diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2018-07-03 10:59:36 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2018-07-03 10:59:36 +0000 |
commit | 9f298e278e650a6691afa4c7558391b2a676654d (patch) | |
tree | e3017b9205651982e97d03f37a9ea91ff38ebe9d /usr.bin/ssh/servconf.c | |
parent | a5b7bce61b4c7a6ad54318a2c3ee9ced330bb8f7 (diff) |
allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.
bz#1800, feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh/servconf.c')
-rw-r--r-- | usr.bin/ssh/servconf.c | 40 |
1 files changed, 36 insertions, 4 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index 4e973d06277..e2534c676ba 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.334 2018/07/03 10:59:35 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options) options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; + options->permit_user_env_whitelist = NULL; options->compression = -1; options->rekey_limit = -1; options->rekey_interval = -1; @@ -308,8 +309,10 @@ fill_default_server_options(ServerOptions *options) options->challenge_response_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; - if (options->permit_user_env == -1) + if (options->permit_user_env == -1) { options->permit_user_env = 0; + options->permit_user_env_whitelist = NULL; + } if (options->compression == -1) options->compression = COMP_DELAYED; if (options->rekey_limit == -1) @@ -1451,7 +1454,29 @@ process_server_config_line(ServerOptions *options, char *line, case sPermitUserEnvironment: intptr = &options->permit_user_env; - goto parse_flag; + charptr = &options->permit_user_env_whitelist; + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing argument.", + filename, linenum); + value = 0; + p = NULL; + if (strcmp(arg, "yes") == 0) + value = 1; + else if (strcmp(arg, "no") == 0) + value = 0; + else { + /* Pattern-list specified */ + value = 1; + p = xstrdup(arg); + } + if (*activep && *intptr == -1) { + *intptr = value; + *charptr = p; + p = NULL; + } + free(p); + break; case sCompression: intptr = &options->compression; @@ -2458,7 +2483,6 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sStrictModes, o->strict_modes); dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); - dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(sUseDNS, o->use_dns); @@ -2558,4 +2582,12 @@ dump_config(ServerOptions *o) printf(" %s", o->permitted_listens[i]); } printf("\n"); + + if (o->permit_user_env_whitelist == NULL) { + dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); + } else { + printf("permituserenvironment %s\n", + o->permit_user_env_whitelist); + } + } |