author | Damien Miller <djm@cvs.openbsd.org> | 2024-05-17 00:30:25 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2024-05-17 00:30:25 +0000 |
commit | 2c87a6032f7ec6066283b7550d947561a47cac6c (patch) | |
tree | cf440344524115f50b312535e60a4f2bdfc52ac8 /usr.bin/ssh/serverloop.c | |
parent | 047b0d2e6070784d0516688b40c02107e6eb1451 (diff) |
Start the process of splitting sshd into separate binaries. This step
splits sshd into a listener and a session binary. More splits are
planned.
After this change, the listener binary will validate the configuration,
load the hostkeys, listen on port 22 and manage MaxStartups only. All
session handling will be performed by a new sshd-session binary that the
listener fork+execs.
This reduces the listener process to the minimum necessary and sets us
up for future work on the sshd-session binary.
feedback/ok markus@ deraadt@
NB. if you're updating via source, please restart sshd after installing,
otherwise you run the risk of locking yourself out.
Diffstat (limited to 'usr.bin/ssh/serverloop.c')
-rw-r--r-- | usr.bin/ssh/serverloop.c | 44 |
1 files changed, 4 insertions, 40 deletions
diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c
index 2e3101ebf7e..689d21e5263 100644
--- a/usr.bin/ssh/serverloop.c
+++ b/usr.bin/ssh/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.239 2024/05/17 00:30:24 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -80,32 +80,17 @@ extern ServerOptions options; /* XXX */
 extern Authctxt *the_authctxt;
 extern struct sshauthopt *auth_opts;
-extern int use_privsep;
 static int no_more_sessions = 0; /* Disallow further sessions. */
 static volatile sig_atomic_t child_terminated = 0; /* The child has terminated. */
-/* Cleanup on signals (!use_privsep case only) */
-static volatile sig_atomic_t received_sigterm = 0;
-
 /* prototypes */
 static void server_init_dispatch(struct ssh *);
 /* requested tunnel forwarding interface(s), shared with session.c */
 char *tun_fwd_ifnames = NULL;
-/* returns 1 if bind to specified port by specified user is permitted */
-static int
-bind_permitted(int port, uid_t uid)
-{
- if (use_privsep)
- return 1; /* allow system to decide */
- if (port < IPPORT_RESERVED && uid != 0)
- return 0;
- return 1;
-}
-
 static void
 sigchld_handler(int sig)
 {
@@ -113,12 +98,6 @@ sigchld_handler(int sig)
 }
 static void
-sigterm_handler(int sig)
-{
- received_sigterm = sig;
-}
-
-static void
 client_alive_check(struct ssh *ssh)
 {
 char remote_id[512];
@@ -348,12 +327,6 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
 connection_in = ssh_packet_get_connection_in(ssh);
 connection_out = ssh_packet_get_connection_out(ssh);
- if (!use_privsep) {
- ssh_signal(SIGTERM, sigterm_handler);
- ssh_signal(SIGINT, sigterm_handler);
- ssh_signal(SIGQUIT, sigterm_handler);
- }
-
 server_init_dispatch(ssh);
 for (;;) {
@@ -377,12 +350,6 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
 if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
 error_f("osigset sigprocmask: %s", strerror(errno));
- if (received_sigterm) {
- logit("Exiting on signal %d", (int)received_sigterm);
- /* Clean up sessions, utmp, etc. */
- cleanup_exit(255);
- }
-
 channel_after_poll(ssh, pfd, npfd_active);
 if (conn_in_ready && process_input(ssh, connection_in) < 0)
@@ -492,7 +459,7 @@ server_request_direct_streamlocal(struct ssh *ssh)
 /* XXX fine grained permissions */
 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
 auth_opts->permit_port_forwarding_flag &&
- !options.disable_forwarding && (pw->pw_uid == 0 || use_privsep)) {
+ !options.disable_forwarding) {
 c = channel_connect_to_path(ssh, target,
 "direct-streamlocal@openssh.com", "direct-streamlocal");
 } else {
@@ -781,9 +748,7 @@ server_input_global_request(int type, u_int32_t seq, struct ssh *ssh)
 (options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
 !auth_opts->permit_port_forwarding_flag ||
 options.disable_forwarding ||
- (!want_reply && fwd.listen_port == 0) ||
- (fwd.listen_port != 0 &&
- !bind_permitted(fwd.listen_port, pw->pw_uid))) {
+ (!want_reply && fwd.listen_port == 0)) {
 success = 0;
 ssh_packet_send_debug(ssh, "Server has disabled port forwarding.");
 } else {
@@ -816,8 +781,7 @@ server_input_global_request(int type, u_int32_t seq, struct ssh *ssh)
 /* check permissions */
 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 ||
 !auth_opts->permit_port_forwarding_flag ||
- options.disable_forwarding ||
- (pw->pw_uid != 0 && !use_privsep)) {
+ options.disable_forwarding) {
 success = 0;
 ssh_packet_send_debug(ssh, "Server has disabled "
 "streamlocal forwarding."); |
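Review bot: The simplified permission condition for tcpip-forward in server_input_global_request (and likewise the streamlocal condition in the hunk that follows and the one in server_request_direct_streamlocal) no longer carries any rationale for why a non-root user may request a listener below IPPORT_RESERVED or a streamlocal forward; the removed `bind_permitted` helper recorded that under privilege separation the system is left to decide, and with `use_privsep` gone nothing in this file states that this is now the only mode. I would keep that rationale at the first of these conditions, e.g. `/* privilege separation is always in use; the system decides whether the bind itself is permitted */`. If `pw` in these functions was read only by the removed clauses it may now be an unused variable, which cannot be seen from the hunks. Both enclosing functions start outside their hunks.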