Bugzilla – Attachment 2535 Details for
Bug 2062
Add support for a ForceShell sshd option
[patch]
Updated patch
force-shell-vs-git.diff (text/plain), 4.56 KB, created by
Iain Morgan
on 2015-01-28 09:22:20 AEDT
Description:
Updated patch
Filename:
MIME Type:
Creator:
Iain Morgan
Created:
2015-01-28 09:22:20 AEDT
Size:
4.56 KB
patch
obsolete
>diff --git a/auth.c b/auth.c
>index facc962..559bab5 100644
>--- a/auth.c
>+++ b/auth.c
>@@ -159,8 +159,9 @@ allowed_user(struct passwd * pw)
> * Deny if shell does not exist or is not executable unless we
> * are chrooting.
> */
>- if (options.chroot_directory == NULL ||
>- strcasecmp(options.chroot_directory, "none") == 0) {
>+ if (options.adm_forced_shell == NULL &&
>+ (options.chroot_directory == NULL ||
>+ strcasecmp(options.chroot_directory, "none") == 0)) {
> char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
> _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */
>
>diff --git a/servconf.c b/servconf.c
>index 475076b..68adca2 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
> options->ip_qos_bulk = -1;
> options->version_addendum = NULL;
> options->fingerprint_hash = -1;
>+ options->adm_forced_shell = NULL;
> }
>
> /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
>@@ -400,7 +401,7 @@ typedef enum {
> sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
> sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
> sStreamLocalBindMask, sStreamLocalBindUnlink,
>- sAllowStreamLocalForwarding, sFingerprintHash,
>+ sAllowStreamLocalForwarding, sFingerprintHash, sForceShell,
> sDeprecated, sUnsupported
> } ServerOpCodes;
>
>@@ -534,6 +535,7 @@ static struct {
> { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
> { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
> { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
>+ { "forceshell", sForceShell, SSHCFG_ALL },
> { NULL, sBadOption, 0 }
> };
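Review bot: In the allowed_user hunk the forced shell is exempted from the "does not exist or is not executable" check rather than subjected to it, so a ForceShell path that is missing or not executable is only discovered at exec time in do_child instead of being denied here. Keeping the original chroot condition and substituting the forced shell into the path that is checked, `char *shell = xstrdup(options.adm_forced_shell != NULL ? options.adm_forced_shell : (pw->pw_shell[0] == '\0' ? _PATH_BSHELL : pw->pw_shell));`, would keep the check described by the preceding comment in force for both cases. Whether Match-derived values of adm_forced_shell are already applied by the time allowed_user runs is not visible in this hunk and should be confirmed before relying on that. The check itself and the rest of allowed_user lie outside the hunk.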
>
>@@ -1743,6 +1745,15 @@ process_server_config_line(ServerOptions *options, char *line,
> options->fingerprint_hash = value;
> break;
>
>+ case sForceShell:
>+ if (cp == NULL)
>+ fatal("%.200s line %d: Missing argument.", filename,
>+ linenum);
>+ len = strspn(cp, WHITESPACE);
>+ if (*activep && options->adm_forced_shell == NULL)
>+ options->adm_forced_shell = xstrdup(cp + len);
>+ return 0;
>+
> case sDeprecated:
> logit("%s line %d: Deprecated option %s",
> filename, linenum, arg);
>@@ -1924,6 +1935,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
>
> M_CP_STROPT(adm_forced_command);
> M_CP_STROPT(chroot_directory);
>+ M_CP_STROPT(adm_forced_shell);
> }
>
> #undef M_CP_INTOPT
>@@ -2173,6 +2185,7 @@ dump_config(ServerOptions *o)
> o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
> dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
> o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
>+ dump_cfg_string(sForceShell, o->adm_forced_shell);
>
> /* string arguments requiring a lookup */
> dump_cfg_string(sLogLevel, log_level_name(o->log_level));
>diff --git a/servconf.h b/servconf.h
>index 9922f0c..f1392e0 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -189,6 +189,8 @@ typedef struct {
> char *auth_methods[MAX_AUTH_METHODS];
>
> int fingerprint_hash;
>+
>+ char *adm_forced_shell;
> } ServerOptions;
>
> /* Information about the incoming connection as used by Match */
>diff --git a/session.c b/session.c
>index 54bac36..1d798e0 100644
>--- a/session.c
>+++ b/session.c
>@@ -828,7 +828,9 @@ do_exec(Session *s, const char *command)
> else if (s->ttyfd == -1) {
> char *shell = s->pw->pw_shell;
>
>- if (shell[0] == '\0') /* empty shell means /bin/sh */
>+ if (options.adm_forced_shell)
>+ shell = options.adm_forced_shell;
>+ else if (shell[0] == '\0') /* empty shell means /bin/sh */
> shell =_PATH_BSHELL;
> PRIVSEP(audit_run_command(shell));
> }
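Review bot: The sForceShell case in process_server_config_line only rejects a NULL argument, so a `ForceShell` line whose remainder is empty or whitespace-only passes the guard, `strspn` consumes everything, and `xstrdup(cp + len)` stores an empty string that session.c then treats as a valid shell path. Widening the guard to `if (cp == NULL || *cp == '\0')` and rejecting the case where `cp[len] == '\0'` after skipping WHITESPACE turns this into a parse-time fatal, consistent with the Missing-argument handling other string options in this file use (the sForceCommand case is the natural model, if it carries that form). Since the stored value is later executed as a path without further checks in the session hunks, a parse-time requirement that it be absolute would also be reasonable. process_server_config_line begins and ends outside the hunk.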
>@@ -1728,6 +1730,8 @@ do_child(Session *s, const char *command)
> * legal, and means /bin/sh.
> */
> shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
>+ if (options.adm_forced_shell)
>+ shell = options.adm_forced_shell;
>
> /*
> * Make sure $SHELL points to the shell from the password file,
>diff --git a/sshd_config.5 b/sshd_config.5
>index 4fd93d6..8747844 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -539,6 +539,14 @@ Specifying a command of
> will force the use of an in-process sftp server that requires no support
> files when used with
> .Cm ChrootDirectory .
>+.It Cm ForceShell
>+Executes the command specified by
>+.Cm ForceShell
>+in place of the user's normal login shell.
>+This applies to shell, command, or subsystem execution.
>+It is most useful inside a
>+.Cm Match
>+block.
> .It Cm GatewayPorts
> Specifies whether remote hosts are allowed to connect to ports
> forwarded for the client.
>@@ -980,6 +988,7 @@ Available keywords are
> .Cm DenyGroups ,
> .Cm DenyUsers ,
> .Cm ForceCommand ,
>+.Cm ForceShell ,
> .Cm GatewayPorts ,
> .Cm GSSAPIAuthentication ,
> .Cm HostbasedAcceptedKeyTypes ,
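Review bot: After the added override in do_child, `shell` no longer holds the password-file shell, yet the context comment immediately below still reads `Make sure $SHELL points to the shell from the password file`; if the environment setup that follows (outside the hunk) derives $SHELL from this variable, the forced shell is exported as $SHELL, a behaviour change the sshd_config.5 hunk does not mention. Either keep the pw_shell-derived value in a separate variable for $SHELL or update the comment to say that ForceShell overrides both the executed shell and $SHELL, and document that in the manpage entry. do_child starts and ends outside the hunk.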