search for: 100s

...AX_MATCH_GROUPS]; struct passwd *pw; + char* notstr = not ? "!" : ""; /* * Even if we do not have a user yet, we still need to check for @@ -529,12 +537,12 @@ } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { debug("Can't Match group because user %.100s not in any group " "at line %d", user, line); - } else if (ga_match(grplist, ngrps) != 1) { - debug("user %.100s does not match group %.100s at line %d", - user, arg, line); + } else if (ga_match(grplist, ngrps) == not) { + debug("user %.100s does not mat...

...ged = 1; - temporarily_use_uid_effective = 1; + /* Save the current euid, and egroups. */ +#ifdef SAVED_IDS_WORK_WITH_SETEUID + saved_euid = geteuid(); saved_egid = getegid(); - saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups); - if (saved_egroupslen < 0) - fatal("getgroups: %.100s", strerror(errno)); - - /* set and save the user's groups */ - if (user_groupslen == -1) { - if (initgroups(pw->pw_name, pw->pw_gid) < 0) - fatal("initgroups: %s: %.100s", pw->pw_name, - strerror(errno)); - user_groupslen = getgroups(NGROUPS_MAX, user_...

...empty and user isn't listed there */ if (options.num_allow_users > 0) { --- 68,92 ---- shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; /* deny if shell does not exists or is not executable */ ! if (stat(shell, &st) != 0) { ! log("User %.100s not allowed because shell %.100s does not exist", ! pw->pw_name, shell); return 0; ! } ! if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) { ! log("User %.100s not allowed because shell %.100s is not executable", ! pw->pw_n...

...to fix this problem? I also found what I believe might be a bug in uidswap.c at line 88. It used to look like: ----- #ifndef SAVED_IDS_WORK_WITH_SETEUID /* Propagate the privileged gid to all of our gids. */ if (setgid(getegid()) < 0) debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno)); /* Propagate the privileged uid to all of our uids. */ if (setuid(geteuid()) < 0) debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno)); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ if (setegid(pw-...

...", original_real_uid); + fatal("User id %lu not found from user database.", (long)original_real_uid); local_user = xstrdup(pw->pw_name); server_user = options.user ? options.user : local_user; Index: sshd.c @@ -1053,7 +1053,7 @@ if (pid < 0) error("fork: %.100s", strerror(errno)); else - debug("Forked child %d.", pid); + debug("Forked child %ld.", (long)pid); close(startup_p[1]); Index: sshpty.c @@ -318,12 +318,12 @@ if (st.st_uid != pw->pw_uid || st.st_gid != gid) { if (chown(ttyname, pw->pw_uid, gi...

...um_allow_users > 0) { for (i = 0; i < options.num_allow_users; i++) if (match_user(pw->pw_name, hostname, ipaddr, options.allow_users[i])) - break; - /* i < options.num_allow_users iff we break for loop */ - if (i >= options.num_allow_users) { - log("User %.100s not allowed because not listed in AllowUsers", + goto success; + + if (options.num_deny_groups == 0 && + options.num_allow_groups == 0) { + log("User %.100s not allowed because not in AllowUsers", pw->pw_name); return 0; } @@ -136,20 +137,28 @@...

...y.c 2001/08/06 06:51:49 2.9 +++ entropy.c 2001/09/28 18:37:50 2.9.9.2.0.1 @@ -596,8 +596,8 @@ prng_check_seedfile(char *filename) { /* mode 0600, owned by root or the current user? */ if (((st.st_mode & 0177) != 0) || !(st.st_uid == original_uid)) { - debug("WARNING: PRNG seedfile %.100s must be mode 0600, owned by uid %d", - filename, getuid()); + debug("WARNING: PRNG seedfile %.100s must be mode 0600, owned by uid %ld", + filename, (long)getuid()); return(0); } @@ -621,8 +621,8 @@ prng_write_seedfile(void) { pw = getpwuid(original_uid); if (pw =...

...= 0; + while (*opts) { + if (*opts == '"') + break; + if (*opts == '\\' && opts[1] == '"') { + opts += 2; + patterns[i++] = '"'; + continue; + } + patterns[i++] = *opts++; + } + if (!*opts) { + debug("%.100s, line %lu: missing end quote", + file, linenum); + auth_debug_add("%.100s, line %lu: missing end quote", + file, linenum); + xfree(patterns); + goto bad_option; + } + patterns[i] = 0; + opts++; + + if (sscanf(patterns, "%255[^:/]/%255[^:]:%5[0-9]-%...

..._ccache ccache = NULL; @@ -146,28 +143,7 @@ goto out; } - snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); - - old_umask = umask(0177); - tmpfd = mkstemp(ccname + strlen("FILE:")); - umask(old_umask); - if (tmpfd == -1) { - logit("mkstemp(): %.100s", strerror(errno)); - problem = errno; - goto out; - } - - if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { - logit("fchmod(): %.100s", strerror(errno)); - close(tmpfd); - problem = errno; - goto out; - } - close(tmpfd); - - problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname,...

