4 files changed, 84 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 39a4a89ba..6c8df34b8 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-35b2ea77a74348b575d680061f35ec7992b26ec8
+904bc482ad87648a2c799c441dc6a8449f24e15a
-35b2ea77a74348b575d680061f35ec7992b26ec8
+904bc482ad87648a2c799c441dc6a8449f24e15a
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 6c59cebed..4c1ffa30d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ openssh (1:7.4p1-10) UNRELEASED; urgency=medium
  * Move privilege separation directory and PID file from /var/run/ to /run/
    (closes: #760422, #856825).
+  * Unbreak Unix domain socket forwarding for root (closes: #858252).
 -- Colin Watson <cjwatson@debian.org>  Wed, 29 Mar 2017 23:44:13 +0100
diff --git a/debian/patches/series b/debian/patches/series
index 32f913e89..c5fc81486 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,4 @@ restore-authorized_keys2.patch
 ssh-keygen-hash-corruption.patch
 ssh-keyscan-hash-port.patch
 ssh-keygen-null-deref.patch
+unbreak-unix-forwarding-for-root.patch
diff --git a/debian/patches/unbreak-unix-forwarding-for-root.patch b/debian/patches/unbreak-unix-forwarding-for-root.patch
new file mode 100644
index 000000000..8408a118a
--- /dev/null
+++ b/debian/patches/unbreak-unix-forwarding-for-root.patch
@@ -0,0 +1,80 @@
+From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 4 Jan 2017 05:37:40 +0000
+Subject: upstream commit
+unbreak Unix domain socket forwarding for root; ok
+markus@
+Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
+Bug-Debian: https://bugs.debian.org/858252
+Last-Update: 2017-03-30
+Patch-Name: unbreak-unix-forwarding-for-root.patch
+---
+ serverloop.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+diff --git a/serverloop.c b/serverloop.c
+index c4e4699d..c55d203b 100644
+--- a/serverloop.c
+++ b/serverloop.c
+@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
+        Channel *c = NULL;
+        char *target, *originator;
+        u_short originator_port;
+       struct passwd *pw = the_authctxt->pw;
+
+       if (pw == NULL || !the_authctxt->valid)
+               fatal("server_input_global_request: no/invalid user");
+ 
+        target = packet_get_string(NULL);
+        originator = packet_get_string(NULL);
+@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
+        /* XXX fine grained permissions */
+        if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+            !no_port_forwarding_flag && !options.disable_forwarding &&
+-           use_privsep) {
+           (pw->pw_uid == 0 || use_privsep)) {
+                c = channel_connect_to_path(target,
+                    "direct-streamlocal@openssh.com", "direct-streamlocal");
+        } else {
+@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+        int want_reply;
+        int r, success = 0, allocated_listen_port = 0;
+        struct sshbuf *resp = NULL;
+       struct passwd *pw = the_authctxt->pw;
+
+       if (pw == NULL || !the_authctxt->valid)
+               fatal("server_input_global_request: no/invalid user");
+ 
+        rtype = packet_get_string(NULL);
+        want_reply = packet_get_char();
+@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ 
+        /* -R style forwarding */
+        if (strcmp(rtype, "tcpip-forward") == 0) {
+-               struct passwd *pw;
+                struct Forward fwd;
+ 
+-               pw = the_authctxt->pw;
+-               if (pw == NULL || !the_authctxt->valid)
+-                       fatal("server_input_global_request: no/invalid user");
+                memset(&fwd, 0, sizeof(fwd));
+                fwd.listen_host = packet_get_string(NULL);
+                fwd.listen_port = (u_short)packet_get_int();
+@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+                /* check permissions */
+                if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+                    || no_port_forwarding_flag || options.disable_forwarding ||
+-                   !use_privsep) {
+                   (pw->pw_uid != 0 && !use_privsep)) {
+                        success = 0;
+-                       packet_send_debug("Server has disabled port forwarding.");
+                       packet_send_debug("Server has disabled "
+                           "streamlocal forwarding.");
+                } else {
+                        /* Start listening on the socket */
+                        success = channel_setup_remote_fwd_listener(

