let principals-command.sh work for noexec /var/run

Damien Miller 2015-08-10 11:13:44 +10:00
parent 2651e34cd1
commit 55b263fb7c
1 changed files with 102 additions and 98 deletions


@ -14,15 +14,15 @@ fi
# Establish a AuthorizedPrincipalsCommand in /var/run where it will have # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
# acceptable directory permissions. # acceptable directory permissions.
PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
#!/bin/sh #!/bin/sh
test "x\$1" != "x${LOGNAME}" && exit 1 test "x\$1" != "x${LOGNAME}" && exit 1
test -f "$OBJ/authorized_principals_${LOGNAME}" && test -f "$OBJ/authorized_principals_${LOGNAME}" &&
exec cat "$OBJ/authorized_principals_${LOGNAME}" exec cat "$OBJ/authorized_principals_${LOGNAME}"
_EOF _EOF
test $? -eq 0 || fatal "couldn't prepare principals command" test $? -eq 0 || fatal "couldn't prepare principals command"
$SUDO chmod 0755 "$PRINCIPALS_COMMAND" $SUDO chmod 0755 "$PRINCIPALS_CMD"
# Create a CA key and a user certificate. # Create a CA key and a user certificate.
${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
@ -33,8 +33,9 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
fatal "couldn't sign cert_user_key" fatal "couldn't sign cert_user_key"
# Test explicitly-specified principals if [ -x $PRINCIPALS_CMD ]; then
for privsep in yes no ; do # Test explicitly-specified principals
for privsep in yes no ; do
_prefix="privsep $privsep" _prefix="privsep $privsep"
# Setup for AuthorizedPrincipalsCommand # Setup for AuthorizedPrincipalsCommand
@ -43,7 +44,7 @@ for privsep in yes no ; do
cat $OBJ/sshd_proxy_bak cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep" echo "UsePrivilegeSeparation $privsep"
echo "AuthorizedKeysFile none" echo "AuthorizedKeysFile none"
echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
) > $OBJ/sshd_proxy ) > $OBJ/sshd_proxy
@ -97,7 +98,6 @@ for privsep in yes no ; do
fail "ssh cert connect succeeded unexpectedly" fail "ssh cert connect succeeded unexpectedly"
fi fi
# authorized_principals with command=true # authorized_principals with command=true
verbose "$tid: ${_prefix} authorized_principals command=true" verbose "$tid: ${_prefix} authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \ echo 'command="true" mekmitasdigoat' > \
@ -138,4 +138,8 @@ for privsep in yes no ; do
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
fail "ssh cert connect failed" fail "ssh cert connect failed"
fi fi
done done
else
echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
"(/var/run mounted noexec?)"
fi
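Review bot: The SKIPPED message in the new `else` branch still expands `$PRINCIPALS_COMMAND`, which this commit renames to `PRINCIPALS_CMD` at every other visible use, so unless the old name is set elsewhere the message prints an empty path; the line should read `echo "SKIPPED: $PRINCIPALS_CMD not executable " \`. The new guard `[ -x $PRINCIPALS_CMD ]` is unquoted although the path embeds `${LOGNAME}`; `if [ -x "$PRINCIPALS_CMD" ]; then` avoids word splitting there. The skip path only echoes, so on a host with a noexec /var/run none of the AuthorizedPrincipalsCommand checks run, including the negative cases that expect certificate authentication to be refused. As far as this section shows, the test then ends without a failure, so it is worth confirming that the harness reports the skip rather than counting it as a pass.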