Privilege separation

Dan Yefimov dan at D00M.integrate.com.ru
Wed Oct 29 03:59:47 EST 2003


				Hello!
	Please consider including the attached patch in the next release. It 
allows one to drop the privilege separation code when building OpenSSH, by using 
the '--disable-privsep' switch of the configure script. If one doesn't use privilege 
separation at all, why not simply allow them to drop privilege separation 
support completely?
-- 

    Sincerely Your, Dan.
-------------- next part --------------
diff -adurN openssh-3.7.1p2.privsep/Makefile.in openssh-3.7.1p2/Makefile.in
--- openssh-3.7.1p2.privsep/Makefile.in	Mon Sep 22 05:00:12 2003
+++ openssh-3.7.1p2/Makefile.in	Sat Oct  4 22:38:24 2003
@@ -80,8 +80,7 @@
 	auth-chall.o auth2-chall.o groupaccess.o \
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
-	monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
-	kexdhs.o kexgexs.o \
+	@PRIVSEP_OBJS@ kexdhs.o kexgexs.o \
 	auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-sia.o md5crypt.o
diff -adurN openssh-3.7.1p2.privsep/acconfig.h openssh-3.7.1p2/acconfig.h
--- openssh-3.7.1p2.privsep/acconfig.h	Tue Sep 16 05:52:19 2003
+++ openssh-3.7.1p2/acconfig.h	Sat Oct  4 22:22:14 2003
@@ -202,6 +202,9 @@
 /* Define if you don't want to use wtmpx */
 #undef DISABLE_WTMPX
 
+/* Define if you don't want to use privilege separation */
+#undef DISABLE_PRIVSEP
+
 /* Some systems need a utmpx entry for /bin/login to work */
 #undef LOGIN_NEEDS_UTMPX
 
diff -adurN openssh-3.7.1p2.privsep/auth-bsdauth.c openssh-3.7.1p2/auth-bsdauth.c
--- openssh-3.7.1p2.privsep/auth-bsdauth.c	Thu Jul  4 04:14:18 2002
+++ openssh-3.7.1p2/auth-bsdauth.c	Sat Oct  4 23:52:37 2003
@@ -115,6 +115,7 @@
 	bsdauth_free_ctx
 };
 
+#ifndef DISABLE_PRIVSEP
 KbdintDevice mm_bsdauth_device = {
 	"bsdauth",
 	bsdauth_init_ctx,
@@ -122,4 +123,5 @@
 	mm_bsdauth_respond,
 	bsdauth_free_ctx
 };
+#endif /* DISABLE_PRIVSEP */
 #endif
diff -adurN openssh-3.7.1p2.privsep/auth-options.c openssh-3.7.1p2/auth-options.c
--- openssh-3.7.1p2.privsep/auth-options.c	Tue Jun  3 04:25:48 2003
+++ openssh-3.7.1p2/auth-options.c	Sat Oct  4 22:54:42 2003
@@ -280,7 +280,9 @@
 		/* Process the next option. */
 	}
 
+#ifndef DISABLE_PRIVSEP
 	if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
 		auth_debug_send();
 
 	/* grant access */
@@ -292,7 +294,9 @@
 	auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
 	    file, linenum, opts);
 
+#ifndef DISABLE_PRIVSEP
 	if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
 		auth_debug_send();
 
 	/* deny access */
diff -adurN openssh-3.7.1p2.privsep/auth-pam.c openssh-3.7.1p2/auth-pam.c
--- openssh-3.7.1p2.privsep/auth-pam.c	Tue Sep 23 13:24:21 2003
+++ openssh-3.7.1p2/auth-pam.c	Sat Oct  4 23:54:05 2003
@@ -419,7 +419,7 @@
 		case PAM_AUTH_ERR:
 			if (**prompts != NULL) {
 				/* drain any accumulated messages */
-#if 0 /* XXX - not compatible with privsep */
+#ifdef DISABLE_PRIVSEP /* XXX - not compatible with privsep */
 				packet_start(SSH2_MSG_USERAUTH_BANNER);
 				packet_put_cstring(**prompts);
 				packet_put_cstring("");
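Review bot: Turning the `#if 0` in the PAM_AUTH_ERR case into `#ifdef DISABLE_PRIVSEP` is a behaviour change, not just build gating: the non-privsep build now compiles a path that has shipped disabled, sending whatever PAM accumulated in `**prompts` to the not-yet-authenticated client as SSH2_MSG_USERAUTH_BANNER. Since that text is the PAM modules' own failure messages, it is worth confirming nothing in it is unsuitable for an unauthenticated peer before reviving the path, and the patch description should mention the change. I would also make the comment state the reason at the gate, e.g. `/* XXX - drains queued PAM messages; not compatible with privsep, so only built when it is disabled */`. The enclosing function starts and ends outside this hunk.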
@@ -500,6 +500,7 @@
 	sshpam_free_ctx
 };
 
+#ifndef DISABLE_PRIVSEP
 KbdintDevice mm_sshpam_device = {
 	"pam",
 	mm_sshpam_init_ctx,
@@ -507,6 +508,7 @@
 	mm_sshpam_respond,
 	mm_sshpam_free_ctx
 };
+#endif /* DISABLE_PRIVSEP */
 
 /*
  * This replaces auth-pam.c
@@ -673,8 +675,10 @@
 	pam_conv.conv = pam_chauthtok_conv;
 	pam_conv.appdata_ptr = NULL;
 
+#ifndef DISABLE_PRIVSEP
 	if (use_privsep)
 		fatal("Password expired (unable to change with privsep)");
+#endif /* DISABLE_PRIVSEP */
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&pam_conv);
 	if (sshpam_err != PAM_SUCCESS)
diff -adurN openssh-3.7.1p2.privsep/auth-rhosts.c openssh-3.7.1p2/auth-rhosts.c
--- openssh-3.7.1p2.privsep/auth-rhosts.c	Tue Jun  3 04:25:48 2003
+++ openssh-3.7.1p2/auth-rhosts.c	Sat Oct  4 23:02:16 2003
@@ -26,7 +26,9 @@
 
 /* import */
 extern ServerOptions options;
+#ifndef DISABLE_PRIVSEP
 extern int use_privsep;
+#endif /* DISABLE_PRIVSEP */
 
 /*
  * This function processes an rhosts-style file (.rhosts, .shosts, or
@@ -293,7 +295,9 @@
 
 	auth_debug_reset();
 	ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
+#ifndef DISABLE_PRIVSEP
 	if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
 		auth_debug_send();
 	return ret;
 }
diff -adurN openssh-3.7.1p2.privsep/auth-skey.c openssh-3.7.1p2/auth-skey.c
--- openssh-3.7.1p2.privsep/auth-skey.c	Thu Jul  4 04:14:18 2002
+++ openssh-3.7.1p2/auth-skey.c	Sat Oct  4 23:53:15 2003
@@ -93,6 +93,7 @@
 	skey_free_ctx
 };
 
+#ifndef DISABLE_PRIVSEP
 KbdintDevice mm_skey_device = {
 	"skey",
 	skey_init_ctx,
@@ -100,4 +101,5 @@
 	mm_skey_respond,
 	skey_free_ctx
 };
+#endif /* DISABLE_PRIVSEP */
 #endif /* SKEY */
diff -adurN openssh-3.7.1p2.privsep/auth.h openssh-3.7.1p2/auth.h
--- openssh-3.7.1p2.privsep/auth.h	Wed Sep  3 06:11:30 2003
+++ openssh-3.7.1p2/auth.h	Sat Oct  4 22:49:24 2003
@@ -133,7 +133,9 @@
 
 char	*auth2_read_banner(void);
 
+#ifndef DISABLE_PRIVSEP
 void	privsep_challenge_enable(void);
+#endif /* DISABLE_PRIVSEP */
 
 int	auth2_challenge(Authctxt *, char *);
 void	auth2_challenge_stop(Authctxt *);
diff -adurN openssh-3.7.1p2.privsep/auth1.c openssh-3.7.1p2/auth1.c
--- openssh-3.7.1p2.privsep/auth1.c	Wed Sep  3 01:32:46 2003
+++ openssh-3.7.1p2/auth1.c	Sat Oct  4 23:08:43 2003
@@ -304,8 +304,12 @@
 		authctxt->pw = fakepw();
 	}
 
+#ifndef DISABLE_PRIVSEP
 	setproctitle("%s%s", authctxt->pw ? user : "unknown",
 	    use_privsep ? " [net]" : "");
+#else
+	setproctitle("%s", authctxt->pw ? user : "unknown");
+#endif /* DISABLE_PRIVSEP */
 
 #ifdef USE_PAM
 	if (options.use_pam)
@@ -317,7 +321,11 @@
 	 * the server. (Unless you are running Windows)
 	 */
 #ifndef HAVE_CYGWIN
+#ifndef DISABLE_PRIVSEP
 	if (!use_privsep && getuid() != 0 && authctxt->pw &&
+#else
+	if (getuid() != 0 && authctxt->pw &&
+#endif /* DISABLE_PRIVSEP */
 	    authctxt->pw->pw_uid != getuid())
 		packet_disconnect("Cannot change user when server not running as root.");
 #endif
diff -adurN openssh-3.7.1p2.privsep/auth2-chall.c openssh-3.7.1p2/auth2-chall.c
--- openssh-3.7.1p2.privsep/auth2-chall.c	Mon May 26 15:36:13 2003
+++ openssh-3.7.1p2/auth2-chall.c	Sat Oct  4 23:49:13 2003
@@ -323,6 +323,7 @@
 	xfree(method);
 }
 
+#ifndef DISABLE_PRIVSEP
 void
 privsep_challenge_enable(void)
 {
@@ -350,3 +351,4 @@
 #endif
 #endif
 }
+#endif /* DISABLE_PRIVSEP */
diff -adurN openssh-3.7.1p2.privsep/auth2-gss.c openssh-3.7.1p2/auth2-gss.c
--- openssh-3.7.1p2.privsep/auth2-gss.c	Tue Sep  2 16:59:01 2003
+++ openssh-3.7.1p2/auth2-gss.c	Sat Oct  4 23:17:47 2003
@@ -130,7 +130,11 @@
 	OM_uint32 maj_status, min_status;
 	u_int len;
 
+#ifndef DISABLE_PRIVSEP
 	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+#else
+	if (authctxt == NULL || authctxt->methoddata == NULL)
+#endif /* DISABLE_PRIVSEP */
 		fatal("No authentication or GSSAPI context");
 
 	gssctxt = authctxt->methoddata;
@@ -179,7 +183,11 @@
 	OM_uint32 maj_status;
 	u_int len;
 
+#ifndef DISABLE_PRIVSEP
 	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+#else
+	if (authctxt == NULL || authctxt->methoddata == NULL)
+#endif /* DISABLE_PRIVSEP */
 		fatal("No authentication or GSSAPI context");
 
 	gssctxt = authctxt->methoddata;
@@ -216,7 +224,11 @@
 	Gssctxt *gssctxt;
 	int authenticated;
 
+#ifndef DISABLE_PRIVSEP
 	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+#else
+	if (authctxt == NULL || authctxt->methoddata == NULL)
+#endif /* DISABLE_PRIVSEP */
 		fatal("No authentication or GSSAPI context");
 
 	gssctxt = authctxt->methoddata;
diff -adurN openssh-3.7.1p2.privsep/auth2.c openssh-3.7.1p2/auth2.c
--- openssh-3.7.1p2.privsep/auth2.c	Wed Sep  3 01:32:46 2003
+++ openssh-3.7.1p2/auth2.c	Sat Oct  4 23:21:44 2003
@@ -174,13 +174,19 @@
 				PRIVSEP(start_pam(user));
 #endif
 		}
+#ifndef DISABLE_PRIVSEP
 		setproctitle("%s%s", authctxt->pw ? user : "unknown",
 		    use_privsep ? " [net]" : "");
+#else
+		setproctitle("%s", authctxt->pw ? user : "unknown");
+#endif /* DISABLE_PRIVSEP */
 		authctxt->user = xstrdup(user);
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
+#ifndef DISABLE_PRIVSEP
 		if (use_privsep)
 			mm_inform_authserv(service, style);
+#endif /* DISABLE_PRIVSEP */
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of username or service not allowed: "
diff -adurN openssh-3.7.1p2.privsep/configure.ac openssh-3.7.1p2/configure.ac
--- openssh-3.7.1p2.privsep/configure.ac	Tue Sep 23 13:24:21 2003
+++ openssh-3.7.1p2/configure.ac	Sat Oct  4 22:24:32 2003
@@ -2455,6 +2455,12 @@
 		fi
 	]
 )
+AC_ARG_ENABLE(privsep,
+	[  --disable-privsep    disable use of privilege separation. [no]],
+	[ AC_DEFINE(DISABLE_PRIVSEP, 1, [Define if you don't want to use privilege separation]) ],
+	[ PRIVSEP_OBJS="monitor.o monitor_mm.o monitor_wrap.o monitor_fdpass.o" ]
+)
+AC_SUBST(PRIVSEP_OBJS)
 AC_ARG_WITH(lastlog,
   [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
 	[
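Review bot: The action-if-given of `AC_ARG_ENABLE(privsep, …)` runs for any explicit flag, so a user passing `--enable-privsep` gets DISABLE_PRIVSEP defined and the monitor objects dropped from PRIVSEP_OBJS — the opposite of what they asked for — while only the no-flag default keeps privilege separation. The action needs to test `$enableval`, and the help string's `[no]` is misleading since privsep is on by default. A corrected form is below; `AC_SUBST(PRIVSEP_OBJS)` and the `@PRIVSEP_OBJS@` substitution in Makefile.in stay as they are.
```m4
AC_ARG_ENABLE(privsep,
	[  --disable-privsep    disable use of privilege separation [privsep enabled]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE(DISABLE_PRIVSEP, 1, [Define if you don't want to use privilege separation])
		else
			PRIVSEP_OBJS="monitor.o monitor_mm.o monitor_wrap.o monitor_fdpass.o"
		fi
	],
	[ PRIVSEP_OBJS="monitor.o monitor_mm.o monitor_wrap.o monitor_fdpass.o" ]
)
dnl … unchanged: AC_SUBST(PRIVSEP_OBJS) …
```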
diff -adurN openssh-3.7.1p2.privsep/monitor.h openssh-3.7.1p2/monitor.h
--- openssh-3.7.1p2.privsep/monitor.h	Tue Sep  2 16:51:17 2003
+++ openssh-3.7.1p2/monitor.h	Sat Oct  4 22:42:59 2003
@@ -28,6 +28,7 @@
 #ifndef _MONITOR_H_
 #define _MONITOR_H_
 
+#ifndef DISABLE_PRIVSEP
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
 	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
@@ -87,4 +88,5 @@
 void mm_request_receive(int, Buffer *);
 void mm_request_receive_expect(int, enum monitor_reqtype, Buffer *);
 
+#endif /* DISABLE_PRIVSEP */
 #endif /* _MONITOR_H_ */
diff -adurN openssh-3.7.1p2.privsep/monitor_fdpass.h openssh-3.7.1p2/monitor_fdpass.h
--- openssh-3.7.1p2.privsep/monitor_fdpass.h	Wed Jun 26 03:04:11 2002
+++ openssh-3.7.1p2/monitor_fdpass.h	Sat Oct  4 22:44:24 2003
@@ -28,7 +28,9 @@
 #ifndef _MM_FDPASS_H_
 #define _MM_FDPASS_H_
 
+#ifndef DISABLE_PRIVSEP
 void mm_send_fd(int, int);
 int mm_receive_fd(int);
 
+#endif /* DISABLE_PRIVSEP */
 #endif /* _MM_FDPASS_H_ */
diff -adurN openssh-3.7.1p2.privsep/monitor_mm.h openssh-3.7.1p2/monitor_mm.h
--- openssh-3.7.1p2.privsep/monitor_mm.h	Thu Sep 12 04:43:31 2002
+++ openssh-3.7.1p2/monitor_mm.h	Sat Oct  4 22:45:11 2003
@@ -29,6 +29,7 @@
 #define _MM_H_
 #include "openbsd-compat/sys-tree.h"
 
+#ifndef DISABLE_PRIVSEP
 struct mm_share {
 	RB_ENTRY(mm_share) next;
 	void *address;
@@ -63,4 +64,5 @@
 void mm_free(struct mm_master *, void *);
 
 void mm_memvalid(struct mm_master *, void *, size_t);
+#endif /* DISABLE_PRIVSEP */
 #endif /* _MM_H_ */
diff -adurN openssh-3.7.1p2.privsep/monitor_wrap.h openssh-3.7.1p2/monitor_wrap.h
--- openssh-3.7.1p2.privsep/monitor_wrap.h	Tue Sep  2 16:51:17 2003
+++ openssh-3.7.1p2/monitor_wrap.h	Sat Oct  4 22:46:55 2003
@@ -30,6 +30,7 @@
 #include "key.h"
 #include "buffer.h"
 
+#ifndef DISABLE_PRIVSEP
 extern int use_privsep;
 #define PRIVSEP(x)	(use_privsep ? mm_##x : x)
 
@@ -102,4 +103,7 @@
 void mm_zfree(struct mm_master *, void *);
 void mm_init_compression(struct mm_master *);
 
+#else /* DISABLE_PRIVSEP */
+#define PRIVSEP(x)	x
+#endif /* DISABLE_PRIVSEP */
 #endif /* _MM_H_ */
diff -adurN openssh-3.7.1p2.privsep/servconf.c openssh-3.7.1p2/servconf.c
--- openssh-3.7.1p2.privsep/servconf.c	Tue Sep 23 13:24:21 2003
+++ openssh-3.7.1p2/servconf.c	Sun Oct  5 00:44:06 2003
@@ -29,8 +29,10 @@
 
 /* AF_UNSPEC or AF_INET or AF_INET6 */
 extern int IPv4or6;
+#ifndef DISABLE_PRIVSEP
 /* Use of privilege separation or not */
 extern int use_privsep;
+#endif /* DISABLE_PRIVSEP */
 
 /* Initializes the server options to their default values. */
 
@@ -101,8 +103,10 @@
 	options->authorized_keys_file = NULL;
 	options->authorized_keys_file2 = NULL;
 
+#ifndef DISABLE_PRIVSEP
 	/* Needs to be accessable in many places */
 	use_privsep = -1;
+#endif /* DISABLE_PRIVSEP */
 }
 
 void
@@ -225,6 +229,7 @@
 	if (options->authorized_keys_file == NULL)
 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
 
+#ifndef DISABLE_PRIVSEP
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = 1;
@@ -237,6 +242,7 @@
 		options->compression = 0;
 	}
 #endif
+#endif /* DISABLE_PRIVSEP */
 
 }
 
@@ -732,8 +738,13 @@
 		goto parse_flag;
 
 	case sUsePrivilegeSeparation:
+#ifndef DISABLE_PRIVSEP
 		intptr = &use_privsep;
 		goto parse_flag;
+#else
+		/* Ignore the whole line */
+		return 0;
+#endif /* DISABLE_PRIVSEP */
 
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
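Review bot: The `#else` branch for `sUsePrivilegeSeparation` silently returns 0, so an administrator who writes `UsePrivilegeSeparation yes` into sshd_config on a build without privsep gets no indication — not even from the configuration test mode — that the protection they configured is absent, and since the argument is never read any trailing garbage on that line is accepted as well. At minimum log it before returning, e.g. `logit("%s line %d: UsePrivilegeSeparation ignored, built with --disable-privsep", filename, linenum);` assuming the parser's file-name and line-number parameters are in scope under those names (the function starts outside the hunk, so I cannot confirm them here); treating an explicit `yes` as a fatal configuration error would be the safer choice. `process_server_config_line` starts and ends outside this hunk.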
diff -adurN openssh-3.7.1p2.privsep/session.c openssh-3.7.1p2/session.c
--- openssh-3.7.1p2.privsep/session.c	Tue Sep 23 12:59:08 2003
+++ openssh-3.7.1p2/session.c	Sat Oct  4 23:36:50 2003
@@ -692,7 +692,9 @@
 	}
 
 	/* Record that there was a login on that tty from the remote host. */
+#ifndef DISABLE_PRIVSEP
 	if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
 		record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
 		    get_remote_name_or_ip(utmp_len,
 		    options.use_dns),
@@ -1668,7 +1670,9 @@
 	 * time in case we call fatal() (e.g., the connection gets closed).
 	 */
 	fatal_add_cleanup(session_pty_cleanup, (void *)s);
+#ifndef DISABLE_PRIVSEP
 	if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
 		pty_setowner(s->pw, s->tty);
 
 	/* Set window size from the packet. */
diff -adurN openssh-3.7.1p2.privsep/sshd.c openssh-3.7.1p2/sshd.c
--- openssh-3.7.1p2.privsep/sshd.c	Tue Sep  2 16:51:17 2003
+++ openssh-3.7.1p2/sshd.c	Sat Oct  4 23:44:14 2003
@@ -197,9 +197,11 @@
 int *startup_pipes = NULL;
 int startup_pipe;		/* in child */
 
+#ifndef DISABLE_PRIVSEP
 /* variables used for privilege separation */
 int use_privsep;
 struct monitor *pmonitor;
+#endif /* DISABLE_PRIVSEP */
 
 /* message to be displayed after login */
 Buffer loginmsg;
@@ -526,6 +528,7 @@
 	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
 }
 
+#ifndef DISABLE_PRIVSEP
 static void
 privsep_preauth_child(void)
 {
@@ -674,6 +677,7 @@
 	/* It is safe now to apply the key state */
 	monitor_apply_keystate(pmonitor);
 }
+#endif /* DISABLE_PRIVSEP */
 
 static char *
 list_hostkey_types(void)
@@ -1034,6 +1038,7 @@
 		}
 	}
 
+#ifndef DISABLE_PRIVSEP
 	if (use_privsep) {
 		struct passwd *pw;
 		struct stat st;
@@ -1056,6 +1061,7 @@
 			fatal("%s must be owned by root and not group or "
 			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
 	}
+#endif /* DISABLE_PRIVSEP */
 
 	/* Configuration looks good, so exit if in test mode. */
 	if (test_flag)
@@ -1468,9 +1474,11 @@
         /* prepare buffers to collect authentication messages */
 	buffer_init(&loginmsg);
 
+#ifndef DISABLE_PRIVSEP
 	if (use_privsep)
 		if ((authctxt = privsep_preauth()) != NULL)
 			goto authenticated;
+#endif /* DISABLE_PRIVSEP */
 
 	/* perform the key exchange */
 	/* authenticate user and start session */
@@ -1481,6 +1489,7 @@
 		do_ssh1_kex();
 		authctxt = do_authentication();
 	}
+#ifndef DISABLE_PRIVSEP
 	/*
 	 * If we use privilege separation, the unprivileged child transfers
 	 * the current keystate and exits
@@ -1501,6 +1510,7 @@
 		if (!compat20)
 			destroy_sensitive_data();
 	}
+#endif /* DISABLE_PRIVSEP */
 
 	/* Perform session preparation. */
 	do_authenticated(authctxt);
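Review bot: The `#endif /* DISABLE_PRIVSEP */` here closes a region opened in the previous hunk, and the lines between the two hunks (not shown) presumably hold the `authenticated:` label targeted by the `goto authenticated` that the @@ -1468 hunk also guards out, plus the `privsep_postauth` call; if so the label is compiled out together with its only jump, which is consistent but not visible from either hunk. A closing comment naming what the region covers would help the next reader, e.g. `#endif /* DISABLE_PRIVSEP: keystate hand-off, authenticated: label, privsep_postauth */`. main() starts and ends outside this hunk.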
@@ -1515,8 +1525,10 @@
 
 	packet_close();
 
+#ifndef DISABLE_PRIVSEP
 	if (use_privsep)
 		mm_terminate();
+#endif /* DISABLE_PRIVSEP */
 
 	exit(0);
 }
@@ -1722,8 +1734,10 @@
 	/* Destroy the private and public keys. No longer. */
 	destroy_sensitive_data();
 
+#ifndef DISABLE_PRIVSEP
 	if (use_privsep)
 		mm_ssh1_session_id(session_id);
+#endif /* DISABLE_PRIVSEP */
 
 	/* Destroy the decrypted integer.  It is no longer needed. */
 	BN_clear_free(session_key_int);

