diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-07-03 10:59:35 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-07-03 21:01:30 +1000 |
| commit | 95344c257412b51199ead18d54eaed5bafb75617 (patch) | |
| tree | 320a21db8781ca4f6a363db928ca04b3b0d1dd70 /servconf.c | |
| parent | 6f56fe4b9578b0627667f8bce69d4d938a88324c (diff) | |
upstream: allow sshd_config PermitUserEnvironment to accept a
pattern-list of whitelisted environment variable names in addition to yes|no.
bz#1800, feedback and ok markus@
OpenBSD-Commit-ID: 77dc2b468e0bf04b53f333434ba257008a1fdf24
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 40 |
1 files changed, 36 insertions, 4 deletions
diff --git a/servconf.c b/servconf.c index cb5786583..a41fdc26a 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.334 2018/07/03 10:59:35 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -130,6 +130,7 @@ initialize_server_options(ServerOptions *options) | |||
| 130 | options->challenge_response_authentication = -1; | 130 | options->challenge_response_authentication = -1; |
| 131 | options->permit_empty_passwd = -1; | 131 | options->permit_empty_passwd = -1; |
| 132 | options->permit_user_env = -1; | 132 | options->permit_user_env = -1; |
| 133 | options->permit_user_env_whitelist = NULL; | ||
| 133 | options->compression = -1; | 134 | options->compression = -1; |
| 134 | options->rekey_limit = -1; | 135 | options->rekey_limit = -1; |
| 135 | options->rekey_interval = -1; | 136 | options->rekey_interval = -1; |
| @@ -329,8 +330,10 @@ fill_default_server_options(ServerOptions *options) | |||
| 329 | options->challenge_response_authentication = 1; | 330 | options->challenge_response_authentication = 1; |
| 330 | if (options->permit_empty_passwd == -1) | 331 | if (options->permit_empty_passwd == -1) |
| 331 | options->permit_empty_passwd = 0; | 332 | options->permit_empty_passwd = 0; |
| 332 | if (options->permit_user_env == -1) | 333 | if (options->permit_user_env == -1) { |
| 333 | options->permit_user_env = 0; | 334 | options->permit_user_env = 0; |
| 335 | options->permit_user_env_whitelist = NULL; | ||
| 336 | } | ||
| 334 | if (options->compression == -1) | 337 | if (options->compression == -1) |
| 335 | options->compression = COMP_DELAYED; | 338 | options->compression = COMP_DELAYED; |
| 336 | if (options->rekey_limit == -1) | 339 | if (options->rekey_limit == -1) |
| @@ -1514,7 +1517,29 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1514 | 1517 | ||
| 1515 | case sPermitUserEnvironment: | 1518 | case sPermitUserEnvironment: |
| 1516 | intptr = &options->permit_user_env; | 1519 | intptr = &options->permit_user_env; |
| 1517 | goto parse_flag; | 1520 | charptr = &options->permit_user_env_whitelist; |
| 1521 | arg = strdelim(&cp); | ||
| 1522 | if (!arg || *arg == '\0') | ||
| 1523 | fatal("%s line %d: missing argument.", | ||
| 1524 | filename, linenum); | ||
| 1525 | value = 0; | ||
| 1526 | p = NULL; | ||
| 1527 | if (strcmp(arg, "yes") == 0) | ||
| 1528 | value = 1; | ||
| 1529 | else if (strcmp(arg, "no") == 0) | ||
| 1530 | value = 0; | ||
| 1531 | else { | ||
| 1532 | /* Pattern-list specified */ | ||
| 1533 | value = 1; | ||
| 1534 | p = xstrdup(arg); | ||
| 1535 | } | ||
| 1536 | if (*activep && *intptr == -1) { | ||
| 1537 | *intptr = value; | ||
| 1538 | *charptr = p; | ||
| 1539 | p = NULL; | ||
| 1540 | } | ||
| 1541 | free(p); | ||
| 1542 | break; | ||
| 1518 | 1543 | ||
| 1519 | case sCompression: | 1544 | case sCompression: |
| 1520 | intptr = &options->compression; | 1545 | intptr = &options->compression; |
| @@ -2528,7 +2553,6 @@ dump_config(ServerOptions *o) | |||
| 2528 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 2553 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
| 2529 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 2554 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
| 2530 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); | 2555 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); |
| 2531 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); | ||
| 2532 | dump_cfg_fmtint(sCompression, o->compression); | 2556 | dump_cfg_fmtint(sCompression, o->compression); |
| 2533 | dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); | 2557 | dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); |
| 2534 | dump_cfg_fmtint(sUseDNS, o->use_dns); | 2558 | dump_cfg_fmtint(sUseDNS, o->use_dns); |
| @@ -2628,4 +2652,12 @@ dump_config(ServerOptions *o) | |||
| 2628 | printf(" %s", o->permitted_listens[i]); | 2652 | printf(" %s", o->permitted_listens[i]); |
| 2629 | } | 2653 | } |
| 2630 | printf("\n"); | 2654 | printf("\n"); |
| 2655 | |||
| 2656 | if (o->permit_user_env_whitelist == NULL) { | ||
| 2657 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); | ||
| 2658 | } else { | ||
| 2659 | printf("permituserenvironment %s\n", | ||
| 2660 | o->permit_user_env_whitelist); | ||
| 2661 | } | ||
| 2662 | |||
| 2631 | } | 2663 | } |