Bug 1459 - Request for better documentation of shell used to run commands
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 5.0p1
Hardware: Other All
Importance: P2 minor
Assignee: Damien Miller
Blocks: V_6_9
Reported: 2008-04-19 02:54 AEST by Joe Krahn
Modified: 2015-08-11 23:03 AEST

Attachments
mention the shell used (280 bytes, patch)
2015-05-01 15:08 AEST, Damien Miller
dtucker: ok+

Description Joe Krahn 2008-04-19 02:54:13 AEST
It would be helpful if the documentation gave a more complete description of how the shell is selected to run commands. Recently, the sshd man page added documentation that sshrc commands are run by sh, and not the user shell. There are still some other things that could use more detail. For example, sshd never uses the SHELL environment variable, but ssh-agent does. I think it should be stated that commands are always run under the shell defined by getpw(), including commands for ssh_config keys with the "command=" option.

This came up when trying to set up an ssh key to allow remote execution of a pre-defined task using the "command=" feature. I also wanted to disable logins for that account, so it could only be used to invoke that specific task. Obviously, setting the shell to /sbin/nologin didn't work. However, searching for ways to achieve this, I found that it is not uncommon for people to assume that commands are run as if by system(). In most cases, perhaps it should be obvious that a "remote shell" always runs commands under the account's shell, but I think this should be clarified at least for the "command=" feature. Consider a situation where an ssh-key is defined to invoke a specific task, but a user figures out a way to change the account shell in a way that affects the access allowed by that ssh key.

It's not a major issue, but I think it's worth including a few extra sentences so that you don't have to read the source code just to figure out the details of how commands are run.
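The behaviour this report asks to have documented, shown as an added example that is not part of the original report or of OpenSSH: sshd runs a forced command as `<login shell> -c <command>`, taking the shell from the account's passwd entry, so a `nologin` shell also blocks the `command=` task. The function names and the passwd and authorized_keys samples are constructed for illustration.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # prefixes of the key-type field
NO_LOGIN = {"nologin", "false"}         # shells that exit instead of running -c

def forced_command(line):
    """Return the command="..." value from one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return None                     # blank, comment, or no options field
    # The options field ends at the first whitespace outside double quotes.
    in_quotes, i = False, 0
    while i < len(line):
        if in_quotes and line.startswith('\\"', i):
            i += 2                      # escaped quote inside a quoted value
            continue
        if line[i] == '"':
            in_quotes = not in_quotes
        elif line[i].isspace() and not in_quotes:
            break
        i += 1
    m = re.search(r'(?:^|,)command="((?:\\"|[^"])*)"', line[:i], re.IGNORECASE)
    return m.group(1).replace('\\"', '"') if m else None

def login_shell(user, passwd_text):
    """Read the passwd shell field (what getpwnam() returns); empty means /bin/sh."""
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[6] or "/bin/sh"
    raise KeyError(user)

def audit(user, passwd_text, authorized_keys_text):
    """Return (argv, runs) per forced command; argv is [shell, "-c", command]."""
    shell = login_shell(user, passwd_text)
    runs = shell.rsplit("/", 1)[-1] not in NO_LOGIN
    return [([shell, "-c", cmd], runs)
            for cmd in map(forced_command, authorized_keys_text.splitlines())
            if cmd is not None]

# Constructed sample data (not from the bug report).
PASSWD = ("backup:x:1001:1001::/home/backup:/sbin/nologin\n"
          "report:x:1002:1002::/home/report:\n")
KEYS = ('# constructed keys\n'
        'command="/usr/local/bin/run-task --mode \\"full\\"",no-pty '
        'ssh-ed25519 AAAAC3constructed task@host\n'
        'ssh-ed25519 AAAAC3constructed plain@host\n')

if __name__ == "__main__":
    for user in ("backup", "report"):
        for argv, runs in audit(user, PASSWD, KEYS):
            print(user, argv, "runs" if runs else "blocked by login shell")
```
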
Comment 1 Damien Miller 2015-05-01 15:08:53 AEST
Created attachment 2613
mention the shell used
Comment 2 Damien Miller 2015-05-01 17:12:02 AEST
patch applied - this will be in openssh-6.9
Comment 3 Damien Miller 2015-08-11 23:03:49 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1