[Bug 1680] New: Match User/Group with no affirmative match does not work as expected

bugzilla-daemon at bugzilla.mindrot.org
Thu Dec 3 18:01:05 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1680

           Summary: Match User/Group with no affirmative match does not
                    work as expected
           Product: Portable OpenSSH
           Version: 5.3p1
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: osshbugs at qwe.cc


Statements such as:
Match User !root
  ForceCommand /bin/rshell

or:
Match Group !root
  ForceCommand /bin/rshell

Will not work, due to (in my read) servconf.c
# } else if (ga_match_pattern_list(grps) != 1) {
and 
# if (match_pattern_list(user, arg, len, 0) != 1)

Both functions on an affirmatively negated match will return -1 (rather
than 1, but still non-zero), thus never being considered a "match" by
either user or group negation processing.

In fact, for users, I'm not certain the processing will ever be correct
for negation in any sane deploy (Match user steve !steve)?, though for
groups it could make sense to return differing results based on the
intersection of group1 & !group2

Since there is not a "ForceCommand no", and ForceCommand /bin/bash is
not the same as login (obv.), I'm left at a bit of a puzzle to handle
this one.

Or I could be misreading all this code, or it's already fixed elsewhere
and I missed it.

But I think it's a bug anyhow...

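Added example (not part of the original report and not OpenSSH source code): a simplified model of pattern-list matching, which returns 1 on a positive match, -1 when a negated pattern matches and 0 when nothing matches, combined with the "!= 1" test quoted from servconf.c. The function names are hypothetical and the pattern lists and user names are constructed; the "*,!root" list follows the advice in the PATTERNS section of ssh_config(5) that a negated match never produces a positive result by itself and needs a wildcard term alongside it.

```c
#include <stdio.h>
#include <string.h>

/* Glob match for '*' and '?' (simplified stand-in, not OpenSSH's match_pattern). */
static int glob_match(const char *s, const char *p) {
    for (; *p; s++, p++) {
        if (*p == '*') {
            while (*p == '*') p++;          /* collapse runs of '*' */
            if (!*p) return 1;              /* trailing '*' matches the rest */
            for (; *s; s++)
                if (glob_match(s, p)) return 1;
            return 0;
        }
        if (!*s || (*p != '?' && *p != *s)) return 0;
    }
    return *s == '\0';
}

/* Hypothetical model of the list semantics:
 * 1 = positive match, -1 = a negated pattern matched, 0 = nothing matched. */
static int pattern_list_result(const char *name, const char *list) {
    char buf[256];
    int got_positive = 0;
    if (strlen(list) >= sizeof(buf))
        return 0;                           /* oversized list: treat as no match */
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int negated = (*tok == '!');
        if (glob_match(name, tok + negated)) {
            if (negated) return -1;         /* a negated hit always wins */
            got_positive = 1;
        }
    }
    return got_positive;
}

/* Mirrors the "!= 1" test quoted from servconf.c: only a result of 1 selects the block. */
static int match_block_applies(const char *user, const char *list) {
    return pattern_list_result(user, list) == 1;
}

int main(void) {
    /* Constructed sample pattern lists and user names. */
    const char *lists[] = { "!root", "*,!root" }, *users[] = { "steve", "root" };
    for (int i = 0; i < 4; i++)
        printf("Match User %-8s user=%-6s applies=%d\n", lists[i / 2], users[i % 2],
            match_block_applies(users[i % 2], lists[i / 2]));
    return 0;
}
```

In this model "!root" alone selects the block for neither user, while "*,!root" selects it for steve and not for root.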