diff options
Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 52 |
1 files changed, 27 insertions, 25 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: session.c,v 1.278 2015/04/24 01:36:00 deraadt Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.280 2016/02/16 03:37:48 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -160,6 +160,7 @@ login_cap_t *lc; | |||
| 160 | #endif | 160 | #endif |
| 161 | 161 | ||
| 162 | static int is_child = 0; | 162 | static int is_child = 0; |
| 163 | static int in_chroot = 0; | ||
| 163 | 164 | ||
| 164 | /* Name and directory of socket for authentication agent forwarding. */ | 165 | /* Name and directory of socket for authentication agent forwarding. */ |
| 165 | static char *auth_sock_name = NULL; | 166 | static char *auth_sock_name = NULL; |
| @@ -778,8 +779,8 @@ int | |||
| 778 | do_exec(Session *s, const char *command) | 779 | do_exec(Session *s, const char *command) |
| 779 | { | 780 | { |
| 780 | int ret; | 781 | int ret; |
| 781 | const char *forced = NULL; | 782 | const char *forced = NULL, *tty = NULL; |
| 782 | char session_type[1024], *tty = NULL; | 783 | char session_type[1024]; |
| 783 | 784 | ||
| 784 | if (options.adm_forced_command) { | 785 | if (options.adm_forced_command) { |
| 785 | original_command = command; | 786 | original_command = command; |
| @@ -814,13 +815,14 @@ do_exec(Session *s, const char *command) | |||
| 814 | tty += 5; | 815 | tty += 5; |
| 815 | } | 816 | } |
| 816 | 817 | ||
| 817 | verbose("Starting session: %s%s%s for %s from %.200s port %d", | 818 | verbose("Starting session: %s%s%s for %s from %.200s port %d id %d", |
| 818 | session_type, | 819 | session_type, |
| 819 | tty == NULL ? "" : " on ", | 820 | tty == NULL ? "" : " on ", |
| 820 | tty == NULL ? "" : tty, | 821 | tty == NULL ? "" : tty, |
| 821 | s->pw->pw_name, | 822 | s->pw->pw_name, |
| 822 | get_remote_ipaddr(), | 823 | get_remote_ipaddr(), |
| 823 | get_remote_port()); | 824 | get_remote_port(), |
| 825 | s->self); | ||
| 824 | 826 | ||
| 825 | #ifdef SSH_AUDIT_EVENTS | 827 | #ifdef SSH_AUDIT_EVENTS |
| 826 | if (command != NULL) | 828 | if (command != NULL) |
| @@ -1490,9 +1492,6 @@ void | |||
| 1490 | do_setusercontext(struct passwd *pw, const char *role) | 1492 | do_setusercontext(struct passwd *pw, const char *role) |
| 1491 | { | 1493 | { |
| 1492 | char *chroot_path, *tmp; | 1494 | char *chroot_path, *tmp; |
| 1493 | #ifdef USE_LIBIAF | ||
| 1494 | int doing_chroot = 0; | ||
| 1495 | #endif | ||
| 1496 | 1495 | ||
| 1497 | platform_setusercontext(pw); | 1496 | platform_setusercontext(pw); |
| 1498 | 1497 | ||
| @@ -1520,7 +1519,7 @@ do_setusercontext(struct passwd *pw, const char *role) | |||
| 1520 | 1519 | ||
| 1521 | platform_setusercontext_post_groups(pw, role); | 1520 | platform_setusercontext_post_groups(pw, role); |
| 1522 | 1521 | ||
| 1523 | if (options.chroot_directory != NULL && | 1522 | if (!in_chroot && options.chroot_directory != NULL && |
| 1524 | strcasecmp(options.chroot_directory, "none") != 0) { | 1523 | strcasecmp(options.chroot_directory, "none") != 0) { |
| 1525 | tmp = tilde_expand_filename(options.chroot_directory, | 1524 | tmp = tilde_expand_filename(options.chroot_directory, |
| 1526 | pw->pw_uid); | 1525 | pw->pw_uid); |
| @@ -1532,9 +1531,7 @@ do_setusercontext(struct passwd *pw, const char *role) | |||
| 1532 | /* Make sure we don't attempt to chroot again */ | 1531 | /* Make sure we don't attempt to chroot again */ |
