summaryrefslogtreecommitdiff
path: root/sshconnect.c
diff options
context:
space:
mode:
authorBen Lindstrom <mouring@eviladmin.org>2002-06-11 16:37:51 +0000
committerBen Lindstrom <mouring@eviladmin.org>2002-06-11 16:37:51 +0000
commitf9c4884c8effe6dd78ab3ed4e42ed69c4a8652d0 (patch)
treebf92c1c3374176a70d0a2dd9ea23d97e13d5ee57 /sshconnect.c
parent8bb6f36c8fab33f7ca59b9c56e11d54caf36f965 (diff)
- markus@cvs.openbsd.org 2002/06/11 04:14:26
[ssh.c sshconnect.c sshconnect.h] no longer use uidswap.[ch] from the ssh client run less code with euid==0 if ssh is installed setuid root just switch the euid, don't switch the complete set of groups (this is only needed by sshd). ok provos@
Diffstat (limited to 'sshconnect.c')
-rw-r--r--sshconnect.c47
1 files changed, 16 insertions, 31 deletions
diff --git a/sshconnect.c b/sshconnect.c
index 651e3fcf..3a93a4fb 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.123 2002/06/09 22:17:21 itojun Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.124 2002/06/11 04:14:26 markus Exp $");
#include <openssl/bn.h>
@@ -36,8 +36,11 @@ RCSID("$OpenBSD: sshconnect.c,v 1.123 2002/06/09 22:17:21 itojun Exp $");
char *client_version_string = NULL;
char *server_version_string = NULL;
+/* import */
extern Options options;
extern char *__progname;
+extern uid_t original_real_uid;
+extern uid_t original_effective_uid;
#ifndef INET6_ADDRSTRLEN /* for non IPv6 machines */
#define INET6_ADDRSTRLEN 46
@@ -58,8 +61,7 @@ sockaddr_ntop(struct sockaddr *sa, socklen_t salen)
* Connect to the given ssh server using a proxy command.
*/
static int
-ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
- const char *proxy_command)
+ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
{
Buffer command;
const char *cp;
@@ -109,7 +111,8 @@ ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
char *argv[10];
/* Child. Permanently give up superuser privileges. */
- permanently_set_uid(pw);
+ seteuid(original_real_uid);
+ setuid(original_real_uid);
/* Redirect stdin and stdout. */
close(pin[1]);
@@ -159,7 +162,7 @@ ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
static int
-ssh_create_socket(struct passwd *pw, int privileged, int family)
+ssh_create_socket(int privileged, int family)
{
int sock, gaierr;
struct addrinfo hints, *res;
@@ -170,22 +173,18 @@ ssh_create_socket(struct passwd *pw, int privileged, int family)
*/
if (privileged) {
int p = IPPORT_RESERVED - 1;
+ PRIV_START;
sock = rresvport_af(&p, family);
+ PRIV_END;
if (sock < 0)
error("rresvport: af=%d %.100s", family, strerror(errno));
else
debug("Allocated local port %d.", p);
return sock;
}
- /*
- * Just create an ordinary socket on arbitrary port. We use
- * the user's uid to create the socket.
- */
- temporarily_use_uid(pw);
sock = socket(family, SOCK_STREAM, 0);
if (sock < 0)
error("socket: %.100s", strerror(errno));
- restore_uid();
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL)
@@ -215,9 +214,9 @@ ssh_create_socket(struct passwd *pw, int privileged, int family)
/*
* Opens a TCP/IP connection to the remote server on the given host.
* The address of the remote host will be returned in hostaddr.
- * If port is 0, the default port will be used. If anonymous is zero,
+ * If port is 0, the default port will be used. If needpriv is true,
* a privileged port will be allocated to make the connection.
- * This requires super-user privileges if anonymous is false.
+ * This requires super-user privileges if needpriv is true.
* Connection_attempts specifies the maximum number of tries (one per
* second). If proxy_command is non-NULL, it specifies the command (with %h
* and %p substituted for host and port, respectively) to use to contact
@@ -232,7 +231,7 @@ ssh_create_socket(struct passwd *pw, int privileged, int family)
int
ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
u_short port, int family, int connection_attempts,
- int anonymous, struct passwd *pw, const char *proxy_command)
+ int needpriv, const char *proxy_command)
{
int gaierr;
int on = 1;
@@ -248,8 +247,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
*/
int full_failure = 1;
- debug("ssh_connect: getuid %u geteuid %u anon %d",
- (u_int) getuid(), (u_int) geteuid(), anonymous);
+ debug("ssh_connect: needpriv %d", needpriv);
/* Get default port if port has not been set. */
if (port == 0) {
@@ -261,7 +259,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
}
/* If a proxy command is given, connect using it. */
if (proxy_command != NULL)
- return ssh_proxy_connect(host, port, pw, proxy_command);
+ return ssh_proxy_connect(host, port, proxy_command);
/* No proxy command. */
@@ -297,26 +295,14 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
host, ntop, strport);
/* Create a socket for connecting. */
- sock = ssh_create_socket(pw,
-#ifdef HAVE_CYGWIN
- !anonymous,
-#else
- !anonymous && geteuid() == 0,
-#endif
- ai->ai_family);
+ sock = ssh_create_socket(needpriv, ai->ai_family);
if (sock < 0)
/* Any error is already output */
continue;
- /* Connect to the host. We use the user's uid in the
- * hope that it will help with tcp_wrappers showing
- * the remote uid as root.
- */
- temporarily_use_uid(pw);
if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
/* Successful connection. */
memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
- restore_uid();
break;
} else {
if (errno == ECONNREFUSED)
@@ -324,7 +310,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
log("ssh: connect to address %s port %s: %s",
sockaddr_ntop(ai->ai_addr, ai->ai_addrlen),
strport, strerror(errno));
- restore_uid();
/*
* Close the failed socket; there appear to
* be some problems when reusing a socket for