author | Tomas Kuthan <tomas.kuthan@oracle.com> |
Mon, 03 Apr 2017 01:42:38 -0700 | |
changeset 7839 | d2c617295be6 |
permissions | -rw-r--r-- |
25809379 Openssh 7.4p1 has 3 regressions, fixed in 7.5
# |
# Temporary patch for 7.4p1 regression, fixed in 7.5 |
# Fix from upstream |
# Remove when upgrading |
# |
# https://github.com/openssh/openssh-portable/commit/51045869fa084cdd016fdd721ea760417c0a3bf3 |
# unbreak Unix domain socket forwarding for root |
# |
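diff -rupN old/serverloop.c new/serverloop.c
--- old/serverloop.c 2017-03-30 14:34:07.762152901 -0700
+++ new/serverloop.c 2017-03-30 14:43:20.195633292 -0700
@@ -469,6 +469,11 @@ server_request_direct_streamlocal(void)
 char *target, *originator;
 u_short originator_port;
 
+ struct passwd *pw = the_authctxt->pw;
+
+ if (pw == NULL || !the_authctxt->valid)
+ fatal("server_input_global_request: no/invalid user");
+
 target = packet_get_string(NULL);
 originator = packet_get_string(NULL);
 originator_port = packet_get_int();
@@ -480,7 +485,7 @@ server_request_direct_streamlocal(void)
 /* XXX fine grained permissions */
 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
 !no_port_forwarding_flag && !options.disable_forwarding &&
- use_privsep) {
+ (pw->pw_uid == 0 || use_privsep)) {
 c = channel_connect_to_path(target,
 "[email protected]", "direct-streamlocal");
 } else {
@@ -702,6 +707,10 @@ server_input_global_request(int type, u_
 int want_reply;
 int r, success = 0, allocated_listen_port = 0;
 struct sshbuf *resp = NULL;
+ struct passwd *pw = the_authctxt->pw;
+
+ if (pw == NULL || !the_authctxt->valid)
+ fatal("server_input_global_request: no/invalid user");
 
 rtype = packet_get_string(NULL);
 want_reply = packet_get_char();
@@ -709,12 +718,8 @@ server_input_global_request(int type, u_
 
 /* -R style forwarding */
 if (strcmp(rtype, "tcpip-forward") == 0) {
- struct passwd *pw;
 struct Forward fwd;
 
- pw = the_authctxt->pw;
- if (pw == NULL || !the_authctxt->valid)
- fatal("server_input_global_request: no/invalid user");
 memset(&fwd, 0, sizeof(fwd));
 fwd.listen_host = packet_get_string(NULL);
 fwd.listen_port = (u_short)packet_get_int();
@@ -762,9 +767,10 @@ server_input_global_request(int type, u_
 /* check permissions */
 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
 || no_port_forwarding_flag || options.disable_forwarding ||
- !use_privsep) {
+ (pw->pw_uid != 0 && !use_privsep)) {
 success = 0;
- packet_send_debug("Server has disabled port forwarding.");
+ packet_send_debug("Server has disabled "
+ "streamlocal forwarding.");
 } else {
 /* Start listening on the socket */
 success = channel_setup_remote_fwd_listener(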
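Review bot: The fatal() added at the top of server_request_direct_streamlocal (first hunk) still reports `server_input_global_request: no/invalid user`, so a session terminated there is logged under the wrong function and anyone triaging sshd logs is pointed at the wrong code path. Writing `fatal("%s: no/invalid user", __func__);` in both functions would keep the message accurate. The root exception in the two permission checks (`pw->pw_uid == 0 || use_privsep` in the FORWARD_LOCAL check and its negation in the FORWARD_REMOTE check) also deserves a one-line comment saying why uid 0 may bypass the privsep requirement, presumably because a root login runs with the same uid whether or not privileges are separated. Both functions start and end outside the hunks shown, so the rest of their bodies could not be checked.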