Bugzilla – Attachment 3156 Details for
Bug 2870
Support "%i" token expansion in the IdentityAgent option
[patch]
Cast to safe integral value
bz2870.diff (text/plain), 9.30 KB, created by
Damien Miller
on 2018-05-25 15:02:20 AEST
Description:
Cast to safe integral value
Creator:
Damien Miller
Created:
2018-05-25 15:02:20 AEST
Size:
9.30 KB
>diff --git a/auth.c b/auth.c
>index 63366768..ab28497d 100644
>--- a/auth.c
>+++ b/auth.c
>@@ -422,11 +422,13 @@ auth_root_allowed(struct ssh *ssh, const char *method)
> char *
> expand_authorized_keys(const char *filename, struct passwd *pw)
> {
>- char *file, ret[PATH_MAX];
>+ char *file, uidstr[32], ret[PATH_MAX];
> int i;
>
>+ snprintf(uidstr, sizeof(uidstr), "%llu",
>+ (unsigned long long)pw->pw_uid);
> file = percent_expand(filename, "h", pw->pw_dir,
>- "u", pw->pw_name, (char *)NULL);
>+ "u", pw->pw_name, "U", uidstr, (char *)NULL);
>
> /*
> * Ensure that filename starts anchored. If not, be backward
>diff --git a/auth2-pubkey.c b/auth2-pubkey.c
>index 8024b1d6..8f9a0da4 100644
>--- a/auth2-pubkey.c
>+++ b/auth2-pubkey.c
>@@ -387,7 +387,7 @@ match_principals_command(struct ssh *ssh, struct passwd *user_pw,
> pid_t pid;
> char *tmp, *username = NULL, *command = NULL, **av = NULL;
> char *ca_fp = NULL, *key_fp = NULL, *catext = NULL, *keytext = NULL;
>- char serial_s[16];
>+ char serial_s[16], uidstr[32];
> void (*osigchld)(int);
>
> if (authoptsp != NULL)
>@@ -447,8 +447,11 @@ match_principals_command(struct ssh *ssh, struct passwd *user_pw,
> }
> snprintf(serial_s, sizeof(serial_s), "%llu",
> (unsigned long long)cert->serial);
>+ snprintf(uidstr, sizeof(uidstr), "%llu",
>+ (unsigned long long)user_pw->pw_uid);
> for (i = 1; i < ac; i++) {
> tmp = percent_expand(av[i],
>+ "U", uidstr,
> "u", user_pw->pw_name,
> "h", user_pw->pw_dir,
> "t", sshkey_ssh_name(key),
>@@ -852,7 +855,7 @@ user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw,
> int i, uid_swapped = 0, ac = 0;
> pid_t pid;
> char *username = NULL, *key_fp = NULL, *keytext = NULL;
>- char *tmp, *command = NULL, **av = NULL;
>+ char uidstr[32], *tmp, *command = NULL, **av = NULL;
> void (*osigchld)(int);
>
> if (authoptsp != NULL)
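Review bot: The uid-formatting pair `snprintf(uidstr, sizeof(uidstr), "%llu", (unsigned long long)pw->pw_uid);` added to expand_authorized_keys in auth.c is repeated with its own `char uidstr[32]` in the auth2-pubkey.c hunks here and again in the readconf.c, session.c and sftp-server.c hunks. These strings feed authorization-relevant file paths and command arguments, so the cast and buffer size are better kept in one place. I would factor this into one small shared helper taking `(char *buf, size_t len, uid_t uid)` and call it at each site, so one call site cannot drift from the others. The enclosing function bodies start and end outside these hunks.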
>@@ -902,8 +905,11 @@ user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw,
> command);
> goto out;
> }
>+ snprintf(uidstr, sizeof(uidstr), "%llu",
>+ (unsigned long long)user_pw->pw_uid);
> for (i = 1; i < ac; i++) {
> tmp = percent_expand(av[i],
>+ "U", uidstr,
> "u", user_pw->pw_name,
> "h", user_pw->pw_dir,
> "t", sshkey_ssh_name(key),
>diff --git a/readconf.c b/readconf.c
>index 7b7a0d7e..07b594b3 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -551,6 +551,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
> const char *ruser;
> int r, port, this_result, result = 1, attributes = 0, negate;
> char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
>+ char uidstr[32];
>
> /*
> * Configuration is likely to be incomplete at this point so we
>@@ -631,6 +632,8 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
> strlcpy(shorthost, thishost, sizeof(shorthost));
> shorthost[strcspn(thishost, ".")] = '\0';
> snprintf(portstr, sizeof(portstr), "%d", port);
>+ snprintf(uidstr, sizeof(uidstr), "%llu",
>+ (unsigned long long)pw->pw_uid);
>
> cmd = percent_expand(arg,
> "L", shorthost,
>@@ -641,6 +644,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
> "p", portstr,
> "r", ruser,
> "u", pw->pw_name,
>+ "i", uidstr,
> (char *)NULL);
> if (result != 1) {
> /* skip execution if prior predicate failed */
>diff --git a/session.c b/session.c
>index 58826db1..f9406933 100644
>--- a/session.c
>+++ b/session.c
>@@ -1324,7 +1324,7 @@ safely_chroot(const char *path, uid_t uid)
> void
> do_setusercontext(struct passwd *pw)
> {
>- char *chroot_path, *tmp;
>+ char uidstr[32], *chroot_path, *tmp;
>
> platform_setusercontext(pw);
>
>@@ -1356,8 +1356,10 @@ do_setusercontext(struct passwd *pw)
> strcasecmp(options.chroot_directory, "none") != 0) {
> tmp = tilde_expand_filename(options.chroot_directory,
> pw->pw_uid);
>+ snprintf(uidstr, sizeof(uidstr), "%llu",
>+ (unsigned long long)pw->pw_uid);
> chroot_path = percent_expand(tmp, "h", pw->pw_dir,
>- "u", pw->pw_name, (char *)NULL);
>+ "u", pw->pw_name, "U", uidstr, (char *)NULL);
> safely_chroot(chroot_path, pw->pw_uid);
> free(tmp);
> free(chroot_path);
>diff --git a/sftp-server.c b/sftp-server.c
>index df0fb506..bb9dd93e 100644
>--- a/sftp-server.c
>+++ b/sftp-server.c
>@@ -1503,7 +1503,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
> int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
> ssize_t len, olen, set_size;
> SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
>- char *cp, *homedir = NULL, buf[4*4096];
>+ char *cp, *homedir = NULL, uidstr[32], buf[4*4096];
> long mask;
>
> extern char *optarg;
>@@ -1554,8 +1554,10 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
> break;
> case 'd':
> cp = tilde_expand_filename(optarg, user_pw->pw_uid);
>+ snprintf(uidstr, sizeof(uidstr), "%llu",
>+ (unsigned long long)pw->pw_uid);
> homedir = percent_expand(cp, "d", user_pw->pw_dir,
>- "u", user_pw->pw_name, (char *)NULL);
>+ "u", user_pw->pw_name, "U", uidstr, (char *)NULL);
> free(cp);
> break;
> case 'p':
>diff --git a/ssh.c b/ssh.c
>index ce16627d..15dae1a7 100644
>--- a/ssh.c
>+++ b/ssh.c
>@@ -1269,7 +1269,8 @@ main(int ac, char **av)
> strlcpy(shorthost, thishost, sizeof(shorthost));
> shorthost[strcspn(thishost, ".")] = '\0';
> snprintf(portstr, sizeof(portstr), "%d", options.port);
>- snprintf(uidstr, sizeof(uidstr), "%d", pw->pw_uid);
>+ snprintf(uidstr, sizeof(uidstr), "%llu",
>+ (unsigned long long)pw->pw_uid);
>
> if ((md = ssh_digest_start(SSH_DIGEST_SHA1)) == NULL ||
> ssh_digest_update(md, thishost, strlen(thishost)) < 0 ||
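Review bot: In the sftp-server.c `case 'd':` hunk (@@ -1554) the added snprintf reads `pw->pw_uid`, but the function's parameter is `user_pw` and every neighbouring line in the hunk uses `user_pw->...`. Unless a separate `pw` is in scope and already populated during option parsing (not visible here), this either fails to compile or dereferences a pointer that has not been set yet. The added line should read `(unsigned long long)user_pw->pw_uid);`. The body of sftp_server_main continues outside the hunk.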
>@@ -1294,6 +1295,7 @@ main(int ac, char **av)
> "L", shorthost,
> "d", pw->pw_dir,
> "h", host,
>+ "i", uidstr,
> "l", thishost,
> "n", host_arg,
> "p", portstr,
>@@ -1314,6 +1316,7 @@ main(int ac, char **av)
> "C", conn_hash_hex,
> "L", shorthost,
> "h", host,
>+ "i", uidstr,
> "l", thishost,
> "n", host_arg,
> "p", portstr,
>@@ -1492,9 +1495,14 @@ main(int ac, char **av)
> } else {
> p = tilde_expand_filename(options.identity_agent,
> original_real_uid);
>- cp = percent_expand(p, "d", pw->pw_dir,
>- "u", pw->pw_name, "l", thishost, "h", host,
>- "r", options.user, (char *)NULL);
>+ cp = percent_expand(p,
>+ "d", pw->pw_dir,
>+ "h", host,
>+ "i", uidstr,
>+ "l", thishost,
>+ "r", options.user,
>+ "u", pw->pw_name,
>+ (char *)NULL);
> setenv(SSH_AUTHSOCKET_ENV_NAME, cp, 1);
> free(cp);
> free(p);
>@@ -1899,6 +1907,7 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
> "L", shorthost,
> "d", pw->pw_dir,
> "h", host,
>+ "i", uidstr,
> "l", thishost,
> "n", host_arg,
> "p", portstr,
>@@ -2097,9 +2106,14 @@ load_public_identity_files(struct passwd *pw)
> for (i = 0; i < options.num_certificate_files; i++) {
> cp = tilde_expand_filename(options.certificate_files[i],
> original_real_uid);
>- filename = percent_expand(cp, "d", pw->pw_dir,
>- "u", pw->pw_name, "l", thishost, "h", host,
>- "r", options.user, (char *)NULL);
>+ filename = percent_expand(cp,
>+ "d", pw->pw_dir,
>+ "h", host,
>+ "i", host,
>+ "l", thishost,
>+ "r", options.user,
>+ "u", pw->pw_name,
>+ (char *)NULL);
> free(cp);
>
> public = key_load_public(filename, NULL);
>diff --git a/ssh_config.5 b/ssh_config.5
>index bcd18a87..e3370e5f 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
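Review bot: In the load_public_identity_files hunk of ssh.c (@@ -2097) the rewritten percent_expand call passes `"i", host,`, so %i in a CertificateFile path would expand to the hostname, not the numeric uid that the ssh_config.5 change documents. The IdentityAgent hunk (@@ -1492) passes `"i", uidstr,`, and this call should do the same: `"i", uidstr,`. A configuration that uses %i to pick a per-uid certificate would otherwise silently load a different file. Whether uidstr is visible in this function cannot be confirmed from the hunk, though its use in the ssh_session2 hunk suggests file scope.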
>@@ -1743,10 +1743,10 @@ The local username.
> .El
> .Pp
> .Cm Match exec
>-accepts the tokens %%, %h, %L, %l, %n, %p, %r, and %u.
>+accepts the tokens %%, %h, %i, %L, %l, %n, %p, %r, and %u.
> .Pp
> .Cm CertificateFile
>-accepts the tokens %%, %d, %h, %l, %r, and %u.
>+accepts the tokens %%, %d, %h, %i %l, %r, and %u.
> .Pp
> .Cm ControlPath
> accepts the tokens %%, %C, %h, %i, %L, %l, %n, %p, %r, and %u.
>@@ -1757,16 +1757,16 @@ accepts the tokens %% and %h.
> .Cm IdentityAgent
> and
> .Cm IdentityFile
>-accept the tokens %%, %d, %h, %l, %r, and %u.
>+accept the tokens %%, %d, %h, %i %l, %r, and %u.
> .Pp
> .Cm LocalCommand
>-accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, %T, and %u.
>+accepts the tokens %%, %C, %d, %h, %i %l, %n, %p, %r, %T, and %u.
> .Pp
> .Cm ProxyCommand
> accepts the tokens %%, %h, %p, and %r.
> .Pp
> .Cm RemoteCommand
>-accepts the tokens %%, %C, %d, %h, %l, %n, %p, %r, and %u.
>+accepts the tokens %%, %C, %d, %h, %i, %l, %n, %p, %r, and %u.
> .Sh FILES
> .Bl -tag -width Ds
> .It Pa ~/.ssh/config
>diff --git a/sshd_config.5 b/sshd_config.5
>index 95dbc1d1..4d49074c 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -1689,24 +1689,26 @@ The serial number of the certificate.
> The type of the CA key.
> .It %t
> The key or certificate type.
>+.It %U
>+The numeric user-id id of the target user.
> .It %u
> The username.
> .El
> .Pp
> .Cm AuthorizedKeysCommand
>-accepts the tokens %%, %f, %h, %k, %t, and %u.
>+accepts the tokens %%, %f, %h, %k, %t, %U and %u.
> .Pp
> .Cm AuthorizedKeysFile
>-accepts the tokens %%, %h, and %u.
>+accepts the tokens %%, %h, %U and %u.
> .Pp
> .Cm AuthorizedPrincipalsCommand
>-accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, and %u.
>+accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U and %u.
> .Pp
> .Cm AuthorizedPrincipalsFile
>-accepts the tokens %%, %h, and %u.
>+accepts the tokens %%, %h, and %U %u.
> .Pp
> .Cm ChrootDirectory
>-accepts the tokens %%, %h, and %u.
>+accepts the tokens %%, %h, and %U %u.
> .Pp
> .Cm RoutingDomain
> accepts the token %D.
Flags:
dtucker
:
ok+
Attachments on
bug 2870
:
3155
| 3156