diff options
author | djm@openbsd.org <djm@openbsd.org> | 2016-08-19 03:18:06 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-08-23 14:29:07 +1000 |
commit | 83b581862a1dbb06fc859959f829dde2654aef3c (patch) | |
tree | fc8569112cdf47a9f27fc778ab9bf9d4fecdcfbb /session.c | |
parent | ffe6549c2f7a999cc5264b873a60322e91862581 (diff) |
upstream commit
remove UseLogin option and support for having /bin/login
manage login sessions; ok deraadt markus dtucker
Upstream-ID: bea7213fbf158efab7e602d9d844fba4837d2712
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 171 |
1 files changed, 61 insertions, 110 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: session.c,v 1.283 2016/08/13 17:47:41 markus Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.284 2016/08/19 03:18:06 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -544,7 +544,7 @@ do_exec_pty(Session *s, const char *command) | |||
544 | 544 | ||
545 | /* record login, etc. similar to login(1) */ | 545 | /* record login, etc. similar to login(1) */ |
546 | #ifndef HAVE_OSF_SIA | 546 | #ifndef HAVE_OSF_SIA |
547 | if (!(options.use_login && command == NULL)) { | 547 | if (command != NULL) { |
548 | #ifdef _UNICOS | 548 | #ifdef _UNICOS |
549 | cray_init_job(s->pw); /* set up cray jid and tmpdir */ | 549 | cray_init_job(s->pw); /* set up cray jid and tmpdir */ |
550 | #endif /* _UNICOS */ | 550 | #endif /* _UNICOS */ |
@@ -1019,69 +1019,63 @@ do_setup_env(Session *s, const char *shell) | |||
1019 | ssh_gssapi_do_child(&env, &envsize); | 1019 | ssh_gssapi_do_child(&env, &envsize); |
1020 | #endif | 1020 | #endif |
1021 | 1021 | ||
1022 | if (!options.use_login) { | 1022 | /* Set basic environment. */ |
1023 | /* Set basic environment. */ | 1023 | for (i = 0; i < s->num_env; i++) |
1024 | for (i = 0; i < s->num_env; i++) | 1024 | child_set_env(&env, &envsize, s->env[i].name, s->env[i].val); |
1025 | child_set_env(&env, &envsize, s->env[i].name, | ||
1026 | s->env[i].val); | ||
1027 | 1025 | ||
1028 | child_set_env(&env, &envsize, "USER", pw->pw_name); | 1026 | child_set_env(&env, &envsize, "USER", pw->pw_name); |
1029 | child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); | 1027 | child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); |
1030 | #ifdef _AIX | 1028 | #ifdef _AIX |
1031 | child_set_env(&env, &envsize, "LOGIN", pw->pw_name); | 1029 | child_set_env(&env, &envsize, "LOGIN", pw->pw_name); |
1032 | #endif | 1030 | #endif |
1033 | child_set_env(&env, &envsize, "HOME", pw->pw_dir); | 1031 | child_set_env(&env, &envsize, "HOME", pw->pw_dir); |
1034 | #ifdef HAVE_LOGIN_CAP | 1032 | #ifdef HAVE_LOGIN_CAP |
1035 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) | 1033 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) |
1036 | child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); | 1034 | child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); |
1037 | else | 1035 | else |
1038 | child_set_env(&env, &envsize, "PATH", getenv("PATH")); | 1036 | child_set_env(&env, &envsize, "PATH", getenv("PATH")); |
1039 | #else /* HAVE_LOGIN_CAP */ | 1037 | #else /* HAVE_LOGIN_CAP */ |
1040 | # ifndef HAVE_CYGWIN | 1038 | # ifndef HAVE_CYGWIN |
1041 | /* | 1039 | /* |
1042 | * There's no standard path on Windows. The path contains | 1040 | * There's no standard path on Windows. The path contains |
1043 | * important components pointing to the system directories, | 1041 | * important components pointing to the system directories, |
1044 | * needed for loading shared libraries. So the path better | 1042 | * needed for loading shared libraries. So the path better |
