[session.c]
     Add explicit stat so we reliably detect nologin with bad perms.
     ok djm markus
This commit is contained in:
Darren Tucker 2010-01-12 19:51:48 +11:00
parent ebc71d908c
commit 09aa4c000e
2 changed files with 27 additions and 19 deletions


@ -1,4 +1,4 @@
20100111 20100112
- (dtucker) OpenBSD CVS Sync - (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2010/01/11 01:39:46 - dtucker@cvs.openbsd.org 2010/01/11 01:39:46
[ssh_config channels.c ssh.1 channels.h ssh.c] [ssh_config channels.c ssh.1 channels.h ssh.c]
@ -35,6 +35,10 @@
[buffer.h bufaux.c] [buffer.h bufaux.c]
add a buffer_get_string_ptr_ret() that does the same as add a buffer_get_string_ptr_ret() that does the same as
buffer_get_string_ptr() but does not fatal() on error; ok dtucker@ buffer_get_string_ptr() but does not fatal() on error; ok dtucker@
- dtucker@cvs.openbsd.org 2010/01/12 08:33:17
[session.c]
Add explicit stat so we reliably detect nologin with bad perms.
ok djm markus
20100110 20100110
- (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]


@ -1,4 +1,4 @@
/* $OpenBSD: session.c,v 1.250 2010/01/12 01:31:05 dtucker Exp $ */ /* $OpenBSD: session.c,v 1.251 2010/01/12 08:33:17 dtucker Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -1377,28 +1377,32 @@ static void
do_nologin(struct passwd *pw) do_nologin(struct passwd *pw)
{ {
FILE *f = NULL; FILE *f = NULL;
char buf[1024]; char buf[1024], *nl, *def_nl = _PATH_NOLOGIN;
struct stat sb;
#ifdef HAVE_LOGIN_CAP #ifdef HAVE_LOGIN_CAP
if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) if (login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN, return;
_PATH_NOLOGIN), "r"); nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
#else #else
if (pw->pw_uid) if (pw->pw_uid == 0)
f = fopen(_PATH_NOLOGIN, "r"); return;
nl = def_nl;
#endif #endif
if (f != NULL || errno == EPERM) { if (stat(nl, &sb) == -1) {
/* /etc/nologin exists. Print its contents and exit. */ if (nl != def_nl)
logit("User %.100s not allowed because %s exists", xfree(nl);
pw->pw_name, _PATH_NOLOGIN); return;
if (f == NULL)
exit(254);
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
fflush(NULL);
exit(254);
} }
/* /etc/nologin exists. Print its contents if we can and exit. */
logit("User %.100s not allowed because %s exists", pw->pw_name, nl);
if ((f = fopen(nl, "r")) != NULL) {
while (fgets(buf, sizeof(buf), f))
fputs(buf, stderr);
fclose(f);
}
exit(254);
} }
/* /*
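Review bot: Under HAVE_LOGIN_CAP the new guard `if (login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) return;` no longer exempts root: the old condition gated the fopen on `!ignorenologin && pw->pw_uid`, so uid 0 never checked the file, whereas the new one returns only for a non-root user whose class sets ignorenologin, so root is denied whenever the nologin file exists. That also disagrees with the #else branch a few lines below, which returns on `pw->pw_uid == 0`; the login.conf branch presumably should read `if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0) return;` so both paths share the same root exemption. A smaller point: any stat() failure, not only ENOENT, takes the early return and lets the login proceed, so an EACCES/ELOOP/EIO on the nologin path fails open; if this runs before privileges are dropped that is mostly ENOENT in practice, but checking `errno != ENOENT` and logging it would make an unreachable nologin file visible instead of silently permitting the session.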