rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone

Blame SOURCES/pam_ssh_agent_auth-0.10.3-seteuid.patch

3e8b5b
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
3e8b5b
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid	2017-02-07 15:41:53.172334151 +0100
3e8b5b
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c	2017-02-07 15:41:53.174334149 +0100
3e8b5b
@@ -238,17 +238,26 @@ ssh_get_authentication_socket_for_uid(ui
3e8b5b
 	}
3e8b5b
 
3e8b5b
 	errno = 0; 
3e8b5b
-	seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
3e8b5b
-	             above, we will temporarily drop UID to the caller */
3e8b5b
-	if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
3e8b5b
+	/* To ensure a race condition is not used to circumvent the stat
3e8b5b
+	   above, we will temporarily drop UID to the caller */
3e8b5b
+	if (seteuid(uid) == -1) {
3e8b5b
 		close(sock);
3e8b5b
-        if(errno == EACCES)
3e8b5b
-		fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
3e8b5b
+		error("seteuid(%lu) failed with error: %s",
3e8b5b
+		    (unsigned long) uid, strerror(errno));
3e8b5b
 		return -1;
3e8b5b
 	}
3e8b5b
+	if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
3e8b5b
+		close(sock);
3e8b5b
+		sock = -1;
3e8b5b
+		if(errno == EACCES)
3e8b5b
+			fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
3e8b5b
+	}
3e8b5b
 
3e8b5b
-	seteuid(0); /* we now continue the regularly scheduled programming */
3e8b5b
-
3e8b5b
+	/* we now continue the regularly scheduled programming */
3e8b5b
+	if (0 != seteuid(0)) {
3e8b5b
+		fatal("setuid(0) failed with error: %s", strerror(errno));
3e8b5b
+		return -1;
3e8b5b
+	}
3e8b5b
 	return sock;
3e8b5b
 }
3e8b5b