[openssh-commits] [openssh] 02/02: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Oct 24 10:43:28 AEDT 2016


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 1c4ef0b808d3d38232aeeb1cebb7e9a43def42c5
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date:   Sun Oct 23 22:04:05 2016 +0000

    upstream commit
    
    Factor out "can bind to low ports" check into its own function.  This will
    make it easier for Portable to support platforms with permissions models
    other than uid==0 (eg bz#2625).  ok djm@, "doesn't offend me too much"
    deraadt at .
    
    Upstream-ID: 86213df4183e92b8f189a6d2dac858c994bfface
---
 misc.c       | 10 +++++++++-
 misc.h       |  3 ++-
 readconf.c   |  4 ++--
 serverloop.c |  6 +++---
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/misc.c b/misc.c
index 9421b4d..07d4179 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.105 2016/07/15 00:24:30 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.106 2016/10/23 22:04:05 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller.  All rights reserved.
@@ -1243,3 +1243,11 @@ forward_equals(const struct Forward *a, const struct Forward *b)
 	return 1;
 }
 
+/* returns 1 if bind to specified port by specified user is permitted */
+int
+bind_permitted(int port, uid_t uid)
+{
+	if (port < IPPORT_RESERVED && uid != 0)
+		return 0;
+	return 1;
+}
diff --git a/misc.h b/misc.h
index 8f95419..3578e8e 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.59 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: misc.h,v 1.60 2016/10/23 22:04:05 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -30,6 +30,7 @@ struct Forward {
 };
 
 int forward_equals(const struct Forward *, const struct Forward *);
+int bind_permitted(int, uid_t);
 
 /* Common server and client forwarding options. */
 struct ForwardOptions {
diff --git a/readconf.c b/readconf.c
index 351a22c..1be5648 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.260 2016/08/25 23:56:51 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.261 2016/10/23 22:04:05 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -312,7 +312,7 @@ add_local_forward(Options *options, const struct Forward *newfwd)
 	extern uid_t original_real_uid;
 	int i;
 
-	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
+	if (bind_permitted(newfwd->listen_port, original_real_uid) &&
 	    newfwd->listen_path == NULL)
 		fatal("Privileged ports can only be forwarded by root.");
 	/* Don't add duplicates */
diff --git a/serverloop.c b/serverloop.c
index 87e619f..4a9a16d 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.186 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: serverloop.c,v 1.187 2016/10/23 22:04:05 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -724,8 +724,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
 		    no_port_forwarding_flag ||
 		    (!want_reply && fwd.listen_port == 0) ||
-		    (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
-		    pw->pw_uid != 0)) {
+		    (fwd.listen_port != 0 &&
+		     !bind_permitted(fwd.listen_port, pw->pw_uid))) {
 			success = 0;
 			packet_send_debug("Server has disabled port forwarding.");
 		} else {

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list