diff options
author | Oleg Safiullin <form@cvs.openbsd.org> | 2002-05-30 09:12:00 +0000 |
---|---|---|
committer | Oleg Safiullin <form@cvs.openbsd.org> | 2002-05-30 09:12:00 +0000 |
commit | f9e8b133d95960d55ce73160a28ae32883b8ff6e (patch) | |
tree | 5d09d81fcdebb4356eb4e332da220a71061c96fe /usr.sbin | |
parent | 196b75fc92592c09eacfc395031fbebc6e7b3ab0 (diff) |
Do not allow user to run authpf if user's shell is not /usr/sbin/authpf to
prevent users from playing with $SSH_CLIENT.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/authpf/authpf.c | 8 | ||||
-rw-r--r-- | usr.sbin/authpf/pathnames.h | 25 |
2 files changed, 20 insertions, 13 deletions
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c index 126ade4f171..27c1375f7be 100644 --- a/usr.sbin/authpf/authpf.c +++ b/usr.sbin/authpf/authpf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authpf.c,v 1.15 2002/05/21 19:48:04 deraadt Exp $ */ +/* $OpenBSD: authpf.c,v 1.16 2002/05/30 09:11:59 form Exp $ */ /* * Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org). @@ -124,6 +124,12 @@ main(int argc, char *argv[]) exit(1); } + if (strcmp(pwp->pw_shell, PATH_AUTHPF_SHELL)) { + syslog(LOG_ERR, "wrong shell for user %s, uid %u", + pwp->pw_name, pwp->pw_uid); + exit(1); + } + strlcpy(luser, pwp->pw_name, sizeof(luser)); if ((foo = getenv("SSH_CLIENT")) != NULL) { diff --git a/usr.sbin/authpf/pathnames.h b/usr.sbin/authpf/pathnames.h index adc7a687046..3ba7e7b0758 100644 --- a/usr.sbin/authpf/pathnames.h +++ b/usr.sbin/authpf/pathnames.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.2 2002/04/05 20:35:52 deraadt Exp $ */ +/* $OpenBSD: pathnames.h,v 1.3 2002/05/30 09:11:59 form Exp $ */ /* * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca) @@ -28,14 +28,15 @@ * SUCH DAMAGE. */ -#define PATH_CONFFILE "/etc/authpf/authpf.conf" -#define PATH_ALLOWFILE "/etc/authpf/authpf.allow" -#define PATH_PFRULES "/etc/authpf/authpf.rules" -#define PATH_NATRULES "/etc/authpf/authpf.nat" -#define PATH_PROBLEM "/etc/authpf/authpf.problem" -#define PATH_MESSAGE "/etc/authpf/authpf.message" -#define PATH_USER_DIR "/etc/authpf/users" -#define PATH_BAN_DIR "/etc/authpf/banned" -#define PATH_DEVFILE "/dev/pf" -#define PATH_PIDFILE "/var/run/authpf" -#define PATH_USERFILE "/var/authpf" +#define PATH_CONFFILE "/etc/authpf/authpf.conf" +#define PATH_ALLOWFILE "/etc/authpf/authpf.allow" +#define PATH_PFRULES "/etc/authpf/authpf.rules" +#define PATH_NATRULES "/etc/authpf/authpf.nat" +#define PATH_PROBLEM "/etc/authpf/authpf.problem" +#define PATH_MESSAGE "/etc/authpf/authpf.message" +#define PATH_USER_DIR "/etc/authpf/users" +#define PATH_BAN_DIR "/etc/authpf/banned" +#define PATH_DEVFILE "/dev/pf" +#define PATH_PIDFILE "/var/run/authpf" +#define PATH_USERFILE "/var/authpf" +#define PATH_AUTHPF_SHELL "/usr/sbin/authpf" |