diff --git a/debian/.git-dpm b/debian/.git-dpm index 39a4a89ba..6c8df34b8 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	35b2ea77a74348b575d680061f35ec7992b26ec8	2	904bc482ad87648a2c799c441dc6a8449f24e15a
3	35b2ea77a74348b575d680061f35ec7992b26ec8	3	904bc482ad87648a2c799c441dc6a8449f24e15a
4	971a7653746a6972b907dfe0ce139c06e4a6f482	4	971a7653746a6972b907dfe0ce139c06e4a6f482
5	971a7653746a6972b907dfe0ce139c06e4a6f482	5	971a7653746a6972b907dfe0ce139c06e4a6f482
6	openssh_7.4p1.orig.tar.gz	6	openssh_7.4p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 6c59cebed..4c1ffa30d 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -2,6 +2,7 @@ openssh (1:7.4p1-10) UNRELEASED; urgency=medium
2		2
3	* Move privilege separation directory and PID file from /var/run/ to /run/	3	* Move privilege separation directory and PID file from /var/run/ to /run/
4	(closes: #760422, #856825).	4	(closes: #760422, #856825).
		5	* Unbreak Unix domain socket forwarding for root (closes: #858252).
5		6
6	-- Colin Watson <cjwatson@debian.org> Wed, 29 Mar 2017 23:44:13 +0100	7	-- Colin Watson <cjwatson@debian.org> Wed, 29 Mar 2017 23:44:13 +0100
7		8


diff --git a/debian/patches/series b/debian/patches/series index 32f913e89..c5fc81486 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -33,3 +33,4 @@ restore-authorized_keys2.patch
33	ssh-keygen-hash-corruption.patch	33	ssh-keygen-hash-corruption.patch
34	ssh-keyscan-hash-port.patch	34	ssh-keyscan-hash-port.patch
35	ssh-keygen-null-deref.patch	35	ssh-keygen-null-deref.patch
		36	unbreak-unix-forwarding-for-root.patch


diff --git a/debian/patches/unbreak-unix-forwarding-for-root.patch b/debian/patches/unbreak-unix-forwarding-for-root.patch new file mode 100644 index 000000000..8408a118a --- /dev/null +++ b/debian/patches/unbreak-unix-forwarding-for-root.patch
@@ -0,0 +1,80 @@
		1	From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Wed, 4 Jan 2017 05:37:40 +0000
		4	Subject: upstream commit
		5
		6	unbreak Unix domain socket forwarding for root; ok
		7	markus@
		8
		9	Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
		10
		11	Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
		12	Bug-Debian: https://bugs.debian.org/858252
		13	Last-Update: 2017-03-30
		14
		15	Patch-Name: unbreak-unix-forwarding-for-root.patch
		16	---
		17	serverloop.c \| 19 ++++++++++++-------
		18	1 file changed, 12 insertions(+), 7 deletions(-)
		19
		20	diff --git a/serverloop.c b/serverloop.c
		21	index c4e4699d..c55d203b 100644
		22	--- a/serverloop.c
		23	+++ b/serverloop.c
		24	@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
		25	Channel *c = NULL;
		26	char target, originator;
		27	u_short originator_port;
		28	+ struct passwd *pw = the_authctxt->pw;
		29	+
		30	+ if (pw == NULL \|\| !the_authctxt->valid)
		31	+ fatal("server_input_global_request: no/invalid user");
		32
		33	target = packet_get_string(NULL);
		34	originator = packet_get_string(NULL);
		35	@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
		36	/* XXX fine grained permissions */
		37	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
		38	!no_port_forwarding_flag && !options.disable_forwarding &&
		39	- use_privsep) {
		40	+ (pw->pw_uid == 0 \|\| use_privsep)) {
		41	c = channel_connect_to_path(target,
		42	"direct-streamlocal@openssh.com", "direct-streamlocal");
		43	} else {
		44	@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
		45	int want_reply;
		46	int r, success = 0, allocated_listen_port = 0;
		47	struct sshbuf *resp = NULL;
		48	+ struct passwd *pw = the_authctxt->pw;
		49	+
		50	+ if (pw == NULL \|\| !the_authctxt->valid)
		51	+ fatal("server_input_global_request: no/invalid user");
		52
		53	rtype = packet_get_string(NULL);
		54	want_reply = packet_get_char();
		55	@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
		56
		57	/* -R style forwarding */
		58	if (strcmp(rtype, "tcpip-forward") == 0) {
		59	- struct passwd *pw;
		60	struct Forward fwd;
		61
		62	- pw = the_authctxt->pw;
		63	- if (pw == NULL \|\| !the_authctxt->valid)
		64	- fatal("server_input_global_request: no/invalid user");
		65	memset(&fwd, 0, sizeof(fwd));
		66	fwd.listen_host = packet_get_string(NULL);
		67	fwd.listen_port = (u_short)packet_get_int();
		68	@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
		69	/* check permissions */
		70	if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
		71	\|\| no_port_forwarding_flag \|\| options.disable_forwarding \|\|
		72	- !use_privsep) {
		73	+ (pw->pw_uid != 0 && !use_privsep)) {
		74	success = 0;
		75	- packet_send_debug("Server has disabled port forwarding.");
		76	+ packet_send_debug("Server has disabled "
		77	+ "streamlocal forwarding.");
		78	} else {
		79	/* Start listening on the socket */
		80	success = channel_setup_remote_fwd_listener(