From aa5b3f831417bac9538d2b6f21d55fef278e8926 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Mon, 3 Dec 2012 09:50:54 +1100
Subject: - djm@cvs.openbsd.org 2012/12/02 20:46:11 [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] [sshd_config.5] make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@
---
 session.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'session.c')
diff --git a/session.c b/session.c
index 65bf28776..643e7fc59 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */
+/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
  * All rights reserved
@@ -273,7 +273,10 @@ do_authenticated(Authctxt *authctxt)
 	setproctitle("%s", authctxt->pw->pw_name);
 
 	/* setup the channel layer */
-	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+	if (no_port_forwarding_flag ||
+	    (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+		channel_disable_adm_local_opens();
+	else
 		channel_permit_all_opens();
 
 	auth_debug_send();
@@ -383,7 +386,7 @@ do_authenticated1(Authctxt *authctxt)
 				debug("Port forwarding not permitted for this authentication.");
 				break;
 			}
-			if (!options.allow_tcp_forwarding) {
+			if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) {
 				debug("Port forwarding not permitted.");
 				break;
 			}
-- 
cgit v1.2.3
From 585284019020eccaf0ce744df198bd56b6aa109f Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Fri, 15 Mar 2013 11:22:37 +1100
Subject: - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to occur after UID switch; patch from John Marshall via des AT des.no; ok dtucker@
---
 ChangeLog | 3 +++
 session.c | 5 +++++
 2 files changed, 8 insertions(+)
(limited to 'session.c')
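Review bot: The new branch in do_authenticated() has no comment saying what `channel_disable_adm_local_opens()` denies or where the FORWARD_REMOTE half of the option is enforced, and the next reader will want both, since the disabled case used to be a no-op that relied on the channel layer's default. A one-line comment above the `if`, such as `/* local forwarding: deny unless FORWARD_LOCAL is set; remote forwarding is checked where the forward request is handled */`, would record the split. The test is also spelled differently from its sibling: this hunk writes `(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0` while the do_authenticated1 hunk below writes `!(options.allow_tcp_forwarding & FORWARD_REMOTE)`; one form for both keeps the two sites grep-alike. The rest of do_authenticated() lies outside the hunk, and the remote-side check is presumably in serverloop.c (listed in the commit), which this patch does not show.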
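Review bot: The `debug("Port forwarding not permitted.")` that follows the changed condition in do_authenticated1() now fires only when FORWARD_REMOTE is clear, but the message still reads as a blanket denial, so an operator tracing why a remote forward failed under a "local"-only setting sees the same text as for "no". `debug("Remote port forwarding not permitted.");` would name the actual cause without changing the decision. do_authenticated1() begins and ends outside the hunk.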
diff --git a/ChangeLog b/ChangeLog
index 9f6fc7058..f9f2166b1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@
    des.no
  - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
    Add a usleep replacement for platforms that lack it; ok dtucker
+ - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to
+   occur after UID switch; patch from John Marshall via des AT des.no;
+   ok dtucker@
 
 20120312
  - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh]
diff --git a/session.c b/session.c
index 643e7fc59..19eaa20c3 100644
--- a/session.c
+++ b/session.c
@@ -1520,6 +1520,11 @@ do_setusercontext(struct passwd *pw)
 			perror("unable to set user context (setuser)");
 			exit(1);
 		}
+		/*
+		 * FreeBSD's setusercontext() will not apply the user's
+		 * own umask setting unless running with the user's UID.
+		 */
+		(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);
 #else
 		/* Permanently switch to the desired uid. */
 		permanently_set_uid(pw);
-- 
cgit v1.2.3
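Review bot: The added `(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);` discards the result without saying why, while the setusercontext() call a few lines above in the same function treats failure as fatal with `perror(...)`/`exit(1)`. A silent failure here leaves the session running with the pre-switch umask, which is exactly the condition the commit sets out to fix, so if a LOGIN_SETUMASK-only call can fail it should at least be reported: `if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK) < 0)` followed by the same `perror`/`exit(1)` pair, or a `debug()` if a non-fatal outcome is intended. If the call is known not to fail in this form, the comment block should record that so the cast is not mistaken for an oversight. The enclosing `#ifdef` branch (apparently the login_cap one, given the `#else` that follows) and do_setusercontext() itself begin outside the hunk.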