|
1 # |
|
2 # OpenSSH verifies, that changing [ug]id back to 0 fails, after it |
|
3 # was set to the values of the user logging in. |
|
4 # On Solaris, if that user was given PRIV_PROC_SETUID privilege, |
|
5 # set[gu]id(0) succeeds. But in this case this is not an error in |
|
6 # dropping privilege, such user is supposed to be able to do that. |
|
7 # |
|
8 # This fix removes this check entirely. Skipping the check only in |
|
9 # case PRIV_PROC_SETUID is asserted in the effective set was considered |
|
10 # but decided against. The check is redundant, because inability to |
|
11 # restore uid=0 can be inferred from successful run of setreuid(uid, uid). |
|
12 # |
|
13 # The fix is implemented by replacing an OS-related HAVE_CYGWIN guard |
|
14 # with a functional NO_UID_RESTORATION_TEST and by defining the new |
|
15 # symbol in the component Makefile. |
|
16 # |
|
17 # This patch was submitted upstream: |
|
18 # |
|
19 # https://bugzilla.mindrot.org/show_bug.cgi?id=2299 |
|
20 # |
|
21 # See the above URL for details on if/when it might be accepted. |
|
22 # |
|
23 diff -ur old/uidswap.c new/uidswap.c |
|
24 --- old/uidswap.c 2014-01-18 01:43:50.000000000 -0800 |
|
25 +++ new/uidswap.c 2014-09-04 06:26:32.965065384 -0700 |
|
26 @@ -134,7 +134,7 @@ |
|
27 void |
|
28 permanently_drop_suid(uid_t uid) |
|
29 { |
|
30 -#ifndef HAVE_CYGWIN |
|
31 +#ifndef NO_UID_RESTORATION_TEST |
|
32 uid_t old_uid = getuid(); |
|
33 #endif |
|
34 |
|
35 @@ -142,7 +142,7 @@ |
|
36 if (setresuid(uid, uid, uid) < 0) |
|
37 fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno)); |
|
38 |
|
39 -#ifndef HAVE_CYGWIN |
|
40 +#ifndef NO_UID_RESTORATION_TEST |
|
41 /* Try restoration of UID if changed (test clearing of saved uid) */ |
|
42 if (old_uid != uid && |
|
43 (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) |
|
44 @@ -199,7 +199,7 @@ |
|
45 void |
|
46 permanently_set_uid(struct passwd *pw) |
|
47 { |
|
48 -#ifndef HAVE_CYGWIN |
|
49 +#ifndef NO_UID_RESTORATION_TEST |
|
50 uid_t old_uid = getuid(); |
|
51 gid_t old_gid = getgid(); |
|
52 #endif |
|
53 @@ -227,7 +227,7 @@ |
|
54 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) |
|
55 fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); |
|
56 |
|
57 -#ifndef HAVE_CYGWIN |
|
58 +#ifndef NO_UID_RESTORATION_TEST |
|
59 /* Try restoration of GID if changed (test clearing of saved gid) */ |
|
60 if (old_gid != pw->pw_gid && pw->pw_uid != 0 && |
|
61 (setgid(old_gid) != -1 || setegid(old_gid) != -1)) |
|
62 @@ -241,7 +241,7 @@ |
|
63 (u_int)pw->pw_gid); |
|
64 } |
|
65 |
|
66 -#ifndef HAVE_CYGWIN |
|
67 +#ifndef NO_UID_RESTORATION_TEST |
|
68 /* Try restoration of UID if changed (test clearing of saved uid) */ |
|
69 if (old_uid != pw->pw_uid && |
|
70 (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) |