summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog1
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/unbreak-unix-forwarding-for-root.patch80
4 files changed, 84 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 39a4a89ba..6c8df34b8 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
235b2ea77a74348b575d680061f35ec7992b26ec8 2904bc482ad87648a2c799c441dc6a8449f24e15a
335b2ea77a74348b575d680061f35ec7992b26ec8 3904bc482ad87648a2c799c441dc6a8449f24e15a
4971a7653746a6972b907dfe0ce139c06e4a6f482 4971a7653746a6972b907dfe0ce139c06e4a6f482
5971a7653746a6972b907dfe0ce139c06e4a6f482 5971a7653746a6972b907dfe0ce139c06e4a6f482
6openssh_7.4p1.orig.tar.gz 6openssh_7.4p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 6c59cebed..4c1ffa30d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ openssh (1:7.4p1-10) UNRELEASED; urgency=medium
2 2
3 * Move privilege separation directory and PID file from /var/run/ to /run/ 3 * Move privilege separation directory and PID file from /var/run/ to /run/
4 (closes: #760422, #856825). 4 (closes: #760422, #856825).
5 * Unbreak Unix domain socket forwarding for root (closes: #858252).
5 6
6 -- Colin Watson <cjwatson@debian.org> Wed, 29 Mar 2017 23:44:13 +0100 7 -- Colin Watson <cjwatson@debian.org> Wed, 29 Mar 2017 23:44:13 +0100
7 8
diff --git a/debian/patches/series b/debian/patches/series
index 32f913e89..c5fc81486 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,4 @@ restore-authorized_keys2.patch
33ssh-keygen-hash-corruption.patch 33ssh-keygen-hash-corruption.patch
34ssh-keyscan-hash-port.patch 34ssh-keyscan-hash-port.patch
35ssh-keygen-null-deref.patch 35ssh-keygen-null-deref.patch
36unbreak-unix-forwarding-for-root.patch
diff --git a/debian/patches/unbreak-unix-forwarding-for-root.patch b/debian/patches/unbreak-unix-forwarding-for-root.patch
new file mode 100644
index 000000000..8408a118a
--- /dev/null
+++ b/debian/patches/unbreak-unix-forwarding-for-root.patch
@@ -0,0 +1,80 @@
1From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Wed, 4 Jan 2017 05:37:40 +0000
4Subject: upstream commit
5
6unbreak Unix domain socket forwarding for root; ok
7markus@
8
9Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
10
11Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
12Bug-Debian: https://bugs.debian.org/858252
13Last-Update: 2017-03-30
14
15Patch-Name: unbreak-unix-forwarding-for-root.patch
16---
17 serverloop.c | 19 ++++++++++++-------
18 1 file changed, 12 insertions(+), 7 deletions(-)
19
20diff --git a/serverloop.c b/serverloop.c
21index c4e4699d..c55d203b 100644
22--- a/serverloop.c
23+++ b/serverloop.c
24@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
25 Channel *c = NULL;
26 char *target, *originator;
27 u_short originator_port;
28+ struct passwd *pw = the_authctxt->pw;
29+
30+ if (pw == NULL || !the_authctxt->valid)
31+ fatal("server_input_global_request: no/invalid user");
32
33 target = packet_get_string(NULL);
34 originator = packet_get_string(NULL);
35@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
36 /* XXX fine grained permissions */
37 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
38 !no_port_forwarding_flag && !options.disable_forwarding &&
39- use_privsep) {
40+ (pw->pw_uid == 0 || use_privsep)) {
41 c = channel_connect_to_path(target,
42 "direct-streamlocal@openssh.com", "direct-streamlocal");
43 } else {
44@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
45 int want_reply;
46 int r, success = 0, allocated_listen_port = 0;
47 struct sshbuf *resp = NULL;
48+ struct passwd *pw = the_authctxt->pw;
49+
50+ if (pw == NULL || !the_authctxt->valid)
51+ fatal("server_input_global_request: no/invalid user");
52
53 rtype = packet_get_string(NULL);
54 want_reply = packet_get_char();
55@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
56
57 /* -R style forwarding */
58 if (strcmp(rtype, "tcpip-forward") == 0) {
59- struct passwd *pw;
60 struct Forward fwd;
61
62- pw = the_authctxt->pw;
63- if (pw == NULL || !the_authctxt->valid)
64- fatal("server_input_global_request: no/invalid user");
65 memset(&fwd, 0, sizeof(fwd));
66 fwd.listen_host = packet_get_string(NULL);
67 fwd.listen_port = (u_short)packet_get_int();
68@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
69 /* check permissions */
70 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
71 || no_port_forwarding_flag || options.disable_forwarding ||
72- !use_privsep) {
73+ (pw->pw_uid != 0 && !use_privsep)) {
74 success = 0;
75- packet_send_debug("Server has disabled port forwarding.");
76+ packet_send_debug("Server has disabled "
77+ "streamlocal forwarding.");
78 } else {
79 /* Start listening on the socket */
80 success = channel_setup_remote_fwd_listener(