Privilege separation
Dan Yefimov
dan at D00M.integrate.com.ru
Wed Oct 29 03:59:47 EST 2003
Hello!
Please consider including the attached patch in the next release. It
allows one to drop the privilege separation code when building openssh, by using
the '--disable-privsep' switch of the configure script. If one doesn't use privilege
separation at all, why not simply allow them to drop privilege separation
support completely?
--
Sincerely Your, Dan.
-------------- next part --------------
diff -adurN openssh-3.7.1p2.privsep/Makefile.in openssh-3.7.1p2/Makefile.in
--- openssh-3.7.1p2.privsep/Makefile.in Mon Sep 22 05:00:12 2003
+++ openssh-3.7.1p2/Makefile.in Sat Oct 4 22:38:24 2003
@@ -80,8 +80,7 @@
auth-chall.o auth2-chall.o groupaccess.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
- monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
- kexdhs.o kexgexs.o \
+ @PRIVSEP_OBJS@ kexdhs.o kexgexs.o \
auth-krb5.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-sia.o md5crypt.o
diff -adurN openssh-3.7.1p2.privsep/acconfig.h openssh-3.7.1p2/acconfig.h
--- openssh-3.7.1p2.privsep/acconfig.h Tue Sep 16 05:52:19 2003
+++ openssh-3.7.1p2/acconfig.h Sat Oct 4 22:22:14 2003
@@ -202,6 +202,9 @@
/* Define if you don't want to use wtmpx */
#undef DISABLE_WTMPX
+/* Define if you don't want to use privilege separation */
+#undef DISABLE_PRIVSEP
+
/* Some systems need a utmpx entry for /bin/login to work */
#undef LOGIN_NEEDS_UTMPX
diff -adurN openssh-3.7.1p2.privsep/auth-bsdauth.c openssh-3.7.1p2/auth-bsdauth.c
--- openssh-3.7.1p2.privsep/auth-bsdauth.c Thu Jul 4 04:14:18 2002
+++ openssh-3.7.1p2/auth-bsdauth.c Sat Oct 4 23:52:37 2003
@@ -115,6 +115,7 @@
bsdauth_free_ctx
};
+#ifndef DISABLE_PRIVSEP
KbdintDevice mm_bsdauth_device = {
"bsdauth",
bsdauth_init_ctx,
@@ -122,4 +123,5 @@
mm_bsdauth_respond,
bsdauth_free_ctx
};
+#endif /* DISABLE_PRIVSEP */
#endif
diff -adurN openssh-3.7.1p2.privsep/auth-options.c openssh-3.7.1p2/auth-options.c
--- openssh-3.7.1p2.privsep/auth-options.c Tue Jun 3 04:25:48 2003
+++ openssh-3.7.1p2/auth-options.c Sat Oct 4 22:54:42 2003
@@ -280,7 +280,9 @@
/* Process the next option. */
}
+#ifndef DISABLE_PRIVSEP
if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
auth_debug_send();
/* grant access */
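Review bot: The `#ifndef DISABLE_PRIVSEP` / `if (!use_privsep)` / `#endif` bracket in front of `auth_debug_send()` here, repeated in the next hunk and in auth-rhosts.c, auth1.c, auth2.c, auth2-gss.c, session.c and sshd.c, duplicates every condition that merely reads `use_privsep`, and the `#else` copies in auth1.c, auth2.c and auth2-gss.c are a second version of each condition that must be kept in sync by hand. A single `static const int use_privsep = 0;` in the new `#else /* DISABLE_PRIVSEP */` branch of monitor_wrap.h would let every read-only site in files that take the declaration from that header compile unchanged, with the compiler folding the dead branch; only the definition in sshd.c, the `extern` in auth-rhosts.c and the writes in servconf.c (`use_privsep = -1`, `&use_privsep`) still need the `#ifndef`. Whether auth-options.c and session.c get the declaration from monitor_wrap.h is not visible in this patch and should be checked before relying on that. The enclosing function starts and ends outside this hunk.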
@@ -292,7 +294,9 @@
auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
file, linenum, opts);
+#ifndef DISABLE_PRIVSEP
if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
auth_debug_send();
/* deny access */
diff -adurN openssh-3.7.1p2.privsep/auth-pam.c openssh-3.7.1p2/auth-pam.c
--- openssh-3.7.1p2.privsep/auth-pam.c Tue Sep 23 13:24:21 2003
+++ openssh-3.7.1p2/auth-pam.c Sat Oct 4 23:54:05 2003
@@ -419,7 +419,7 @@
case PAM_AUTH_ERR:
if (**prompts != NULL) {
/* drain any accumulated messages */
-#if 0 /* XXX - not compatible with privsep */
+#ifdef DISABLE_PRIVSEP /* XXX - not compatible with privsep */
packet_start(SSH2_MSG_USERAUTH_BANNER);
packet_put_cstring(**prompts);
packet_put_cstring("");
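Review bot: Replacing `#if 0` with `#ifdef DISABLE_PRIVSEP` revives a block that was compiled out, so the `packet_start(SSH2_MSG_USERAUTH_BANNER)` path that sends the accumulated PAM text to a client that has not authenticated yet has presumably never run in a shipped build and needs to be exercised under the new configuration; the block's `#endif` and whatever follows `packet_put_cstring("")` are outside the hunk. The text in `**prompts` is PAM's own message output, so it is worth confirming that what reaches an unauthenticated peer on PAM_AUTH_ERR does not let it tell account states apart (for example a locked account from an unknown one). The kept comment `/* XXX - not compatible with privsep */` now reads as a reason to leave the block off; `/* not compatible with privsep: compiled only in --disable-privsep builds */` would say why it is conditional instead. The enclosing function starts and ends outside this hunk.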
@@ -500,6 +500,7 @@
sshpam_free_ctx
};
+#ifndef DISABLE_PRIVSEP
KbdintDevice mm_sshpam_device = {
"pam",
mm_sshpam_init_ctx,
@@ -507,6 +508,7 @@
mm_sshpam_respond,
mm_sshpam_free_ctx
};
+#endif /* DISABLE_PRIVSEP */
/*
* This replaces auth-pam.c
@@ -673,8 +675,10 @@
pam_conv.conv = pam_chauthtok_conv;
pam_conv.appdata_ptr = NULL;
+#ifndef DISABLE_PRIVSEP
if (use_privsep)
fatal("Password expired (unable to change with privsep)");
+#endif /* DISABLE_PRIVSEP */
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&pam_conv);
if (sshpam_err != PAM_SUCCESS)
diff -adurN openssh-3.7.1p2.privsep/auth-rhosts.c openssh-3.7.1p2/auth-rhosts.c
--- openssh-3.7.1p2.privsep/auth-rhosts.c Tue Jun 3 04:25:48 2003
+++ openssh-3.7.1p2/auth-rhosts.c Sat Oct 4 23:02:16 2003
@@ -26,7 +26,9 @@
/* import */
extern ServerOptions options;
+#ifndef DISABLE_PRIVSEP
extern int use_privsep;
+#endif /* DISABLE_PRIVSEP */
/*
* This function processes an rhosts-style file (.rhosts, .shosts, or
@@ -293,7 +295,9 @@
auth_debug_reset();
ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
+#ifndef DISABLE_PRIVSEP
if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
auth_debug_send();
return ret;
}
diff -adurN openssh-3.7.1p2.privsep/auth-skey.c openssh-3.7.1p2/auth-skey.c
--- openssh-3.7.1p2.privsep/auth-skey.c Thu Jul 4 04:14:18 2002
+++ openssh-3.7.1p2/auth-skey.c Sat Oct 4 23:53:15 2003
@@ -93,6 +93,7 @@
skey_free_ctx
};
+#ifndef DISABLE_PRIVSEP
KbdintDevice mm_skey_device = {
"skey",
skey_init_ctx,
@@ -100,4 +101,5 @@
mm_skey_respond,
skey_free_ctx
};
+#endif /* DISABLE_PRIVSEP */
#endif /* SKEY */
diff -adurN openssh-3.7.1p2.privsep/auth.h openssh-3.7.1p2/auth.h
--- openssh-3.7.1p2.privsep/auth.h Wed Sep 3 06:11:30 2003
+++ openssh-3.7.1p2/auth.h Sat Oct 4 22:49:24 2003
@@ -133,7 +133,9 @@
char *auth2_read_banner(void);
+#ifndef DISABLE_PRIVSEP
void privsep_challenge_enable(void);
+#endif /* DISABLE_PRIVSEP */
int auth2_challenge(Authctxt *, char *);
void auth2_challenge_stop(Authctxt *);
diff -adurN openssh-3.7.1p2.privsep/auth1.c openssh-3.7.1p2/auth1.c
--- openssh-3.7.1p2.privsep/auth1.c Wed Sep 3 01:32:46 2003
+++ openssh-3.7.1p2/auth1.c Sat Oct 4 23:08:43 2003
@@ -304,8 +304,12 @@
authctxt->pw = fakepw();
}
+#ifndef DISABLE_PRIVSEP
setproctitle("%s%s", authctxt->pw ? user : "unknown",
use_privsep ? " [net]" : "");
+#else
+ setproctitle("%s", authctxt->pw ? user : "unknown");
+#endif /* DISABLE_PRIVSEP */
#ifdef USE_PAM
if (options.use_pam)
@@ -317,7 +321,11 @@
* the server. (Unless you are running Windows)
*/
#ifndef HAVE_CYGWIN
+#ifndef DISABLE_PRIVSEP
if (!use_privsep && getuid() != 0 && authctxt->pw &&
+#else
+ if (getuid() != 0 && authctxt->pw &&
+#endif /* DISABLE_PRIVSEP */
authctxt->pw->pw_uid != getuid())
packet_disconnect("Cannot change user when server not running as root.");
#endif
diff -adurN openssh-3.7.1p2.privsep/auth2-chall.c openssh-3.7.1p2/auth2-chall.c
--- openssh-3.7.1p2.privsep/auth2-chall.c Mon May 26 15:36:13 2003
+++ openssh-3.7.1p2/auth2-chall.c Sat Oct 4 23:49:13 2003
@@ -323,6 +323,7 @@
xfree(method);
}
+#ifndef DISABLE_PRIVSEP
void
privsep_challenge_enable(void)
{
@@ -350,3 +351,4 @@
#endif
#endif
}
+#endif /* DISABLE_PRIVSEP */
diff -adurN openssh-3.7.1p2.privsep/auth2-gss.c openssh-3.7.1p2/auth2-gss.c
--- openssh-3.7.1p2.privsep/auth2-gss.c Tue Sep 2 16:59:01 2003
+++ openssh-3.7.1p2/auth2-gss.c Sat Oct 4 23:17:47 2003
@@ -130,7 +130,11 @@
OM_uint32 maj_status, min_status;
u_int len;
+#ifndef DISABLE_PRIVSEP
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+#else
+ if (authctxt == NULL || authctxt->methoddata == NULL)
+#endif /* DISABLE_PRIVSEP */
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
@@ -179,7 +183,11 @@
OM_uint32 maj_status;
u_int len;
+#ifndef DISABLE_PRIVSEP
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+#else
+ if (authctxt == NULL || authctxt->methoddata == NULL)
+#endif /* DISABLE_PRIVSEP */
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
@@ -216,7 +224,11 @@
Gssctxt *gssctxt;
int authenticated;
+#ifndef DISABLE_PRIVSEP
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+#else
+ if (authctxt == NULL || authctxt->methoddata == NULL)
+#endif /* DISABLE_PRIVSEP */
fatal("No authentication or GSSAPI context");
gssctxt = authctxt->methoddata;
diff -adurN openssh-3.7.1p2.privsep/auth2.c openssh-3.7.1p2/auth2.c
--- openssh-3.7.1p2.privsep/auth2.c Wed Sep 3 01:32:46 2003
+++ openssh-3.7.1p2/auth2.c Sat Oct 4 23:21:44 2003
@@ -174,13 +174,19 @@
PRIVSEP(start_pam(user));
#endif
}
+#ifndef DISABLE_PRIVSEP
setproctitle("%s%s", authctxt->pw ? user : "unknown",
use_privsep ? " [net]" : "");
+#else
+ setproctitle("%s", authctxt->pw ? user : "unknown");
+#endif /* DISABLE_PRIVSEP */
authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
+#ifndef DISABLE_PRIVSEP
if (use_privsep)
mm_inform_authserv(service, style);
+#endif /* DISABLE_PRIVSEP */
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
packet_disconnect("Change of username or service not allowed: "
diff -adurN openssh-3.7.1p2.privsep/configure.ac openssh-3.7.1p2/configure.ac
--- openssh-3.7.1p2.privsep/configure.ac Tue Sep 23 13:24:21 2003
+++ openssh-3.7.1p2/configure.ac Sat Oct 4 22:24:32 2003
@@ -2455,6 +2455,12 @@
fi
]
)
+AC_ARG_ENABLE(privsep,
+ [ --disable-privsep disable use of privilege separation. [no]],
+ [ AC_DEFINE(DISABLE_PRIVSEP, 1, [Define if you don't want to use privilege separation]) ],
+ [ PRIVSEP_OBJS="monitor.o monitor_mm.o monitor_wrap.o monitor_fdpass.o" ]
+)
+AC_SUBST(PRIVSEP_OBJS)
AC_ARG_WITH(lastlog,
[ --with-lastlog=FILE|DIR specify lastlog location [common locations]],
[
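Review bot: The action-if-given argument of `AC_ARG_ENABLE` runs for both `--enable-privsep` and `--disable-privsep`, so an explicit `--enable-privsep` defines DISABLE_PRIVSEP and leaves PRIVSEP_OBJS empty (hence an empty `@PRIVSEP_OBJS@` in the Makefile.in hunk), producing a non-privsep sshd in exactly the case where the user asked for the opposite. The branch has to look at `$enableval`, as below. Since a build without privsep runs the pre-authentication, network-facing code with sshd's full privileges, the help string should also state that consequence rather than only naming the switch.
```m4
AC_ARG_ENABLE(privsep,
	[  --disable-privsep       disable privilege separation support; pre-auth code then runs with sshd's full privileges [no]],
	[
		if test "x$enableval" = "xno" ; then
			AC_DEFINE(DISABLE_PRIVSEP, 1, [Define if you don't want to use privilege separation])
		else
			PRIVSEP_OBJS="monitor.o monitor_mm.o monitor_wrap.o monitor_fdpass.o"
		fi
	],
	[ PRIVSEP_OBJS="monitor.o monitor_mm.o monitor_wrap.o monitor_fdpass.o" ]
)
dnl … unchanged: AC_SUBST(PRIVSEP_OBJS) …
```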
diff -adurN openssh-3.7.1p2.privsep/monitor.h openssh-3.7.1p2/monitor.h
--- openssh-3.7.1p2.privsep/monitor.h Tue Sep 2 16:51:17 2003
+++ openssh-3.7.1p2/monitor.h Sat Oct 4 22:42:59 2003
@@ -28,6 +28,7 @@
#ifndef _MONITOR_H_
#define _MONITOR_H_
+#ifndef DISABLE_PRIVSEP
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
@@ -87,4 +88,5 @@
void mm_request_receive(int, Buffer *);
void mm_request_receive_expect(int, enum monitor_reqtype, Buffer *);
+#endif /* DISABLE_PRIVSEP */
#endif /* _MONITOR_H_ */
diff -adurN openssh-3.7.1p2.privsep/monitor_fdpass.h openssh-3.7.1p2/monitor_fdpass.h
--- openssh-3.7.1p2.privsep/monitor_fdpass.h Wed Jun 26 03:04:11 2002
+++ openssh-3.7.1p2/monitor_fdpass.h Sat Oct 4 22:44:24 2003
@@ -28,7 +28,9 @@
#ifndef _MM_FDPASS_H_
#define _MM_FDPASS_H_
+#ifndef DISABLE_PRIVSEP
void mm_send_fd(int, int);
int mm_receive_fd(int);
+#endif /* DISABLE_PRIVSEP */
#endif /* _MM_FDPASS_H_ */
diff -adurN openssh-3.7.1p2.privsep/monitor_mm.h openssh-3.7.1p2/monitor_mm.h
--- openssh-3.7.1p2.privsep/monitor_mm.h Thu Sep 12 04:43:31 2002
+++ openssh-3.7.1p2/monitor_mm.h Sat Oct 4 22:45:11 2003
@@ -29,6 +29,7 @@
#define _MM_H_
#include "openbsd-compat/sys-tree.h"
+#ifndef DISABLE_PRIVSEP
struct mm_share {
RB_ENTRY(mm_share) next;
void *address;
@@ -63,4 +64,5 @@
void mm_free(struct mm_master *, void *);
void mm_memvalid(struct mm_master *, void *, size_t);
+#endif /* DISABLE_PRIVSEP */
#endif /* _MM_H_ */
diff -adurN openssh-3.7.1p2.privsep/monitor_wrap.h openssh-3.7.1p2/monitor_wrap.h
--- openssh-3.7.1p2.privsep/monitor_wrap.h Tue Sep 2 16:51:17 2003
+++ openssh-3.7.1p2/monitor_wrap.h Sat Oct 4 22:46:55 2003
@@ -30,6 +30,7 @@
#include "key.h"
#include "buffer.h"
+#ifndef DISABLE_PRIVSEP
extern int use_privsep;
#define PRIVSEP(x) (use_privsep ? mm_##x : x)
@@ -102,4 +103,7 @@
void mm_zfree(struct mm_master *, void *);
void mm_init_compression(struct mm_master *);
+#else /* DISABLE_PRIVSEP */
+#define PRIVSEP(x) x
+#endif /* DISABLE_PRIVSEP */
#endif /* _MM_H_ */
diff -adurN openssh-3.7.1p2.privsep/servconf.c openssh-3.7.1p2/servconf.c
--- openssh-3.7.1p2.privsep/servconf.c Tue Sep 23 13:24:21 2003
+++ openssh-3.7.1p2/servconf.c Sun Oct 5 00:44:06 2003
@@ -29,8 +29,10 @@
/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;
+#ifndef DISABLE_PRIVSEP
/* Use of privilege separation or not */
extern int use_privsep;
+#endif /* DISABLE_PRIVSEP */
/* Initializes the server options to their default values. */
@@ -101,8 +103,10 @@
options->authorized_keys_file = NULL;
options->authorized_keys_file2 = NULL;
+#ifndef DISABLE_PRIVSEP
/* Needs to be accessable in many places */
use_privsep = -1;
+#endif /* DISABLE_PRIVSEP */
}
void
@@ -225,6 +229,7 @@
if (options->authorized_keys_file == NULL)
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+#ifndef DISABLE_PRIVSEP
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = 1;
@@ -237,6 +242,7 @@
options->compression = 0;
}
#endif
+#endif /* DISABLE_PRIVSEP */
}
@@ -732,8 +738,13 @@
goto parse_flag;
case sUsePrivilegeSeparation:
+#ifndef DISABLE_PRIVSEP
intptr = &use_privsep;
goto parse_flag;
+#else
+ /* Ignore the whole line */
+ return 0;
+#endif /* DISABLE_PRIVSEP */
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
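Review bot: With DISABLE_PRIVSEP the new `sUsePrivilegeSeparation` branch returns 0 without any diagnostic, so an administrator whose sshd_config says `UsePrivilegeSeparation yes` gets a server that silently does not separate privileges. At minimum the line should be logged, e.g. `logit("%s line %d: UsePrivilegeSeparation ignored, sshd was built with --disable-privsep", filename, linenum);` using the function's filename/linenum parameters (its signature is outside the hunk); arguably an explicit `yes` should be a `fatal()` configuration error, since the build cannot honour it. The early `return 0` also bypasses whatever end-of-line checking follows the switch in this function, so the `/* Ignore the whole line */` comment is accurate but should add that the argument is not validated either.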
diff -adurN openssh-3.7.1p2.privsep/session.c openssh-3.7.1p2/session.c
--- openssh-3.7.1p2.privsep/session.c Tue Sep 23 12:59:08 2003
+++ openssh-3.7.1p2/session.c Sat Oct 4 23:36:50 2003
@@ -692,7 +692,9 @@
}
/* Record that there was a login on that tty from the remote host. */
+#ifndef DISABLE_PRIVSEP
if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
get_remote_name_or_ip(utmp_len,
options.use_dns),
@@ -1668,7 +1670,9 @@
* time in case we call fatal() (e.g., the connection gets closed).
*/
fatal_add_cleanup(session_pty_cleanup, (void *)s);
+#ifndef DISABLE_PRIVSEP
if (!use_privsep)
+#endif /* DISABLE_PRIVSEP */
pty_setowner(s->pw, s->tty);
/* Set window size from the packet. */
diff -adurN openssh-3.7.1p2.privsep/sshd.c openssh-3.7.1p2/sshd.c
--- openssh-3.7.1p2.privsep/sshd.c Tue Sep 2 16:51:17 2003
+++ openssh-3.7.1p2/sshd.c Sat Oct 4 23:44:14 2003
@@ -197,9 +197,11 @@
int *startup_pipes = NULL;
int startup_pipe; /* in child */
+#ifndef DISABLE_PRIVSEP
/* variables used for privilege separation */
int use_privsep;
struct monitor *pmonitor;
+#endif /* DISABLE_PRIVSEP */
/* message to be displayed after login */
Buffer loginmsg;
@@ -526,6 +528,7 @@
/* We do not clear ssh1_host key and cookie. XXX - Okay Niels? */
}
+#ifndef DISABLE_PRIVSEP
static void
privsep_preauth_child(void)
{
@@ -674,6 +677,7 @@
/* It is safe now to apply the key state */
monitor_apply_keystate(pmonitor);
}
+#endif /* DISABLE_PRIVSEP */
static char *
list_hostkey_types(void)
@@ -1034,6 +1038,7 @@
}
}
+#ifndef DISABLE_PRIVSEP
if (use_privsep) {
struct passwd *pw;
struct stat st;
@@ -1056,6 +1061,7 @@
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
}
+#endif /* DISABLE_PRIVSEP */
/* Configuration looks good, so exit if in test mode. */
if (test_flag)
@@ -1468,9 +1474,11 @@
/* prepare buffers to collect authentication messages */
buffer_init(&loginmsg);
+#ifndef DISABLE_PRIVSEP
if (use_privsep)
if ((authctxt = privsep_preauth()) != NULL)
goto authenticated;
+#endif /* DISABLE_PRIVSEP */
/* perform the key exchange */
/* authenticate user and start session */
@@ -1481,6 +1489,7 @@
do_ssh1_kex();
authctxt = do_authentication();
}
+#ifndef DISABLE_PRIVSEP
/*
* If we use privilege separation, the unprivileged child transfers
* the current keystate and exits
@@ -1501,6 +1510,7 @@
if (!compat20)
destroy_sensitive_data();
}
+#endif /* DISABLE_PRIVSEP */
/* Perform session preparation. */
do_authenticated(authctxt);
@@ -1515,8 +1525,10 @@
packet_close();
+#ifndef DISABLE_PRIVSEP
if (use_privsep)
mm_terminate();
+#endif /* DISABLE_PRIVSEP */
exit(0);
}
@@ -1722,8 +1734,10 @@
/* Destroy the private and public keys. No longer. */
destroy_sensitive_data();
+#ifndef DISABLE_PRIVSEP
if (use_privsep)
mm_ssh1_session_id(session_id);
+#endif /* DISABLE_PRIVSEP */
/* Destroy the decrypted integer. It is no longer needed. */
BN_clear_free(session_key_int);