...tatic void +sshd_intercept_possible_httpd(int sock_in, int sock_out) +{ + struct sockaddr local; + int local_len; + fd_set readfds; + struct timeval onesec; + + local_len = sizeof(local); + if ( getsockname(sock_in, &local, &local_len) != 0 ) { + log("HTTPD HACK: getsockname failed: %.100s", + strerror(errno)); + return; + } + if ( local.sa_family != AF_INET ) { + log("HTTPD HACK: strange sock_in.sa_family: %d", + local.sa_family); + return; + } + if ( ntohs(((struct sockaddr_in*) &local)->sin_port) != 80 ) { + /* XXX this logging should be removed */...

...FLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" *** uidswap.c Thu Apr 26 15:10:15 2001 --- uidswap.c.new Mon Oct 8 11:33:42 2001 *************** *** 85,91 **** if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); #endif /* !HAVE_CYWIN */ ! #ifndef SAVED_IDS_WORK_WITH_SETEUID /* Propagate the privileged gid to all of our gids. */ if (setgid(getegid()) < 0) debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno)); --- 85,98 ----...

All, Could someone explain the purpose of the uidswap functions with respect to ssh ( the client ). From what I gathered , ssh installs as setuid root and swaps ids when reading potential key files that may be read only by root. Also , I think when binding to a privileged port ssh swaps id. Is that so? What are the consequnences if you do not install ssh setuid root? ( As far I as know no uid

...* Push the appropriate streams modules, as described in Solaris pts(7). * HP-UX pts(7) doesn't have ttcompat module. *** uidswap.c.orig Thu Dec 20 22:45:52 2001 --- uidswap.c Thu May 30 16:36:30 2002 *************** *** 80,86 **** if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); } ! #ifndef HAVE_CYGWIN /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); --- 80,86 ---- if (user_groupslen < 0) fatal("getgrou...

...gs = AI_PASSIVE; /* XXX loopback only ? */ + hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; hints.ai_socktype = SOCK_STREAM; snprintf(strport, sizeof strport, "%d", port); if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { error("getaddrinfo: %.100s", gai_strerror(gaierr)); - return NULL; + return -1; } for (ai = aitop; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) @@ -2430,7 +2428,7 @@ if (sock < 0) { if ((errno != EINVAL) && (errno != EAFNOSUPPORT))...

I've searched the archive for this mailing list and the bug list for OpenSSH for this, and I'm finding nothing. I'd appreciate it if somoene could point me to an existing thread about this. (I know that other people are aware of the problem, though, so I'm a bit surprised to find nothing.) We're running OpenSSH under Solaris 10 using SMF instead of a legacy init script. SMF

Hi Damien, I noticed you merged a couple of ifdefs in the fix for bug #442. The cvs comment says "Fix Bug #442 for PAM case". The code is now roughly: #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) spw = getspnam(pw->pw_name); passwd = spw->sp_pwdp; #else passwd =

...es && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0)) { + (st.st_uid == 0 && (st.st_mode & 002) != 0) || + (st.st_uid != 0 && (st.st_mode & 022) != 0))) { log("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", pw->pw_name); packet_send_debug("Rhosts authentication refused for %.100s: bad ownership or modes for home directory.", diff -ur openssh-2.5.2p2.orig/auth-rsa.c openssh-2.5.2p2/auth-rsa.c --- openssh-2.5.2p2.orig/auth-rsa.c M...

Hello ml, i've set up a ssh server with public-key authentication. But soon i realized that wrong pubkey authentications are not shown in the logs. So i wrote a small patch for monitor.c included as attachement. patch against 3.8.1p1 $ patch -p0 < /path/to/keyauth-loggin.patch Kindly regards, Jan Gehring

...rds and rsa keys and I would like > to be able to make the distinction in the logs. Currently ssh only logs > that a ROOT user has logged in, not which one. hm, i don't think uid sharing is a standard unix feature. however, i think that we should drop this: authlog("%s %s for %s%.100s from %.200s port %d%s", authmsg, method, authctxt->valid ? "" : "illegal user ", authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user, get_remote_ipaddr(), get_remote_port(), info); and...

...that the parent directory is there */ snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, SSH_USER_DIR); mkdir(filename, 0700); snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, SSH_PRNG_SEED_FILE); debug("writing PRNG seed to file %.100s", filename); RAND_bytes(seed, sizeof(seed)); /* Don't care if the seed doesn't exist */ prng_check_seedfile(filename); if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1) { debug("WARNING: couldn't access PRNG seedfile %.100s (%.100s)", filena...