Check seteuid return values in all cases
parent
bdb932c46a
commit
465b6e6b82
@ -115,7 +115,8 @@ Patch201: openssh-7.1p2-audit-race-condition.patch
|
|||||||
# make it build reusing the openssh sources
|
# make it build reusing the openssh sources
|
||||||
Patch300: pam_ssh_agent_auth-0.9.3-build.patch
|
Patch300: pam_ssh_agent_auth-0.9.3-build.patch
|
||||||
# check return value of seteuid()
|
# check return value of seteuid()
|
||||||
Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
|
# https://sourceforge.net/p/pamsshagentauth/bugs/23/
|
||||||
|
Patch301: pam_ssh_agent_auth-0.10.3-seteuid.patch
|
||||||
# explicitly make pam callbacks visible
|
# explicitly make pam callbacks visible
|
||||||
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
|
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
|
||||||
# update to current version of agent structure
|
# update to current version of agent structure
|
||||||
@ -403,7 +404,7 @@ The module is most useful for su and sudo service stacks.
|
|||||||
%if %{pam_ssh_agent}
|
%if %{pam_ssh_agent}
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
%patch300 -p2 -b .psaa-build
|
%patch300 -p2 -b .psaa-build
|
||||||
%patch301 -p1 -b .psaa-seteuid
|
%patch301 -p2 -b .psaa-seteuid
|
||||||
%patch302 -p2 -b .psaa-visibility
|
%patch302 -p2 -b .psaa-visibility
|
||||||
%patch306 -p2 -b .psaa-compat
|
%patch306 -p2 -b .psaa-compat
|
||||||
%patch305 -p2 -b .psaa-agent
|
%patch305 -p2 -b .psaa-agent
|
||||||
|
37
pam_ssh_agent_auth-0.10.3-seteuid.patch
Normal file
37
pam_ssh_agent_auth-0.10.3-seteuid.patch
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
||||||
|
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid 2017-02-07 15:41:53.172334151 +0100
|
||||||
|
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 15:41:53.174334149 +0100
|
||||||
|
@@ -238,17 +238,26 @@ ssh_get_authentication_socket_for_uid(ui
|
||||||
|
}
|
||||||
|
|
||||||
|
errno = 0;
|
||||||
|
- seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
|
||||||
|
- above, we will temporarily drop UID to the caller */
|
||||||
|
- if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
||||||
|
+ /* To ensure a race condition is not used to circumvent the stat
|
||||||
|
+ above, we will temporarily drop UID to the caller */
|
||||||
|
+ if (seteuid(uid) == -1) {
|
||||||
|
close(sock);
|
||||||
|
- if(errno == EACCES)
|
||||||
|
- fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
||||||
|
+ error("seteuid(%lu) failed with error: %s",
|
||||||
|
+ (unsigned long) uid, strerror(errno));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+ if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
||||||
|
+ close(sock);
|
||||||
|
+ sock = -1;
|
||||||
|
+ if(errno == EACCES)
|
||||||
|
+ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- seteuid(0); /* we now continue the regularly scheduled programming */
|
||||||
|
-
|
||||||
|
+ /* we now continue the regularly scheduled programming */
|
||||||
|
+ if (0 != seteuid(0)) {
|
||||||
|
+ fatal("setuid(0) failed with error: %s", strerror(errno));
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
return sock;
|
||||||
|
}
|
||||||
|
|
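Review bot: In the added patch both error paths read `errno` only after `close(sock)` has run, so the `strerror(errno)` text in the seteuid failure branch and the `errno == EACCES` test after a failed connect() may reflect close() rather than the call that actually failed; capture it first with `int saved_errno = errno;` right after the failing call and print or test `saved_errno`. The EACCES branch also calls fatal() while the effective uid is still the caller's, so it is worth confirming how fatal() behaves inside this PAM module (not visible here) before relying on privileges being restored. The final message says `setuid(0) failed` although the call is `seteuid(0)`, which makes the log line harder to match to the code; `fatal("seteuid(0) failed with error: %s", strerror(errno));` would be accurate, and the `return -1;` after it leaves `sock` open if fatal() ever returns. The function body starts above the hunk.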
@ -1,27 +0,0 @@
|
|||||||
diff -up pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c.seteuid pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c
|
|
||||||
--- pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c.seteuid 2010-09-08 08:54:29.000000000 +0200
|
|
||||||
+++ pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c 2010-11-22 08:38:05.000000000 +0100
|
|
||||||
@@ -131,13 +131,18 @@ ssh_get_authentication_socket_for_uid(ui
|
|
||||||
}
|
|
||||||
|
|
||||||
errno = 0;
|
|
||||||
- seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
|
|
||||||
- above, we will temporarily drop UID to the caller */
|
|
||||||
+ /* To ensure a race condition is not used to circumvent the stat
|
|
||||||
+ above, we will temporarily drop UID to the caller */
|
|
||||||
+ if (seteuid(uid) == -1) {
|
|
||||||
+ close(sock);
|
|
||||||
+ error("seteuid(%lu) failed", (unsigned long) uid);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
|
||||||
close(sock);
|
|
||||||
- if(errno == EACCES)
|
|
||||||
- fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
|
||||||
- return -1;
|
|
||||||
+ sock = -1;
|
|
||||||
+ if(errno == EACCES)
|
|
||||||
+ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
|
||||||
}
|
|
||||||
|
|
||||||
seteuid(0); /* we now continue the regularly scheduled programming */
|
|