Hi,

the below patch drops another test for uid 0 on Cygwin. It's embarrassing
that I never found it. Actually temporarily_use_uid never worked on
Cygwin due to that.

So far that had no influence, but now that we have activated another
feature which makes Cygwin more POSIX-like, somebody on the Cygwin list
found that agent forwarding didn't work anymore. The reason is that
due to the uid == 0 check in temporarily_use_uid, the user account
is not temporarily switched before creating the forwarded agent socket,
which then is owned by the account running sshd instead of the account
which is going to log in.

The below patch fixes that. Could somebody please check it in?

I guess I asked this question already at least twice, but would it
hurt OpenSSH badly if it would drop the tests for uid == 0 and instead
call a function which checks the current account for being a privileged
account? This could be very simple on most UNIX derivatives like this:

  int
  privileged_user ()
  {
    return geteuid () == 0;
  }

and much more complicated on systems needing that. On Cygwin we could
check for the SE_CREATE_TOKEN_NAME privilege in the current access token
on NT and just return 1 on 9x systems.

The advantage would be that we could remove lots of #ifdef stuff which
is just there because of these non-portable uid == 0 tests.

I would be willing to submit a patch for this, provided that it has a
chance for inclusion.


Corinna


Index: uidswap.c
================================================== =================
RCS file: /cvs/openssh_cvs/uidswap.c,v
retrieving revision 1.45
diff -p -u -r1.45 uidswap.c
--- uidswap.c 19 Oct 2004 06:33:33 -0000 1.45
+++ uidswap.c 19 Feb 2005 10:33:38 -0000
@@ -56,10 +56,12 @@ temporarily_use_uid(struct passwd *pw)
debug("temporarily_use_uid: %u/%u (e=%u/%u)",
(u_int)pw->pw_uid, (u_int)pw->pw_gid,
(u_int)saved_euid, (u_int)saved_egid);
+#ifndef HAVE_CYGWIN
if (saved_euid != 0) {
privileged = 0;
return;
}
+#endif
#else
if (geteuid() != 0) {
privileged = 0;
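Review bot: the new "#ifndef HAVE_CYGWIN" guard covers only the "saved_euid != 0" early return in the first arm; the "geteuid() != 0" test in the "#else" arm directly below is left unguarded, so if a Cygwin build can ever compile that arm, the same early return and the same missed uid switch come back. Either guard both tests or add a comment stating that Cygwin always builds the first arm. A short comment above the "#ifndef" explaining why uid 0 is not a usable privilege test on Cygwin would also keep the guard from being removed later as apparently redundant.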


--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev