Bugzilla – Attachment 578 Details for
Bug 815
RFE: sshd should be able to set environment variables defined by the client
[patch]
Implement environment passing
envpass.diff (text/plain), 9.58 KB, created by
Damien Miller
on 2004-03-30 13:58:47 AEST
Description:
Implement environment passing
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2004-03-30 13:58:47 AEST
Size:
9.58 KB
patch
obsolete
>? ssh.core
>Index: channels.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/channels.c,v
>retrieving revision 1.200
>diff -u -r1.200 channels.c
>--- channels.c 19 Jan 2004 09:24:21 -0000 1.200
>+++ channels.c 30 Mar 2004 03:54:27 -0000
>@@ -1914,7 +1914,6 @@
> if (buffer_len(&c->input) == 0)
> chan_ibuf_empty(c);
> }
>-
> }
>
> void
>Index: readconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/readconf.c,v
>retrieving revision 1.128
>diff -u -r1.128 readconf.c
>--- readconf.c 5 Mar 2004 10:53:58 -0000 1.128
>+++ readconf.c 30 Mar 2004 03:54:27 -0000
>@@ -106,6 +106,7 @@
> oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
> oAddressFamily, oGssAuthentication, oGssDelegateCreds,
> oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
>+ oSendEnv,
> oDeprecated, oUnsupported
> } OpCodes;
>
>@@ -193,6 +194,7 @@
> { "addressfamily", oAddressFamily },
> { "serveraliveinterval", oServerAliveInterval },
> { "serveralivecountmax", oServerAliveCountMax },
>+ { "sendenv", oSendEnv },
> { NULL, oBadOption }
> };
>
>@@ -747,6 +749,19 @@
> intptr = &options->server_alive_count_max;
> goto parse_int;
>
>+ case oSendEnv:
>+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
>+ if (strchr(arg, '=') != NULL)
>+ fatal("%s line %d: Invalid environment name.",
>+ filename, linenum);
>+ if (options->num_send_env >= MAX_SEND_ENV)
>+ fatal("%s line %d: too many send env.",
>+ filename, linenum);
>+ options->send_env[options->num_send_env++] =
>+ xstrdup(arg);
>+ }
>+ break;
>+
> case oDeprecated:
> debug("%s line %d: Deprecated option \"%s\"",
> filename, linenum, keyword);
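Review bot: The `case oSendEnv:` branch appends to `options->send_env` every time the keyword is seen and nothing visible ever clears the list, so a wildcard pattern in a shared configuration file ends up applying to every host the client connects to. Because each matching variable is transmitted together with its value, the case deserves a comment such as `/* Patterns accumulate across SendEnv lines; matching variables are sent with their values. */`, and the same caveat belongs wherever the option is documented. The enclosing parser function starts and ends outside the hunk.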
>@@ -877,6 +892,7 @@
> options->verify_host_key_dns = -1;
> options->server_alive_interval = -1;
> options->server_alive_count_max = -1;
>+ options->num_send_env = 0;
> }
>
> /*
>Index: readconf.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/readconf.h,v
>retrieving revision 1.60
>diff -u -r1.60 readconf.h
>--- readconf.h 5 Mar 2004 10:53:58 -0000 1.60
>+++ readconf.h 30 Mar 2004 03:54:28 -0000
>@@ -27,6 +27,8 @@
> } Forward;
> /* Data structure for representing option data. */
>
>+#define MAX_SEND_ENV 256
>+
> typedef struct {
> int forward_agent; /* Forward authentication agent. */
> int forward_x11; /* Forward X11 display. */
>@@ -103,6 +105,9 @@
> int identities_only;
> int server_alive_interval;
> int server_alive_count_max;
>+
>+ int num_send_env;
>+ char *send_env[MAX_SEND_ENV];
> } Options;
>
>
>Index: servconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
>retrieving revision 1.130
>diff -u -r1.130 servconf.c
>--- servconf.c 23 Dec 2003 16:12:10 -0000 1.130
>+++ servconf.c 30 Mar 2004 03:54:28 -0000
>@@ -96,6 +96,7 @@
> options->client_alive_count_max = -1;
> options->authorized_keys_file = NULL;
> options->authorized_keys_file2 = NULL;
>+ options->num_allow_env = 0;
>
> /* Needs to be accessable in many places */
> use_privsep = -1;
>@@ -243,7 +244,7 @@
> sBanner, sUseDNS, sHostbasedAuthentication,
> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
> sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
>- sGssAuthentication, sGssCleanupCreds,
>+ sGssAuthentication, sGssCleanupCreds, sAllowEnv,
> sUsePrivilegeSeparation,
> sDeprecated, sUnsupported
> } ServerOpCodes;
>@@ -331,6 +332,7 @@
> { "authorizedkeysfile", sAuthorizedKeysFile },
> { "authorizedkeysfile2", sAuthorizedKeysFile2 },
> { "useprivilegeseparation", sUsePrivilegeSeparation},
>+ { "allowenv", sAllowEnv },
> { NULL, sBadOption }
> };
>
>@@ -850,6 +852,19 @@
> case sClientAliveCountMax:
> intptr = &options->client_alive_count_max;
> goto parse_int;
>+
>+ case sAllowEnv:
>+ while ((arg = strdelim(&cp)) && *arg != '\0') {
>+ if (strchr(arg, '=') != NULL)
>+ fatal("%s line %d: Invalid environment name.",
>+ filename, linenum);
>+ if (options->num_allow_env >= MAX_ALLOW_ENV)
>+ fatal("%s line %d: too many allow env.",
>+ filename, linenum);
>+ options->allow_env[options->num_allow_env++] =
>+ xstrdup(arg);
>+ }
>+ break;
>
> case sDeprecated:
> logit("%s line %d: Deprecated option %s",
>Index: servconf.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
>retrieving revision 1.67
>diff -u -r1.67 servconf.h
>--- servconf.h 23 Dec 2003 16:12:10 -0000 1.67
>+++ servconf.h 30 Mar 2004 03:54:28 -0000
>@@ -24,6 +24,7 @@
> #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */
> #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
> #define MAX_HOSTKEYS 256 /* Max # hostkeys. */
>+#define MAX_ALLOW_ENV 256 /* Max # of env vars. */
>
> /* permit_root_login */
> #define PERMIT_NOT_SET -1
>@@ -106,6 +107,9 @@
> u_int num_subsystems;
> char *subsystem_name[MAX_SUBSYSTEMS];
> char *subsystem_command[MAX_SUBSYSTEMS];
>+
>+ u_int num_allow_env;
>+ char *allow_env[MAX_ALLOW_ENV];
>
> int max_startups_begin;
> int max_startups_rate;
>Index: session.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/session.c,v
>retrieving revision 1.172
>diff -u -r1.172 session.c
>--- session.c 30 Jan 2004 09:48:57 -0000 1.172
>+++ session.c 30 Mar 2004 03:54:29 -0000
>@@ -42,6 +42,7 @@
> #include "sshpty.h"
> #include "packet.h"
> #include "buffer.h"
>+#include "match.h"
> #include "mpaux.h"
> #include "uidswap.h"
> #include "compat.h"
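Review bot: `case sAllowEnv:` introduces a security-relevant server option without any comment on its semantics, and no manual page change is visible in this attachment. The entries are used as wildcard patterns by `match_pattern()` in the session.c hunk, and an empty list makes the server refuse every client variable, so I would state that at the case: `/* AllowEnv: wildcard patterns for client-supplied variable names; an empty list accepts none. */`. The documentation should also tell administrators that accepting variables which influence the dynamic loader or shell start-up lets an authenticated user change the execution environment of an otherwise restricted account. The enclosing parser function starts and ends outside the hunk.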
>@@ -784,6 +785,9 @@
> env = xmalloc(envsize * sizeof(char *));
> env[0] = NULL;
>
>+ for (i = 0; i < s->num_env; i++)
>+ child_set_env(&env, &envsize, s->env[i].name, s->env[i].val);
>+
> #ifdef GSSAPI
> /* Allow any GSSAPI methods that we've used to alter
> * the childs environment as they see fit
>@@ -1514,6 +1518,41 @@
> }
>
> static int
>+session_env_req(Session *s)
>+{
>+ char *name, *val;
>+ u_int name_len, val_len, i;
>+
>+ name = packet_get_string(&name_len);
>+ val = packet_get_string(&val_len);
>+ packet_check_eom();
>+
>+ /* Don't set too many environment variables */
>+ if (s->num_env > 128) {
>+ debug2("Ignoring env request %s: too many env vars", name);
>+ goto fail;
>+ }
>+
>+ for (i = 0; i < options.num_allow_env; i++) {
>+ if (match_pattern(name, options.allow_env[i])) {
>+ debug2("Setting env %d: %s=%s", s->num_env, name, val);
>+ s->env = xrealloc(s->env, sizeof(*s->env) *
>+ (s->num_env + 1));
>+ s->env[s->num_env].name = name;
>+ s->env[s->num_env].val = val;
>+ s->num_env++;
>+ return (1);
>+ }
>+ }
>+ debug2("Ignoring env request %s: disallowed name", name);
>+
>+ fail:
>+ xfree(name);
>+ xfree(val);
>+ return (0);
>+}
>+
>+static int
> session_auth_agent_req(Session *s)
> {
> static int called = 0;
>@@ -1562,6 +1601,8 @@
> success = session_subsystem_req(s);
> } else if (strcmp(rtype, "break") == 0) {
> success = session_break_req(s);
>+ } else if (strcmp(rtype, "env") == 0) {
>+ success = session_env_req(s);
> }
> }
> if (strcmp(rtype, "window-change") == 0) {
>@@ -1695,6 +1736,8 @@
> void
> session_close(Session *s)
> {
>+ int i;
>+
> debug("session_close: session %d pid %ld", s->self, (long)s->pid);
> if (s->ttyfd != -1)
> session_pty_cleanup(s);
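Review bot: `session_env_req()` checks the client-supplied `name` only against the `AllowEnv` patterns, while both config parsers in this patch reject anything containing `=`. A name that itself contains `=` can still satisfy a wildcard pattern, and if `child_set_env()` joins name and value with `=` (not visible here) the child would get a variable other than the one the administrator meant to permit. `name_len` and `val_len` are read but never used, so an empty name or an embedded NUL also goes unnoticed. I would add `if (name_len == 0 || strlen(name) != name_len || strchr(name, '=') != NULL) goto fail;` before the allow-list loop. The literal in `s->num_env > 128` also wants a named constant, and as written it admits 129 entries.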
>@@ -1709,6 +1752,12 @@
> if (s->auth_proto)
> xfree(s->auth_proto);
> s->used = 0;
>+ for (i = 0; i < s->num_env; i++) {
>+ xfree(s->env[i].name);
>+ xfree(s->env[i].val);
>+ }
>+ if (s->env != NULL)
>+ xfree(s->env);
> session_proctitle(s);
> }
>
>Index: session.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/session.h,v
>retrieving revision 1.21
>diff -u -r1.21 session.h
>--- session.h 23 Sep 2003 20:17:11 -0000 1.21
>+++ session.h 30 Mar 2004 03:54:29 -0000
>@@ -53,6 +53,11 @@
> /* proto 2 */
> int chanid;
> int is_subsystem;
>+ int num_env;
>+ struct {
>+ char *name;
>+ char *val;
>+ } *env;
> };
>
> void do_authenticated(Authctxt *);
>Index: sftp-client.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sftp-client.c,v
>retrieving revision 1.47
>diff -u -r1.47 sftp-client.c
>--- sftp-client.c 3 Mar 2004 09:30:42 -0000 1.47
>+++ sftp-client.c 30 Mar 2004 03:54:30 -0000
>@@ -643,7 +643,7 @@
>
> buffer_init(&msg);
>
>- /* Send rename request */
>+ /* Send symlink request */
> id = conn->msg_id++;
> buffer_put_char(&msg, SSH2_FXP_SYMLINK);
> buffer_put_int(&msg, id);
>Index: ssh.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
>retrieving revision 1.209
>diff -u -r1.209 ssh.c
>--- ssh.c 11 Mar 2004 10:21:17 -0000 1.209
>+++ ssh.c 30 Mar 2004 03:54:30 -0000
>@@ -68,6 +68,7 @@
> #include "kex.h"
> #include "mac.h"
> #include "sshtty.h"
>+#include "match.h"
>
> #ifdef SMARTCARD
> #include "scard.h"
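Review bot: In the `session_close()` hunk the new cleanup frees every `s->env[i]` and then `s->env`, but leaves `s->env` and `s->num_env` holding their old values after `s->used = 0` has already marked the slot as free. If the code that hands out Session slots does not zero the structure (it is not visible here), a later `session_env_req()` or `session_close()` on the reused slot would touch freed memory. I would finish the cleanup with `s->env = NULL;` and `s->num_env = 0;`. The function begins in the preceding hunk and this hunk shows only its tail.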
>@@ -1039,6 +1040,44 @@
> debug("Requesting authentication agent forwarding.");
> channel_request_start(id, "auth-agent-req@openssh.com", 0);
> packet_send();
>+ }
>+
>+ /* Transfer any environment variables from client to server */
>+ if (options.num_send_env != 0) {
>+ int i, j, matched;
>+ extern char **environ;
>+ char *name, *val;
>+
>+ debug("Sending environment.");
>+ for (i = 0; environ && environ[i] != NULL; i++) {
>+ /* Split */
>+ name = xstrdup(environ[i]);
>+ if ((val = strchr(name, '=')) == NULL) {
>+ free(name);
>+ continue;
>+ }
>+ *val++ = '\0';
>+
>+ matched = 0;
>+ for (j = 0; j < options.num_send_env; j++) {
>+ if (match_pattern(name, options.send_env[j])) {
>+ matched = 1;
>+ break;
>+ }
>+ }
>+ if (!matched) {
>+ debug3("Ignored env %s", name);
>+ free(name);
>+ continue;
>+ }
>+
>+ debug("Sending env %s = %s", name, val);
>+ channel_request_start(id, "env", 0);
>+ packet_put_cstring(name);
>+ packet_put_cstring(val);
>+ packet_send();
>+ free(name);
>+ }
> }
>
> len = buffer_len(&command);
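Review bot: `debug("Sending env %s = %s", name, val);` writes the value of every forwarded variable at the first debug level, so a variable holding a token or password ends up in terminal scrollback or a captured debug log. I would log only the name there, `debug("Sending env %s", name);`, and keep the value out or at `debug3`; the server-side `debug2("Setting env %d: %s=%s", ...)` in session.c has the same issue. The block also releases `name` with `free()` although it came from `xstrdup()` and the rest of the patch uses `xfree()`; `xfree(name);` would be consistent. The enclosing function starts and ends outside the hunk.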
Attachments on
bug 815
:
578
|
620