diff options
Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 61 |
1 files changed, 45 insertions, 16 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: session.c,v 1.266 2013/07/19 07:37:48 markus Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.269 2014/01/18 09:36:26 dtucker Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -442,7 +442,7 @@ do_authenticated1(Authctxt *authctxt) | |||
| 442 | } | 442 | } |
| 443 | } | 443 | } |
| 444 | 444 | ||
| 445 | #define USE_PIPES | 445 | #define USE_PIPES 1 |
| 446 | /* | 446 | /* |
| 447 | * This is called to fork and execute a command when we have no tty. This | 447 | * This is called to fork and execute a command when we have no tty. This |
| 448 | * will call do_child from the child, and server_loop from the parent after | 448 | * will call do_child from the child, and server_loop from the parent after |
| @@ -795,27 +795,50 @@ int | |||
| 795 | do_exec(Session *s, const char *command) | 795 | do_exec(Session *s, const char *command) |
| 796 | { | 796 | { |
| 797 | int ret; | 797 | int ret; |
| 798 | const char *forced = NULL; | ||
| 799 | char session_type[1024], *tty = NULL; | ||
| 798 | 800 | ||
| 799 | if (options.adm_forced_command) { | 801 | if (options.adm_forced_command) { |
| 800 | original_command = command; | 802 | original_command = command; |
| 801 | command = options.adm_forced_command; | 803 | command = options.adm_forced_command; |
| 802 | if (IS_INTERNAL_SFTP(command)) { | 804 | forced = "(config)"; |
| 803 | s->is_subsystem = s->is_subsystem ? | ||
| 804 | SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; | ||
| 805 | } else if (s->is_subsystem) | ||
| 806 | s->is_subsystem = SUBSYSTEM_EXT; | ||
| 807 | debug("Forced command (config) '%.900s'", command); | ||
| 808 | } else if (forced_command) { | 805 | } else if (forced_command) { |
| 809 | original_command = command; | 806 | original_command = command; |
| 810 | command = forced_command; | 807 | command = forced_command; |
| 808 | forced = "(key-option)"; | ||
| 809 | } | ||
| 810 | if (forced != NULL) { | ||
| 811 | if (IS_INTERNAL_SFTP(command)) { | 811 | if (IS_INTERNAL_SFTP(command)) { |
| 812 | s->is_subsystem = s->is_subsystem ? | 812 | s->is_subsystem = s->is_subsystem ? |
| 813 | SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; | 813 | SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; |
| 814 | } else if (s->is_subsystem) | 814 | } else if (s->is_subsystem) |
| 815 | s->is_subsystem = SUBSYSTEM_EXT; | 815 | s->is_subsystem = SUBSYSTEM_EXT; |
| 816 | debug("Forced command (key option) '%.900s'", command); | 816 | snprintf(session_type, sizeof(session_type), |
| 817 | "forced-command %s '%.900s'", forced, command); | ||
| 818 | } else if (s->is_subsystem) { | ||
| 819 | snprintf(session_type, sizeof(session_type), | ||
| 820 | "subsystem '%.900s'", s->subsys); | ||
| 821 | } else if (command == NULL) { | ||
| 822 | snprintf(session_type, sizeof(session_type), "shell"); | ||
| 823 | } else { | ||
| 824 | /* NB. we don't log unforced commands to preserve privacy */ | ||
| 825 | snprintf(session_type, sizeof(session_type), "command"); | ||
| 826 | } | ||
| 827 | |||
| 828 | if (s->ttyfd != -1) { | ||
| 829 | tty = s->tty; | ||
| 830 | if (strncmp(tty, "/dev/", 5) == 0) | ||
| 831 | tty += 5; | ||
| 817 | } | 832 | } |
| 818 | 833 | ||
| 834 | verbose("Starting session: %s%s%s for %s from %.200s port %d", | ||
| 835 | session_type, | ||
| 836 | tty == NULL ? "" : " on ", | ||
| 837 | tty == NULL ? "" : tty, | ||
| 838 | s->pw->pw_name, | ||
| 839 | get_remote_ipaddr(), | ||
| 840 | get_remote_port()); | ||
