upstream: better terminology for permissions; feedback & ok markus@

OpenBSD-Commit-ID: ffb220b435610741dcb4de0e7fc68cbbdc876d2c
2025-07-28 08:14:24 +02:00 · 2020-06-22 05:52:05 +00:00 · 2020-06-22 05:52:05 +00:00 · fc270baf26
commit fc270baf26
parent 00531bb42f
3 changed files with 37 additions and 37 deletions
--- a/sftp-server.c
+++ b/sftp-server.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.117 2019/07/05 04:55:40 djm Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.118 2020/06/22 05:52:05 djm Exp $ */
 /*
 * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
 *
@ -74,7 +74,7 @@ static int init_done;
 static int readonly;
 /* Requests that are allowed/denied */
-static char *request_whitelist, *request_blacklist;
+static char *request_allowlist, *request_denylist;
 /* portable attributes, etc. */
 typedef struct Stat Stat;
@ -164,20 +164,20 @@ request_permitted(const struct sftp_handler *h)
 		verbose("Refusing %s request in read-only mode", h->name);
 		return 0;
 	}
-	if (request_blacklist != NULL &&
+	if (request_denylist != NULL &&
-	    ((result = match_list(h->name, request_blacklist, NULL))) != NULL) {
+	    ((result = match_list(h->name, request_denylist, NULL))) != NULL) {
 		free(result);
-		verbose("Refusing blacklisted %s request", h->name);
+		verbose("Refusing denylisted %s request", h->name);
 		return 0;
 	}
-	if (request_whitelist != NULL &&
+	if (request_allowlist != NULL &&
-	    ((result = match_list(h->name, request_whitelist, NULL))) != NULL) {
+	    ((result = match_list(h->name, request_allowlist, NULL))) != NULL) {
 		free(result);
-		debug2("Permitting whitelisted %s request", h->name);
+		debug2("Permitting allowlisted %s request", h->name);
 		return 1;
 	}
-	if (request_whitelist != NULL) {
+	if (request_allowlist != NULL) {
-		verbose("Refusing non-whitelisted %s request", h->name);
+		verbose("Refusing non-allowlisted %s request", h->name);
 		return 0;
 	}
 	return 1;
@ -1556,8 +1556,8 @@ sftp_server_usage(void)
 	fprintf(stderr,
 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
-	    "[-l log_level]\n\t[-P blacklisted_requests] "
+	    "[-l log_level]\n\t[-P denied_requests] "
-	    "[-p whitelisted_requests] [-u umask]\n"
+	    "[-p allowed_requests] [-u umask]\n"
 	    "       %s -Q protocol_feature\n",
 	    __progname, __progname);
 	exit(1);
@ -1627,14 +1627,14 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
 			free(cp);
 			break;
 		case 'p':
-			if (request_whitelist != NULL)
+			if (request_allowlist != NULL)
 				fatal("Permitted requests already set");
-			request_whitelist = xstrdup(optarg);
+			request_allowlist = xstrdup(optarg);
 			break;
 		case 'P':
-			if (request_blacklist != NULL)
+			if (request_denylist != NULL)
 				fatal("Refused requests already set");
-			request_blacklist = xstrdup(optarg);
+			request_denylist = xstrdup(optarg);
 			break;
 		case 'u':
 			errno = 0;
--- a/ssh-agent.1
+++ b/ssh-agent.1
@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.71 2020/06/19 07:21:42 dtucker Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.72 2020/06/22 05:52:05 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 19 2020 $
+.Dd $Mdocdate: June 22 2020 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@ -46,12 +46,12 @@
 .Op Fl \&Dd
 .Op Fl a Ar bind_address
 .Op Fl E Ar fingerprint_hash
-.Op Fl P Ar provider_whitelist
+.Op Fl P Ar allowed_providers
 .Op Fl t Ar life
 .Nm ssh-agent
 .Op Fl a Ar bind_address
 .Op Fl E Ar fingerprint_hash
-.Op Fl P Ar provider_whitelist
+.Op Fl P Ar allowed_providers
 .Op Fl t Ar life
 .Ar command Op Ar arg ...
 .Nm ssh-agent
@ -102,19 +102,19 @@ The default is
 Kill the current agent (given by the
 .Ev SSH_AGENT_PID
 environment variable).
-.It Fl P Ar provider_whitelist
+.It Fl P Ar allowed_providers
-Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
+Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
-shared libraries that may be used with the
+authenticator middleware shared libraries that may be used with the
 .Fl S
 or
 .Fl s
 options to
 .Xr ssh-add 1 .
-Libraries that do not match the whitelist will be refused.
+Libraries that do not match the pattern list will be refused.
 See PATTERNS in
 .Xr ssh_config 5
 for a description of pattern-list syntax.
-The default whitelist is
+The default list is
 .Dq /usr/lib/*,/usr/local/lib/* .
 .It Fl s
 Generate Bourne shell commands on
--- a/ssh-agent.c
+++ b/ssh-agent.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.259 2020/06/19 07:21:42 dtucker Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.260 2020/06/22 05:52:05 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -150,8 +150,8 @@ pid_t cleanup_pid = 0;
 char socket_name[PATH_MAX];
 char socket_dir[PATH_MAX];
-/* PKCS#11/Security key path whitelist */
+/* Pattern-list of allowed PKCS#11/Security key paths */
-static char *provider_whitelist;
+static char *allowed_providers;
 /* locking */
 #define LOCK_SIZE	32
@ -612,9 +612,9 @@ process_add_identity(SocketEntry *e)
 			free(sk_provider);
 			sk_provider = xstrdup(canonical_provider);
 			if (match_pattern_list(sk_provider,
-			    provider_whitelist, 0) != 1) {
+			    allowed_providers, 0) != 1) {
 				error("Refusing add key: "
-				    "provider %s not whitelisted", sk_provider);
+				    "provider %s not allowed", sk_provider);
 				free(sk_provider);
 				goto send;
 			}
@ -769,9 +769,9 @@ process_add_smartcard_key(SocketEntry *e)
 		    provider, strerror(errno));
 		goto send;
 	}
-	if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
+	if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
 		verbose("refusing PKCS#11 add of \"%.100s\": "
-		    "provider not whitelisted", canonical_provider);
+		    "provider not allowed", canonical_provider);
 		goto send;
 	}
 	debug("%s: add %.100s", __func__, canonical_provider);
@ -1255,7 +1255,7 @@ usage(void)
 	fprintf(stderr,
 	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
 	    "                 [-P provider_whitelist] [-t life]\n"
-	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P provider_whitelist]\n"
+	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
 	    "                 [-t life] command [arg ...]\n"
 	    "       ssh-agent [-c | -s] -k\n");
 	exit(1);
@ -1320,9 +1320,9 @@ main(int ac, char **av)
 				fatal("Unknown -O option");
 			break;
 		case 'P':
-			if (provider_whitelist != NULL)
+			if (allowed_providers != NULL)
 				fatal("-P option already specified");
-			provider_whitelist = xstrdup(optarg);
+			allowed_providers = xstrdup(optarg);
 			break;
 		case 's':
 			if (c_flag)
@ -1358,8 +1358,8 @@ main(int ac, char **av)
 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
 		usage();
-	if (provider_whitelist == NULL)
+	if (allowed_providers == NULL)
-		provider_whitelist = xstrdup(DEFAULT_PROVIDER_WHITELIST);
+		allowed_providers = xstrdup(DEFAULT_PROVIDER_WHITELIST);
 	if (ac == 0 && !c_flag && !s_flag) {
 		shell = getenv("SHELL");