From be0d4aa57315afcb114022d0e7d8dcc7a24ed94d Mon Sep 17 00:00:00 2001 From: dtucker Date: Wed, 18 Jul 2018 11:34:04 +0000 Subject: [PATCH] Remove support for running ssh(1) setuid and fatal if attempted. Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort, which will be marked as deprecated shortly. ok markus@ djm@ --- usr.bin/ssh/Makefile.inc | 3 +-- usr.bin/ssh/misc.c | 3 +-- usr.bin/ssh/readconf.c | 5 +--- usr.bin/ssh/readpass.c | 3 +-- usr.bin/ssh/ssh-keysign/Makefile | 3 ++- usr.bin/ssh/ssh.c | 40 ++++++-------------------------- usr.bin/ssh/sshconnect.c | 28 +++------------------- usr.bin/ssh/sshconnect.h | 21 +---------------- usr.bin/ssh/sshconnect2.c | 3 +-- usr.bin/ssh/sshd/Makefile | 4 ++-- usr.bin/ssh/uidswap.c | 10 +------- usr.bin/ssh/uidswap.h | 3 +-- 12 files changed, 22 insertions(+), 104 deletions(-) diff --git a/usr.bin/ssh/Makefile.inc b/usr.bin/ssh/Makefile.inc index 8e82c64af39..c568ffc079a 100644 --- a/usr.bin/ssh/Makefile.inc +++ b/usr.bin/ssh/Makefile.inc @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile.inc,v 1.59 2018/07/09 21:56:06 markus Exp $ +# $OpenBSD: Makefile.inc,v 1.60 2018/07/18 11:34:04 dtucker Exp $ .include @@ -110,7 +110,6 @@ SRCS_PROT+= ttymodes.c SRCS_UTL+= addrmatch.c SRCS_UTL+= match.c -SRCS_UTL+= uidswap.c .if (${OPENSSL:L} == "yes") SRCS_PKCS11+= ssh-pkcs11.c diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c index bcd1198b6ef..e2e1be9735a 100644 --- a/usr.bin/ssh/misc.c +++ b/usr.bin/ssh/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.129 2018/06/09 03:01:12 djm Exp $ */ +/* $OpenBSD: misc.c,v 1.130 2018/07/18 11:34:04 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -58,7 +58,6 @@ #include "ssh.h" #include "sshbuf.h" #include "ssherr.h" -#include "uidswap.h" /* remove newline at end of string */ char * diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index 53f56c6968f..3454608770c 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.292 2018/07/04 13:49:31 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.293 2018/07/18 11:34:04 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -483,9 +483,6 @@ execute_in_shell(const char *cmd) if ((pid = fork()) == 0) { char *argv[4]; - /* Child. Permanently give up superuser privileges. */ - permanently_drop_suid(original_real_uid); - /* Redirect child stdin and stdout. Leave stderr */ if (dup2(devnull, STDIN_FILENO) == -1) fatal("dup2: %s", strerror(errno)); diff --git a/usr.bin/ssh/readpass.c b/usr.bin/ssh/readpass.c index 9243a0e90c0..521a4cc10a6 100644 --- a/usr.bin/ssh/readpass.c +++ b/usr.bin/ssh/readpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readpass.c,v 1.51 2015/12/11 00:20:04 mmcc Exp $ */ +/* $OpenBSD: readpass.c,v 1.52 2018/07/18 11:34:04 dtucker Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -69,7 +69,6 @@ ssh_askpass(char *askpass, const char *msg) return NULL; } if (pid == 0) { - permanently_drop_suid(getuid()); close(p[0]); if (dup2(p[1], STDOUT_FILENO) < 0) fatal("ssh_askpass: dup2: %s", strerror(errno)); diff --git a/usr.bin/ssh/ssh-keysign/Makefile b/usr.bin/ssh/ssh-keysign/Makefile index 296fa440db4..ef3ea8f390d 100644 --- a/usr.bin/ssh/ssh-keysign/Makefile +++ b/usr.bin/ssh/ssh-keysign/Makefile @@ -1,9 +1,10 @@ -# $OpenBSD: Makefile,v 1.13 2018/01/08 15:37:38 markus Exp $ +# $OpenBSD: Makefile,v 1.14 2018/07/18 11:34:05 dtucker Exp $ .PATH: ${.CURDIR}/.. SRCS= ssh-keysign.c readconf.c SRCS+= atomicio.c cleanup.c fatal.c msg.c +SRCS+= uidswap.c SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_PKT} \ ${SRCS_UTL} PROG= ssh-keysign diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c index aeaae37936a..7192be01772 100644 --- a/usr.bin/ssh/ssh.c +++ b/usr.bin/ssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.486 2018/07/16 22:25:01 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.487 