summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/sshd.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssh/sshd.c')
-rw-r--r--crypto/openssh/sshd.c48
1 files changed, 37 insertions, 11 deletions
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index feea3ce..851fad4 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -42,7 +42,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.246 2002/06/20 23:05:56 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.251 2002/06/25 18:51:04 markus Exp $");
#include <openssl/dh.h>
#include <openssl/bn.h>
@@ -219,6 +219,7 @@ static void
close_listen_socks(void)
{
int i;
+
for (i = 0; i < num_listen_socks; i++)
close(listen_socks[i]);
num_listen_socks = -1;
@@ -228,6 +229,7 @@ static void
close_startup_pipes(void)
{
int i;
+
if (startup_pipes)
for (i = 0; i < options.max_startups; i++)
if (startup_pipes[i] != -1)
@@ -260,7 +262,8 @@ sighup_restart(void)
close_listen_socks();
close_startup_pipes();
execv(saved_argv[0], saved_argv);
- log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], strerror(errno));
+ log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
+ strerror(errno));
exit(1);
}
@@ -280,8 +283,8 @@ sigterm_handler(int sig)
static void
main_sigchld_handler(int sig)
{
- pid_t pid;
int save_errno = errno;
+ pid_t pid;
int status;
while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
@@ -341,6 +344,7 @@ static void
key_regeneration_alarm(int sig)
{
int save_errno = errno;
+
signal(SIGALRM, SIG_DFL);
errno = save_errno;
key_do_regen = 1;
@@ -372,7 +376,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
if (client_version_string == NULL) {
/* Send our protocol version identification. */
- if (atomicio(write, sock_out, server_version_string, strlen(server_version_string))
+ if (atomicio(write, sock_out, server_version_string,
+ strlen(server_version_string))
!= strlen(server_version_string)) {
log("Could not write ident string to %s", get_remote_ipaddr());
fatal_cleanup();
@@ -475,7 +480,6 @@ sshd_exchange_identification(int sock_in, int sock_out)
}
}
-
/* Destroy the host and server keys. They will no longer be needed. */
void
destroy_sensitive_data(void)
@@ -526,8 +530,9 @@ static void
privsep_preauth_child(void)
{
u_int32_t rand[256];
- int i;
+ gid_t gidset[2];
struct passwd *pw;
+ int i;
/* Enable challenge-response authentication for privilege separation */
privsep_challenge_enable();
@@ -555,7 +560,17 @@ privsep_preauth_child(void)
/* Drop our privileges */
debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
+#if 0
+ /* XXX not ready, to heavy after chroot */
do_setusercontext(pw);
+#else
+ gidset[0] = pw->pw_gid;
+ if (setgid(pw->pw_gid) < 0)
+ fatal("setgid failed for %u", pw->pw_gid );
+ if (setgroups(1, gidset) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
+ permanently_set_uid(pw);
+#endif
}
static Authctxt*
@@ -609,7 +624,11 @@ privsep_postauth(Authctxt *authctxt)
/* XXX - Remote port forwarding */
x_authctxt = authctxt;
+#ifdef BROKEN_FD_PASSING
+ if (1) {
+#else
if (authctxt->pw->pw_uid == 0 || options.use_login) {
+#endif
/* File descriptor passing is broken or root login */
monitor_apply_keystate(pmonitor);
use_privsep = 0;
@@ -683,6 +702,7 @@ Key *
get_hostkey_by_type(int type)
{
int i;
+
for (i = 0; i < options.num_host_key_files; i++) {
Key *key = sensitive_data.host_keys[i];
if (key != NULL && key->type == type)
@@ -703,6 +723,7 @@ int
get_hostkey_index(Key *key)
{
int i;
+
for (i = 0; i < options.num_host_key_files; i++) {
if (key == sensitive_data.host_keys[i])
return (i);
@@ -991,11 +1012,13 @@ main(int ac, char **av)
* hate software patents. I dont know if this can go? Niels
*/
if (options.server_key_bits >
- BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) - SSH_KEY_BITS_RESERVED &&
- options.server_key_bits <
- BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
+ BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) -
+ SSH_KEY_BITS_RESERVED && options.server_key_bits <
+ BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
+ SSH_KEY_BITS_RESERVED) {
options.server_key_bits =
- BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) + SSH_KEY_BITS_RESERVED;
+ BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
+ SSH_KEY_BITS_RESERVED;
debug("Forcing server key to %d bits to make it differ from host key.",
options.server_key_bits);
}
@@ -1012,6 +1035,9 @@ main(int ac, char **av)
(S_ISDIR(st.st_mode) == 0))
fatal("Missing privilege separation directory: %s",
_PATH_PRIVSEP_CHROOT_DIR);
+ if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+ fatal("Bad owner or mode for %s",
+ _PATH_PRIVSEP_CHROOT_DIR);
}
/* Configuration looks good, so exit if in test mode. */
@@ -1351,7 +1377,7 @@ main(int ac, char **av)
*/
#if 0
/* XXX: this breaks Solaris */
- if (setsid() < 0)
+ if (!debug_flag && !inetd_flag && setsid() < 0)
error("setsid: %.100s", strerror(errno));
#endif
OpenPOWER on IntegriCloud