[openssh-commits] [openssh] 01/01: Don't check privsep user or path when unprivileged

git+noreply at mindrot.org
Wed Mar 29 12:45:10 AEDT 2017


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit d13281f2964abc5f2e535e1613c77fc61b0c53e7
Author: Darren Tucker <dtucker at zip.com.au>
Date:   Wed Mar 29 12:39:39 2017 +1100

    Don't check privsep user or path when unprivileged
    
    If running with privsep (mandatory now) as a non-privileged user, we
    don't chroot or change to an unprivileged user; however, we still checked
    the existence of the user and directory.  Don't do those checks if we're
    not going to use them.  Based in part on a patch from Lionel Fourquaux
    via Corinna Vinschen, ok djm@
---
 sshd.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sshd.c b/sshd.c
index 010a2c3..197c4ec 100644
--- a/sshd.c
+++ b/sshd.c
@@ -223,6 +223,7 @@ int startup_pipe;		/* in child */
 int use_privsep = -1;
 struct monitor *pmonitor = NULL;
 int privsep_is_preauth = 1;
+static int privsep_chroot = 1;
 
 /* global authentication context */
 Authctxt *the_authctxt = NULL;
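Review bot: the new `static int privsep_chroot = 1;` is the only one of the four privsep globals with no explanation, and its initial value matters: it is overwritten in main() before use, but initialising it to 1 means that if a future call path ever reached privsep_preauth_child() before that assignment, the chroot() would still be attempted and fail loudly for a non-root process rather than silently skipping the sandbox. That fail-closed intent is worth recording, e.g. `static int privsep_chroot = 1;	/* chroot/drop privs in privsep child; set in main() */`, so nobody later "fixes" the default to 0.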
@@ -541,7 +542,7 @@ privsep_preauth_child(void)
 	demote_sensitive_data();
 
 	/* Demote the child */
-	if (getuid() == 0 || geteuid() == 0) {
+	if (privsep_chroot) {
 		/* Change our root directory */
 		if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
 			fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
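Review bot: replacing `getuid() == 0 || geteuid() == 0` with `privsep_chroot` moves the uid test from the child to sshd startup in main(); that is equivalent only as long as nothing changes the process uid between the assignment in main() and this fork, so a one-line comment above the `if (privsep_chroot)` noting that the decision was taken at startup would help the next reader. Please also confirm that the same branch still covers the setgroups/setuid demotion that follows the chroot (not visible in this hunk), since the commit message says both the chroot and the user change are skipped together when unprivileged.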
@@ -1640,8 +1641,9 @@ main(int ac, char **av)
 	);
 
 	/* Store privilege separation user for later use if required. */
+	privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
-		if (use_privsep || options.kerberos_authentication)
+		if (privsep_chroot || options.kerberos_authentication)
 			fatal("Privilege separation user %s does not exist",
 			    SSH_PRIVSEP_USER);
 	} else {
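Review bot: with `if (privsep_chroot || options.kerberos_authentication)` gating the fatal(), an unprivileged sshd with no SSH_PRIVSEP_USER account now continues with `privsep_pw == NULL`, so every later consumer of privsep_pw that used to rely on "use_privsep implies privsep_pw is set" needs checking for a NULL dereference; the `else` branch that stores it is the place to verify. The comment `/* Store privilege separation user for later use if required. */` now sits above the new `privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);` line and should be extended to say that this flag records whether the child will chroot and drop privileges at all.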
@@ -1767,7 +1769,7 @@ main(int ac, char **av)
 		    key_type(key));
 	}
 
-	if (use_privsep) {
+	if (privsep_chroot) {
 		struct stat st;
 
 		if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
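Review bot: changing the guard from `use_privsep` to `privsep_chroot` means the existence and ownership check of _PATH_PRIVSEP_CHROOT_DIR is skipped entirely when sshd is not running as root, so a misconfigured chroot directory will only be noticed once the daemon is started privileged; consider a `debug()` in the unprivileged case stating that the chroot directory check (and the sandbox it implies) is not in effect, so that an unprivileged test run does not look identical to a fully sandboxed one in the logs.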
