openssh unix dev - Sep 2003 - OpenSSH 3.7p1, PrivSep, and Tru64 broken (sorry)

Well, I had just finally gotten around to downloading a snapshot to test
the latest on Tru64 a couple of days ago but hadn't had a chance to
build it yet, and 3.7p1 has now been released.  Sigh.

The problem is that Tru64 setreuid() and setregid() are broken, so
privsep doesn't work.

This could also be a security problem for SIA authentication in general
(any version of OpenSSH on Tru64, using PrivSep or not), as I wrote
auth-sia.c to use setreuid() (per the Tru64 SIA documentation), so the
saved UID carries forward there.

Patch below.  It includes a patch to configure (so it is vs. the
distributed .tar.gz file), so if applying to CVS, leave that part out.
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


diff -urN openssh-3.7p1-dist/auth-sia.c openssh-3.7p1/auth-sia.c
--- openssh-3.7p1-dist/auth-sia.c	Mon Jun  2 19:25:48 2003
+++ openssh-3.7p1/auth-sia.c	Tue Sep 16 14:02:56 2003
@@ -80,6 +80,7 @@
 {
 	SIAENTITY *ent = NULL;
 	const char *host;
+	uid_t uid;
 
 	host = get_canonical_hostname(options.use_dns);
 
@@ -103,8 +104,11 @@
 	
 	sia_ses_release(&ent);
 
-	if (setreuid(geteuid(), geteuid()) < 0)
-		fatal("setreuid: %s", strerror(errno));
+	uid = geteuid();
+	if (setuid(0) < 0)
+		fatal("setuid: %s", strerror(errno));
+	if (setuid(uid) < 0)
+		fatal("setuid: %s", strerror(errno));
 }
 
 #endif /* HAVE_OSF_SIA */
diff -urN openssh-3.7p1-dist/configure openssh-3.7p1/configure
--- openssh-3.7p1-dist/configure	Tue Sep 16 01:19:17 2003
+++ openssh-3.7p1/configure	Tue Sep 16 14:11:31 2003
@@ -4532,6 +4532,18 @@
 EOF
 
 			cat >>confdefs.h <<\EOF
+#define SETEUID_BREAKS_SETUID 1
+EOF
+
+			cat >>confdefs.h <<\EOF
+#define BROKEN_SETREGID 1
+EOF
+
+			cat >>confdefs.h <<\EOF
+#define BROKEN_SETREUID 1
+EOF
+
+			cat >>confdefs.h <<\EOF
 #define DISABLE_LOGIN 1
 EOF
 
diff -urN openssh-3.7p1-dist/configure.ac openssh-3.7p1/configure.ac
--- openssh-3.7p1-dist/configure.ac	Tue Sep 16 00:48:15 2003
+++ openssh-3.7p1/configure.ac	Tue Sep 16 14:03:51 2003
@@ -395,6 +395,9 @@
 	fi
 	AC_DEFINE(DISABLE_FD_PASSING)
 	AC_DEFINE(BROKEN_GETADDRINFO)
+	AC_DEFINE(SETEUID_BREAKS_SETUID)
+	AC_DEFINE(BROKEN_SETREUID)
+	AC_DEFINE(BROKEN_SETREGID)
 	AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
 	;;

Chris Adams wrote:
> This could also be a security problem for SIA authentication in general
> (any version of OpenSSH on Tru64, using PrivSep or not), as I wrote
> auth-sia.c to use setreuid() (per the Tru64 SIA documentation), so the
> saved UID carries forward there.
[snip]
(patch to auth-sia.c)
> -       if (setreuid(geteuid(), geteuid()) < 0)
> -               fatal("setreuid: %s", strerror(errno));
> +       uid = geteuid();
> +       if (setuid(0) < 0)
> +               fatal("setuid: %s", strerror(errno));
> +       if (setuid(uid) < 0)
> +               fatal("setuid: %s", strerror(errno));
Any reason not to use permanently_set_uid() here?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.