diff options
| author | Damien Miller <djm@mindrot.org> | 2012-11-04 22:23:14 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-11-04 22:23:14 +1100 |
| commit | d0d1099b3b8a766480ce6df215631bf0af6e6bcd (patch) | |
| tree | e29b37b3e3a9e8e14e78ddc5eb15005fe201717f /auth2-pubkey.c | |
| parent | f33580eed055472b9e5ca05f4826b05e9eacc651 (diff) | |
- djm@cvs.openbsd.org 2012/11/04 10:38:43
[auth2-pubkey.c sshd.c sshd_config.5]
Remove default of AuthorizedCommandUser. Administrators are now expected
to explicitly specify a user. feedback and ok markus@
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index ec8f75d57..6a6217017 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-pubkey.c,v 1.31 2012/10/30 21:29:54 djm Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -462,23 +462,27 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) | |||
| 462 | struct stat st; | 462 | struct stat st; |
| 463 | int status, devnull, p[2], i; | 463 | int status, devnull, p[2], i; |
| 464 | pid_t pid; | 464 | pid_t pid; |
| 465 | char errmsg[512]; | 465 | char *username, errmsg[512]; |
| 466 | 466 | ||
| 467 | if (options.authorized_keys_command == NULL || | 467 | if (options.authorized_keys_command == NULL || |
| 468 | options.authorized_keys_command[0] != '/') | 468 | options.authorized_keys_command[0] != '/') |
| 469 | return 0; | 469 | return 0; |
| 470 | 470 | ||
| 471 | /* If no user specified to run commands the default to target user */ | 471 | if (options.authorized_keys_command_user == NULL) { |
| 472 | if (options.authorized_keys_command_user == NULL) | 472 | error("No user for AuthorizedKeysCommand specified, skipping"); |
| 473 | pw = user_pw; | 473 | return 0; |
| 474 | else { | 474 | } |
| 475 | pw = getpwnam(options.authorized_keys_command_user); | 475 | |
| 476 | if (pw == NULL) { | 476 | username = percent_expand(options.authorized_keys_command_user, |
| 477 | error("AuthorizedKeyCommandUser \"%s\" not found: %s", | 477 | "u", user_pw->pw_name, (char *)NULL); |
| 478 | options.authorized_keys_command, strerror(errno)); | 478 | pw = getpwnam(username); |
| 479 | return 0; | 479 | if (pw == NULL) { |
| 480 | } | 480 | error("AuthorizedKeyCommandUser \"%s\" not found: %s", |
| 481 | options.authorized_keys_command, strerror(errno)); | ||
| 482 | free(username); | ||
| 483 | return 0; | ||
| 481 | } | 484 | } |
| 485 | free(username); | ||
| 482 | 486 | ||
| 483 | temporarily_use_uid(pw); | 487 | temporarily_use_uid(pw); |
| 484 | 488 | ||
| @@ -517,6 +521,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) | |||
| 517 | for (i = 0; i < NSIG; i++) | 521 | for (i = 0; i < NSIG; i++) |
| 518 | signal(i, SIG_DFL); | 522 | signal(i, SIG_DFL); |
| 519 | 523 | ||
| 524 | closefrom(STDERR_FILENO + 1); | ||
| 520 | /* Don't use permanently_set_uid() here to avoid fatal() */ | 525 | /* Don't use permanently_set_uid() here to avoid fatal() */ |
| 521 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { | 526 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { |
| 522 | error("setresgid %u: %s", (u_int)pw->pw_gid, | 527 | error("setresgid %u: %s", (u_int)pw->pw_gid, |
| @@ -541,7 +546,6 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) | |||
| 541 | error("%s: dup2: %s", __func__, strerror(errno)); | 546 | error("%s: dup2: %s", __func__, strerror(errno)); |
| 542 | _exit(1); | 547 | _exit(1); |
| 543 | } | 548 | } |
| 544 | closefrom(STDERR_FILENO + 1); | ||
| 545 | 549 | ||
| 546 | execl(options.authorized_keys_command, | 550 | execl(options.authorized_keys_command, |
| 547 | options.authorized_keys_command, pw->pw_name, NULL); | 551 | options.authorized_keys_command, pw->pw_name, NULL); |