2018/07/18 11:34:04 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -94,7 +94,6 @@ #include "sshpty.h" #include "match.h" #include "msg.h" -#include "uidswap.h" #include "version.h" #include "ssherr.h" #include "myproposal.h" @@ -599,22 +598,11 @@ main(int ac, char **av) original_real_uid = getuid(); original_effective_uid = geteuid(); - /* - * Use uid-swapping to give up root privileges for the duration of - * option processing. We will re-instantiate the rights when we are - * ready to create the privileged port, and will permanently drop - * them when the port has been created (actually, when the connection - * has been made, as we may need to create the port several times). - */ - PRIV_END; - - /* If we are installed setuid root be careful to not drop core. */ - if (original_real_uid != original_effective_uid) { - struct rlimit rlim; - rlim.rlim_cur = rlim.rlim_max = 0; - if (setrlimit(RLIMIT_CORE, &rlim) < 0) - fatal("setrlimit failed: %.100s", strerror(errno)); - } + if (getuid() != geteuid()) + fatal("ssh setuid not supported."); + if (getgid() != getegid()) + fatal("ssh setgid not supported."); + /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { @@ -1414,22 +1402,8 @@ main(int ac, char **av) L_PUBKEY(_PATH_HOST_XMSS_KEY_FILE, 9); } } - /* - * Get rid of any extra privileges that we may have. We will no - * longer need them. Also, extra privileges could make it very hard - * to read identity files and other non-world-readable files from the - * user's home directory if it happens to be on a NFS volume where - * root is mapped to nobody. - */ - if (original_effective_uid == 0) { - PRIV_START; - permanently_set_uid(pw); - } - /* - * Now that we are back to our own permissions, create ~/.ssh - * directory if it doesn't already exist. - */ + /* Create ~/.ssh * directory if it doesn't already exist. */ if (config == NULL) { r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index 6c818910978..f3a6718de63 100644 --- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.300 2018/07/11 18:53:29 markus Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.301 2018/07/18 11:34:04 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -40,7 +40,6 @@ #include "ssh.h" #include "sshbuf.h" #include "packet.h" -#include "uidswap.h" #include "compat.h" #include "sshkey.h" #include "sshconnect.h" @@ -117,9 +116,6 @@ ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host, u_short port, if ((pid = fork()) == 0) { char *argv[10]; - /* Child. Permanently give up superuser privileges. */ - permanently_drop_suid(original_real_uid); - close(sp[1]); /* Redirect stdin and stdout. */ if (sp[0] != 0) { @@ -199,9 +195,6 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, if ((pid = fork()) == 0) { char *argv[10]; - /* Child. Permanently give up superuser privileges. */ - permanently_drop_suid(original_real_uid); - /* Redirect stdin and stdout. */ close(pin[1]); if (pin[0] != 0) { @@ -327,7 +320,7 @@ check_ifaddrs(const char *ifname, int af, const struct ifaddrs *ifaddrs, static int ssh_create_socket(int privileged, struct addrinfo *ai) { - int sock, r, oerrno; + int sock, r; struct sockaddr_storage bindaddr; socklen_t bindaddrlen = 0; struct addrinfo hints, *res = NULL; @@ -388,22 +381,7 @@ ssh_create_socket(int privileged, struct addrinfo *ai) ssh_gai_strerror(r)); goto fail; } - /* - * If we are running as root and want to connect to a privileged - * port, bind our own socket to a privileged port. - */ - if (privileged) { - PRIV_START; - r = bindresvport_sa(sock, - bindaddrlen == 0 ? NULL : (struct sockaddr *)&bindaddr); - oerrno = errno; - PRIV_END; - if (r < 0) { - error("bindresvport_sa %s: %s", ntop, - strerror(oerrno)); - goto fail; - } - } else if (bind(sock, (struct sockaddr *)&bindaddr, bindaddrlen) != 0) { + if (bind(sock, (struct sockaddr *)&bindaddr, bindaddrlen) != 0) { error("bind %s: %s", ntop, strerror(errno)); goto fail; } diff --git a/usr.bin/ssh/sshconnect.h b/usr.bin/ssh/sshconnect.h index 6bba62ad0a4..05a1fb327bb 100644 --- a/usr.bin/ssh/sshconnect.h +++ b/usr.bin/ssh/sshconnect.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.h,v 1.33 2018/07/16 11:05:41 dtucker Exp $ */ +/* $OpenBSD: sshconnect.h,v 1.34 2018/07/18 11:34:04 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -57,22 +57,3 @@ void ssh_put_password(char *); int ssh_local_cmd(const char *); void maybe_add_key_to_agent(char *, const struct sshkey *, char *, char *); - -/* - * Macros to raise/lower permissions. - */ -#define PRIV_START do { \ - int save_errno = errno; \ - if (seteuid(original_effective_uid) != 0) \ - fatal("PRIV_START: seteuid: %s", \ - strerror(errno)); \ - errno = save_errno; \ -} while (0) - -#define PRIV_END do { \ - int save_errno = errno; \ - if (seteuid(original_real_uid) != 0) \ - fatal("PRIV_END: seteuid: %s", \ - strerror(errno)); \ - errno = save_errno; \ -} while (0) diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c index bfc0f336f4d..4e5e95dd9d1 100644 --- a/usr.bin/ssh/sshconnect2.c +++ b/usr.bin/ssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.281 2018/07/16 11:05:41 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.282 2018/07/18 11:34:04 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1804,7 +1804,6 @@ ssh_keysign(struct sshkey *key, u_char **sigp, size_t *lenp, if (pid == 0) { /* keep the socket on exec */ fcntl(sock, F_SETFD, 0); - permanently_drop_suid(getuid()); close(from[0]); if (dup2(from[1], STDOUT_FILENO) < 0) fatal("%s: dup2: %s", __func__, strerror(errno)); diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile index 787e515cc19..c8ad0a11149 100644 --- a/usr.bin/ssh/sshd/Makefile +++ b/usr.bin/ssh/sshd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.97 2018/07/11 18:53:29 markus Exp $ +# $OpenBSD: Makefile,v 1.98 2018/07/18 11:34:05 dtucker Exp $ .PATH: ${.CURDIR}/.. @@ -8,7 +8,7 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c sshpty.c sshlogin.c servconf.c \ auth2-none.c auth2-passwd.c auth2-pubkey.c monitor.c monitor_wrap.c \ sftp-server.c sftp-common.c sandbox-pledge.c SRCS+= atomicio.c authfd.c compat.c dns.c fatal.c \ - hostfile.c msg.c readpass.c utf8.c + hostfile.c msg.c readpass.c utf8.c uidswap.c SRCS+= ${SRCS_BASE} ${SRCS_KEX} ${SRCS_KEXS} ${SRCS_KEY} ${SRCS_KEYP} \ ${SRCS_KRL} ${SRCS_PROT} ${SRCS_PKT} ${SRCS_UTL} ${SRCS_PKCS11} diff --git a/usr.bin/ssh/uidswap.c b/usr.bin/ssh/uidswap.c index 23e8f47cac9..03ed375e987 100644 --- a/usr.bin/ssh/uidswap.c +++ b/usr.bin/ssh/uidswap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uidswap.c,v 1.40 2018/06/15 07:01:11 djm Exp $ */ +/* $OpenBSD: uidswap.c,v 1.41 2018/07/18 11:34:04 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -127,11 +127,3 @@ permanently_set_uid(struct passwd *pw) if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) fatal("setresuid %u: %s", (u_int)pw->pw_uid, strerror(errno)); } - -void -permanently_drop_suid(uid_t uid) -{ - debug("permanently_drop_suid: %u", (u_int)uid); - if (setresuid(uid, uid, uid) != 0) - fatal("setresuid %u: %s", (u_int)uid, strerror(errno)); -} diff --git a/usr.bin/ssh/uidswap.h b/usr.bin/ssh/uidswap.h index 1c1163d7545..4ac91aa0471 100644 --- a/usr.bin/ssh/uidswap.h +++ b/usr.bin/ssh/uidswap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: uidswap.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: uidswap.h,v 1.14 2018/07/18 11:34:05 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -15,4 +15,3 @@ void temporarily_use_uid(struct passwd *); void restore_uid(void); void permanently_set_uid(struct passwd *); -void permanently_drop_suid(uid_t); -- 2.20.1