author | 2018-07-27 05:13:02 +0000 | |
---|---|---|
committer | 2018-07-27 05:13:02 +0000 | |
commit | d867cf751373e6d8b41f67604b8bc5ca5ddba8c7 (patch) | |
tree | 5ed5a966b6275dc066137f09ed058a1bb3bba200 /usr.bin/ssh/serverloop.c | |
parent | hds arrays can have more ports now, apparently; this lets theo use 4 paths (diff) | |
download | wireguard-openbsd-d867cf751373e6d8b41f67604b8bc5ca5ddba8c7.tar.xz wireguard-openbsd-d867cf751373e6d8b41f67604b8bc5ca5ddba8c7.zip |
Remove uid checks from low port binds. Now that ssh cannot be
setuid and sshd always has privsep on, we can remove the uid checks
for low port binds and just let the system do the check. We leave
a sanity check for the !privsep case so long as the code is still
there. with & ok djm@
Diffstat (limited to 'usr.bin/ssh/serverloop.c')
-rw-r--r-- | usr.bin/ssh/serverloop.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c index 5f9c696bb87..380121ab5ca 100644 --- a/usr.bin/ssh/serverloop.c +++ b/usr.bin/ssh/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.208 2018/07/11 18:53:29 markus Exp $ */ +/* $OpenBSD: serverloop.c,v 1.209 2018/07/27 05:13:02 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -99,6 +99,17 @@ static void server_init_dispatch(void); /* requested tunnel forwarding interface(s), shared with session.c */ char *tun_fwd_ifnames = NULL; +/* returns 1 if bind to specified port by specified user is permitted */ +static int +bind_permitted(int port, uid_t uid) +{ + if (use_privsep) + return 1; /* allow system to decide */ + if (port < IPPORT_RESERVED && uid != 0) + return 0; + return 1; +} + /* * we write to this pipe if a SIGCHLD is caught in order to avoid * the race between select() and child_terminated |
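Review bot: In bind_permitted(), the test `port < IPPORT_RESERVED` is also true for port 0 and for negative values, because port is a plain int. In the !use_privsep path a non-root uid is therefore refused for those values as well as for the reserved range. The call site is not part of this diff, so it is not visible here whether port 0 is filtered out before the call. If it is, say so in the function comment; otherwise state the intended range explicitly in the condition. The comment "returns 1 if bind to specified port by specified user is permitted" should also say that with use_privsep set the function returns 1 unconditionally and leaves the decision to the system at bind time, so a return of 1 in that branch is not a permission verdict.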