| 841 | |||
| 819 | #ifdef SSH_AUDIT_EVENTS | 842 | #ifdef SSH_AUDIT_EVENTS |
| 820 | if (command != NULL) | 843 | if (command != NULL) |
| 821 | PRIVSEP(audit_run_command(command)); | 844 | PRIVSEP(audit_run_command(command)); |
| @@ -1538,6 +1561,11 @@ do_setusercontext(struct passwd *pw, const char *role) | |||
| 1538 | */ | 1561 | */ |
| 1539 | (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); | 1562 | (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); |
| 1540 | #else | 1563 | #else |
| 1564 | # ifdef USE_LIBIAF | ||
| 1565 | if (set_id(pw->pw_name) != 0) { | ||
| 1566 | fatal("set_id(%s) Failed", pw->pw_name); | ||
| 1567 | } | ||
| 1568 | # endif /* USE_LIBIAF */ | ||
| 1541 | /* Permanently switch to the desired uid. */ | 1569 | /* Permanently switch to the desired uid. */ |
| 1542 | permanently_set_uid(pw); | 1570 | permanently_set_uid(pw); |
| 1543 | #endif | 1571 | #endif |
| @@ -2048,7 +2076,7 @@ session_pty_req(Session *s) | |||
| 2048 | u_int len; | 2076 | u_int len; |
| 2049 | int n_bytes; | 2077 | int n_bytes; |
| 2050 | 2078 | ||
| 2051 | if (no_pty_flag) { | 2079 | if (no_pty_flag || !options.permit_tty) { |
| 2052 | debug("Allocating a pty not permitted for this authentication."); | 2080 | debug("Allocating a pty not permitted for this authentication."); |
| 2053 | return 0; | 2081 | return 0; |
| 2054 | } | 2082 | } |
| @@ -2109,15 +2137,16 @@ session_subsystem_req(Session *s) | |||
| 2109 | struct stat st; | 2137 | struct stat st; |
| 2110 | u_int len; | 2138 | u_int len; |
| 2111 | int success = 0; | 2139 | int success = 0; |
| 2112 | char *prog, *cmd, *subsys = packet_get_string(&len); | 2140 | char *prog, *cmd; |
| 2113 | u_int i; | 2141 | u_int i; |
| 2114 | 2142 | ||
| 2143 | s->subsys = packet_get_string(&len); | ||
| 2115 | packet_check_eom(); | 2144 | packet_check_eom(); |
| 2116 | logit("subsystem request for %.100s by user %s", subsys, | 2145 | debug2("subsystem request for %.100s by user %s", s->subsys, |
| 2117 | s->pw->pw_name); | 2146 | s->pw->pw_name); |
| 2118 | 2147 | ||
| 2119 | for (i = 0; i < options.num_subsystems; i++) { | 2148 | for (i = 0; i < options.num_subsystems; i++) { |
| 2120 | if (strcmp(subsys, options.subsystem_name[i]) == 0) { | 2149 | if (strcmp(s->subsys, options.subsystem_name[i]) == 0) { |
| 2121 | prog = options.subsystem_command[i]; | 2150 | prog = options.subsystem_command[i]; |
| 2122 | cmd = options.subsystem_args[i]; | 2151 | cmd = options.subsystem_args[i]; |
| 2123 | if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) { | 2152 | if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) { |
| @@ -2136,10 +2165,9 @@ session_subsystem_req(Session *s) | |||
| 2136 | } | 2165 | } |
| 2137 | 2166 | ||
| 2138 | if (!success) | 2167 | if (!success) |
| 2139 | logit("subsystem request for %.100s failed, subsystem not found", | 2168 | logit("subsystem request for %.100s by user %s failed, " |
| 2140 | subsys); | 2169 | "subsystem not found", s->subsys, s->pw->pw_name); |
| 2141 | 2170 | ||
| 2142 | free(subsys); | ||
| 2143 | return success; | 2171 | return success; |
| 2144 | } | 2172 | } |
| 2145 | 2173 | ||
| @@ -2494,6 +2522,7 @@ session_close(Session *s) | |||
| 2494 | free(s->auth_display); | 2522 | free(s->auth_display); |
| 2495 | free(s->auth_data); | 2523 | free(s->auth_data); |
| 2496 | free(s->auth_proto); | 2524 | free(s->auth_proto); |
| 2525 | free(s->subsys); | ||
| 2497 | if (s->env != NULL) { | 2526 | if (s->env != NULL) { |
| 2498 | for (i = 0; i < s->num_env; i++) { | 2527 | for (i = 0; i < s->num_env; i++) { |
| 2499 | free(s->env[i].name); | 2528 | free(s->env[i].name); |