summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorOleg Safiullin <form@cvs.openbsd.org>2002-05-30 09:12:00 +0000
committerOleg Safiullin <form@cvs.openbsd.org>2002-05-30 09:12:00 +0000
commitf9e8b133d95960d55ce73160a28ae32883b8ff6e (patch)
tree5d09d81fcdebb4356eb4e332da220a71061c96fe /usr.sbin
parent196b75fc92592c09eacfc395031fbebc6e7b3ab0 (diff)
Do not allow user to run authpf if user's shell is not /usr/sbin/authpf to
prevent users from playing with $SSH_CLIENT.
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/authpf/authpf.c8
-rw-r--r--usr.sbin/authpf/pathnames.h25
2 files changed, 20 insertions, 13 deletions
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index 126ade4f171..27c1375f7be 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.15 2002/05/21 19:48:04 deraadt Exp $ */
+/* $OpenBSD: authpf.c,v 1.16 2002/05/30 09:11:59 form Exp $ */
/*
* Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
@@ -124,6 +124,12 @@ main(int argc, char *argv[])
exit(1);
}
+ if (strcmp(pwp->pw_shell, PATH_AUTHPF_SHELL)) {
+ syslog(LOG_ERR, "wrong shell for user %s, uid %u",
+ pwp->pw_name, pwp->pw_uid);
+ exit(1);
+ }
+
strlcpy(luser, pwp->pw_name, sizeof(luser));
if ((foo = getenv("SSH_CLIENT")) != NULL) {
diff --git a/usr.sbin/authpf/pathnames.h b/usr.sbin/authpf/pathnames.h
index adc7a687046..3ba7e7b0758 100644
--- a/usr.sbin/authpf/pathnames.h
+++ b/usr.sbin/authpf/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.2 2002/04/05 20:35:52 deraadt Exp $ */
+/* $OpenBSD: pathnames.h,v 1.3 2002/05/30 09:11:59 form Exp $ */
/*
* Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
@@ -28,14 +28,15 @@
* SUCH DAMAGE.
*/
-#define PATH_CONFFILE "/etc/authpf/authpf.conf"
-#define PATH_ALLOWFILE "/etc/authpf/authpf.allow"
-#define PATH_PFRULES "/etc/authpf/authpf.rules"
-#define PATH_NATRULES "/etc/authpf/authpf.nat"
-#define PATH_PROBLEM "/etc/authpf/authpf.problem"
-#define PATH_MESSAGE "/etc/authpf/authpf.message"
-#define PATH_USER_DIR "/etc/authpf/users"
-#define PATH_BAN_DIR "/etc/authpf/banned"
-#define PATH_DEVFILE "/dev/pf"
-#define PATH_PIDFILE "/var/run/authpf"
-#define PATH_USERFILE "/var/authpf"
+#define PATH_CONFFILE "/etc/authpf/authpf.conf"
+#define PATH_ALLOWFILE "/etc/authpf/authpf.allow"
+#define PATH_PFRULES "/etc/authpf/authpf.rules"
+#define PATH_NATRULES "/etc/authpf/authpf.nat"
+#define PATH_PROBLEM "/etc/authpf/authpf.problem"
+#define PATH_MESSAGE "/etc/authpf/authpf.message"
+#define PATH_USER_DIR "/etc/authpf/users"
+#define PATH_BAN_DIR "/etc/authpf/banned"
+#define PATH_DEVFILE "/dev/pf"
+#define PATH_PIDFILE "/var/run/authpf"
+#define PATH_USERFILE "/var/authpf"
+#define PATH_AUTHPF_SHELL "/usr/sbin/authpf"