
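--- a/servconf.c
+++ b/servconf.c
@@ -84,6 +84,7 @@ initialize_server_options(ServerOptions *options)
 	options->x11_display_offset = -1;
 	options->x11_use_localhost = -1;
 	options->permit_tty = -1;
+	options->permit_user_rc = -1;
 	options->xauth_location = NULL;
 	options->strict_modes = -1;
 	options->tcp_keep_alive = -1;
@@ -200,6 +201,8 @@ fill_default_server_options(ServerOptions *options)
 		options->xauth_location = _PATH_XAUTH;
 	if (options->permit_tty == -1)
 		options->permit_tty = 1;
+	if (options->permit_user_rc == -1)
+		options->permit_user_rc = 1;
 	if (options->strict_modes == -1)
 		options->strict_modes = 1;
 	if (options->tcp_keep_alive == -1)
@@ -318,7 +321,7 @@ typedef enum {
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-	sAuthenticationMethods, sHostKeyAgent,
+	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -419,6 +422,7 @@ static struct {
 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
 	{ "permittty", sPermitTTY, SSHCFG_ALL },
+	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
 	{ "match", sMatch, SSHCFG_ALL },
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -1083,6 +1087,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->permit_tty;
 		goto parse_flag;
 
+	case sPermitUserRC:
+		intptr = &options->permit_user_rc;
+		goto parse_flag;
+
 	case sStrictModes:
 		intptr = &options->strict_modes;
 		goto parse_flag;
@@ -1719,6 +1727,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(x11_forwarding);
 	M_CP_INTOPT(x11_use_localhost);
 	M_CP_INTOPT(permit_tty);
+	M_CP_INTOPT(permit_user_rc);
 	M_CP_INTOPT(max_sessions);
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
@@ -1955,6 +1964,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
+	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);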
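--- a/servconf.h
+++ b/servconf.h
@@ -83,6 +83,7 @@ typedef struct {
 	int     x11_use_localhost;	/* If true, use localhost for fake X11 server. */
 	char   *xauth_location;	/* Location of xauth program */
 	int	permit_tty;	/* If false, deny pty allocation */
+	int	permit_user_rc;	/* If false, deny ~/.ssh/rc execution */
 	int     strict_modes;	/* If true, require string home dir modes. */
 	int     tcp_keep_alive;	/* If true, set SO_KEEPALIVE. */
 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */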
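--- a/session.c
+++ b/session.c
@@ -1078,7 +1078,8 @@ do_rc_files(Session *s, const char *shell)
 
 	/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
 	if (!s->is_subsystem && options.adm_forced_command == NULL &&
-	    !no_user_rc && stat(_PATH_SSH_USER_RC, &st) >= 0) {
+	    !no_user_rc && options.permit_user_rc &&
+	    stat(_PATH_SSH_USER_RC, &st) >= 0) {
 		snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
 		    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
 		if (debug_flag)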
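Review bot: The comment above the condition in do_rc_files still lists only subsystems and admin forced commands, although the test now also skips the user rc file when `no_user_rc` is set or `options.permit_user_rc` is false; I would reword it to `/* ignore _PATH_SSH_USER_RC for subsystems, admin forced commands, and when no_user_rc or PermitUserRC=no applies */`. A short why-comment would also help an administrator reading this code: the new flag only stops sshd from running the user's rc file, and what runs instead when the test fails is decided by branches outside this hunk (the sshd.8 change in this patch describes /etc/ssh/sshrc, then xauth). The function body starts before and continues after the visible lines, so the fall-through behaviour could not be checked here.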
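--- a/sshd.8
+++ b/sshd.8
@@ -381,7 +381,10 @@ Changes to user's home directory.
 .It
 If
 .Pa ~/.ssh/rc
-exists, runs it; else if
+exists and the
+.Xr sshd_config 5
+.Cm PermitUserRC
+option is set, runs it; else if
 .Pa /etc/ssh/sshrc
 exists, runs
 it; otherwise runs xauth.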
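--- a/sshd_config.5
+++ b/sshd_config.5
@@ -913,6 +913,7 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTTY ,
 .Cm PermitTunnel ,
+.Cm PermitUserRC ,
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RhostsRSAAuthentication ,
@@ -1061,6 +1062,12 @@ The default is
 Enabling environment processing may enable users to bypass access
 restrictions in some configurations using mechanisms such as
 .Ev LD_PRELOAD .
+.It Cm PermitUserRC
+Specifies whether any
+.Pa ~/.ssh/rc
+file is executed.
+The default is
+.Dq yes .
 .It Cm PidFile
 Specifies the file that contains the process ID of the
 SSH daemon.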
