summaryrefslogtreecommitdiff
path: root/usr.bin/ssh/servconf.c
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2018-07-03 10:59:36 +0000
committerDamien Miller <djm@cvs.openbsd.org>2018-07-03 10:59:36 +0000
commit9f298e278e650a6691afa4c7558391b2a676654d (patch)
treee3017b9205651982e97d03f37a9ea91ff38ebe9d /usr.bin/ssh/servconf.c
parenta5b7bce61b4c7a6ad54318a2c3ee9ced330bb8f7 (diff)
allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no. bz#1800, feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh/servconf.c')
-rw-r--r--usr.bin/ssh/servconf.c40
1 files changed, 36 insertions, 4 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 4e973d06277..e2534c676ba 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.334 2018/07/03 10:59:35 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options)
options->challenge_response_authentication = -1;
options->permit_empty_passwd = -1;
options->permit_user_env = -1;
+ options->permit_user_env_whitelist = NULL;
options->compression = -1;
options->rekey_limit = -1;
options->rekey_interval = -1;
@@ -308,8 +309,10 @@ fill_default_server_options(ServerOptions *options)
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
- if (options->permit_user_env == -1)
+ if (options->permit_user_env == -1) {
options->permit_user_env = 0;
+ options->permit_user_env_whitelist = NULL;
+ }
if (options->compression == -1)
options->compression = COMP_DELAYED;
if (options->rekey_limit == -1)
@@ -1451,7 +1454,29 @@ process_server_config_line(ServerOptions *options, char *line,
case sPermitUserEnvironment:
intptr = &options->permit_user_env;
- goto parse_flag;
+ charptr = &options->permit_user_env_whitelist;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing argument.",
+ filename, linenum);
+ value = 0;
+ p = NULL;
+ if (strcmp(arg, "yes") == 0)
+ value = 1;
+ else if (strcmp(arg, "no") == 0)
+ value = 0;
+ else {
+ /* Pattern-list specified */
+ value = 1;
+ p = xstrdup(arg);
+ }
+ if (*activep && *intptr == -1) {
+ *intptr = value;
+ *charptr = p;
+ p = NULL;
+ }
+ free(p);
+ break;
case sCompression:
intptr = &options->compression;
@@ -2458,7 +2483,6 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sStrictModes, o->strict_modes);
dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
- dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
dump_cfg_fmtint(sUseDNS, o->use_dns);
@@ -2558,4 +2582,12 @@ dump_config(ServerOptions *o)
printf(" %s", o->permitted_listens[i]);
}
printf("\n");
+
+ if (o->permit_user_env_whitelist == NULL) {
+ dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
+ } else {
+ printf("permituserenvironment %s\n",
+ o->permit_user_env_whitelist);
+ }
+
}