upstream: Remove support for running ssh(1) setuid and fatal if
attempted. Do not link uidwap.c into ssh any more. Neuters
UsePrivilegedPort, which will be marked as deprecated shortly. ok markus@
djm@
OpenBSD-Commit-ID: c4ba5bf9c096f57a6ed15b713a1d7e9e2e373c42
diff --git a/ssh.c b/ssh.c
index 609c209..49a9fab 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.486 2018/07/16 22:25:01 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.487 2018/07/18 11:34:04 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -104,7 +104,6 @@
#include "sshpty.h"
#include "match.h"
#include "msg.h"
-#include "uidswap.h"
#include "version.h"
#include "ssherr.h"
#include "myproposal.h"
@@ -628,24 +627,6 @@
original_real_uid = getuid();
original_effective_uid = geteuid();
- /*
- * Use uid-swapping to give up root privileges for the duration of
- * option processing. We will re-instantiate the rights when we are
- * ready to create the privileged port, and will permanently drop
- * them when the port has been created (actually, when the connection
- * has been made, as we may need to create the port several times).
- */
- PRIV_END;
-
-#ifdef HAVE_SETRLIMIT
- /* If we are installed setuid root be careful to not drop core. */
- if (original_real_uid != original_effective_uid) {
- struct rlimit rlim;
- rlim.rlim_cur = rlim.rlim_max = 0;
- if (setrlimit(RLIMIT_CORE, &rlim) < 0)
- fatal("setrlimit failed: %.100s", strerror(errno));
- }
-#endif
/* Get user data. */
pw = getpwuid(original_real_uid);
if (!pw) {
@@ -1448,22 +1429,8 @@
L_PUBKEY(_PATH_HOST_XMSS_KEY_FILE, 9);
}
}
- /*
- * Get rid of any extra privileges that we may have. We will no
- * longer need them. Also, extra privileges could make it very hard
- * to read identity files and other non-world-readable files from the
- * user's home directory if it happens to be on a NFS volume where
- * root is mapped to nobody.
- */
- if (original_effective_uid == 0) {
- PRIV_START;
- permanently_set_uid(pw);
- }
- /*
- * Now that we are back to our own permissions, create ~/.ssh
- * directory if it doesn't already exist.
- */
+ /* Create ~/.ssh * directory if it doesn't already exist. */
if (config == NULL) {
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);