Bugzilla – Attachment 2559 Details for Bug 2276
AuthorizedKeysCommand: add an option for alternate owner
AuthorizedKeysCommand-owner-can-be-the-one-that-star.patch
0001-AuthorizedKeysCommand-owner-can-be-the-one-that-star.patch (text/plain), 1.96 KB, created by Alon Bar-Lev on 2015-03-04 18:35:13 AEDT
>From 34b393d7e5b55674ec6c31cf2506b7e4355ce7bb Mon Sep 17 00:00:00 2001 >From: Alon Bar-Lev <alon.barlev@gmail.com> >Date: Tue, 7 Oct 2014 15:18:58 +0300 >Subject: [PATCH] AuthorizedKeysCommand: owner can be the one that started sshd > >Currently the owner of AuthorizedKeysCommand must be root. > >This patch relaxes this check to whoever started sshd. > >Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> >Bug-Url: https://bugzilla.mindrot.org/show_bug.cgi?id=2276 >--- > auth2-pubkey.c | 4 ++-- > servconf.c | 1 + > servconf.h | 1 + > 3 files changed, 4 insertions(+), 2 deletions(-) > >diff --git a/auth2-pubkey.c b/auth2-pubkey.c >index d943efa..e6c3f01 100644 >--- a/auth2-pubkey.c >+++ b/auth2-pubkey.c >@@ -561,8 +561,8 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) > options.authorized_keys_command, strerror(errno)); > goto out; > } >- if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0, >- errmsg, sizeof(errmsg)) != 0) { >+ if (auth_secure_path(options.authorized_keys_command, &st, NULL, >+ options.authorized_keys_command_owner, errmsg, sizeof(errmsg)) != 0) { > error("Unsafe AuthorizedKeysCommand: %s", errmsg); > goto out; > } >diff --git a/servconf.c b/servconf.c >index 3185462..121b904 100644 >--- a/servconf.c >+++ b/servconf.c >@@ -155,6 +155,7 @@ initialize_server_options(ServerOptions *options) > options->adm_forced_command = NULL; > options->chroot_directory = NULL; > options->authorized_keys_command = NULL; >+ options->authorized_keys_command_owner = geteuid(); > options->authorized_keys_command_user = NULL; > options->revoked_keys_file = NULL; > options->trusted_user_ca_keys = NULL; >diff --git a/servconf.h b/servconf.h >index 9922f0c..1f2e1ad 100644 >--- a/servconf.h >+++ b/servconf.h 
>@@ -178,6 +178,7 @@ typedef struct { > char *trusted_user_ca_keys; > char *authorized_principals_file; > char *authorized_keys_command; >+ uid_t authorized_keys_command_owner; > char *authorized_keys_command_user; > > int64_t rekey_limit; >-- >2.0.5 >
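Review bot: in the auth2-pubkey.c hunk (user_key_command_allowed2), replacing the literal 0 passed to auth_secure_path with options.authorized_keys_command_owner means that when sshd is started by an unprivileged account, a helper owned by that account passes the "Unsafe AuthorizedKeysCommand" check, so anything able to write as that account can change the program that supplies authorized keys. Please confirm how auth_secure_path treats the parent directories of the command when given a non-zero uid, and consider including the expected owner in the error() text so a rejected path can be diagnosed from the log.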
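Review bot: in the servconf.c hunk, authorized_keys_command_owner is assigned geteuid() inside initialize_server_options, while the neighbouring fields are set to NULL, and nothing in this patch parses a configuration keyword for it, so the owner cannot be chosen by the administrator even though the bug title asks for an option. Either add the keyword with its parsing and documentation (the diffstat touches only auth2-pubkey.c, servconf.c and servconf.h), or state in the commit message and a comment that the value is always derived from the effective uid at startup.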
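Review bot: the new uid_t authorized_keys_command_owner member in the servconf.h hunk has no comment and sits between authorized_keys_command and authorized_keys_command_user, both char * configuration values, so it reads like a parsed setting. A one-line comment saying that it holds the uid allowed to own the command, and where that uid comes from, would make the intent clear to the next reader.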
Attachments on bug 2276: 2474 | 2558 | 2559 | 2560