Attachment #1778 for bug #1679




{
	struct stat st;
	const char *hostname = NULL, *ipaddr = NULL;
	char *shell, *tmp, *chroot_path;
	u_int i;

	/* Shouldn't be called if pw is NULL, but better safe than sorry... */

	 * Get the shell from the password data.  An empty shell field is
	 * legal, and means /bin/sh.
	 */
	shell = xstrdup((pw->pw_shell[0] == '\0') ?
	    _PATH_BSHELL : pw->pw_shell);

	/*
	 * Amend shell if chroot is requested.
	 */
	if (options.chroot_directory != NULL &&
	    strcasecmp(options.chroot_directory, "none") != 0) {
		tmp = tilde_expand_filename(options.chroot_directory,
		    pw->pw_uid);
		chroot_path = percent_expand(tmp, "h", pw->pw_dir,
		    "u", pw->pw_name, (char *)NULL);
		xfree(tmp);
		xasprintf(&tmp, "%s/%s", chroot_path, shell);
		xfree(shell);
		shell = tmp;
		free(chroot_path);
	}

	/* deny if shell does not exists or is not executable */
	if (stat(shell, &st) != 0) {
		logit("User %.100s not allowed because shell %.100s does not exist",
		    pw->pw_name, shell);
		xfree(shell);
		return 0;
	}
	if (S_ISREG(st.st_mode) == 0 ||
	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
		logit("User %.100s not allowed because shell %.100s is not executable",
		    pw->pw_name, shell);
		xfree(shell);
		return 0;
	}
	xfree(shell);

	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {

Return to bug 1679

Lines 79-85 allowed_user(struct passwd * pw) Link Here

(-)auth.c (-2 / +22 lines)
79	{	79	{
80	struct stat st;	80	struct stat st;
81	const char hostname = NULL, ipaddr = NULL;	81	const char hostname = NULL, ipaddr = NULL;
82	char *shell;	82	char shell, tmp, *chroot_path;
83	u_int i;	83	u_int i;
84		84
85	/* Shouldn't be called if pw is NULL, but better safe than sorry... */	85	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
Lines 90-109 allowed_user(struct passwd * pw) Link Here
90	* Get the shell from the password data. An empty shell field is	90	* Get the shell from the password data. An empty shell field is
91	* legal, and means /bin/sh.	91	* legal, and means /bin/sh.
92	*/	92	*/
93	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;	93	shell = xstrdup((pw->pw_shell[0] == '\0') ?
		94	_PATH_BSHELL : pw->pw_shell);
		95
		96	/*
		97	* Amend shell if chroot is requested.
		98	*/
		99	if (options.chroot_directory != NULL &&
		100	strcasecmp(options.chroot_directory, "none") != 0) {
		101	tmp = tilde_expand_filename(options.chroot_directory,
		102	pw->pw_uid);
		103	chroot_path = percent_expand(tmp, "h", pw->pw_dir,
		104	"u", pw->pw_name, (char *)NULL);
		105	xfree(tmp);
		106	xasprintf(&tmp, "%s/%s", chroot_path, shell);
		107	xfree(shell);
		108	shell = tmp;
		109	free(chroot_path);
		110	}
94		111
95	/* deny if shell does not exists or is not executable */	112	/* deny if shell does not exists or is not executable */
96	if (stat(shell, &st) != 0) {	113	if (stat(shell, &st) != 0) {
97	logit("User %.100s not allowed because shell %.100s does not exist",	114	logit("User %.100s not allowed because shell %.100s does not exist",
98	pw->pw_name, shell);	115	pw->pw_name, shell);
		116	xfree(shell);
99	return 0;	117	return 0;
100	}	118	}
101	if (S_ISREG(st.st_mode) == 0 \|\|	119	if (S_ISREG(st.st_mode) == 0 \|\|
102	(st.st_mode & (S_IXOTH\|S_IXUSR\|S_IXGRP)) == 0) {	120	(st.st_mode & (S_IXOTH\|S_IXUSR\|S_IXGRP)) == 0) {
103	logit("User %.100s not allowed because shell %.100s is not executable",	121	logit("User %.100s not allowed because shell %.100s is not executable",
104	pw->pw_name, shell);	122	pw->pw_name, shell);
		123	xfree(shell);
105	return 0;	124	return 0;
106	}	125	}
		126	xfree(shell);
107		127
108	if (options.num_deny_users > 0 \|\| options.num_allow_users > 0 \|\|	128	if (options.num_deny_users > 0 \|\| options.num_allow_users > 0 \|\|
109	options.num_deny_groups > 0 \|\| options.num_allow_groups > 0) {	129	options.num_deny_groups > 0 \|\| options.num_allow_groups > 0) {