# HG changeset patch # User Matt Johnston # Date 1087901236 0 # Node ID d7cc5b484a2e6f2273c9874c351edd1f8e0c5d2b # Parent db2c8e6fb28460f8604e3cf327cf4e0168e5d4fa - Port restriction code back in - Remove bad strerror() logging diff -r db2c8e6fb284 -r d7cc5b484a2e common-session.c --- a/common-session.c Thu Jun 03 18:08:34 2004 +0000 +++ b/common-session.c Tue Jun 22 10:47:16 2004 +0000 @@ -108,6 +108,8 @@ ses.chantypes = NULL; + ses.allowprivport = 0; + TRACE(("leave session_init")); } diff -r db2c8e6fb284 -r d7cc5b484a2e session.h --- a/session.h Thu Jun 03 18:08:34 2004 +0000 +++ b/session.h Tue Jun 22 10:47:16 2004 +0000 @@ -138,10 +138,13 @@ /* TCP forwarding - where manage listeners */ -#ifndef DISABLE_REMOTETCPFWD +#ifdef USING_LISTENERS struct Listener ** listeners; unsigned int listensize; + /* Whether to allow binding to privileged ports (<1024). This doesn't + * really belong here, but nowhere else fits nicely */ #endif + int allowprivport; }; diff -r db2c8e6fb284 -r d7cc5b484a2e svr-auth.c --- a/svr-auth.c Thu Jun 03 18:08:34 2004 +0000 +++ b/svr-auth.c Tue Jun 22 10:47:16 2004 +0000 @@ -341,6 +341,10 @@ svr_ses.authstate.authdone = 1; + if (svr_ses.authstate.pw->pw_uid == 0) { + ses.allowprivport = 1; + } + /* Remove from the list of pre-auth sockets. Should be m_close(), since if * we fail, we might end up leaking connection slots, and disallow new * logins - a nasty situation. */ diff -r db2c8e6fb284 -r d7cc5b484a2e svr-session.c --- a/svr-session.c Thu Jun 03 18:08:34 2004 +0000 +++ b/svr-session.c Tue Jun 22 10:47:16 2004 +0000 @@ -183,12 +183,6 @@ "exit before auth: %s", format); } - if (errno != 0) { - /* XXX - is this valid? */ - snprintf(fmtbuf, sizeof(fmtbuf), "%s [%d %s]", fmtbuf, - errno, strerror(errno)); - } - _dropbear_log(LOG_INFO, fmtbuf, param); /* must be after we've done with username etc */ diff -r db2c8e6fb284 -r d7cc5b484a2e tcpfwd-remote.c --- a/tcpfwd-remote.c Thu Jun 03 18:08:34 2004 +0000 
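Review bot: In the session.h hunk the comment describing `allowprivport` is added above `#endif`, inside the `#ifdef USING_LISTENERS` block, while the field itself is declared after `#endif`. As placed, it reads as if it documented `listensize`, and it is separated from the field it explains. Move the comment directly above `int allowprivport;`. Because the flag gates a privilege decision, it would also help to record who writes it, for example `/* 0 from session_init(); set to 1 only in svr-auth.c after a uid 0 login */`, which matches what this patch shows. The struct begins and ends outside the hunk.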
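Review bot: In the svr-auth.c hunk the new `if (svr_ses.authstate.pw->pw_uid == 0)` block grants a privilege but has no comment saying what the flag controls or where it is enforced. The design is fail-closed, since `session_init` sets `ses.allowprivport = 0` and this is the only visible place that raises it, and that is worth stating so a later change does not add a second setter. I would add above the `if`: `/* Only root may request remote forwards on ports < IPPORT_RESERVED; checked in tcpfwd-remote.c */`. The enclosing function starts and ends outside the hunk, so I am assuming `pw` is always populated by the time `authdone` is set.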
+++ b/tcpfwd-remote.c Tue Jun 22 10:47:16 2004 +0000 @@ -208,13 +208,10 @@ goto out; } - /* XXX matt - server change - if (ses.authstate.pw->pw_uid != 0 - && port < IPPORT_RESERVED) { + if (!ses.allowprivport && port < IPPORT_RESERVED) { TRACE(("can't assign port < 1024 for non-root")); goto out; } - */ ret = listen_tcpfwd(bindaddr, port);
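Review bot: The re-enabled check `if (!ses.allowprivport && port < IPPORT_RESERVED)` reports a refusal only through `TRACE`, which is presumably compiled out of non-debug builds. A rejected request to bind a privileged port would then leave nothing in the normal log. A denied privileged-port forward is a useful audit event, so I would log it alongside the trace, assuming the variadic `dropbear_log` wrapper is available in this file: `dropbear_log(LOG_INFO, "refused remote forward to privileged port %d", port);`. The trace text also hard-codes 1024 and "non-root" while the condition now tests `IPPORT_RESERVED` and the session flag; rewording it to `"privileged port forward not allowed for this session"` keeps the two in step. The function continues outside the hunk.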