Date: Fri, 22 Dec 2000 15:45:59 -0500 From: Chris Faulhaber <jedgar@fxp.org> To: freebsd-audit@FreeBSD.org Subject: openssh patch Message-ID: <20001222154559.A25487@peitho.fxp.org>
Would anyone care to give the following patch a sanity-check before I submit it to the openssh folks? OpenSSH hardcodes /tmp in a few places for the creation of a directory to hold the agent's unix-domain socket (those /tmp/ssh_XXXXXXXXXX/ dirs that occasionally get left behind). I have added the option of allowing the TMPDIR env variable to override _PATH_TMP. -- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org Index: channels.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/channels.c,v retrieving revision 1.1.1.1.2.2 diff -u -r1.1.1.1.2.2 channels.c --- channels.c 2000/10/28 23:00:47 1.1.1.1.2.2 +++ channels.c 2000/12/22 14:55:56 @@ -2094,6 +2094,7 @@ { int sock, newch; struct sockaddr_un sunaddr; + char *tmpdir; if (auth_get_socket_name() != NULL) fatal("Protocol error: authentication forwarding requested twice."); @@ -2104,7 +2105,10 @@ /* Allocate a buffer for the socket name, and format the name. */ channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME); channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME); - strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME); + if ((tmpdir = getenv("TMPDIR")) == NULL) + tmpdir = _PATH_TMP; + snprintf(channel_forwarded_auth_socket_dir, MAX_SOCKET_NAME, + "%s/ssh-XXXXXXXX", tmpdir); /* Create private directory for socket */ if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) { Index: session.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/session.c,v retrieving revision 1.4.2.5 diff -u -r1.4.2.5 session.c --- session.c 2000/10/28 23:00:49 1.4.2.5 +++ session.c 2000/12/22 14:55:56 
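Review bot: The `snprintf` return value is ignored in the channels.c `@@ -2104` hunk, so a long `TMPDIR` silently truncates the template and can cut into or remove the trailing `XXXXXXXX` that `mkdtemp` needs to generate an unpredictable name. The old `strlcpy` of a fixed literal could never truncate; with an environment-supplied prefix the length has to be checked before `mkdtemp` runs, for example `n = snprintf(channel_forwarded_auth_socket_dir, MAX_SOCKET_NAME, "%s/ssh-XXXXXXXX", tmpdir);` followed by `if (n < 0 || n >= MAX_SOCKET_NAME) fatal("TMPDIR too long for agent socket directory");`. The same unchecked call appears in both session.c hunks (`@@ -324`, `@@ -1579`) and in ssh-agent.c `@@ -721`. The enclosing function starts and ends outside the hunk.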
@@ -184,7 +184,7 @@ int type, fd; int compression_level = 0, enable_compression_after_reply = 0; int have_pty = 0; - char *command; + char *command, *tmpdir; int n_bytes; int plen; unsigned int proto_len, data_len, dlen; @@ -324,7 +324,10 @@ /* Setup to always have a local .Xauthority. */ xauthfile = xmalloc(MAXPATHLEN); - strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); + if ((tmpdir = getenv("TMPDIR")) == NULL) + tmpdir = _PATH_TMP; + snprintf(xauthfile, MAXPATHLEN, "%s/ssh-XXXXXXXX", + tmpdir); temporarily_use_uid(pw->pw_uid); if (mkdtemp(xauthfile) == NULL) { restore_uid(); @@ -1549,6 +1552,7 @@ session_x11_req(Session *s) { int fd; + char *tmpdir; if (no_x11_forwarding_flag) { debug("X11 forwarding disabled in user configuration file."); return 0; @@ -1579,7 +1583,9 @@ return 0; } xauthfile = xmalloc(MAXPATHLEN); - strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); + if ((tmpdir = getenv("TMPDIR")) == NULL) + tmpdir = _PATH_TMP; + snprintf(xauthfile, MAXPATHLEN, "%s/ssh-XXXXXXXX", tmpdir); temporarily_use_uid(s->pw->pw_uid); if (mkdtemp(xauthfile) == NULL) { restore_uid(); Index: ssh-agent.1 =================================================================== RCS file: /home/ncvs/src/crypto/openssh/ssh-agent.1,v retrieving revision 1.1.1.1.2.2 diff -u -r1.1.1.1.2.2 ssh-agent.1 --- ssh-agent.1 2000/10/28 23:00:49 1.1.1.1.2.2 +++ ssh-agent.1 2000/12/22 14:55:56 @@ -129,6 +129,11 @@ .Ev SSH_AUTH_SOCK environment variable. +The +.Pa /tmp +directory can be overridden with the +.Ev TMPDIR +environment variable. The socket is made accessible only to the current user. This method is easily abused by root or another instance of the same user. Index: ssh-agent.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/ssh-agent.c,v retrieving revision 1.2.2.3 diff -u -r1.2.2.3 ssh-agent.c --- ssh-agent.c 2000/10/28 23:00:49 1.2.2.3 +++ ssh-agent.c 2000/12/22 14:55:56 
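Review bot: In the session.c `@@ -324` hunk `getenv("TMPDIR")` is evaluated inside what appears to be the server process, so the value comes from the environment the daemon was started with, not from the user logging in, while `mkdtemp` runs after `temporarily_use_uid(pw->pw_uid)`. If the daemon is started or restarted from a shell whose `TMPDIR` points at a private directory, the user cannot create the xauth directory. If it points at a directory that is not sticky, the directory gets weaker guarantees than `/tmp`. I would keep `_PATH_TMP` unconditionally on the server-side paths (this hunk, `@@ -1579`, and channels.c `@@ -2104`) and honour `TMPDIR` only in ssh-agent. Failing that, state the dependency next to the call, e.g. `/* TMPDIR is read from the daemon's environment, not the user's */`. The surrounding function begins and ends outside the hunk.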
@@ -87,8 +87,8 @@ pid_t parent_pid = -1; /* pathname and directory for AUTH_SOCKET */ -char socket_name[1024]; -char socket_dir[1024]; +char socket_name[MAXPATHLEN]; +char socket_dir[MAXPATHLEN]; extern char *__progname; @@ -655,7 +655,7 @@ int sock, c_flag = 0, k_flag = 0, s_flag = 0, ch; struct sockaddr_un sunaddr; pid_t pid; - char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; + char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid], *tmpdir; /* check if RSA support exists */ if (rsa_alive() == 0) { @@ -721,7 +721,9 @@ parent_pid = getpid(); /* Create private directory for agent socket */ - strlcpy(socket_dir, "/tmp/ssh-XXXXXXXX", sizeof socket_dir); + if ((tmpdir = getenv("TMPDIR")) == NULL) + tmpdir = _PATH_TMP; + snprintf(socket_dir, sizeof socket_dir, "%s/ssh-XXXXXXXX", tmpdir); if (mkdtemp(socket_dir) == NULL) { perror("mkdtemp: private socket dir"); exit(1); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
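Review bot: Growing `socket_name` and `socket_dir` to `MAXPATHLEN` in the ssh-agent.c `@@ -87` hunk does not make a longer path usable, because the name still has to fit in `sunaddr.sun_path`, which is far smaller than `MAXPATHLEN` on the BSDs. The copy into `sunaddr` is outside the visible hunks, so this is inferred. If that copy truncates, the agent would bind a socket at a different path from the one it exports. I would reject an over-long result up front instead of enlarging the buffers, by comparing the formatted length against `sizeof(sunaddr.sun_path)` before `mkdtemp` is called.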
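Review bot: An empty or relative `TMPDIR` is accepted as-is in the ssh-agent.c `@@ -721` hunk: `TMPDIR=""` yields the template `/ssh-XXXXXXXX`, and a relative value makes the socket directory depend on the agent's working directory. Falling back when the value is not an absolute path keeps the old behaviour for those cases: `if ((tmpdir = getenv("TMPDIR")) == NULL || tmpdir[0] != '/')` followed by the existing `tmpdir = _PATH_TMP;`. `_PATH_TMP` is normally defined in `<paths.h>` with a trailing slash, so the default would expand to `/tmp//ssh-XXXXXXXX`. That is harmless, but the doubled slash will appear in `SSH_AUTH_SOCK`, and none of the hunks shows `<paths.h>` being included. The enclosing function continues outside the hunk.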
