- stevesk@cvs.openbsd.org 2002/03/20 19:12:25

     [servconf.c servconf.h ssh.h sshd.c]
     for unprivileged user, group do:
     pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw).  ok provos@

ChangeLog

@@ -100,6 +100,10 @@
    - markus@cvs.openbsd.org 2002/03/19 15:31:47
      [auth.c]
      check for NULL; from provos@
+   - stevesk@cvs.openbsd.org 2002/03/20 19:12:25
+     [servconf.c servconf.h ssh.h sshd.c]
+     for unprivileged user, group do:
+     pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw).  ok provos@
 
 20020317
  - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,
@@ -7946,4 +7950,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1953 2002/03/22 03:08:30 mouring Exp $
+$Id: ChangeLog,v 1.1954 2002/03/22 03:11:49 mouring Exp $

servconf.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.104 2002/03/19 03:03:43 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.105 2002/03/20 19:12:24 stevesk Exp $");
 
 #if defined(KRB4) || defined(KRB5)
 #include <krb.h>
@@ -113,9 +113,6 @@ initialize_server_options(ServerOptions *options)
 	options->authorized_keys_file = NULL;
 	options->authorized_keys_file2 = NULL;
 
-	options->unprivileged_user = -1;
-	options->unprivileged_group = -1;
-
 	/* Needs to be accessable in many places */
 	use_privsep = -1;
 }
@@ -247,10 +244,6 @@ fill_default_server_options(ServerOptions *options)
 	/* Turn privilege separation _off_ by default */
 	if (use_privsep == -1)
 		use_privsep = 0;
-	if (options->unprivileged_user == -1)
-		options->unprivileged_user = 32767;
-	if (options->unprivileged_group == -1)
-		options->unprivileged_group = 32767;
 }
 
 /* Keyword tokens. */
@@ -283,7 +276,7 @@ typedef enum {
 	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
-	sUsePrivilegeSeparation, sUnprivUser, sUnprivGroup,
+	sUsePrivilegeSeparation,
 	sDeprecated
 } ServerOpCodes;
 
@@ -360,8 +353,6 @@ static struct {
 	{ "authorizedkeysfile", sAuthorizedKeysFile },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation},
-	{ "unprivuser", sUnprivUser},
-	{ "unprivgroup", sUnprivGroup},
 	{ NULL, sBadOption }
 };
 
@@ -742,14 +733,6 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &use_privsep;
 		goto parse_flag;
 
-	case sUnprivUser:
-		intptr = &options->unprivileged_user;
-		goto parse_int;
-
-	case sUnprivGroup:
-		intptr = &options->unprivileged_group;
-		goto parse_int;
-
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)

servconf.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: servconf.h,v 1.56 2002/03/19 03:03:43 stevesk Exp $	*/
+/*	$OpenBSD: servconf.h,v 1.57 2002/03/20 19:12:25 stevesk Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -130,9 +130,6 @@ typedef struct {
 	char   *authorized_keys_file;	/* File containing public keys */
 	char   *authorized_keys_file2;
 	int	pam_authentication_via_kbd_int;
-
-	int	unprivileged_user;	/* User unprivileged child uses */
-	int	unprivileged_group;	/* Group unprivileged child uses */
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);

ssh.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssh.h,v 1.64 2002/03/04 17:27:39 stevesk Exp $	*/
+/*	$OpenBSD: ssh.h,v 1.65 2002/03/20 19:12:25 stevesk Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -99,4 +99,11 @@
 /* Used to identify ``EscapeChar none'' */
 #define SSH_ESCAPECHAR_NONE		-2
 
+/*
+ * unprivileged user when UsePrivilegeSeparation=yes;
+ * sshd will change its pivileges to this user and its
+ * primary group.
+ */
+#define SSH_PRIVSEP_USER		"nobody"
+
 #endif				/* SSH_H */

sshd.c

@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.234 2002/03/19 10:49:35 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.235 2002/03/20 19:12:25 stevesk Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -521,6 +521,7 @@ privsep_preauth_child(void)
 {
 	u_int32_t rand[256];
 	int i;
+	struct passwd *pw;
 
 	/* Enable challenge-response authentication for privilege separation */
 	privsep_challenge_enable();
@@ -532,6 +533,11 @@ privsep_preauth_child(void)
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();
 
+	if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL)
+		fatal("%s: no user", SSH_PRIVSEP_USER);
+	memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
+	endpwent();
+
 	/* Change our root directory*/
 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
@@ -540,10 +546,9 @@ privsep_preauth_child(void)
 		fatal("chdir(/)");
 
 	/* Drop our privileges */
-	setegid(options.unprivileged_group);
-	setgid(options.unprivileged_group);
-	seteuid(options.unprivileged_user);
-	setuid(options.unprivileged_user);
+	debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
+	    (u_int)pw->pw_gid);
+	do_setusercontext(pw);
 }
 
 static void