author | Damien Miller <djm@cvs.openbsd.org> | 2018-07-03 10:59:36 +0000 |
committer | Damien Miller <djm@cvs.openbsd.org> | 2018-07-03 10:59:36 +0000 |
commit | 9f298e278e650a6691afa4c7558391b2a676654d (patch) | |
tree | e3017b9205651982e97d03f37a9ea91ff38ebe9d /usr.bin | |
parent | a5b7bce61b4c7a6ad54318a2c3ee9ced330bb8f7 (diff) |
allow sshd_config PermitUserEnvironment to accept a pattern-list of
whitelisted environment variable names in addition to yes|no.
bz#1800, feedback and ok markus@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/servconf.c | 40 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/session.c | 19 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config.5 | 10 |
4 files changed, 62 insertions, 11 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 4e973d06277..e2534c676ba 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.334 2018/07/03 10:59:35 djm Exp $ */
 
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions *options)
 options->challenge_response_authentication = -1;
 options->permit_empty_passwd = -1;
 options->permit_user_env = -1;
+ options->permit_user_env_whitelist = NULL;
 options->compression = -1;
 options->rekey_limit = -1;
 options->rekey_interval = -1;
@@ -308,8 +309,10 @@ fill_default_server_options(ServerOptions *options)
 options->challenge_response_authentication = 1;
 if (options->permit_empty_passwd == -1)
 options->permit_empty_passwd = 0;
- if (options->permit_user_env == -1)
+ if (options->permit_user_env == -1) {
 options->permit_user_env = 0;
+ options->permit_user_env_whitelist = NULL;
+ }
 if (options->compression == -1)
 options->compression = COMP_DELAYED;
 if (options->rekey_limit == -1)
@@ -1451,7 +1454,29 @@ process_server_config_line(ServerOptions *options, char *line,
 
 case sPermitUserEnvironment:
 intptr = &options->permit_user_env;
- goto parse_flag;
+ charptr = &options->permit_user_env_whitelist;
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing argument.",
+ filename, linenum);
+ value = 0;
+ p = NULL;
+ if (strcmp(arg, "yes") == 0)
+ value = 1;
+ else if (strcmp(arg, "no") == 0)
+ value = 0;
+ else {
+ /* Pattern-list specified */
+ value = 1;
+ p = xstrdup(arg);
+ }
+ if (*activep && *intptr == -1) {
+ *intptr = value;
+ *charptr = p;
+ p = NULL;
+ }
+ free(p);
+ break;
 
 case sCompression:
 intptr = &options->compression;
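Review bot: The new sPermitUserEnvironment parsing in process_server_config_line accepts only the exact spellings `yes` and `no` and treats every other token as a pattern-list, whereas the removed `goto parse_flag` presumably also accepted the `true`/`false` spellings (parse_flag is outside the hunk, so this is inferred). If that is so, an existing `PermitUserEnvironment false` now sets permit_user_env to 1 with a whitelist consisting of the literal name `false`, so a previously disabled option quietly turns on rather than being rejected. Suggest either accepting those spellings in the same branches, `if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)` and `else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)`, or stating in the `/* Pattern-list specified */` comment that any token other than yes/no is a pattern and that true/false are no longer aliases. The `value = 0;` before the if/else chain is dead, since every branch assigns value. process_server_config_line begins and ends outside the hunk.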
@@ -2458,7 +2483,6 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sStrictModes, o->strict_modes);
 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
- dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
 dump_cfg_fmtint(sCompression, o->compression);
 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 dump_cfg_fmtint(sUseDNS, o->use_dns);
@@ -2558,4 +2582,12 @@ dump_config(ServerOptions *o)
 printf(" %s", o->permitted_listens[i]);
 }
 printf("\n");
+
+ if (o->permit_user_env_whitelist == NULL) {
+ dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
+ } else {
+ printf("permituserenvironment %s\n",
+ o->permit_user_env_whitelist);
+ }
+
 }
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index e8a108ce779..97561874194 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.134 2018/06/09 03:03:10 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.135 2018/07/03 10:59:35 djm Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -133,6 +133,7 @@ typedef struct {
 int permit_empty_passwd; /* If false, do not permit empty
 * passwords. */
 int permit_user_env; /* If true, read ~/.ssh/environment */
+ char *permit_user_env_whitelist; /* pattern-list whitelist */
 int compression; /* If true, compression is allowed */
 int allow_tcp_forwarding; /* One of FORWARD_* */
 int allow_streamlocal_forwarding; /* One of FORWARD_* */
@@ -240,6 +241,7 @@ struct connection_info {
 M_CP_STROPT(hostbased_key_types); \
 M_CP_STROPT(pubkey_key_types); \
 M_CP_STROPT(routing_domain); \
+ M_CP_STROPT(permit_user_env_whitelist); \
 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
 M_CP_STRARRAYOPT(deny_users, num_deny_users); \
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index d245368dbea..6fb5b43d8ba 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
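Review bot: The new struct member comment `/* pattern-list whitelist */` in the servconf.h hunk does not say what a NULL value means, even though the fill_default_server_options hunk and the yes/no branches of the parser leave it NULL and the dump_config hunk branches on exactly that. Suggest `char *permit_user_env_whitelist; /* pattern-list of permitted names; NULL = no name filtering (yes/no form) */`. The neighbouring `permit_user_env` comment could also note that the flag is set to 1 whenever a pattern-list is given, since the flag alone no longer tells a reader which form was configured. The typedef'd options struct starts and ends outside the hunk.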
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.300 2018/06/09 03:03:10 djm Exp $ */
+/* $OpenBSD: session.c,v 1.301 2018/07/03 10:59:35 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -778,10 +778,12 @@ check_quietlogin(Session *s, const char *command)
 * into the environment. If the file does not exist, this does nothing.
 * Otherwise, it must consist of empty lines, comments (line starts with '#')
 * and assignments of the form name=value. No other forms are allowed.
+ * If whitelist is not NULL, then it is interpreted as a pattern list and
+ * only variable names that match it will be accepted.
 */
 static void
 read_environment_file(char ***env, u_int *envsize,
- const char *filename)
+ const char *filename, const char *whitelist)
 {
 FILE *f;
 char *line = NULL, *cp, *value;
@@ -814,6 +816,9 @@ read_environment_file(char ***env, u_int *envsize,
 */
 *value = '\0';
 value++;
+ if (whitelist != NULL &&
+ match_pattern_list(cp, whitelist, 0) != 1)
+ continue;
 child_set_env(env, envsize, cp, value);
 }
 free(line);
@@ -882,7 +887,12 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 cp = strchr(ocp, '=');
 if (*cp == '=') {
 *cp = '\0';
- child_set_env(&env, &envsize, ocp, cp + 1);
+ /* Apply PermitUserEnvironment whitelist */
+ if (options.permit_user_env_whitelist == NULL ||
+ match_pattern_list(ocp,
+ options.permit_user_env_whitelist, 0) == 1)
+ child_set_env(&env, &envsize,
+ ocp, cp + 1);
 }
 free(ocp);
 }
@@ -892,7 +902,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 if (options.permit_user_env) {
 snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
 pw->pw_dir);
- read_environment_file(&env, &envsize, buf);
+ read_environment_file(&env, &envsize, buf,
+ options.permit_user_env_whitelist);
 }
 
 /* Environment specified by admin */
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 994f241cfcf..4b5cd188179 100644
--- a/usr.bin/ssh/sshd_config.5
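Review bot: In the read_environment_file hunk the new `match_pattern_list(cp, whitelist, 0) != 1` test silently drops a variable whenever the result is anything other than a positive match, so a non-matching name and a name hit by a negated pattern are both discarded without any trace in the logs; the do_setup_env hunk has the same silent-drop behaviour with its `== 1` test. An operator trying to work out why a variable from ~/.ssh/environment or an authorized_keys environment= option never reaches the session has nothing to go on, so a debug-level message before the `continue` (and on the rejected path of the do_setup_env check) naming the dropped variable would make the whitelist observable, e.g. `debug3("%s: ignoring %s: not in PermitUserEnvironment whitelist", __func__, cp);`. The new header comment could also spell out the deny-by-default rule, e.g. `* Names that do not positively match (including negated matches) are ignored.` read_environment_file starts before its second hunk, and do_setup_env starts and ends outside both of its hunks.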
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.277 2018/06/19 05:36:57 jmc Exp $
-.Dd $Mdocdate: June 19 2018 $
+.\" $OpenBSD: sshd_config.5,v 1.278 2018/07/03 10:59:35 djm Exp $
+.Dd $Mdocdate: July 3 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1333,6 +1333,12 @@ options in
 .Pa ~/.ssh/authorized_keys
 are processed by
 .Xr sshd 8 .
+Valid options are
+.Cm yes ,
+.Cm no
+or a pattern-list specifying which environment variable names to accept
+(for example
+.Qq LANG,LC_* ) .
 The default is
 .Cm no .
 Enabling environment processing may enable users to bypass access |