Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 61 |
1 files changed, 45 insertions, 16 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: session.c,v 1.266 2013/07/19 07:37:48 markus Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.269 2014/01/18 09:36:26 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -442,7 +442,7 @@ do_authenticated1(Authctxt *authctxt) | |||
442 | } | 442 | } |
443 | } | 443 | } |
444 | 444 | ||
445 | #define USE_PIPES | 445 | #define USE_PIPES 1 |
446 | /* | 446 | /* |
447 | * This is called to fork and execute a command when we have no tty. This | 447 | * This is called to fork and execute a command when we have no tty. This |
448 | * will call do_child from the child, and server_loop from the parent after | 448 | * will call do_child from the child, and server_loop from the parent after |
@@ -795,27 +795,50 @@ int | |||
795 | do_exec(Session *s, const char *command) | 795 | do_exec(Session *s, const char *command) |
796 | { | 796 | { |
797 | int ret; | 797 | int ret; |
798 | const char *forced = NULL; | ||
799 | char session_type[1024], *tty = NULL; | ||
798 | 800 | ||
799 | if (options.adm_forced_command) { | 801 | if (options.adm_forced_command) { |
800 | original_command = command; | 802 | original_command = command; |
801 | command = options.adm_forced_command; | 803 | command = options.adm_forced_command; |
802 | if (IS_INTERNAL_SFTP(command)) { | 804 | forced = "(config)"; |
803 | s->is_subsystem = s->is_subsystem ? | ||
804 | SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; | ||
805 | } else if (s->is_subsystem) | ||
806 | s->is_subsystem = SUBSYSTEM_EXT; | ||
807 | debug("Forced command (config) '%.900s'", command); | ||
808 | } else if (forced_command) { | 805 | } else if (forced_command) { |
809 | original_command = command; | 806 | original_command = command; |
810 | command = forced_command; | 807 | command = forced_command; |
808 | forced = "(key-option)"; | ||
809 | } | ||
810 | if (forced != NULL) { | ||
811 | if (IS_INTERNAL_SFTP(command)) { | 811 | if (IS_INTERNAL_SFTP(command)) { |
812 | s->is_subsystem = s->is_subsystem ? | 812 | s->is_subsystem = s->is_subsystem ? |
813 | SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; | 813 | SUBSYSTEM_INT_SFTP : SUBSYSTEM_INT_SFTP_ERROR; |
814 | } else if (s->is_subsystem) | 814 | } else if (s->is_subsystem) |
815 | s->is_subsystem = SUBSYSTEM_EXT; | 815 | s->is_subsystem = SUBSYSTEM_EXT; |
816 | debug("Forced command (key option) '%.900s'", command); | 816 | snprintf(session_type, sizeof(session_type), |
817 | "forced-command %s '%.900s'", forced, command); | ||
818 | } else if (s->is_subsystem) { | ||
819 | snprintf(session_type, sizeof(session_type), | ||
820 | "subsystem '%.900s'", s->subsys); | ||
821 | } else if (command == NULL) { | ||
822 | snprintf(session_type, sizeof(session_type), "shell"); | ||
823 | } else { | ||
824 | /* NB. we don't log unforced commands to preserve privacy */ | ||
825 | snprintf(session_type, sizeof(session_type), "command"); | ||
826 | } | ||
827 | |||
828 | if (s->ttyfd != -1) { | ||
829 | tty = s->tty; | ||
830 | if (strncmp(tty, "/dev/", 5) == 0) | ||
831 | tty += 5; | ||
817 | } | 832 | } |
818 | 833 | ||
834 | verbose("Starting session: %s%s%s for %s from %.200s port %d", | ||
835 | session_type, | ||
836 | tty == NULL ? "" : " on ", | ||
837 | tty == NULL ? "" : tty, | ||
838 | s->pw->pw_name, | ||
839 | get_remote_ipaddr(), | ||
840 | get_remote_port()); | ||
841 | |||
819 | #ifdef SSH_AUDIT_EVENTS | 842 | #ifdef SSH_AUDIT_EVENTS |
820 | if (command != NULL) | 843 | if (command != NULL) |
821 | PRIVSEP(audit_run_command(command)); | 844 | PRIVSEP(audit_run_command(command)); |
@@ -1538,6 +1561,11 @@ do_setusercontext(struct passwd *pw, const char *role) | |||
1538 | */ | 1561 | */ |
1539 | (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); | 1562 | (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); |
1540 | #else | 1563 | #else |
1564 | # ifdef USE_LIBIAF | ||
1565 | if (set_id(pw->pw_name) != 0) { | ||
1566 | fatal("set_id(%s) Failed", pw->pw_name); | ||
1567 | } | ||
1568 | # endif /* USE_LIBIAF */ | ||
1541 | /* Permanently switch to the desired uid. */ | 1569 | /* Permanently switch to the desired uid. */ |
1542 | permanently_set_uid(pw); | 1570 | permanently_set_uid(pw); |
1543 | #endif | 1571 | #endif |
@@ -2048,7 +2076,7 @@ session_pty_req(Session *s) | |||
2048 | u_int len; | 2076 | u_int len; |
2049 | int n_bytes; | 2077 | int n_bytes; |
2050 | 2078 | ||
2051 | if (no_pty_flag) { | 2079 | if (no_pty_flag || !options.permit_tty) { |
2052 | debug("Allocating a pty not permitted for this authentication."); | 2080 | debug("Allocating a pty not permitted for this authentication."); |
2053 | return 0; | 2081 | return 0; |
2054 | } | 2082 | } |
@@ -2109,15 +2137,16 @@ session_subsystem_req(Session *s) | |||
2109 | struct stat st; | 2137 | struct stat st; |
2110 | u_int len; | 2138 | u_int len; |
2111 | int success = 0; | 2139 | int success = 0; |
2112 | char *prog, *cmd, *subsys = packet_get_string(&len); | 2140 | char *prog, *cmd; |
2113 | u_int i; | 2141 | u_int i; |
2114 | 2142 | ||
2143 | s->subsys = packet_get_string(&len); | ||
2115 | packet_check_eom(); | 2144 | packet_check_eom(); |
2116 | logit("subsystem request for %.100s by user %s", subsys, | 2145 | debug2("subsystem request for %.100s by user %s", s->subsys, |
2117 | s->pw->pw_name); | 2146 | s->pw->pw_name); |
2118 | 2147 | ||
2119 | for (i = 0; i < options.num_subsystems; i++) { | 2148 | for (i = 0; i < options.num_subsystems; i++) { |
2120 | if (strcmp(subsys, options.subsystem_name[i]) == 0) { | 2149 | if (strcmp(s->subsys, options.subsystem_name[i]) == 0) { |
2121 | prog = options.subsystem_command[i]; | 2150 | prog = options.subsystem_command[i]; |
2122 | cmd = options.subsystem_args[i]; | 2151 | cmd = options.subsystem_args[i]; |
2123 | if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) { | 2152 | if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) { |
@@ -2136,10 +2165,9 @@ session_subsystem_req(Session *s) | |||
2136 | } | 2165 | } |
2137 | 2166 | ||
2138 | if (!success) | 2167 | if (!success) |
2139 | logit("subsystem request for %.100s failed, subsystem not found", | 2168 | logit("subsystem request for %.100s by user %s failed, " |
2140 | subsys); | 2169 | "subsystem not found", s->subsys, s->pw->pw_name); |
2141 | 2170 | ||
2142 | free(subsys); | ||
2143 | return success; | 2171 | return success; |
2144 | } | 2172 | } |
2145 | 2173 | ||
@@ -2494,6 +2522,7 @@ session_close(Session *s) | |||
2494 | free(s->auth_display); | 2522 | free(s->auth_display); |
2495 | free(s->auth_data); | 2523 | free(s->auth_data); |
2496 | free(s->auth_proto); | 2524 | free(s->auth_proto); |
2525 | free(s->subsys); | ||
2497 | if (s->env != NULL) { | 2526 | if (s->env != NULL) { |
2498 | for (i = 0; i < s->num_env; i++) { | 2527 | for (i = 0; i < s->num_env; i++) { |
2499 | free(s->env[i].name); | 2528 | free(s->env[i].name); |
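Review bot: In session_subsystem_req the new `s->subsys = packet_get_string(&len);` overwrites whatever the field already held, and the per-call `free(subsys)` at the end of the function is removed, so the string is now released only by the `free(s->subsys)` added to session_close. If the same session can receive a second subsystem request, for example after one that ended in "subsystem not found", each earlier client-supplied name is leaked until the process exits; the dispatcher is outside these hunks, so this is inferred rather than shown. Releasing the previous value first, `free(s->subsys);` immediately before the assignment, keeps ownership with the Session. That is safe under the same assumption the session_close change already makes, namely that the field starts out NULL.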