NeXT 3.3 vs openssh-2.5.1p1 (Couldn't restore privileges)
Damien Miller
djm at mindrot.org
Mon Feb 26 20:44:52 EST 2001
On Sun, 25 Feb 2001, Tim Rice wrote:
> See uidswap.c
>
> Have a look at this patch. It might work (it does run) but
> it might be doing the wrong thing security wise.
> I came up with this after looking at uidswap.c
>
> For SCO 3 and NeXT,
> #define SAVED_IDS_DO_NOT_WORK_WITH_SETEUID
Can you give this patch a try?
Index: ChangeLog
===================================================================
RCS file: /var/cvs/openssh/ChangeLog,v
retrieving revision 1.822
diff -u -r1.822 ChangeLog
--- ChangeLog 2001/02/25 23:20:40 1.822
+++ ChangeLog 2001/02/26 09:43:57
@@ -1,5 +1,7 @@
20010226
- (bal) Fixed bsd-snprinf.c so it now honors 'BROKEN_SNPRINTF' again.
+ - (djm) Some systems (SCO3, NeXT) have weird saved uid semantics.
+ Based on patch from Tim Rice <tim at multitalents.net>
20010225
- (djm) Use %{_libexecdir} rather than hardcoded path in RPM specfile
Index: acconfig.h
===================================================================
RCS file: /var/cvs/openssh/acconfig.h,v
retrieving revision 1.103
diff -u -r1.103 acconfig.h
--- acconfig.h 2001/02/24 21:41:10 1.103
+++ acconfig.h 2001/02/26 09:43:57
@@ -296,6 +296,9 @@
/* Define if X11 doesn't support AF_UNIX sockets on that system */
#undef NO_X11_UNIX_SOCKETS
+/* Needed for SCO and NeXT */
+#undef SAVED_IDS_WORK_WITH_SETEUID
+
@BOTTOM@
/* ******************* Shouldn't need to edit below this line ************** */
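Review bot: The comment on the new #undef, "Needed for SCO and NeXT", does not say what the macro asserts or which behaviour it selects. The name reads as "saved ids work with seteuid()", while the ChangeLog entry in this patch says these systems have weird saved uid semantics, so a reader of acconfig.h cannot tell whether defining it enables or disables the workaround. Suggest a comment that states the condition directly, for example that it is defined when seteuid() cannot be used to switch back to the saved uid, and a name that matches that meaning.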
Index: configure.in
===================================================================
RCS file: /var/cvs/openssh/configure.in,v
retrieving revision 1.253
diff -u -r1.253 configure.in
--- configure.in 2001/02/24 21:41:11 1.253
+++ configure.in 2001/02/26 09:43:57
@@ -152,6 +152,7 @@
AC_DEFINE(HAVE_NEXT)
AC_DEFINE(BROKEN_REALPATH)
AC_DEFINE(USE_PIPES)
+ AC_DEFINE(SAVED_IDS_WORK_WITH_SETEUID)
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
CFLAGS="$CFLAGS"
;;
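Review bot: Defining SAVED_IDS_WORK_WITH_SETEUID in this NeXT block (and in the two SCO blocks further down) looks inverted relative to the entropy.c hunk of this patch. There, the "#ifdef SAVED_IDS_WORK_WITH_SETEUID" branch wraps the unchanged seteuid()-only code and the "#else" branch holds the new setuid()/seteuid() sequence, so NeXT and SCO keep the old behaviour and every platform that does not define the macro gets the new path. The quoted suggestion was a define meaning saved ids do not work on these systems. Either rename the macro to the negative sense and keep the AC_DEFINE lines here, or keep the name and define it everywhere except these targets.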
@@ -238,6 +239,7 @@
AC_DEFINE(HAVE_SCO_PROTECTED_PW)
AC_DEFINE(DISABLE_SHADOW)
AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H)
+ AC_DEFINE(SAVED_IDS_WORK_WITH_SETEUID)
AC_CHECK_FUNCS(getluid setluid)
;;
*-*-sco3.2v5*)
@@ -252,6 +254,7 @@
AC_DEFINE(HAVE_SCO_PROTECTED_PW)
AC_DEFINE(DISABLE_SHADOW)
AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H)
+ AC_DEFINE(SAVED_IDS_WORK_WITH_SETEUID)
AC_CHECK_FUNCS(getluid setluid)
;;
*-dec-osf*)
Index: entropy.c
===================================================================
RCS file: /var/cvs/openssh/entropy.c,v
retrieving revision 1.29
diff -u -r1.29 entropy.c
--- entropy.c 2001/02/18 11:34:32 1.29
+++ entropy.c 2001/02/26 09:43:57
@@ -825,13 +825,34 @@
prng_seed_saved = 0;
/* Give up privs while reading seed file */
+#ifdef SAVED_IDS_WORK_WITH_SETEUID
if ((original_uid != original_euid) && (seteuid(original_uid) == -1))
fatal("Couldn't give up privileges");
+#else /* SAVED_IDS_WORK_WITH_SETEUID */
+ /*
+ * Propagate the privileged uid to all of our uids.
+ * Set the effective uid to the given (unprivileged) uid.
+ */
+ if (original_uid != original_euid && setuid(original_euid) == -1 ||
+ seteuid(original_uid) == -1)
+ fatal("Couldn't give up privileges");
+#endif /* SAVED_IDS_WORK_WITH_SETEUID */
prng_read_seedfile();
+#ifdef SAVED_IDS_WORK_WITH_SETEUID
if ((original_uid != original_euid) && (seteuid(original_euid) == -1))
fatal("Couldn't restore privileges");
+#else /* SAVED_IDS_WORK_WITH_SETEUID */
+ /*
+ * We are unable to restore the real uid to its unprivileged value.
+ * Propagate the real uid (usually more privileged) to effective uid
+ * as well.
+ */
+ if (original_uid != original_euid && seteuid(original_euid) == -1 ||
+ setuid(original_uid) == -1)
+ fatal("Couldn't restore privileges");
+#endif /* SAVED_IDS_WORK_WITH_SETEUID */
fatal_add_cleanup(prng_seed_cleanup, NULL);
atexit(prng_write_seedfile);
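Review bot: Both new "#else" conditions mix && and || without parentheses, so "original_uid != original_euid && setuid(original_euid) == -1 || seteuid(original_uid) == -1" groups as (A && B) || C and the second call runs even when original_uid equals original_euid, unlike the "#ifdef" branch where the whole operation is guarded by that comparison. In the restore branch this means setuid(original_uid) is always executed; please parenthesise to show the intended grouping and put both calls under the uid != euid guard if that is what is meant. The restore-branch comment also does not match the code: it describes propagating the real uid to the effective uid, but the call shown is setuid(original_uid) after seteuid(original_euid), so the comment should state which real, effective and saved uid the process is expected to hold after "Couldn't restore privileges" is passed. Finally, the original code sits under "#ifdef SAVED_IDS_WORK_WITH_SETEUID", which configure.in in this patch defines only for NeXT and SCO, so as written the new sequence is what all other platforms will run.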
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer