author | Darren Tucker <dtucker@cvs.openbsd.org> | 2016-10-23 22:04:06 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@cvs.openbsd.org> | 2016-10-23 22:04:06 +0000 |
commit | a66befdfb5c63f511ccbf4392a52e8814321abd4 (patch) | |
tree | c058becbfc5906571466ef4d96800171d9de5551 /usr.bin | |
parent | 14d74a64eb6829aa7a909f39670d651e78e1b7db (diff) |
Factor out "can bind to low ports" check into its own function. This will make
it easier for Portable to support platforms with permissions models other than
uid==0 (eg bz#2625). ok djm@, "doesn't offend me too much" deraadt@.
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/misc.c | 10 | ||||
-rw-r--r-- | usr.bin/ssh/misc.h | 3 | ||||
-rw-r--r-- | usr.bin/ssh/readconf.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/serverloop.c | 6 |
4 files changed, 16 insertions, 7 deletions
diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c
index 0856543e5d7..578ddef1097 100644
--- a/usr.bin/ssh/misc.c
+++ b/usr.bin/ssh/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.105 2016/07/15 00:24:30 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.106 2016/10/23 22:04:05 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -1179,3 +1179,11 @@ forward_equals(const struct Forward *a, const struct Forward *b)
 	return 1;
 }
 
+/* returns 1 if bind to specified port by specified user is permitted */
+int
+bind_permitted(int port, uid_t uid)
+{
+	if (port < IPPORT_RESERVED && uid != 0)
+		return 0;
+	return 1;
+}
diff --git a/usr.bin/ssh/misc.h b/usr.bin/ssh/misc.h
index 24b8fcd252c..45c9ea68a7d 100644
--- a/usr.bin/ssh/misc.h
+++ b/usr.bin/ssh/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.59 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: misc.h,v 1.60 2016/10/23 22:04:05 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -30,6 +30,7 @@ struct Forward {
 };
 
 int forward_equals(const struct Forward *, const struct Forward *);
+int bind_permitted(int, uid_t);
 
 /* Common server and client forwarding options. */
 struct ForwardOptions {
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 7c7029a2585..9c163865c28 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.260 2016/08/25 23:56:51 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.261 2016/10/23 22:04:05 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
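Review bot: The comment on the new bind_permitted() in misc.c states only the return value, but the commit message says Portable will swap in other privilege models here, so the contract callers depend on should be written down at the definition: every port below IPPORT_RESERVED is treated as privileged, including 0 and negative values, which the body does not special-case, and the uid argument is whatever identity the caller wants policy applied to (this commit passes original_real_uid from the client and pw->pw_uid from the server). A caller that accepts a wildcard port therefore has to exclude 0 before calling, as the serverloop.c hunk does with `fwd.listen_port != 0 &&`. Suggested replacement comment: `/* Return 1 if a user with uid may bind to port, else 0. Ports below IPPORT_RESERVED (including 0) require uid 0 here; callers that allow a wildcard port must exclude 0 first. Portable may substitute another privilege model. */`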
@@ -297,7 +297,7 @@ add_local_forward(Options *options, const struct Forward *newfwd)
 	extern uid_t original_real_uid;
 	int i;
 
-	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
+	if (bind_permitted(newfwd->listen_port, original_real_uid) &&
 	    newfwd->listen_path == NULL)
 		fatal("Privileged ports can only be forwarded by root.");
 	/* Don't add duplicates */
diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c
index 53e9de64e6f..15d7d400265 100644
--- a/usr.bin/ssh/serverloop.c
+++ b/usr.bin/ssh/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.186 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -712,8 +712,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 	if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
 	    no_port_forwarding_flag ||
 	    (!want_reply && fwd.listen_port == 0) ||
-	    (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
-	    pw->pw_uid != 0)) {
+	    (fwd.listen_port != 0 &&
+	    !bind_permitted(fwd.listen_port, pw->pw_uid))) {
 		success = 0;
 		packet_send_debug("Server has disabled port forwarding.");
 	} else {
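Review bot: The new condition in add_local_forward is inverted: bind_permitted() as added in misc.c returns 1 when the bind is allowed, so the replacement line calls fatal() precisely when the forward is permitted, and a non-root listen_port below IPPORT_RESERVED with listen_path == NULL now passes the check instead of aborting. The removed line tested the negative case (port < IPPORT_RESERVED && uid != 0), and the serverloop.c hunk in this same commit negates the helper correctly; this call should match it, `if (!bind_permitted(newfwd->listen_port, original_real_uid) &&`. As committed, every unprivileged local forward on a port of 1024 or above would die with "Privileged ports can only be forwarded by root." (the kernel would presumably still refuse the low-port bind, so the effect is mainly functional rather than a privilege bypass, but the client-side policy check is gone). The body of add_local_forward begins before this hunk.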