authormarkus <markus@openbsd.org>2002-06-11 04:14:26 +0000
committermarkus <markus@openbsd.org>2002-06-11 04:14:26 +0000
commita802220156777647c9e7aa3166758606699818e5 (patch)
treed625f5c276ecc8f704b8151c7ac980cdec2880df
parenttypo (diff)
no longer use uidswap.[ch] from the ssh client
run less code with euid==0 if ssh is installed setuid root; just switch the euid, don't switch the complete set of groups (this is only needed by sshd). ok provos@
-rw-r--r--usr.bin/ssh/lib/Makefile4
-rw-r--r--usr.bin/ssh/ssh.c20
-rw-r--r--usr.bin/ssh/sshconnect.c43
-rw-r--r--usr.bin/ssh/sshconnect.h20
-rw-r--r--usr.bin/ssh/sshd/Makefile4
5 files changed, 48 insertions, 43 deletions
diff --git a/usr.bin/ssh/lib/Makefile b/usr.bin/ssh/lib/Makefile
index 95036b4451b..1fe6cfefb58 100644
--- a/usr.bin/ssh/lib/Makefile
+++ b/usr.bin/ssh/lib/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.34 2002/05/23 19:24:31 markus Exp $
+# $OpenBSD: Makefile,v 1.35 2002/06/11 04:14:26 markus Exp $
.PATH: ${.CURDIR}/..
@@ -6,7 +6,7 @@ LIB= ssh
SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \
cipher.c compat.c compress.c crc32.c deattack.c fatal.c \
hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
- rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \
+ rsa.c tildexpand.c ttymodes.c xmalloc.c atomicio.c \
key.c dispatch.c kex.c mac.c uuencode.c misc.c \
rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \
scard.c monitor_wrap.c monitor_fdpass.c msg.c
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index 8b00fb9d500..d8468255f24 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.176 2002/06/08 05:17:01 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.177 2002/06/11 04:14:26 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -53,7 +53,6 @@ RCSID("$OpenBSD: ssh.c,v 1.176 2002/06/08 05:17:01 markus Exp $");
#include "xmalloc.h"
#include "packet.h"
#include "buffer.h"
-#include "uidswap.h"
#include "channels.h"
#include "key.h"
#include "authfd.h"
@@ -128,6 +127,7 @@ Sensitive sensitive_data;
/* Original real UID. */
uid_t original_real_uid;
+uid_t original_effective_uid;
/* command to be executed */
Buffer command;
@@ -209,7 +209,6 @@ main(int ac, char **av)
struct stat st;
struct passwd *pw;
int dummy;
- uid_t original_effective_uid;
extern int optind, optreset;
extern char *optarg;
@@ -243,7 +242,7 @@ main(int ac, char **av)
* them when the port has been created (actually, when the connection
* has been made, as we may need to create the port several times).
*/
- temporarily_use_uid(pw);
+ PRIV_END;
/*
* Set our umask to something reasonable, as some files are created
@@ -592,15 +591,12 @@ again:
"originating port will not be trusted.");
options.rhosts_authentication = 0;
}
- /* Restore our superuser privileges. */
- restore_uid();
-
/* Open a connection to the remote host. */
cerr = ssh_connect(host, &hostaddr, options.port, IPv4or6,
options.connection_attempts,
- original_effective_uid != 0 || !options.use_privileged_port,
- pw, options.proxy_command);
+ original_effective_uid == 0 && options.use_privileged_port,
+ options.proxy_command);
/*
* If we successfully made the connection, load the host private key
@@ -617,12 +613,15 @@ again:
options.hostbased_authentication)) {
sensitive_data.nkeys = 3;
sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key));
+
+ PRIV_START;
sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
_PATH_HOST_KEY_FILE, "", NULL);
sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
_PATH_HOST_DSA_KEY_FILE, "", NULL);
sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
_PATH_HOST_RSA_KEY_FILE, "", NULL);
+ PRIV_END;
if (sensitive_data.keys[0] == NULL &&
sensitive_data.keys[1] == NULL &&
@@ -641,7 +640,8 @@ again:
* user's home directory if it happens to be on a NFS volume where
* root is mapped to nobody.
*/
- permanently_set_uid(pw);
+ seteuid(original_real_uid);
+ setuid(original_real_uid);
/*
* Now that we are back to our own permissions, create ~/.ssh
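Review bot: The added `seteuid(original_real_uid)` and `setuid(original_real_uid)` calls are not checked, so if either fails main() carries on with root still reachable, even though the comment right after them says we are back to our own permissions. The final call should be fatal on failure, for example `if (setuid(original_real_uid) != 0) fatal("setuid %u: %.100s", (u_int)original_real_uid, strerror(errno));`. Whether the saved uid is cleared as well depends on what the platform's setuid() does for a caller whose effective uid is already non-root, so a short comment stating that assumption would help anyone porting this. The same unchecked pair is added in the child branch of ssh_proxy_connect() in sshconnect.c, just before the proxy command is set up. main() continues outside this hunk.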
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index 368100889f1..635fc81956b 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.123 2002/06/09 22:17:21 itojun Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.124 2002/06/11 04:14:26 markus Exp $");
#include <openssl/bn.h>
@@ -36,8 +36,11 @@ RCSID("$OpenBSD: sshconnect.c,v 1.123 2002/06/09 22:17:21 itojun Exp $");
char *client_version_string = NULL;
char *server_version_string = NULL;
+/* import */
extern Options options;
extern char *__progname;
+extern uid_t original_real_uid;
+extern uid_t original_effective_uid;
static const char *
sockaddr_ntop(struct sockaddr *sa, socklen_t salen)
@@ -54,8 +57,7 @@ sockaddr_ntop(struct sockaddr *sa, socklen_t salen)
* Connect to the given ssh server using a proxy command.
*/
static int
-ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
- const char *proxy_command)
+ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
{
Buffer command;
const char *cp;
@@ -105,7 +107,8 @@ ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
char *argv[10];
/* Child. Permanently give up superuser privileges. */
- permanently_set_uid(pw);
+ seteuid(original_real_uid);
+ setuid(original_real_uid);
/* Redirect stdin and stdout. */
close(pin[1]);
@@ -155,7 +158,7 @@ ssh_proxy_connect(const char *host, u_short port, struct passwd *pw,
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
static int
-ssh_create_socket(struct passwd *pw, int privileged, int family)
+ssh_create_socket(int privileged, int family)
{
int sock, gaierr;
struct addrinfo hints, *res;
@@ -166,22 +169,18 @@ ssh_create_socket(struct passwd *pw, int privileged, int family)
*/
if (privileged) {
int p = IPPORT_RESERVED - 1;
+ PRIV_START;
sock = rresvport_af(&p, family);
+ PRIV_END;
if (sock < 0)
error("rresvport: af=%d %.100s", family, strerror(errno));
else
debug("Allocated local port %d.", p);
return sock;
}
- /*
- * Just create an ordinary socket on arbitrary port. We use
- * the user's uid to create the socket.
- */
- temporarily_use_uid(pw);
sock = socket(family, SOCK_STREAM, 0);
if (sock < 0)
error("socket: %.100s", strerror(errno));
- restore_uid();
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL)
@@ -211,9 +210,9 @@ ssh_create_socket(struct passwd *pw, int privileged, int family)
/*
* Opens a TCP/IP connection to the remote server on the given host.
* The address of the remote host will be returned in hostaddr.
- * If port is 0, the default port will be used. If anonymous is zero,
+ * If port is 0, the default port will be used. If needpriv is true,
* a privileged port will be allocated to make the connection.
- * This requires super-user privileges if anonymous is false.
+ * This requires super-user privileges if needpriv is true.
* Connection_attempts specifies the maximum number of tries (one per
* second). If proxy_command is non-NULL, it specifies the command (with %h
* and %p substituted for host and port, respectively) to use to contact
@@ -228,7 +227,7 @@ ssh_create_socket(struct passwd *pw, int privileged, int family)
int
ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
u_short port, int family, int connection_attempts,
- int anonymous, struct passwd *pw, const char *proxy_command)
+ int needpriv, const char *proxy_command)
{
int gaierr;
int on = 1;
@@ -244,8 +243,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
*/
int full_failure = 1;
- debug("ssh_connect: getuid %u geteuid %u anon %d",
- (u_int) getuid(), (u_int) geteuid(), anonymous);
+ debug("ssh_connect: needpriv %d", needpriv);
/* Get default port if port has not been set. */
if (port == 0) {
@@ -257,7 +255,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
}
/* If a proxy command is given, connect using it. */
if (proxy_command != NULL)
- return ssh_proxy_connect(host, port, pw, proxy_command);
+ return ssh_proxy_connect(host, port, proxy_command);
/* No proxy command. */
@@ -293,22 +291,14 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
host, ntop, strport);
/* Create a socket for connecting. */
- sock = ssh_create_socket(pw,
- !anonymous && geteuid() == 0,
- ai->ai_family);
+ sock = ssh_create_socket(needpriv, ai->ai_family);
if (sock < 0)
/* Any error is already output */
continue;
- /* Connect to the host. We use the user's uid in the
- * hope that it will help with tcp_wrappers showing
- * the remote uid as root.
- */
- temporarily_use_uid(pw);
if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
/* Successful connection. */
memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
- restore_uid();
break;
} else {
if (errno == ECONNREFUSED)
@@ -316,7 +306,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
log("ssh: connect to address %s port %s: %s",
sockaddr_ntop(ai->ai_addr, ai->ai_addrlen),
strport, strerror(errno));
- restore_uid();
/*
* Close the failed socket; there appear to
* be some problems when reusing a socket for
diff --git a/usr.bin/ssh/sshconnect.h b/usr.bin/ssh/sshconnect.h
index aeb2e51a579..48148833fd5 100644
--- a/usr.bin/ssh/sshconnect.h
+++ b/usr.bin/ssh/sshconnect.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.h,v 1.15 2002/06/09 13:32:01 markus Exp $ */
+/* $OpenBSD: sshconnect.h,v 1.16 2002/06/11 04:14:26 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -35,7 +35,7 @@ struct Sensitive {
int
ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int,
- int, struct passwd *, const char *);
+ int, const char *);
void
ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *);
@@ -50,4 +50,20 @@ void ssh_userauth2(const char *, const char *, char *, Sensitive *);
void ssh_put_password(char *);
+
+/*
+ * Macros to raise/lower permissions.
+ */
+#define PRIV_START do { \
+ int save_errno = errno; \
+ (void)seteuid(original_effective_uid); \
+ errno = save_errno; \
+} while (0)
+
+#define PRIV_END do { \
+ int save_errno = errno; \
+ (void)seteuid(original_real_uid); \
+ errno = save_errno; \
+} while (0)
+
#endif
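Review bot: PRIV_END throws away the seteuid() result with a `(void)` cast, so if lowering the effective uid ever fails the client keeps running with euid 0 and nothing is logged. A failing PRIV_START is less of a concern because the privileged call that follows it would then fail on its own. Consider making the lowering side fatal, e.g. `if (seteuid(original_real_uid) != 0) fatal("PRIV_END: seteuid: %.100s", strerror(errno));`. The macros also use `errno`, `original_real_uid` and `original_effective_uid` without this header declaring them, so either the comment should say that includers must provide them or the header should carry `extern uid_t original_real_uid, original_effective_uid;`.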
diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile
index f23148d5390..5720e323cca 100644
--- a/usr.bin/ssh/sshd/Makefile
+++ b/usr.bin/ssh/sshd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.49 2002/05/25 18:51:07 markus Exp $
+# $OpenBSD: Makefile,v 1.50 2002/06/11 04:14:26 markus Exp $
.PATH: ${.CURDIR}/..
@@ -10,7 +10,7 @@ MAN= sshd.8
CFLAGS+=-DHAVE_LOGIN_CAP -DBSD_AUTH
SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
- sshpty.c sshlogin.c servconf.c serverloop.c \
+ sshpty.c sshlogin.c servconf.c serverloop.c uidswap.c \
auth.c auth1.c auth2.c auth-options.c session.c \
auth-chall.c auth2-chall.c groupaccess.c \
auth-skey.c auth-bsdauth.c monitor_mm.c monitor.c \