
Contents of /devel/openssh/pam_ssh_agent_auth-0.9-build.patch



Revision 1.1 - (show annotations) (download) (as text)
Mon Oct 19 07:32:33 2009 UTC (5 weeks, 1 day ago) by tmraz
Branch: MAIN
CVS Tags: openssh-5_3p1-10_fc13, openssh-5_3p1-4_fc13, openssh-5_3p1-5_fc13, openssh-5_3p1-6_fc13, openssh-5_3p1-9_fc13, openssh-5_3p1-7_fc13, openssh-5_3p1-8_fc13, HEAD
File MIME type: text/x-patch
* Mon Oct 19 2009 Tomas Mraz <tmraz@redhat.com> - 5.3p1-4
- Add pam_ssh_agent_auth module to a subpackage.
1 diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c
2 --- pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build 2009-08-08 11:51:04.000000000 +0200
3 +++ pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c 2009-10-16 15:20:55.000000000 +0200
4 @@ -41,7 +41,16 @@
5 #include "buffer.h"
6 #include "key.h"
7 #include "authfd.h"
8 +#include "ssh.h"
9 #include <stdio.h>
10 +#include <sys/types.h>
11 +#include <sys/stat.h>
12 +#include <sys/socket.h>
13 +#include <sys/un.h>
14 +#include <unistd.h>
15 +#include <stdlib.h>
16 +#include <errno.h>
17 +#include <fcntl.h>
18 #include <openssl/evp.h>
19
20 #include "userauth_pubkey_from_id.h"
21 @@ -73,6 +82,96 @@ session_id2_gen()
22 return cookie;
23 }
24
25 +/*
26 + * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user
27 + * A cursory check is done, but to avoid race conditions, it is necessary
28 + * to drop effective UID when connecting to the socket.
29 + *
30 + * If the cause of error is EACCES, because we verified we would not have that
31 + * problem initially, we can safely assume that somebody is attempting to find a
32 + * race condition; so a more "direct" log message is generated.
33 + */
34 +
35 +int
36 +ssh_get_authentication_socket_for_uid(uid_t uid)
37 +{
38 + const char *authsocket;
39 + int sock;
40 + struct sockaddr_un sunaddr;
41 + struct stat sock_st;
42 +
43 + authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
44 + if (!authsocket)
45 + return -1;
46 +
47 + /* Advisory only; seteuid ensures no race condition; but will only log if we see EACCES */
48 + if( stat(authsocket,&sock_st) == 0) {
49 + if(uid != 0 && sock_st.st_uid != uid) {
50 + fatal("uid %lu attempted to open an agent socket owned by uid %lu", (unsigned long) uid, (unsigned long) sock_st.st_uid);
51 + return -1;
52 + }
53 + }
54 +
55 + /*
56 + * Ensures that the EACCES tested for below can _only_ happen if somebody
57 + * is attempting to race the stat above to bypass authentication.
58 + */
59 + if( (sock_st.st_mode & S_IWUSR) != S_IWUSR || (sock_st.st_mode & S_IRUSR) != S_IRUSR) {
60 + error("ssh-agent socket has incorrect permissions for owner");
61 + return -1;
62 + }
63 +
64 + sunaddr.sun_family = AF_UNIX;
65 + strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
66 +
67 + sock = socket(AF_UNIX, SOCK_STREAM, 0);
68 + if (sock < 0)
69 + return -1;
70 +
71 + /* close on exec */
72 + if (fcntl(sock, F_SETFD, 1) == -1) {
73 + close(sock);
74 + return -1;
75 + }
76 +
77 + errno = 0;
78 + seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
79 + above, we will temporarily drop UID to the caller */
80 + if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
81 + close(sock);
82 + if(errno == EACCES)
83 + fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
84 + return -1;
85 + }
86 +
87 + seteuid(0); /* we now continue the regularly scheduled programming */
88 +
89 + return sock;
90 +}
91 +
92 +AuthenticationConnection *
93 +ssh_get_authentication_connection_for_uid(uid_t uid)
94 +{
95 + AuthenticationConnection *auth;
96 + int sock;
97 +
98 + sock = ssh_get_authentication_socket_for_uid(uid);
99 +
100 + /*
101 + * Fail if we couldn't obtain a connection. This happens if we
102 + * exited due to a timeout.
103 + */
104 + if (sock < 0)
105 + return NULL;
106 +
107 + auth = xmalloc(sizeof(*auth));
108 + auth->fd = sock;
109 + buffer_init(&auth->identities);
110 + auth->howmany = 0;
111 +
112 + return auth;
113 +}
114 +
115 int
116 find_authorized_keys(uid_t uid)
117 {
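Review bot: In `ssh_get_authentication_socket_for_uid` the result of `seteuid(uid)` is never checked, so if the drop fails `connect()` runs with the original privileges and the race protection described in the header comment no longer holds; the failure path then returns -1 before `seteuid(0)`, leaving the host process at the dropped effective UID. When `stat()` fails, `sock_st` is left unset yet the permission test that follows still reads `sock_st.st_mode`, so that case should return -1 instead of falling through. `close(sock)` is called before `errno == EACCES` is tested and may overwrite `errno`, and the `strlcpy` into `sun_path` silently truncates an over-long `SSH_AUTHSOCKET_ENV_NAME` value to a different path. The sketch below saves the effective UID, checks both `seteuid` calls, restores before every return and rejects truncation; I would also add a comment on the `uid != 0` exemption in the owner check, whose intent is not stated.

```c
	/* … unchanged: declarations, getenv() lookup … */
	uid_t saved_euid = geteuid();
	int rc, saved_errno;

	/* A failed stat() leaves sock_st unset; do not test it. */
	if (stat(authsocket, &sock_st) != 0)
		return -1;
	/* … unchanged: owner and S_IRUSR/S_IWUSR checks … */

	/* Reject a path that does not fit instead of truncating it. */
	if (strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)) >=
	    sizeof(sunaddr.sun_path))
		return -1;
	/* … unchanged: socket(), close-on-exec … */

	if (seteuid(uid) != 0) {
		close(sock);
		return -1;
	}
	rc = connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr);
	saved_errno = errno;	/* close() and seteuid() may overwrite errno */
	if (seteuid(saved_euid) != 0)
		fatal("could not restore effective uid %lu", (unsigned long) saved_euid);
	if (rc < 0) {
		close(sock);
		/* … unchanged: fatal() on EACCES, now testing saved_errno … */
		return -1;
	}
	return sock;
```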
118 @@ -85,7 +184,7 @@ find_authorized_keys(uid_t uid)
119 OpenSSL_add_all_digests();
120 session_id2 = session_id2_gen();
121
122 - if ((ac = ssh_get_authentication_connection(uid))) {
123 + if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
124 verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);
125 for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
126 {
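Review bot: `getpwuid(uid)->pw_name` in the `verbose()` call directly after the changed line dereferences the lookup result without a NULL check, so a uid with no passwd entry would crash the process hosting the PAM module; the same pattern appears as `getpwnam(user)->pw_uid` in the pam_user_authorized_keys.c hunk. Look the entry up once and guard it, e.g. `struct passwd *pw = getpwuid(uid);` and then pass `pw ? pw->pw_name : "(unknown)"` to the log call. `find_authorized_keys` starts and ends outside this hunk.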
127 @@ -113,3 +212,4 @@ find_authorized_keys(uid_t uid)
128 EVP_cleanup();
129 return retval;
130 }
131 +
132 diff -up pam_ssh_agent_auth-0.9/Makefile.in.psaa-build pam_ssh_agent_auth-0.9/Makefile.in
133 --- pam_ssh_agent_auth-0.9/Makefile.in.psaa-build 2009-08-06 07:40:16.000000000 +0200
134 +++ pam_ssh_agent_auth-0.9/Makefile.in 2009-10-16 15:20:55.000000000 +0200
135 @@ -28,7 +28,7 @@ PATHS=
136 CC=@CC@
137 LD=@LD@
138 CFLAGS=@CFLAGS@
139 -CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
140 +CPPFLAGS=-I.. -I$(srcdir) -I/usr/include/nss3 -I/usr/include/nspr4 @CPPFLAGS@ $(PATHS) @DEFS@
141 LIBS=@LIBS@
142 AR=@AR@
143 AWK=@AWK@
144 @@ -37,7 +37,7 @@ INSTALL=@INSTALL@
145 PERL=@PERL@
146 SED=@SED@
147 ENT=@ENT@
148 -LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
149 +LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
150 LDFLAGS_SHARED = @LDFLAGS_SHARED@
151 EXEEXT=@EXEEXT@
152
153 @@ -48,7 +48,7 @@ PAM_MODULES=pam_ssh_agent_auth.so
154
155 SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o
156
157 -PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o
158 +PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o secure_filename.o
159
160
161 MANPAGES_IN = pam_ssh_agent_auth.pod
162 @@ -67,13 +67,13 @@ $(PAM_MODULES): Makefile.in config.h
163 .c.o:
164 $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
165
166 -LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
167 +LIBCOMPAT=../openbsd-compat/libopenbsd-compat.a
168 $(LIBCOMPAT): always
169 (cd openbsd-compat && $(MAKE))
170 always:
171
172 -pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
173 - $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat $(LIBS) -lpam pam_ssh_agent_auth.o
174 +pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
175 + $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -lpam -lnss3 pam_ssh_agent_auth.o
176
177 $(MANPAGES): $(MANPAGES_IN)
178 pod2man --section=8 --release=v0.8 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
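Review bot: The `$(LIBCOMPAT)` rule is left inconsistent: the variable now points at `../openbsd-compat/libopenbsd-compat.a`, but its recipe still runs `(cd openbsd-compat && $(MAKE))`, and `pam_ssh_agent_auth.so` no longer lists `$(LIBCOMPAT)` or anything for `-lssh` as a prerequisite. As written the module is relinked only when its own objects change, so it can end up linked against whatever library builds are present in `..` at that moment. Either drop the dead rule or change its recipe to `(cd ../openbsd-compat && $(MAKE))` and put `$(LIBCOMPAT)` back on the prerequisite list. The hard-coded `-I/usr/include/nss3 -I/usr/include/nspr4` in the first Makefile.in hunk would be better taken from configure output.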
179 diff -up pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c
180 --- pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build 2009-07-29 02:46:38.000000000 +0200
181 +++ pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c 2009-10-16 15:50:36.000000000 +0200
182 @@ -94,7 +94,7 @@ parse_authorized_key_file(const char *us
183 /*
184 * temporary copy, so that both tilde expansion and percent expansion both get to apply to the path
185 */
186 - strncat(auth_keys_file_buf, authorized_keys_file_input, 4096);
187 + strncat(auth_keys_file_buf, authorized_keys_file_input, sizeof(auth_keys_file_buf)-1);
188
189 if(allow_user_owned_authorized_keys_file)
190 authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;
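Review bot: The new bound `sizeof(auth_keys_file_buf)-1` is only correct if `auth_keys_file_buf` is an array that is empty at this point, because `strncat` takes the maximum number of bytes to append, not the total buffer size; the declaration and initialisation are outside this hunk, so that cannot be confirmed here. A truncated result would also go unnoticed even though this path selects the file used for authorization. Since the tree already uses `strlcpy`, prefer `if (strlcat(auth_keys_file_buf, authorized_keys_file_input, sizeof(auth_keys_file_buf)) >= sizeof(auth_keys_file_buf))` followed by an error return, which accounts for existing content and reports truncation. `parse_authorized_key_file` begins and ends outside the hunk.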
