authordjm <djm>2004-04-20 10:11:57 +0000
committerdjm <djm>2004-04-20 10:11:57 +0000
commit8e6fd52ce623c53298928669caa6d8b4149906c5 (patch)
treea8d0fc9f21958023f933e61cee4cc39f9c6fdd25
parent6706e4957b14120e88b022ef81a900f11a3d0808 (diff)
- djm@cvs.openbsd.org 2004/04/18 23:10:26
[readconf.c readconf.h ssh-keysign.c ssh.c] perform strict ownership and modes checks for ~/.ssh/config files, as these can be used to execute arbitrary programs; ok markus@ NB. ssh will now exit when it detects a config with poor permissions
-rw-r--r--ChangeLog7
-rw-r--r--readconf.c23
-rw-r--r--readconf.h4
-rw-r--r--ssh-keysign.c4
-rw-r--r--ssh.c9
5 files changed, 34 insertions, 13 deletions
diff --git a/ChangeLog b/ChangeLog
index 2a299a1c..a06931c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
[sshconnect2.c]
swap the last two parameters to TAILQ_FOREACH_REVERSE. matches what FreeBSD and NetBSD do.
ok millert@ mcbride@ markus@ ho@, checked to not affect ports by naddy@
+ - djm@cvs.openbsd.org 2004/04/18 23:10:26
+ [readconf.c readconf.h ssh-keysign.c ssh.c]
+ perform strict ownership and modes checks for ~/.ssh/config files,
+ as these can be used to execute arbitrary programs; ok markus@
+ NB. ssh will now exit when it detects a config with poor permissions
- (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD, needed for above change
20040419
@@ -1009,4 +1014,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3323 2004/04/20 10:10:46 djm Exp $
+$Id: ChangeLog,v 1.3324 2004/04/20 10:11:57 djm Exp $
diff --git a/readconf.c b/readconf.c
index ce0d1f75..096d1a71 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.128 2004/03/05 10:53:58 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.129 2004/04/18 23:10:26 djm Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -779,7 +779,8 @@ parse_int:
*/
int
-read_config_file(const char *filename, const char *host, Options *options)
+read_config_file(const char *filename, const char *host, Options *options,
+ int checkperm)
{
FILE *f;
char line[1024];
@@ -787,10 +788,24 @@ read_config_file(const char *filename, const char *host, Options *options)
int bad_options = 0;
/* Open the file. */
- f = fopen(filename, "r");
- if (!f)
+ if ((f = fopen(filename, "r")) == NULL)
return 0;
+ if (checkperm) {
+ struct stat sb;
+
+ if (fstat(fileno(f), &sb) == -1) {
+ fatal("fstat %s: %s", filename, strerror(errno));
+ fclose(f);
+ return (0);
+ }
+ if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
+ (sb.st_mode & 022) != 0)) {
+ fatal("Bad owner or permissions on %s", filename);
+ return 0;
+ }
+ }
+
debug("Reading configuration data %.200s", filename);
/*
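Review bot: The statements that follow each `fatal()` call in the new `checkperm` block look unreachable, since the commit message says ssh now exits when it detects a badly-permissioned config. That makes `fclose(f); return (0);` after the fstat failure and `return 0;` after the owner/mode test dead code. The two paths also disagree: the second would leave `f` open if `fatal()` ever did return, so either drop the trailing statements or make both close the stream. Separately, the single message `Bad owner or permissions on %s` does not say which test failed; reporting the uid test and the `(sb.st_mode & 022)` test separately would tell the user whether to chown or chmod. The body of read_config_file continues outside the hunk.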
diff --git a/readconf.h b/readconf.h
index 93d833ce..9d70fee6 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.60 2004/03/05 10:53:58 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.61 2004/04/18 23:10:26 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -108,7 +108,7 @@ typedef struct {
void initialize_options(Options *);
void fill_default_options(Options *);
-int read_config_file(const char *, const char *, Options *);
+int read_config_file(const char *, const char *, Options *, int);
int
process_config_line(Options *, const char *, char *, const char *, int, int *);
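Review bot: The new fourth parameter is a bare `int` in the prototype, so the `0` and `1` passed at the call sites in ssh.c and ssh-keysign.c carry no meaning for a reader. A one-line comment above the declaration would help, for example `/* last arg non-zero: fatal() unless the file is owned by root or the caller and is not group/world-writable */`. As far as the readconf.c hunk shows, the comment block above the definition is not updated either, so the same sentence belongs there.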
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 9e9ebe2f..e642948a 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,7 +22,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.15 2004/01/19 21:25:15 markus Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.16 2004/04/18 23:10:26 djm Exp $");
#include <openssl/evp.h>
#include <openssl/rand.h>
@@ -168,7 +168,7 @@ main(int argc, char **argv)
/* verify that ssh-keysign is enabled by the admin */
original_real_uid = getuid(); /* XXX readconf.c needs this */
initialize_options(&options);
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0);
fill_default_options(&options);
if (options.enable_ssh_keysign != 1)
fatal("ssh-keysign not enabled in %s",
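Review bot: The system config that gates `options.enable_ssh_keysign` is read here with `checkperm` set to 0, so this helper trusts the file whatever its owner or mode. The check added in readconf.c accepts files owned by uid 0, so passing 1 would presumably still accept a correctly installed system file while refusing a group- or world-writable one. It would also accept a file owned by the invoking user (`sb.st_uid != getuid()`), so a root-only test may be the better fit for this caller. If 0 is deliberate, a short comment saying why would help. main() starts and ends outside the hunk.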
diff --git a/ssh.c b/ssh.c
index e655e68d..53d7f0f5 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.209 2004/03/11 10:21:17 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.210 2004/04/18 23:10:26 djm Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -526,16 +526,17 @@ again:
* file if the user specifies a config file on the command line.
*/
if (config != NULL) {
- if (!read_config_file(config, host, &options))
+ if (!read_config_file(config, host, &options, 0), 0)
fatal("Can't open user config file %.100s: "
"%.100s", config, strerror(errno));
} else {
snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
_PATH_SSH_USER_CONFFILE);
- (void)read_config_file(buf, host, &options);
+ (void)read_config_file(buf, host, &options, 1);
/* Read systemwide configuration file after use config. */
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, &options);
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
+ &options, 0);
}
/* Fill configuration defaults. */
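Review bot: The condition on the command-line config path, `if (!read_config_file(config, host, &options, 0), 0)`, has a stray `, 0` outside the call's parentheses, which turns it into a comma expression whose value is always 0. The `fatal("Can't open user config file ...")` branch can therefore never run, and a config file named on the command line that cannot be opened is silently ignored instead of stopping ssh. The line should read `if (!read_config_file(config, host, &options, 0))`. The enclosing function starts and ends outside the hunk.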