From 72e6b5c9ed5e72ca3a6ccc3177941b7c487a0826 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Fri, 4 Jul 2014 09:00:04 +1000
Subject:    - djm@cvs.openbsd.org 2014/07/03 22:40:43      [servconf.c
 servconf.h session.c sshd.8 sshd_config.5]      Add a sshd_config
 PermitUserRC option to control whether ~/.ssh/rc is      executed, mirroring
 the no-user-rc authorized_keys option;      bz#2160; ok markus@

---
 ChangeLog     |  5 +++++
 servconf.c    | 14 ++++++++++++--
 servconf.h    |  3 ++-
 session.c     |  5 +++--
 sshd.8        |  9 ++++++---
 sshd_config.5 | 11 +++++++++--
 6 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f430bfe8a..2a29c2ee0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,11 @@
      allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
      GatewayPorts=no; allows client to choose address family;
      bz#2222 ok markus@
+   - djm@cvs.openbsd.org 2014/07/03 22:40:43
+     [servconf.c servconf.h session.c sshd.8 sshd_config.5]
+     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
+     executed, mirroring the no-user-rc authorized_keys option;
+     bz#2160; ok markus@
 
 20140703
  - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
diff --git a/servconf.c b/servconf.c
index 7ba65d51d..331716c8f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.250 2014/07/03 22:40:43 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -93,6 +93,7 @@ initialize_server_options(ServerOptions *options)
 	options->x11_display_offset = -1;
 	options->x11_use_localhost = -1;
 	options->permit_tty = -1;
+	options->permit_user_rc = -1;
 	options->xauth_location = NULL;
 	options->strict_modes = -1;
 	options->tcp_keep_alive = -1;
@@ -216,6 +217,8 @@ fill_default_server_options(ServerOptions *options)
 		options->xauth_location = _PATH_XAUTH;
 	if (options->permit_tty == -1)
 		options->permit_tty = 1;
+	if (options->permit_user_rc == -1)
+		options->permit_user_rc = 1;
 	if (options->strict_modes == -1)
 		options->strict_modes = 1;
 	if (options->tcp_keep_alive == -1)
@@ -347,7 +350,7 @@ typedef enum {
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-	sAuthenticationMethods, sHostKeyAgent,
+	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -460,6 +463,7 @@ static struct {
 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
 	{ "permittty", sPermitTTY, SSHCFG_ALL },
+	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
 	{ "match", sMatch, SSHCFG_ALL },
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -1130,6 +1134,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->permit_tty;
 		goto parse_flag;
 
+	case sPermitUserRC:
+		intptr = &options->permit_user_rc;
+		goto parse_flag;
+
 	case sStrictModes:
 		intptr = &options->strict_modes;
 		goto parse_flag;
@@ -1766,6 +1774,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(x11_forwarding);
 	M_CP_INTOPT(x11_use_localhost);
 	M_CP_INTOPT(permit_tty);
+	M_CP_INTOPT(permit_user_rc);
 	M_CP_INTOPT(max_sessions);
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
@@ -2007,6 +2016,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
+	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
diff --git a/servconf.h b/servconf.h
index 752d1c5ae..f2a177649 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.112 2014/01/29 06:18:35 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.113 2014/07/03 22:40:43 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -83,6 +83,7 @@ typedef struct {
 	int     x11_use_localhost;	/* If true, use localhost for fake X11 server. */
 	char   *xauth_location;	/* Location of xauth program */
 	int	permit_tty;	/* If false, deny pty allocation */
+	int	permit_user_rc;	/* If false, deny ~/.ssh/rc execution */
 	int     strict_modes;	/* If true, require string home dir modes. */
 	int     tcp_keep_alive;	/* If true, set SO_KEEPALIVE. */
 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
diff --git a/session.c b/session.c
index 821867d59..b5979dd91 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.272 2014/07/03 03:34:09 djm Exp $ */
+/* $OpenBSD: session.c,v 1.273 2014/07/03 22:40:43 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1359,7 +1359,8 @@ do_rc_files(Session *s, const char *shell)
 
 	/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
 	if (!s->is_subsystem && options.adm_forced_command == NULL &&
-	    !no_user_rc && stat(_PATH_SSH_USER_RC, &st) >= 0) {
+	    !no_user_rc && options.permit_user_rc &&
+	    stat(_PATH_SSH_USER_RC, &st) >= 0) {
 		snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
 		    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
 		if (debug_flag)
diff --git a/sshd.8 b/sshd.8
index 3f27521d9..01459d637 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.275 2014/04/19 18:15:16 tedu Exp $
-.Dd $Mdocdate: April 19 2014 $
+.\" $OpenBSD: sshd.8,v 1.276 2014/07/03 22:40:43 djm Exp $
+.Dd $Mdocdate: July 3 2014 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -408,7 +408,10 @@ Changes to user's home directory.
 .It
 If
 .Pa ~/.ssh/rc
-exists, runs it; else if
+exists and the
+.Xr sshd_config 5
+.Cm PermitUserRC
+option is set, runs it; else if
 .Pa /etc/ssh/sshrc
 exists, runs
 it; otherwise runs xauth.
diff --git a/sshd_config.5 b/sshd_config.5
index 88be8d984..06fd62de7 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.173 2014/03/28 05:17:11 naddy Exp $
-.Dd $Mdocdate: March 28 2014 $
+.\" $OpenBSD: sshd_config.5,v 1.174 2014/07/03 22:40:43 djm Exp $
+.Dd $Mdocdate: July 3 2014 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -912,6 +912,7 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTTY ,
 .Cm PermitTunnel ,
+.Cm PermitUserRC ,
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RhostsRSAAuthentication ,
@@ -1060,6 +1061,12 @@ The default is
 Enabling environment processing may enable users to bypass access
 restrictions in some configurations using mechanisms such as
 .Ev LD_PRELOAD .
+.It Cm PermitUserRC
+Specifies whether any
+.Pa ~/.ssh/rc
+file is executed.
+The default is
+.Dq yes .
 .It Cm PidFile
 Specifies the file that contains the process ID of the
 SSH daemon.
-- 
cgit v1.2.3