diff options
| -rw-r--r-- | common-session.c | 2 | ||||
| -rw-r--r-- | session.h | 5 | ||||
| -rw-r--r-- | svr-auth.c | 4 | ||||
| -rw-r--r-- | svr-session.c | 6 | ||||
| -rw-r--r-- | tcpfwd-remote.c | 5 |
5 files changed, 11 insertions, 11 deletions
diff --git a/common-session.c b/common-session.c index fce301a..71e9e68 100644 --- a/common-session.c +++ b/common-session.c @@ -108,6 +108,8 @@ void common_session_init(int sock, runopts *opts) { ses.chantypes = NULL; + ses.allowprivport = 0; + TRACE(("leave session_init")); } @@ -138,10 +138,13 @@ struct sshsession { /* TCP forwarding - where manage listeners */ -#ifndef DISABLE_REMOTETCPFWD +#ifdef USING_LISTENERS struct Listener ** listeners; unsigned int listensize; + /* Whether to allow binding to privileged ports (<1024). This doesn't + * really belong here, but nowhere else fits nicely */ #endif + int allowprivport; }; @@ -341,6 +341,10 @@ void send_msg_userauth_success() { svr_ses.authstate.authdone = 1; + if (svr_ses.authstate.pw->pw_uid == 0) { + ses.allowprivport = 1; + } + /* Remove from the list of pre-auth sockets. Should be m_close(), since if * we fail, we might end up leaking connection slots, and disallow new * logins - a nasty situation. */ diff --git a/svr-session.c b/svr-session.c index 2a97f94..4310e2b 100644 --- a/svr-session.c +++ b/svr-session.c @@ -183,12 +183,6 @@ void svr_dropbear_exit(int exitcode, const char* format, va_list param) { "exit before auth: %s", format); } - if (errno != 0) { - /* XXX - is this valid? */ - snprintf(fmtbuf, sizeof(fmtbuf), "%s [%d %s]", fmtbuf, - errno, strerror(errno)); - } - _dropbear_log(LOG_INFO, fmtbuf, param); /* must be after we've done with username etc */ diff --git a/tcpfwd-remote.c b/tcpfwd-remote.c index 880044f..16b1105 100644 --- a/tcpfwd-remote.c +++ b/tcpfwd-remote.c @@ -208,13 +208,10 @@ static int remotetcpreq() { goto out; } - /* XXX matt - server change - if (ses.authstate.pw->pw_uid != 0 - && port < IPPORT_RESERVED) { + if (!ses.allowprivport && port < IPPORT_RESERVED) { TRACE(("can't assign port < 1024 for non-root")); goto out; } - */ ret = listen_tcpfwd(bindaddr, port); |