upstream: Remove uid checks from low port binds. Now that ssh

cannot be setuid and sshd always has privsep on, we can remove the uid checks for low port binds and just let the system do the check. We leave a sanity check for the !privsep case so long as the code is stil there. with & ok djm@ OpenBSD-Commit-ID: 9535cfdbd1cd54486fdbedfaee44ce4367ec7ca0
author: dtucker@openbsd.org <dtucker@openbsd.org> 2018-07-27 05:13:02 +0000
committer: Damien Miller <djm@mindrot.org> 2018-07-31 12:18:49 +1000
commit: 73ddb25bae4c33a0db361ac13f2e3a60d7c6c4a5 (patch)
tree: 9e0b4b1f0866800e6ff6ce1d66f1b97631c13414 /serverloop.c
parent: c12033e102760d043bc5c98e6c8180e4d331b0df (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/serverloop.c b/serverloop.c
index cf18e387..7be83e2d 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.208 2018/07/11 18:53:29 markus Exp $ */
+/* $OpenBSD: serverloop.c,v 1.209 2018/07/27 05:13:02 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -103,6 +103,17 @@ static void server_init_dispatch(void);
 /* requested tunnel forwarding interface(s), shared with session.c */
 char *tun_fwd_ifnames = NULL;
 
+/* returns 1 if bind to specified port by specified user is permitted */
+static int
+bind_permitted(int port, uid_t uid)
+{
+	if (use_privsep)
+		return 1; /* allow system to decide */
+	if (port < IPPORT_RESERVED && uid != 0)
+		return 0;
+	return 1;
+}
+
 /*
  * we write to this pipe if a SIGCHLD is caught in order to avoid
  * the race between select() and child_terminated
author	dtucker@openbsd.org <dtucker@openbsd.org>	2018-07-27 05:13:02 +0000
committer	Damien Miller <djm@mindrot.org>	2018-07-31 12:18:49 +1000
commit	73ddb25bae4c33a0db361ac13f2e3a60d7c6c4a5 (patch)
tree	9e0b4b1f0866800e6ff6ce1d66f1b97631c13414 /serverloop.c
parent	c12033e102760d043bc5c98e6c8180e4d331b0df (diff)