1045 | * remains intact here. | 1043 | * remains intact here. |
1046 | */ | 1044 | */ |
1047 | # ifdef HAVE_ETC_DEFAULT_LOGIN | 1045 | # ifdef HAVE_ETC_DEFAULT_LOGIN |
1048 | read_etc_default_login(&env, &envsize, pw->pw_uid); | 1046 | read_etc_default_login(&env, &envsize, pw->pw_uid); |
1049 | path = child_get_env(env, "PATH"); | 1047 | path = child_get_env(env, "PATH"); |
1050 | # endif /* HAVE_ETC_DEFAULT_LOGIN */ | 1048 | # endif /* HAVE_ETC_DEFAULT_LOGIN */ |
1051 | if (path == NULL || *path == '\0') { | 1049 | if (path == NULL || *path == '\0') { |
1052 | child_set_env(&env, &envsize, "PATH", | 1050 | child_set_env(&env, &envsize, "PATH", |
1053 | s->pw->pw_uid == 0 ? | 1051 | s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH); |
1054 | SUPERUSER_PATH : _PATH_STDPATH); | 1052 | } |
1055 | } | ||
1056 | # endif /* HAVE_CYGWIN */ | 1053 | # endif /* HAVE_CYGWIN */ |
1057 | #endif /* HAVE_LOGIN_CAP */ | 1054 | #endif /* HAVE_LOGIN_CAP */ |
1058 | 1055 | ||
1059 | snprintf(buf, sizeof buf, "%.200s/%.50s", | 1056 | snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); |
1060 | _PATH_MAILDIR, pw->pw_name); | 1057 | child_set_env(&env, &envsize, "MAIL", buf); |
1061 | child_set_env(&env, &envsize, "MAIL", buf); | 1058 | |
1059 | /* Normal systems set SHELL by default. */ | ||
1060 | child_set_env(&env, &envsize, "SHELL", shell); | ||
1062 | 1061 | ||
1063 | /* Normal systems set SHELL by default. */ | ||
1064 | child_set_env(&env, &envsize, "SHELL", shell); | ||
1065 | } | ||
1066 | if (getenv("TZ")) | 1062 | if (getenv("TZ")) |
1067 | child_set_env(&env, &envsize, "TZ", getenv("TZ")); | 1063 | child_set_env(&env, &envsize, "TZ", getenv("TZ")); |
1068 | 1064 | ||
1069 | /* Set custom environment options from RSA authentication. */ | 1065 | /* Set custom environment options from RSA authentication. */ |
1070 | if (!options.use_login) { | 1066 | while (custom_environment) { |
1071 | while (custom_environment) { | 1067 | struct envstring *ce = custom_environment; |
1072 | struct envstring *ce = custom_environment; | 1068 | char *str = ce->s; |
1073 | char *str = ce->s; | 1069 | |
1074 | 1070 | for (i = 0; str[i] != '=' && str[i]; i++) | |
1075 | for (i = 0; str[i] != '=' && str[i]; i++) | 1071 | ; |
1076 | ; | 1072 | if (str[i] == '=') { |
1077 | if (str[i] == '=') { | 1073 | str[i] = 0; |
1078 | str[i] = 0; | 1074 | child_set_env(&env, &envsize, str, str + i + 1); |
1079 | child_set_env(&env, &envsize, str, str + i + 1); | ||
1080 | } | ||
1081 | custom_environment = ce->next; | ||
1082 | free(ce->s); | ||
1083 | free(ce); | ||
1084 | } | 1075 | } |
1076 | custom_environment = ce->next; | ||
1077 | free(ce->s); | ||
1078 | free(ce); | ||
1085 | } | 1079 | } |
1086 | 1080 | ||
1087 | /* SSH_CLIENT deprecated */ | 1081 | /* SSH_CLIENT deprecated */ |
@@ -1143,7 +1137,7 @@ do_setup_env(Session *s, const char *shell) | |||
1143 | * Pull in any environment variables that may have | 1137 | * Pull in any environment variables that may have |
1144 | * been set by PAM. | 1138 | * been set by PAM. |
1145 | */ | 1139 | */ |
1146 | if (options.use_pam && !options.use_login) { | 1140 | if (options.use_pam) { |
1147 | char **p; | 1141 | char **p; |
1148 | 1142 | ||
1149 | p = fetch_pam_child_environment(); | 1143 | p = fetch_pam_child_environment(); |
@@ -1161,7 +1155,7 @@ do_setup_env(Session *s, const char *shell) | |||
1161 | auth_sock_name); | 1155 | auth_sock_name); |
1162 | 1156 | ||
1163 | /* read $HOME/.ssh/environment. */ | 1157 | /* read $HOME/.ssh/environment. */ |
