SFTP server forced permissions should restore umask

2016-06-23 16:23:32 +02:00 · 2016-06-23 16:23:32 +02:00 · d8ffa911e3
commit d8ffa911e3
parent f22e5dcaeb
1 changed files with 29 additions and 12 deletions
--- a/openssh-6.7p1-sftp-force-permission.patch
+++ b/openssh-6.7p1-sftp-force-permission.patch
@ -1,6 +1,6 @@
-diff -up openssh-6.8p1/sftp-server.8.sftp-force-mode openssh-6.8p1/sftp-server.8
+diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
--- openssh-6.8p1/sftp-server.8.sftp-force-mode	2015-03-17 06:49:20.000000000 +0100
+--- openssh-7.2p2/sftp-server.8.sftp-force-mode	2016-03-09 19:04:48.000000000 +0100
-+++ openssh-6.8p1/sftp-server.8	2015-03-18 13:18:05.898306477 +0100
+++ openssh-7.2p2/sftp-server.8	2016-06-23 16:18:20.463854117 +0200
@@ -38,6 +38,7 @@
 .Op Fl P Ar blacklisted_requests
 .Op Fl p Ar whitelisted_requests
@ -20,10 +20,10 @@ diff -up openssh-6.8p1/sftp-server.8.sftp-force-mode openssh-6.8p1/sftp-server.8
 .El
 .Pp
 On some systems,
-diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
+diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
--- openssh-6.8p1/sftp-server.c.sftp-force-mode	2015-03-18 13:18:05.883306513 +0100
+--- openssh-7.2p2/sftp-server.c.sftp-force-mode	2016-06-23 16:18:20.446854128 +0200
-+++ openssh-6.8p1/sftp-server.c	2015-03-18 13:18:36.697232193 +0100
+++ openssh-7.2p2/sftp-server.c	2016-06-23 16:20:37.950766082 +0200
-@@ -70,6 +70,10 @@ struct sshbuf *oqueue;
+@@ -69,6 +69,10 @@ struct sshbuf *oqueue;
 /* Version of client */
 static u_int version;
@ -34,18 +34,35 @@ diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
 /* SSH2_FXP_INIT received */
 static int init_done;
-@@ -693,6 +697,10 @@ process_open(u_int32_t id)
+@@ -683,6 +687,7 @@ process_open(u_int32_t id)
 	Attrib a;
 	char *name;
 	int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
 +	mode_t old_umask;
 	if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
 	    (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
@@ -692,6 +697,10 @@ process_open(u_int32_t id)
 	debug3("request %u: open flags %d", id, pflags);
 	flags = flags_from_portable(pflags);
 	mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
 +	if (permforce == 1) {   /* Force perm if -m is set */
 +		mode = permforcemode;
-+		(void)umask(0); /* so umask does not interfere		 */
+		old_umask = umask(0); /* so umask does not interfere */
 +	}	
 	logit("open \"%s\" flags %s mode 0%o",
 	    name, string_from_portable(pflags), mode);
 	if (readonly &&
-@@ -1495,7 +1503,7 @@ sftp_server_usage(void)
+@@ -713,6 +722,8 @@ process_open(u_int32_t id)
 			}
 		}
 	}
 +	if (permforce == 1)
 +		(void) umask(old_umask); /* restore umask to something sane */
 	if (status != SSH2_FX_OK)
 		send_status(id, status);
 	free(name);
@@ -1494,7 +1505,7 @@ sftp_server_usage(void)
 	fprintf(stderr,
 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
 	    "[-l log_level]\n\t[-P blacklisted_requests] "
@ -54,7 +71,7 @@ diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
 	    "       %s -Q protocol_feature\n",
 	    __progname, __progname);
 	exit(1);
-@@ -1520,7 +1528,7 @@ sftp_server_main(int argc, char **argv,
+@@ -1520,7 +1531,7 @@ sftp_server_main(int argc, char **argv,
 	pw = pwcopy(user_pw);
 	while (!skipargs && (ch = getopt(argc, argv,
@ -63,7 +80,7 @@ diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
 		switch (ch) {
 		case 'Q':
 			if (strcasecmp(optarg, "requests") != 0) {
-@@ -1580,6 +1588,15 @@ sftp_server_main(int argc, char **argv,
+@@ -1580,6 +1591,15 @@ sftp_server_main(int argc, char **argv,
 				fatal("Invalid umask \"%s\"", optarg);
 			(void)umask((mode_t)mask);
 			break;