summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c30
1 files changed, 17 insertions, 13 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index ec8f75d57..6a6217017 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-pubkey.c,v 1.31 2012/10/30 21:29:54 djm Exp $ */ 1/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -462,23 +462,27 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
462 struct stat st; 462 struct stat st;
463 int status, devnull, p[2], i; 463 int status, devnull, p[2], i;
464 pid_t pid; 464 pid_t pid;
465 char errmsg[512]; 465 char *username, errmsg[512];
466 466
467 if (options.authorized_keys_command == NULL || 467 if (options.authorized_keys_command == NULL ||
468 options.authorized_keys_command[0] != '/') 468 options.authorized_keys_command[0] != '/')
469 return 0; 469 return 0;
470 470
471 /* If no user specified to run commands the default to target user */ 471 if (options.authorized_keys_command_user == NULL) {
472 if (options.authorized_keys_command_user == NULL) 472 error("No user for AuthorizedKeysCommand specified, skipping");
473 pw = user_pw; 473 return 0;
474 else { 474 }
475 pw = getpwnam(options.authorized_keys_command_user); 475
476 if (pw == NULL) { 476 username = percent_expand(options.authorized_keys_command_user,
477 error("AuthorizedKeyCommandUser \"%s\" not found: %s", 477 "u", user_pw->pw_name, (char *)NULL);
478 options.authorized_keys_command, strerror(errno)); 478 pw = getpwnam(username);
479 return 0; 479 if (pw == NULL) {
480 } 480 error("AuthorizedKeyCommandUser \"%s\" not found: %s",
481 options.authorized_keys_command, strerror(errno));
482 free(username);
483 return 0;
481 } 484 }
485 free(username);
482 486
483 temporarily_use_uid(pw); 487 temporarily_use_uid(pw);
484 488
@@ -517,6 +521,7 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
517 for (i = 0; i < NSIG; i++) 521 for (i = 0; i < NSIG; i++)
518 signal(i, SIG_DFL); 522 signal(i, SIG_DFL);
519 523
524 closefrom(STDERR_FILENO + 1);
520 /* Don't use permanently_set_uid() here to avoid fatal() */ 525 /* Don't use permanently_set_uid() here to avoid fatal() */
521 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { 526 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
522 error("setresgid %u: %s", (u_int)pw->pw_gid, 527 error("setresgid %u: %s", (u_int)pw->pw_gid,
@@ -541,7 +546,6 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
541 error("%s: dup2: %s", __func__, strerror(errno)); 546 error("%s: dup2: %s", __func__, strerror(errno));
542 _exit(1); 547 _exit(1);
543 } 548 }
544 closefrom(STDERR_FILENO + 1);
545 549
546 execl(options.authorized_keys_command, 550 execl(options.authorized_keys_command,
547 options.authorized_keys_command, pw->pw_name, NULL); 551 options.authorized_keys_command, pw->pw_name, NULL);