diff options
| author | Damien Miller <djm@mindrot.org> | 2002-09-12 09:51:10 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2002-09-12 09:51:10 +1000 |
| commit | 538f1819d8fb22c7e3b3a5ee99c406f296c86335 (patch) | |
| tree | 5a233c3a4ba0ee117ea0648e48c3bb293ed277ad | |
| parent | a10f56151b24ce677c2c93440d723597410229d5 (diff) | |
| download | openssh-git-538f1819d8fb22c7e3b3a5ee99c406f296c86335.tar.gz | |
- markus@cvs.openbsd.org 2002/09/10 20:24:47
[ssh-agent.c]
check the euid of the connecting process with getpeereid(2);
ok provos deraadt stevesk
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | ssh-agent.c | 17 |
2 files changed, 21 insertions, 2 deletions
@@ -11,6 +11,10 @@ - markus@cvs.openbsd.org 2002/09/09 14:54:15 [channels.c kex.h key.c monitor.c monitor_wrap.c radix.c uuencode.c] signed vs unsigned from -pedantic; ok henning@ + - markus@cvs.openbsd.org 2002/09/10 20:24:47 + [ssh-agent.c] + check the euid of the connecting process with getpeereid(2); + ok provos deraadt stevesk 20020911 - (djm) Sync openbsd-compat with OpenBSD -current @@ -1631,4 +1635,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2454 2002/09/11 23:49:15 djm Exp $ +$Id: ChangeLog,v 1.2455 2002/09/11 23:51:10 djm Exp $ diff --git a/ssh-agent.c b/ssh-agent.c index 0bfef4dc..312f2269 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/fake-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.102 2002/08/22 20:57:19 stevesk Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.103 2002/09/10 20:24:47 markus Exp $"); #include <openssl/evp.h> #include <openssl/md5.h> @@ -810,6 +810,8 @@ after_select(fd_set *readset, fd_set *writeset) char buf[1024]; int len, sock; u_int i; + uid_t euid; + gid_t egid; for (i = 0; i < sockets_alloc; i++) switch (sockets[i].type) { @@ -825,6 +827,19 @@ after_select(fd_set *readset, fd_set *writeset) strerror(errno)); break; } + if (getpeereid(sock, &euid, &egid) < 0) { + error("getpeereid %d failed: %s", + sock, strerror(errno)); + close(sock); + break; + } + if (getuid() != euid) { + error("uid mismatch: " + "peer euid %d != uid %d", + (int) euid, (int) getuid()); + close(sock); + break; + } new_socket(AUTH_CONNECTION, sock); } break; |