[openssh-commits] [openssh] 01/01: upstream: Deprecate UsePrivilegedPort now that support for running

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Jul 19 21:44:28 AEST 2018



djm pushed a commit to branch master
in repository openssh.

commit 95d41e90eafcd1286a901e8e361e4a37b98aeb52
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date:   Thu Jul 19 10:28:47 2018 +0000

    upstream: Deprecate UsePrivilegedPort now that support for running
    
    ssh(1) setuid has been removed, remove supporting code and clean up
    references to it in the man pages
    
    We have not shipped ssh(1) with the setuid bit since 2002.  If anyone
    really needs to make connections from a low port number this can
    be implemented via a small setuid ProxyCommand.
    
    ok markus@ jmc@ djm@
    
    OpenBSD-Commit-ID: d03364610b7123ae4c6792f5274bd147b6de717e
---
 readconf.c   | 12 ++----------
 readconf.h   |  3 +--
 scp.1        |  5 ++---
 sftp.1       |  5 ++---
 ssh.1        |  5 ++---
 ssh.c        | 10 ++--------
 ssh_config.5 | 23 ++---------------------
 sshconnect.c | 24 ++++++++++--------------
 sshconnect.h |  4 ++--
 9 files changed, 25 insertions(+), 66 deletions(-)

diff --git a/readconf.c b/readconf.c
index f40eb380..ce832526 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.293 2018/07/18 11:34:04 dtucker Exp $ */
+/* $OpenBSD: readconf.c,v 1.294 2018/07/19 10:28:47 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -190,6 +190,7 @@ static struct {
 	{ "userknownhostsfile2", oDeprecated },
 	{ "useroaming", oDeprecated },
 	{ "usersh", oDeprecated },
+	{ "useprivilegedport", oDeprecated },
 
 	/* Unsupported options */
 	{ "afstokenpassing", oUnsupported },
@@ -222,7 +223,6 @@ static struct {
 	{ "exitonforwardfailure", oExitOnForwardFailure },
 	{ "xauthlocation", oXAuthLocation },
 	{ "gatewayports", oGatewayPorts },
-	{ "useprivilegedport", oUsePrivilegedPort },
 	{ "passwordauthentication", oPasswordAuthentication },
 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -949,10 +949,6 @@ parse_time:
 		intptr = &options->exit_on_forward_failure;
 		goto parse_flag;
 
-	case oUsePrivilegedPort:
-		intptr = &options->use_privileged_port;
-		goto parse_flag;
-
 	case oPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
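Review bot: No hunk in this diff touches the OpCodes enum in readconf.c, so if `oUsePrivilegedPort` is still declared there it is left as an unreferenced enumerator once this parser case, the keyword-table entry in the hunk above and the dump_client_config line further down are gone. That compiles fine, but a dangling opcode invites someone to wire it back up or to miss it in a later cleanup; dropping it from the enum in the same commit would keep the deprecation self-contained. If an earlier commit already removed it, disregard this. The enclosing switch in process_config_line starts and ends outside the hunk.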
@@ -1822,7 +1818,6 @@ initialize_options(Options * options)
 	options->fwd_opts.gateway_ports = -1;
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
 	options->fwd_opts.streamlocal_bind_unlink = -1;
-	options->use_privileged_port = -1;
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
@@ -1964,8 +1959,6 @@ fill_default_options(Options * options)
 		options->fwd_opts.streamlocal_bind_mask = 0177;
 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
 		options->fwd_opts.streamlocal_bind_unlink = 0;
-	if (options->use_privileged_port == -1)
-		options->use_privileged_port = 0;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
 	if (options->challenge_response_authentication == -1)
@@ -2599,7 +2592,6 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
 	dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
 	dump_cfg_fmtint(oTunnel, o->tun_open);
-	dump_cfg_fmtint(oUsePrivilegedPort, o->use_privileged_port);
 	dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
 	dump_cfg_fmtint(oVisualHostKey, o->visual_host_key);
 	dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys);
diff --git a/readconf.h b/readconf.h
index d8595f07..c5688781 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.126 2018/06/09 03:01:12 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.127 2018/07/19 10:28:47 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -35,7 +35,6 @@ typedef struct {
 	int     exit_on_forward_failure;	/* Exit if bind(2) fails for -L/-R */
 	char   *xauth_location;	/* Location for xauth program */
 	struct ForwardOptions fwd_opts;	/* forwarding options */
-	int     use_privileged_port;	/* Don't use privileged port if false. */
 	int     pubkey_authentication;	/* Try ssh2 pubkey authentication. */
 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
 	int     challenge_response_authentication;
diff --git a/scp.1 b/scp.1
index be8309b2..92abcaf0 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.79 2018/06/09 06:36:31 jmc Exp $
+.\" $OpenBSD: scp.1,v 1.80 2018/07/19 10:28:47 dtucker Exp $
 .\"
-.Dd $Mdocdate: June 9 2018 $
+.Dd $Mdocdate: July 19 2018 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -177,7 +177,6 @@ For full details of the options listed below, and their possible values, see
 .It StrictHostKeyChecking
 .It TCPKeepAlive
 .It UpdateHostKeys
-.It UsePrivilegedPort
 .It User
 .It UserKnownHostsFile
 .It VerifyHostKeyDNS
diff --git a/sftp.1 b/sftp.1
index 1e21e202..2ae5e354 100644
--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.116 2018/06/09 06:36:31 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.117 2018/07/19 10:28:47 dtucker Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 9 2018 $
+.Dd $Mdocdate: July 19 2018 $
 .Dt SFTP 1
 .Os
 .Sh NAME
@@ -247,7 +247,6 @@ For full details of the options listed below, and their possible values, see
 .It StrictHostKeyChecking
 .It TCPKeepAlive
 .It UpdateHostKeys
-.It UsePrivilegedPort
 .It User
 .It UserKnownHostsFile
 .It VerifyHostKeyDNS
diff --git a/ssh.1 b/ssh.1
index 40b4bfb1..b20908a5 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.395 2018/06/09 06:36:31 jmc Exp $
-.Dd $Mdocdate: June 9 2018 $
+.\" $OpenBSD: ssh.1,v 1.396 2018/07/19 10:28:47 dtucker Exp $
+.Dd $Mdocdate: July 19 2018 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -535,7 +535,6 @@ For full details of the options listed below, and their possible values, see
 .It Tunnel
 .It TunnelDevice
 .It UpdateHostKeys
-.It UsePrivilegedPort
 .It User
 .It UserKnownHostsFile
 .It VerifyHostKeyDNS
diff --git a/ssh.c b/ssh.c
index 49a9fab2..a95d0cf9 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.487 2018/07/18 11:34:04 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.488 2018/07/19 10:28:47 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -733,7 +733,6 @@ main(int ac, char **av)
 				fatal("Invalid multiplex command.");
 			break;
 		case 'P':	/* deprecated */
-			options.use_privileged_port = 0;
 			break;
 		case 'Q':
 			cp = NULL;
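Review bot: `-P` is still accepted here but now falls straight to `break` with no output, so a caller that passes it gets no indication that the option no longer has any effect, whereas the ssh_config keyword at least goes through the oDeprecated path (which presumably reports it — not visible in this diff). A one-liner such as `debug("-P is deprecated and ignored.");` under `case 'P':	/* deprecated */`, or a comment stating that the flag is kept only so existing invocations keep working, would make the intent explicit to the next reader. main() begins and ends well outside this hunk.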
@@ -1236,10 +1235,6 @@ main(int ac, char **av)
 	}
 	if (options.connection_attempts <= 0)
 		fatal("Invalid number of ConnectionAttempts");
-#ifndef HAVE_CYGWIN
-	if (original_effective_uid != 0)
-		options.use_privileged_port = 0;
-#endif
 
 	if (sshbuf_len(command) != 0 && options.remote_command != NULL)
 		fatal("Cannot execute command-line and remote command.");
@@ -1376,8 +1371,7 @@ main(int ac, char **av)
 	/* Open a connection to the remote host. */
 	if (ssh_connect(ssh, host, addrs, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts,
-	    &timeout_ms, options.tcp_keep_alive,
-	    options.use_privileged_port) != 0)
+	    &timeout_ms, options.tcp_keep_alive) != 0)
  		exit(255);
 
 	if (addrs != NULL)
diff --git a/ssh_config.5 b/ssh_config.5
index df94d60d..0e5bb907 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.279 2018/07/04 13:49:31 djm Exp $
-.Dd $Mdocdate: July 4 2018 $
+.\" $OpenBSD: ssh_config.5,v 1.280 2018/07/19 10:28:47 dtucker Exp $
+.Dd $Mdocdate: July 19 2018 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -258,17 +258,9 @@ or
 Use the specified address on the local machine as the source address of
 the connection.
 Only useful on systems with more than one address.
-Note that this option does not work if
-.Cm UsePrivilegedPort
-is set to
-.Cm yes .
 .It Cm BindInterface
 Use the address of the specified interface on the local machine as the
 source address of the connection.
-Note that this option does not work if
-.Cm UsePrivilegedPort
-is set to
-.Cm yes .
 .It Cm CanonicalDomains
 When
 .Cm CanonicalizeHostname
@@ -1603,17 +1595,6 @@ Presently, only
 from OpenSSH 6.8 and greater support the
 .Qq hostkeys at openssh.com
 protocol extension used to inform the client of all the server's hostkeys.
-.It Cm UsePrivilegedPort
-Specifies whether to use a privileged port for outgoing connections.
-The argument must be
-.Cm yes
-or
-.Cm no
-(the default).
-If set to
-.Cm yes ,
-.Xr ssh 1
-must be setuid root.
 .It Cm User
 Specifies the user to log in as.
 This can be useful when a different user name is used on different machines.
diff --git a/sshconnect.c b/sshconnect.c
index 9fa95e1e..3f45e0ba 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.301 2018/07/18 11:34:04 dtucker Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.302 2018/07/19 10:28:47 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -330,10 +330,10 @@ check_ifaddrs(const char *ifname, int af, const struct ifaddrs *ifaddrs,
 #endif
 
 /*
- * Creates a (possibly privileged) socket for use as the ssh connection.
+ * Creates a ocket for use as the ssh connection.
  */
 static int
-ssh_create_socket(int privileged, struct addrinfo *ai)
+ssh_create_socket(struct addrinfo *ai)
 {
 	int sock, r;
 	struct sockaddr_storage bindaddr;
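Review bot: The rewritten header comment introduces a typo: `* Creates a ocket for use as the ssh connection.` should read `* Creates a socket for use as the ssh connection.`. Since this line is the only documentation on ssh_create_socket it is worth fixing before it is copied elsewhere. The function body continues past the end of this hunk.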
@@ -352,8 +352,7 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
 	fcntl(sock, F_SETFD, FD_CLOEXEC);
 
 	/* Bind the socket to an alternative local IP address */
-	if (options.bind_address == NULL && options.bind_interface == NULL &&
-	    !privileged)
+	if (options.bind_address == NULL && options.bind_interface == NULL)
 		return sock;
 
 	if (options.bind_address != NULL) {
@@ -492,9 +491,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
 /*
  * Opens a TCP/IP connection to the remote server on the given host.
  * The address of the remote host will be returned in hostaddr.
- * If port is 0, the default port will be used.  If needpriv is true,
- * a privileged port will be allocated to make the connection.
- * This requires super-user privileges if needpriv is true.
+ * If port is 0, the default port will be used.
  * Connection_attempts specifies the maximum number of tries (one per
  * second).  If proxy_command is non-NULL, it specifies the command (with %h
  * and %p substituted for host and port, respectively) to use to contact
@@ -503,14 +500,14 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
 static int
 ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
     struct sockaddr_storage *hostaddr, u_short port, int family,
-    int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv)
+    int connection_attempts, int *timeout_ms, int want_keepalive)
 {
 	int on = 1;
 	int oerrno, sock = -1, attempt;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 	struct addrinfo *ai;
 
-	debug2("%s: needpriv %d", __func__, needpriv);
+	debug2("%s", __func__);
 	memset(ntop, 0, sizeof(ntop));
 	memset(strport, 0, sizeof(strport));
 
@@ -542,7 +539,7 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
 				host, ntop, strport);
 
 			/* Create a socket for connecting. */
-			sock = ssh_create_socket(needpriv, ai);
+			sock = ssh_create_socket(ai);
 			if (sock < 0) {
 				/* Any error is already output */
 				errno = 0;
@@ -592,12 +589,11 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
 int
 ssh_connect(struct ssh *ssh, const char *host, struct addrinfo *addrs,
     struct sockaddr_storage *hostaddr, u_short port, int family,
-    int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv)
+    int connection_attempts, int *timeout_ms, int want_keepalive)
 {
 	if (options.proxy_command == NULL) {
 		return ssh_connect_direct(ssh, host, addrs, hostaddr, port,
-		    family, connection_attempts, timeout_ms, want_keepalive,
-		    needpriv);
+		    family, connection_attempts, timeout_ms, want_keepalive);
 	} else if (strcmp(options.proxy_command, "-") == 0) {
 		if ((ssh_packet_set_connection(ssh,
 		    STDIN_FILENO, STDOUT_FILENO)) == NULL)
diff --git a/sshconnect.h b/sshconnect.h
index 05a1fb32..890d8573 100644
--- a/sshconnect.h
+++ b/sshconnect.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.34 2018/07/18 11:34:04 dtucker Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.35 2018/07/19 10:28:47 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -34,7 +34,7 @@ struct addrinfo;
 struct ssh;
 
 int	 ssh_connect(struct ssh *, const char *, struct addrinfo *,
-	    struct sockaddr_storage *, u_short, int, int, int *, int, int);
+	    struct sockaddr_storage *, u_short, int, int, int *, int);
 void	 ssh_kill_proxy_command(void);
 
 void	 ssh_login(Sensitive *, const char *, struct sockaddr *, u_short,


