From 3fcf1a22b52ed8e66d2cf548d5d4528f67377af9 Mon Sep 17 00:00:00 2001
From: Ben Lindstrom
Date: Sun, 8 Apr 2001 18:26:59 +0000
Subject: - markus@cvs.openbsd.org 2001/04/06 21:00:17 [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth2.c channels.c session.c ssh.c sshconnect.c sshconnect.h uidswap.c uidswap.h] do gid/groups-swap in addition to uid-swap, should help if /home/group is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks to olar@openwall.com is comments. we had many requests for this.
---
 ssh.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)
(limited to 'ssh.c')
diff --git a/ssh.c b/ssh.c
index 278e7eda4..294bcf39d 100644
--- a/ssh.c
+++ b/ssh.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.106 2001/04/05 21:05:24 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.107 2001/04/06 21:00:13 markus Exp $");
 #include
 #include
@@ -265,6 +265,15 @@ main(int ac, char **av)
 fatal("setrlimit failed: %.100s", strerror(errno));
 }
 #endif
+ /* Get user data. */
+ pw = getpwuid(original_real_uid);
+ if (!pw) {
+ log("You don't exist, go away!");
+ exit(1);
+ }
+ /* Take a copy of the returned structure. */
+ pw = pwcopy(pw);
+
 /*
 * Use uid-swapping to give up root privileges for the duration of
 * option processing. We will re-instantiate the rights when we are
@@ -272,7 +281,7 @@ main(int ac, char **av)
 * them when the port has been created (actually, when the connection
 * has been made, as we may need to create the port several times).
 */
- temporarily_use_uid(original_real_uid);
+ temporarily_use_uid(pw);
 /*
 * Set our umask to something reasonable, as some files are created
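Review bot: In the hunk at -265,6 the passwd lookup now sits ahead of the privilege drop and every later privilege call takes `pw`, but the comments do not record that ordering constraint; a later edit that moves the block back below `temporarily_use_uid(pw)` would hand that call a pointer that has not been filled in yet. I would extend the first comment to `/* Get user data; must run before temporarily_use_uid(pw), which needs the gid as well as the uid. */`. The lookup and `pwcopy()` also now run before privileges are given up, so the result of `pwcopy(pw)` deserves the same NULL check as `getpwuid()` unless it is known to abort on allocation failure, which is not visible on this page. main() starts and ends outside the hunk.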
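Review bot: In the hunk at -272,7 the comment above the call still describes "uid-swapping" only, while `temporarily_use_uid(pw)` is now meant to swap the gid and groups as well (per the commit message), so the comment understates which privileges are given up and later restored. I would reword its opening line to `* Use uid/gid-swapping to give up root privileges for the duration of`; that line sits in the previous hunk's trailing context, the comment only ends in this hunk. uidswap.c is not shown here, so whether the group changes are checked for failure cannot be confirmed from this page.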
@@ -545,15 +554,6 @@ main(int ac, char **av)
 tty_flag = 0;
 }
- /* Get user data. */
- pw = getpwuid(original_real_uid);
- if (!pw) {
- log("You don't exist, go away!");
- exit(1);
- }
- /* Take a copy of the returned structure. */
- pw = pwcopy(pw);
-
 /*
 * Initialize "log" output. Since we are the client all output
 * actually goes to stderr.
@@ -592,6 +592,7 @@ main(int ac, char **av)
 "originating port will not be trusted.");
 options.rhosts_authentication = 0;
 }
+
 /*
 * If using rsh has been selected, exec it now (without trying
 * anything else). Note that we must release privileges first.
@@ -604,7 +605,7 @@ main(int ac, char **av)
 restore_uid();
 /* Switch to the original uid permanently. */
- permanently_set_uid(original_real_uid);
+ permanently_set_uid(pw);
 /* Execute rsh. */
 rsh_connect(host, options.user, &command);
@@ -618,8 +619,7 @@ main(int ac, char **av)
 ok = ssh_connect(host, &hostaddr, options.port, options.connection_attempts, original_effective_uid != 0 || !options.use_privileged_port,
- original_real_uid,
- options.proxy_command);
+ pw, options.proxy_command);
 /*
 * If we successfully made the connection, load the host private key
@@ -646,7 +646,7 @@ main(int ac, char **av)
 * process, read the private hostkey and impersonate the host.
 * OpenBSD does not allow ptracing of setuid processes.
 */
- permanently_set_uid(original_real_uid);
+ permanently_set_uid(pw);
 /*
 * Now that we are back to our own permissions, create ~/.ssh
@@ -688,8 +688,7 @@ main(int ac, char **av)
 tilde_expand_filename(options.user_hostfile2, original_real_uid);
 /* Log into the remote system. This never returns if the login fails. */
- ssh_login(host_private_key, host, (struct sockaddr *)&hostaddr,
- original_real_uid);
+ ssh_login(host_private_key, host, (struct sockaddr *)&hostaddr, pw);
 /* We no longer need the host private key. Clear it now. */
 if (host_private_key != NULL)
--
cgit v1.2.3
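Review bot: In the hunk at -604,7 the drop before `rsh_connect()` is the last privilege change before another program is executed, and its comment still reads "Switch to the original uid permanently." although the call now takes `pw` in order to change gid and groups too (per the commit message). I would update it to `/* Switch to the original uid, gid and groups permanently. */` and state there that `permanently_set_uid()` must not return if any part of the drop fails; its body is outside this page, and a partial drop would leave rsh running with leftover group privileges. The same call in the hunk at -646,7 rests on the same assumption.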