| 1533 | free(options.chroot_directory); | 1532 | free(options.chroot_directory); |
| 1534 | options.chroot_directory = NULL; | 1533 | options.chroot_directory = NULL; |
| 1535 | #ifdef USE_LIBIAF | 1534 | in_chroot = 1; |
| 1536 | doing_chroot = 1; | ||
| 1537 | #endif | ||
| 1538 | } | 1535 | } |
| 1539 | 1536 | ||
| 1540 | #ifdef HAVE_LOGIN_CAP | 1537 | #ifdef HAVE_LOGIN_CAP |
| @@ -1549,16 +1546,16 @@ do_setusercontext(struct passwd *pw, const char *role) | |||
| 1549 | (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); | 1546 | (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); |
| 1550 | #else | 1547 | #else |
| 1551 | # ifdef USE_LIBIAF | 1548 | # ifdef USE_LIBIAF |
| 1552 | /* In a chroot environment, the set_id() will always fail; typically | 1549 | /* |
| 1553 | * because of the lack of necessary authentication services and runtime | 1550 | * In a chroot environment, the set_id() will always fail; |
| 1554 | * such as ./usr/lib/libiaf.so, ./usr/lib/libpam.so.1, and ./etc/passwd | 1551 | * typically because of the lack of necessary authentication |
| 1555 | * We skip it in the internal sftp chroot case. | 1552 | * services and runtime such as ./usr/lib/libiaf.so, |
| 1556 | * We'll lose auditing and ACLs but permanently_set_uid will | 1553 | * ./usr/lib/libpam.so.1, and ./etc/passwd We skip it in the |
| 1557 | * take care of the rest. | 1554 | * internal sftp chroot case. We'll lose auditing and ACLs but |
| 1558 | */ | 1555 | * permanently_set_uid will take care of the rest. |
| 1559 | if ((doing_chroot == 0) && set_id(pw->pw_name) != 0) { | 1556 | */ |
| 1560 | fatal("set_id(%s) Failed", pw->pw_name); | 1557 | if (!in_chroot && set_id(pw->pw_name) != 0) |
| 1561 | } | 1558 | fatal("set_id(%s) Failed", pw->pw_name); |
| 1562 | # endif /* USE_LIBIAF */ | 1559 | # endif /* USE_LIBIAF */ |
| 1563 | /* Permanently switch to the desired uid. */ | 1560 | /* Permanently switch to the desired uid. */ |
| 1564 | permanently_set_uid(pw); | 1561 | permanently_set_uid(pw); |
| @@ -1790,11 +1787,11 @@ do_child(Session *s, const char *command) | |||
| 1790 | #ifdef HAVE_LOGIN_CAP | 1787 | #ifdef HAVE_LOGIN_CAP |
| 1791 | r = login_getcapbool(lc, "requirehome", 0); | 1788 | r = login_getcapbool(lc, "requirehome", 0); |
| 1792 | #endif | 1789 | #endif |
| 1793 | if (r || options.chroot_directory == NULL || | 1790 | if (r || !in_chroot) { |
| 1794 | strcasecmp(options.chroot_directory, "none") == 0) | ||
| 1795 | fprintf(stderr, "Could not chdir to home " | 1791 | fprintf(stderr, "Could not chdir to home " |
| 1796 | "directory %s: %s\n", pw->pw_dir, | 1792 | "directory %s: %s\n", pw->pw_dir, |
| 1797 | strerror(errno)); | 1793 | strerror(errno)); |
| 1794 | } | ||
| 1798 | if (r) | 1795 | if (r) |
| 1799 | exit(1); | 1796 | exit(1); |
| 1800 | } | 1797 | } |
| @@ -2503,7 +2500,12 @@ session_close(Session *s) | |||
| 2503 | { | 2500 | { |
| 2504 | u_int i; | 2501 | u_int i; |
| 2505 | 2502 | ||
| 2506 | debug("session_close: session %d pid %ld", s->self, (long)s->pid); | 2503 | verbose("Close session: user %s from %.200s port %d id %d", |
| 2504 | s->pw->pw_name, | ||
| 2505 | get_remote_ipaddr(), | ||
| 2506 | get_remote_port(), | ||
| 2507 | s->self); | ||
| 2508 | |||
| 2507 | if (s->ttyfd != -1) | 2509 | if (s->ttyfd != -1) |
| 2508 | session_pty_cleanup(s); | 2510 | session_pty_cleanup(s); |
| 2509 | free(s->term); | 2511 | free(s->term); |