Corinna Vinschen
2002-Jul-04 09:27 UTC
[PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT
Hi,

I've sent that patch once already but it seems more or less forgotten in the tumultuous days of the latest vulnerability.

It adds a new define NO_IPPORT_RESERVED_CONCEPT which can be defined on platforms not supporting the concept of "privileged" ports only accessible by privileged users but which allow everyone to use these ports.

This patch removes some Cygwin dependencies from the code.

Otherwise, if this patch isn't applied, we definitely need another #ifndef HAVE_CYGWIN in serverloop.c otherwise serverside port forwarding for reserved ports doesn't work in Cygwin's 3.4 version. The official Cygwin release of 3.4 contains that additional HAVE_CYGWIN patch so far.

Corinna

Index: acconfig.h ==================================================================RCS file: /cvs/openssh_cvs/acconfig.h,v retrieving revision 1.141 diff -u -p -r1.141 acconfig.h --- acconfig.h 25 Jun 2002 22:35:16 -0000 1.141 +++ acconfig.h 4 Jul 2002 09:13:29 -0000 @@ -310,6 +310,9 @@ /* Define if X11 doesn't support AF_UNIX sockets on that system */ #undef NO_X11_UNIX_SOCKETS +/* Define if the concept of ports only accessible to superusers isn't known */ +#undef NO_IPPORT_RESERVED_CONCEPT + /* Needed for SCO and NeXT */ #undef BROKEN_SAVED_UIDS Index: configure.ac ==================================================================RCS file: /cvs/openssh_cvs/configure.ac,v retrieving revision 1.73 diff -u -p -r1.73 configure.ac --- configure.ac 28 Jun 2002 00:37:33 -0000 1.73 +++ configure.ac 4 Jul 2002 09:13:30 -0000 
@@ -86,6 +86,7 @@ case "$host" in AC_DEFINE(IPV4_DEFAULT) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(NO_X11_UNIX_SOCKETS) + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) AC_DEFINE(BROKEN_FD_PASSING) AC_DEFINE(SETGROUPS_NOOP) ;; Index: readconf.c ==================================================================RCS file: /cvs/openssh_cvs/readconf.c,v retrieving revision 1.75 diff -u -p -r1.75 readconf.c --- readconf.c 21 Jun 2002 00:41:52 -0000 1.75 +++ readconf.c 4 Jul 2002 09:13:31 -0000 @@ -199,7 +199,7 @@ add_local_forward(Options *options, u_sh u_short host_port) { Forward *fwd; -#ifndef HAVE_CYGWIN +#ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); Index: serverloop.c ==================================================================RCS file: /cvs/openssh_cvs/serverloop.c,v retrieving revision 1.102 diff -u -p -r1.102 serverloop.c --- serverloop.c 25 Jun 2002 23:17:37 -0000 1.102 +++ serverloop.c 4 Jul 2002 09:13:34 -0000 @@ -972,8 +972,11 @@ server_input_global_request(int type, u_ /* check permissions */ if (!options.allow_tcp_forwarding || - no_port_forwarding_flag || - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { + no_port_forwarding_flag +#ifndef NO_IPPORT_RESERVED_CONCEPT + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) +#endif + ) { success = 0; packet_send_debug("Server has disabled port forwarding."); } else {

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
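Review bot: in the acconfig.h hunk, the comment on NO_IPPORT_RESERVED_CONCEPT says only that the concept "isn't known", which does not tell a porter what defining it changes. The readconf.c and serverloop.c hunks show that it compiles out both uid 0 checks on ports below IPPORT_RESERVED, so the comment should say that directly, for example "Define if unprivileged users may bind ports below IPPORT_RESERVED; disables the root-only checks for port forwarding".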
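Review bot: in the configure.ac hunk, AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) is set by host pattern inside the case "$host" branch, so the check is compiled out of every build for that host with no way to keep it. That matches how the neighbouring defines such as NO_X11_UNIX_SOCKETS and SETGROUPS_NOOP are handled, but this one relaxes an access check rather than working around a missing feature, so a short comment in this branch saying why the platform needs it would help later reviewers.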
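Review bot: in the readconf.c hunk, the guard in add_local_forward is renamed but the context ends at the fatal() call and does not show the matching #endif, so please confirm the block still encloses only the original_real_uid declaration and the check. Since the macro now describes a platform property instead of naming Cygwin, it is also worth checking that no other IPPORT_RESERVED comparison in the tree is left outside this guard; the patch as posted touches only this site and the one in serverloop.c.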
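Review bot: in the serverloop.c hunk, the #ifndef is spliced into the middle of the if condition in server_input_global_request, leaving `no_port_forwarding_flag` with no trailing operator and a lone `) {` after the #endif, which is hard to read and easy to break in a later edit of a permission check. Consider evaluating the reserved-port test before the if, for example into a local int that stays 0 when NO_IPPORT_RESERVED_CONCEPT is defined, so the condition remains one plain expression. With the macro defined, allow_tcp_forwarding and no_port_forwarding_flag are the only gates left on a request for a listen_port below IPPORT_RESERVED, and the packet_send_debug text "Server has disabled port forwarding." is the same whichever test failed, so a refused reserved port cannot be told apart from forwarding being disabled.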
Corinna Vinschen
2002-Jul-09 13:00 UTC
[PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT
Hi,

may I ask what's about this one? As I said, if it's unacceptable to use something like NO_IPPORT_RESERVED_CONCEPT, we need at least a HAVE_CYGWIN in serverloop.c which is currently missing.

Corinna

On Thu, Jul 04, 2002 at 11:27:10AM +0200, Corinna Vinschen wrote:
> Hi,
>
> I've sent that patch once already but it seems more or less forgotten
> in the tumultuous days of the latest vulnerability.
>
> It adds a new define NO_IPPORT_RESERVED_CONCEPT which can be defined
> on platforms not supporting the concept of "privileged" ports only
> accessible by privileged users but which allow everyone to use these
> ports.
>
> This patch removes some Cygwin dependencies from the code.
>
> Otherwise, if this patch isn't applied, we definitely need another
> #ifndef HAVE_CYGWIN in serverloop.c otherwise serverside port forwarding
> for reserved ports doesn't work in Cygwin's 3.4 version. The official
> Cygwin release of 3.4 contains that additional HAVE_CYGWIN patch so far.
>
> Corinna
>
>
> Index: acconfig.h > ==================================================================> RCS file: /cvs/openssh_cvs/acconfig.h,v > retrieving revision 1.141 > diff -u -p -r1.141 acconfig.h > --- acconfig.h 25 Jun 2002 22:35:16 -0000 1.141 > +++ acconfig.h 4 Jul 2002 09:13:29 -0000 > @@ -310,6 +310,9 @@ > /* Define if X11 doesn't support AF_UNIX sockets on that system */ > #undef NO_X11_UNIX_SOCKETS > > +/* Define if the concept of ports only accessible to superusers isn't known */ > +#undef NO_IPPORT_RESERVED_CONCEPT > + > /* Needed for SCO and NeXT */ > #undef BROKEN_SAVED_UIDS > > Index: configure.ac > ==================================================================> RCS file: /cvs/openssh_cvs/configure.ac,v > retrieving revision 1.73 > diff -u -p -r1.73 configure.ac > --- configure.ac 28 Jun 2002 00:37:33 -0000 1.73 > +++ configure.ac 4 Jul 2002 09:13:30 -0000 
> @@ -86,6 +86,7 @@ case "$host" in > AC_DEFINE(IPV4_DEFAULT) > AC_DEFINE(IP_TOS_IS_BROKEN) > AC_DEFINE(NO_X11_UNIX_SOCKETS) > + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) > AC_DEFINE(BROKEN_FD_PASSING) > AC_DEFINE(SETGROUPS_NOOP) > ;; > Index: readconf.c > ==================================================================> RCS file: /cvs/openssh_cvs/readconf.c,v > retrieving revision 1.75 > diff -u -p -r1.75 readconf.c > --- readconf.c 21 Jun 2002 00:41:52 -0000 1.75 > +++ readconf.c 4 Jul 2002 09:13:31 -0000 > @@ -199,7 +199,7 @@ add_local_forward(Options *options, u_sh > u_short host_port) > { > Forward *fwd; > -#ifndef HAVE_CYGWIN > +#ifndef NO_IPPORT_RESERVED_CONCEPT > extern uid_t original_real_uid; > if (port < IPPORT_RESERVED && original_real_uid != 0) > fatal("Privileged ports can only be forwarded by root."); > Index: serverloop.c > ==================================================================> RCS file: /cvs/openssh_cvs/serverloop.c,v > retrieving revision 1.102 > diff -u -p -r1.102 serverloop.c > --- serverloop.c 25 Jun 2002 23:17:37 -0000 1.102 > +++ serverloop.c 4 Jul 2002 09:13:34 -0000 > @@ -972,8 +972,11 @@ server_input_global_request(int type, u_ > > /* check permissions */ > if (!options.allow_tcp_forwarding || > - no_port_forwarding_flag || > - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { > + no_port_forwarding_flag > +#ifndef NO_IPPORT_RESERVED_CONCEPT > + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) > +#endif > + ) { > success = 0; > packet_send_debug("Server has disabled port forwarding."); > } else {
>
> --
> Corinna Vinschen
> Cygwin Developer
> Red Hat, Inc.
> mailto:vinschen at redhat.com

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com