1164 | if (options.permit_user_env && !options.use_login) { | 1158 | if (options.permit_user_env) { |
1165 | snprintf(buf, sizeof buf, "%.200s/.ssh/environment", | 1159 | snprintf(buf, sizeof buf, "%.200s/.ssh/environment", |
1166 | strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); | 1160 | strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); |
1167 | read_environment_file(&env, &envsize, buf); | 1161 | read_environment_file(&env, &envsize, buf); |
@@ -1443,27 +1437,6 @@ do_pwchange(Session *s) | |||
1443 | } | 1437 | } |
1444 | 1438 | ||
1445 | static void | 1439 | static void |
1446 | launch_login(struct passwd *pw, const char *hostname) | ||
1447 | { | ||
1448 | /* Launch login(1). */ | ||
1449 | |||
1450 | execl(LOGIN_PROGRAM, "login", "-h", hostname, | ||
1451 | #ifdef xxxLOGIN_NEEDS_TERM | ||
1452 | (s->term ? s->term : "unknown"), | ||
1453 | #endif /* LOGIN_NEEDS_TERM */ | ||
1454 | #ifdef LOGIN_NO_ENDOPT | ||
1455 | "-p", "-f", pw->pw_name, (char *)NULL); | ||
1456 | #else | ||
1457 | "-p", "-f", "--", pw->pw_name, (char *)NULL); | ||
1458 | #endif | ||
1459 | |||
1460 | /* Login couldn't be executed, die. */ | ||
1461 | |||
1462 | perror("login"); | ||
1463 | exit(1); | ||
1464 | } | ||
1465 | |||
1466 | static void | ||
1467 | child_close_fds(void) | 1440 | child_close_fds(void) |
1468 | { | 1441 | { |
1469 | extern int auth_sock; | 1442 | extern int auth_sock; |
@@ -1510,11 +1483,10 @@ child_close_fds(void) | |||
1510 | void | 1483 | void |
1511 | do_child(Session *s, const char *command) | 1484 | do_child(Session *s, const char *command) |
1512 | { | 1485 | { |
1513 | struct ssh *ssh = active_state; /* XXX */ | ||
1514 | extern char **environ; | 1486 | extern char **environ; |
1515 | char **env; | 1487 | char **env; |
1516 | char *argv[ARGV_MAX]; | 1488 | char *argv[ARGV_MAX]; |
1517 | const char *shell, *shell0, *hostname = NULL; | 1489 | const char *shell, *shell0; |
1518 | struct passwd *pw = s->pw; | 1490 | struct passwd *pw = s->pw; |
1519 | int r = 0; | 1491 | int r = 0; |
1520 | 1492 | ||
@@ -1529,10 +1501,6 @@ do_child(Session *s, const char *command) | |||
1529 | exit(1); | 1501 | exit(1); |
1530 | } | 1502 | } |
1531 | 1503 | ||
1532 | /* login(1) is only called if we execute the login shell */ | ||
1533 | if (options.use_login && command != NULL) | ||
1534 | options.use_login = 0; | ||
1535 | |||
1536 | #ifdef _UNICOS | 1504 | #ifdef _UNICOS |
1537 | cray_setup(pw->pw_uid, pw->pw_name, command); | 1505 | cray_setup(pw->pw_uid, pw->pw_name, command); |
1538 | #endif /* _UNICOS */ | 1506 | #endif /* _UNICOS */ |
@@ -1541,28 +1509,26 @@ do_child(Session *s, const char *command) | |||
1541 | * Login(1) does this as well, and it needs uid 0 for the "-h" | 1509 | * Login(1) does this as well, and it needs uid 0 for the "-h" |
1542 | * switch, so we let login(1) to this for us. | 1510 | * switch, so we let login(1) to this for us. |
1543 | */ | 1511 | */ |
1544 | if (!options.use_login) { | ||
1545 | #ifdef HAVE_OSF_SIA | 1512 | #ifdef HAVE_OSF_SIA |
1546 | session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); | 1513 | session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); |
1547 | if (!check_quietlogin(s, command)) | 1514 | if (!check_quietlogin(s, command)) |
1548 | do_motd(); | 1515 | do_motd(); |
1549 | #else /* HAVE_OSF_SIA */ | 1516 | #else /* HAVE_OSF_SIA */ |
1550 | /* When PAM is enabled we rely on it to do the nologin check */ | 1517 | /* When PAM is enabled we rely on it to do the nologin check */ |
1551 | if (!options.use_pam) | 1518 | if (!options.use_pam) |
