_short)packet_get_int(); | 724 | fwd.listen_port = (u_short)packet_get_int(); |
| @@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) | |||
| 762 | /* check permissions */ | 766 | /* check permissions */ |
| 763 | if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 | 767 | if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 |
| 764 | || no_port_forwarding_flag || options.disable_forwarding || | 768 | || no_port_forwarding_flag || options.disable_forwarding || |
| 765 | !use_privsep) { | 769 | (pw->pw_uid != 0 && !use_privsep)) { |
| 766 | success = 0; | 770 | success = 0; |
| 767 | packet_send_debug("Server has disabled port forwarding."); | 771 | packet_send_debug("Server has disabled " |
| 772 | "streamlocal forwarding."); | ||
| 768 | } else { | 773 | } else { |
| 769 | /* Start listening on the socket */ | 774 | /* Start listening on the socket */ |
| 770 | success = channel_setup_remote_fwd_listener( | 775 | success = channel_setup_remote_fwd_listener( |