1 files changed, 17 insertions, 13 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index ec8f75d57..6a6217017 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.31 2012/10/30 21:29:54 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -462,23 +462,27 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
        struct stat st;
        int status, devnull, p[2], i;
        pid_t pid;
-        char errmsg[512];
+        char *username, errmsg[512];
        if (options.authorized_keys_command == NULL ||
            options.authorized_keys_command[0] != '/')
                return 0;
-        /* If no user specified to run commands the default to target user */
+        if (options.authorized_keys_command_user == NULL) {
-        if (options.authorized_keys_command_user == NULL)
+                error("No user for AuthorizedKeysCommand specified, skipping");
-                pw = user_pw;
+                return 0;
-        else {
+        }
-                pw = getpwnam(options.authorized_keys_command_user);
-                if (pw == NULL) {
+        username = percent_expand(options.authorized_keys_command_user,
-                        error("AuthorizedKeyCommandUser \"%s\" not found: %s",
+            "u", user_pw->pw_name, (char *)NULL);
-                            options.authorized_keys_command, strerror(errno));
+        pw = getpwnam(username);
-                        return 0;
+        if (pw == NULL) {
-                }
+                error("AuthorizedKeyCommandUser \"%s\" not found: %s",
+                    options.authorized_keys_command, strerror(errno));
+                free(username);
+                return 0;
        }
+        free(username);
        temporarily_use_uid(pw);
@@ -517,6 +521,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
                for (i = 0; i < NSIG; i++)
                        signal(i, SIG_DFL);
+                closefrom(STDERR_FILENO + 1);
                /* Don't use permanently_set_uid() here to avoid fatal() */
                if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
                        error("setresgid %u: %s", (u_int)pw->pw_gid,
@@ -541,7 +546,6 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
                        error("%s: dup2: %s", __func__, strerror(errno));
                        _exit(1);
                }
-                closefrom(STDERR_FILENO + 1);
                execl(options.authorized_keys_command,
                    options.authorized_keys_command, pw->pw_name, NULL);

diff --git a/auth2-pubkey.c b/auth2-pubkey.c index ec8f75d57..6a6217017 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth2-pubkey.c,v 1.31 2012/10/30 21:29:54 djm Exp $ */	1	/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -462,23 +462,27 @@ user_key_command_allowed2(struct passwd user_pw, Key key)
462	struct stat st;	462	struct stat st;
463	int status, devnull, p[2], i;	463	int status, devnull, p[2], i;
464	pid_t pid;	464	pid_t pid;
465	char errmsg[512];	465	char *username, errmsg[512];
466		466
467	if (options.authorized_keys_command == NULL \|\|	467	if (options.authorized_keys_command == NULL \|\|
468	options.authorized_keys_command[0] != '/')	468	options.authorized_keys_command[0] != '/')
469	return 0;	469	return 0;
470		470
471	/* If no user specified to run commands the default to target user */	471	if (options.authorized_keys_command_user == NULL) {
472	if (options.authorized_keys_command_user == NULL)	472	error("No user for AuthorizedKeysCommand specified, skipping");
473	pw = user_pw;	473	return 0;
474	else {	474	}
475	pw = getpwnam(options.authorized_keys_command_user);	475
476	if (pw == NULL) {	476	username = percent_expand(options.authorized_keys_command_user,
477	error("AuthorizedKeyCommandUser \"%s\" not found: %s",	477	"u", user_pw->pw_name, (char *)NULL);
478	options.authorized_keys_command, strerror(errno));	478	pw = getpwnam(username);
479	return 0;	479	if (pw == NULL) {
480	}	480	error("AuthorizedKeyCommandUser \"%s\" not found: %s",
		481	options.authorized_keys_command, strerror(errno));
		482	free(username);
		483	return 0;
481	}	484	}
		485	free(username);
482		486
483	temporarily_use_uid(pw);	487	temporarily_use_uid(pw);
484		488
@@ -517,6 +521,7 @@ user_key_command_allowed2(struct passwd user_pw, Key key)
517	for (i = 0; i < NSIG; i++)	521	for (i = 0; i < NSIG; i++)
518	signal(i, SIG_DFL);	522	signal(i, SIG_DFL);
519		523
		524	closefrom(STDERR_FILENO + 1);
520	/* Don't use permanently_set_uid() here to avoid fatal() */	525	/* Don't use permanently_set_uid() here to avoid fatal() */
521	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {	526	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
522	error("setresgid %u: %s", (u_int)pw->pw_gid,	527	error("setresgid %u: %s", (u_int)pw->pw_gid,
@@ -541,7 +546,6 @@ user_key_command_allowed2(struct passwd user_pw, Key key)
541	error("%s: dup2: %s", __func__, strerror(errno));	546	error("%s: dup2: %s", __func__, strerror(errno));
542	_exit(1);	547	_exit(1);
543	}	548	}
544	closefrom(STDERR_FILENO + 1);
545		549
546	execl(options.authorized_keys_command,	550	execl(options.authorized_keys_command,
547	options.authorized_keys_command, pw->pw_name, NULL);	551	options.authorized_keys_command, pw->pw_name, NULL);