summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c32
1 files changed, 18 insertions, 14 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index f9cc6c2c6..70d8996ea 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.33 2012/11/14 02:24:27 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -504,8 +504,8 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
504 goto out; 504 goto out;
505 } 505 }
506 506
507 debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"", 507 debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
508 options.authorized_keys_command, pw->pw_name); 508 options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
509 509
510 /* 510 /*
511 * Don't want to call this in the child, where it can fatal() and 511 * Don't want to call this in the child, where it can fatal() and
@@ -523,7 +523,19 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
523 for (i = 0; i < NSIG; i++) 523 for (i = 0; i < NSIG; i++)
524 signal(i, SIG_DFL); 524 signal(i, SIG_DFL);
525 525
526 if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
527 error("%s: open %s: %s", __func__, _PATH_DEVNULL,
528 strerror(errno));
529 _exit(1);
530 }
531 /* Keep stderr around a while longer to catch errors */
532 if (dup2(devnull, STDIN_FILENO) == -1 ||
533 dup2(p[1], STDOUT_FILENO) == -1) {
534 error("%s: dup2: %s", __func__, strerror(errno));
535 _exit(1);
536 }
526 closefrom(STDERR_FILENO + 1); 537 closefrom(STDERR_FILENO + 1);
538
527 /* Don't use permanently_set_uid() here to avoid fatal() */ 539 /* Don't use permanently_set_uid() here to avoid fatal() */
528 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { 540 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
529 error("setresgid %u: %s", (u_int)pw->pw_gid, 541 error("setresgid %u: %s", (u_int)pw->pw_gid,
@@ -535,22 +547,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
535 strerror(errno)); 547 strerror(errno));
536 _exit(1); 548 _exit(1);
537 } 549 }
538 550 /* stdin is pointed to /dev/null at this point */
539 close(p[0]); 551 if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
540 if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
541 error("%s: open %s: %s", __func__, _PATH_DEVNULL,
542 strerror(errno));
543 _exit(1);
544 }
545 if (dup2(devnull, STDIN_FILENO) == -1 ||
546 dup2(p[1], STDOUT_FILENO) == -1 ||
547 dup2(devnull, STDERR_FILENO) == -1) {
548 error("%s: dup2: %s", __func__, strerror(errno)); 552 error("%s: dup2: %s", __func__, strerror(errno));
549 _exit(1); 553 _exit(1);
550 } 554 }
551 555
552 execl(options.authorized_keys_command, 556 execl(options.authorized_keys_command,
553 options.authorized_keys_command, pw->pw_name, NULL); 557 options.authorized_keys_command, user_pw->pw_name, NULL);
554 558
555 error("AuthorizedKeysCommand %s exec failed: %s", 559 error("AuthorizedKeysCommand %s exec failed: %s",
556 options.authorized_keys_command, strerror(errno)); 560 options.authorized_keys_command, strerror(errno));