1552 | do_nologin(pw); | 1519 | do_nologin(pw); |
1553 | do_setusercontext(pw); | 1520 | do_setusercontext(pw); |
1554 | /* | 1521 | /* |
1555 | * PAM session modules in do_setusercontext may have | 1522 | * PAM session modules in do_setusercontext may have |
1556 | * generated messages, so if this in an interactive | 1523 | * generated messages, so if this in an interactive |
1557 | * login then display them too. | 1524 | * login then display them too. |
1558 | */ | 1525 | */ |
1559 | if (!check_quietlogin(s, command)) | 1526 | if (!check_quietlogin(s, command)) |
1560 | display_loginmsg(); | 1527 | display_loginmsg(); |
1561 | #endif /* HAVE_OSF_SIA */ | 1528 | #endif /* HAVE_OSF_SIA */ |
1562 | } | ||
1563 | 1529 | ||
1564 | #ifdef USE_PAM | 1530 | #ifdef USE_PAM |
1565 | if (options.use_pam && !options.use_login && !is_pam_session_open()) { | 1531 | if (options.use_pam && !is_pam_session_open()) { |
1566 | debug3("PAM session not opened, exiting"); | 1532 | debug3("PAM session not opened, exiting"); |
1567 | display_loginmsg(); | 1533 | display_loginmsg(); |
1568 | exit(254); | 1534 | exit(254); |
@@ -1585,10 +1551,6 @@ do_child(Session *s, const char *command) | |||
1585 | shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); | 1551 | shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); |
1586 | #endif | 1552 | #endif |
1587 | 1553 | ||
1588 | /* we have to stash the hostname before we close our socket. */ | ||
1589 | if (options.use_login) | ||
1590 | hostname = session_get_remote_name_or_ip(ssh, utmp_len, | ||
1591 | options.use_dns); | ||
1592 | /* | 1554 | /* |
1593 | * Close the connection descriptors; note that this is the child, and | 1555 | * Close the connection descriptors; note that this is the child, and |
1594 | * the server will still have the socket open, and it is important | 1556 | * the server will still have the socket open, and it is important |
@@ -1647,8 +1609,7 @@ do_child(Session *s, const char *command) | |||
1647 | 1609 | ||
1648 | closefrom(STDERR_FILENO + 1); | 1610 | closefrom(STDERR_FILENO + 1); |
1649 | 1611 | ||
1650 | if (!options.use_login) | 1612 | do_rc_files(s, shell); |
1651 | do_rc_files(s, shell); | ||
1652 | 1613 | ||
1653 | /* restore SIGPIPE for child */ | 1614 | /* restore SIGPIPE for child */ |
1654 | signal(SIGPIPE, SIG_DFL); | 1615 | signal(SIGPIPE, SIG_DFL); |
@@ -1678,11 +1639,6 @@ do_child(Session *s, const char *command) | |||
1678 | 1639 | ||
1679 | fflush(NULL); | 1640 | fflush(NULL); |
1680 | 1641 | ||
1681 | if (options.use_login) { | ||
1682 | launch_login(pw, hostname); | ||
1683 | /* NEVERREACHED */ | ||
1684 | } | ||
1685 | |||
1686 | /* Get the last component of the shell name. */ | 1642 | /* Get the last component of the shell name. */ |
1687 | if ((shell0 = strrchr(shell, '/')) != NULL) | 1643 | if ((shell0 = strrchr(shell, '/')) != NULL) |
1688 | shell0++; | 1644 | shell0++; |
@@ -2502,11 +2458,6 @@ session_setup_x11fwd(Session *s) | |||
2502 | packet_send_debug("No xauth program; cannot forward with spoofing."); | 2458 | packet_send_debug("No xauth program; cannot forward with spoofing."); |
2503 | return 0; | 2459 | return 0; |
2504 | } | 2460 | } |
2505 | if (options.use_login) { | ||
2506 | packet_send_debug("X11 forwarding disabled; " | ||
2507 | "not compatible with UseLogin=yes."); | ||
2508 | return 0; | ||
2509 | } | ||
2510 | if (s->display != NULL) { | 2461 | if (s->display != NULL) { |
2511 | debug("X11 display already set."); | 2462 | debug("X11 display already set."); |
2512 | return 0; | 2463 | return 0; |