summaryrefslogtreecommitdiff
path: root/debian/patches/unbreak-unix-forwarding-for-root.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/unbreak-unix-forwarding-for-root.patch')
-rw-r--r--debian/patches/unbreak-unix-forwarding-for-root.patch80
1 files changed, 80 insertions, 0 deletions
diff --git a/debian/patches/unbreak-unix-forwarding-for-root.patch b/debian/patches/unbreak-unix-forwarding-for-root.patch
new file mode 100644
index 000000000..8408a118a
--- /dev/null
+++ b/debian/patches/unbreak-unix-forwarding-for-root.patch
@@ -0,0 +1,80 @@
1From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Wed, 4 Jan 2017 05:37:40 +0000
4Subject: upstream commit
5
6unbreak Unix domain socket forwarding for root; ok
7markus@
8
9Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
10
11Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
12Bug-Debian: https://bugs.debian.org/858252
13Last-Update: 2017-03-30
14
15Patch-Name: unbreak-unix-forwarding-for-root.patch
16---
17 serverloop.c | 19 ++++++++++++-------
18 1 file changed, 12 insertions(+), 7 deletions(-)
19
20diff --git a/serverloop.c b/serverloop.c
21index c4e4699d..c55d203b 100644
22--- a/serverloop.c
23+++ b/serverloop.c
24@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
25 Channel *c = NULL;
26 char *target, *originator;
27 u_short originator_port;
28+ struct passwd *pw = the_authctxt->pw;
29+
30+ if (pw == NULL || !the_authctxt->valid)
31+ fatal("server_input_global_request: no/invalid user");
32
33 target = packet_get_string(NULL);
34 originator = packet_get_string(NULL);
35@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
36 /* XXX fine grained permissions */
37 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
38 !no_port_forwarding_flag && !options.disable_forwarding &&
39- use_privsep) {
40+ (pw->pw_uid == 0 || use_privsep)) {
41 c = channel_connect_to_path(target,
42 "direct-streamlocal@openssh.com", "direct-streamlocal");
43 } else {
44@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
45 int want_reply;
46 int r, success = 0, allocated_listen_port = 0;
47 struct sshbuf *resp = NULL;
48+ struct passwd *pw = the_authctxt->pw;
49+
50+ if (pw == NULL || !the_authctxt->valid)
51+ fatal("server_input_global_request: no/invalid user");
52
53 rtype = packet_get_string(NULL);
54 want_reply = packet_get_char();
55@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
56
57 /* -R style forwarding */
58 if (strcmp(rtype, "tcpip-forward") == 0) {
59- struct passwd *pw;
60 struct Forward fwd;
61
62- pw = the_authctxt->pw;
63- if (pw == NULL || !the_authctxt->valid)
64- fatal("server_input_global_request: no/invalid user");
65 memset(&fwd, 0, sizeof(fwd));
66 fwd.listen_host = packet_get_string(NULL);
67 fwd.listen_port = (u_short)packet_get_int();
68@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
69 /* check permissions */
70 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
71 || no_port_forwarding_flag || options.disable_forwarding ||
72- !use_privsep) {
73+ (pw->pw_uid != 0 && !use_privsep)) {
74 success = 0;
75- packet_send_debug("Server has disabled port forwarding.");
76+ packet_send_debug("Server has disabled "
77+ "streamlocal forwarding.");
78 } else {
79 /* Start listening on the socket */
80 success = channel_setup_remote_fwd_listener(