From 465b6e6b82d7e7c3657d406824779912cb7eff05 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 7 Feb 2017 15:34:01 +0100
Subject: [PATCH] Check seteuid return values in all cases

---
 openssh.spec | 5 ++--
 pam_ssh_agent_auth-0.10.3-seteuid.patch | 37 +++++++++++++++++++++++++
 pam_ssh_agent_auth-0.9.2-seteuid.patch | 27 ------------------
 3 files changed, 40 insertions(+), 29 deletions(-)
 create mode 100644 pam_ssh_agent_auth-0.10.3-seteuid.patch
 delete mode 100644 pam_ssh_agent_auth-0.9.2-seteuid.patch

diff --git a/openssh.spec b/openssh.spec
index 48a67c0..4a1dd8d 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -115,7 +115,8 @@ Patch201: openssh-7.1p2-audit-race-condition.patch
 # make it build reusing the openssh sources
 Patch300: pam_ssh_agent_auth-0.9.3-build.patch
 # check return value of seteuid()
-Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
+# https://sourceforge.net/p/pamsshagentauth/bugs/23/
+Patch301: pam_ssh_agent_auth-0.10.3-seteuid.patch
 # explicitly make pam callbacks visible
 Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
 # update to current version of agent structure
@@ -403,7 +404,7 @@ The module is most useful for su and sudo service stacks.
 %if %{pam_ssh_agent}
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch300 -p2 -b .psaa-build
-%patch301 -p1 -b .psaa-seteuid
+%patch301 -p2 -b .psaa-seteuid
 %patch302 -p2 -b .psaa-visibility
 %patch306 -p2 -b .psaa-compat
 %patch305 -p2 -b .psaa-agent
diff --git a/pam_ssh_agent_auth-0.10.3-seteuid.patch b/pam_ssh_agent_auth-0.10.3-seteuid.patch
new file mode 100644
index 0000000..be1f8e5
--- /dev/null
+++ b/pam_ssh_agent_auth-0.10.3-seteuid.patch
@@ -0,0 +1,37 @@
+diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
+--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid 2017-02-07 15:41:53.172334151 +0100
++++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 15:41:53.174334149 +0100
+@@ -238,17 +238,26 @@ ssh_get_authentication_socket_for_uid(ui
+ }
+ 
+ errno = 0;
+- seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
+- above, we will temporarily drop UID to the caller */
+- if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
++ /* To ensure a race condition is not used to circumvent the stat
++ above, we will temporarily drop UID to the caller */
++ if (seteuid(uid) == -1) {
+ close(sock);
+- if(errno == EACCES)
+- fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
++ error("seteuid(%lu) failed with error: %s",
++ (unsigned long) uid, strerror(errno));
+ return -1;
+ }
++ if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
++ close(sock);
++ sock = -1;
++ if(errno == EACCES)
++ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
++ }
+ 
+- seteuid(0); /* we now continue the regularly scheduled programming */
+-
++ /* we now continue the regularly scheduled programming */
++ if (0 != seteuid(0)) {
++ fatal("setuid(0) failed with error: %s", strerror(errno));
++ return -1;
++ }
+ return sock;
+ }
+ 
diff --git a/pam_ssh_agent_auth-0.9.2-seteuid.patch b/pam_ssh_agent_auth-0.9.2-seteuid.patch
deleted file mode 100644
index b7f12a4..0000000
--- a/pam_ssh_agent_auth-0.9.2-seteuid.patch
+++ /dev/null
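Review bot: In the new seteuid(uid) failure branch `close(sock);` runs before `error("seteuid(%lu) failed with error: %s", ..., strerror(errno));`, and the new connect() failure branch likewise tests `errno == EACCES` only after `close(sock);`, so in both places close() may already have overwritten the errno that the diagnostic and the security check depend on; capture it first, e.g. `int saved_errno = errno; close(sock); errno = saved_errno;` ahead of the error() call and of the EACCES test. The message in the privilege-restore branch reads "setuid(0)" while the call is seteuid(0); `fatal("seteuid(0) failed with error: %s", strerror(errno));` keeps the log line searchable by the actual call. Whether the `return -1;` after that fatal() is reachable depends on fatal() returning in this tree, which the hunk does not show, so a `/* not reached if fatal() does not return */` comment would save the next reader the lookup. The opening lines of ssh_get_authentication_socket_for_uid are outside the hunk; its closing brace is the hunk's last context line.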
@@ -1,27 +0,0 @@
-diff -up pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c.seteuid pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c
---- pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c.seteuid 2010-09-08 08:54:29.000000000 +0200
-+++ pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c 2010-11-22 08:38:05.000000000 +0100
-@@ -131,13 +131,18 @@ ssh_get_authentication_socket_for_uid(ui
- }
- 
- errno = 0;
-- seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
-- above, we will temporarily drop UID to the caller */
-+ /* To ensure a race condition is not used to circumvent the stat
-+ above, we will temporarily drop UID to the caller */
-+ if (seteuid(uid) == -1) {
-+ close(sock);
-+ error("seteuid(%lu) failed", (unsigned long) uid);
-+ return -1;
-+ }
- if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
- close(sock);
-- if(errno == EACCES)
-- fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
-- return -1;
-+ sock = -1;
-+ if(errno == EACCES)
-+ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
- }
- 
- seteuid(0); /* we now continue the regularly scheduled programming */