[Bug 1680] New: Match User/Group with no affirmative match does not work as expected
bugzilla-daemon at bugzilla.mindrot.org
Thu Dec 3 18:01:05 EST 2009
https://bugzilla.mindrot.org/show_bug.cgi?id=1680
Summary: Match User/Group with no affirmative match does not
work as expected
Product: Portable OpenSSH
Version: 5.3p1
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: osshbugs at qwe.cc
Statements such as:
    Match User !root
        ForceCommand /bin/rshell
or:
    Match Group !root
        ForceCommand /bin/rshell
Will not work, due to (in my read) servconf.c
# } else if (ga_match_pattern_list(grps) != 1) {
and
# if (match_pattern_list(user, arg, len, 0) != 1)
Both functions on an affirmatively negated match will return -1 (rather
than 1, but still non zero), thus never being considered a "match" by
either user or group negation processing.
In fact, for users, I'm not certain the processing will ever be correct
for negation in any sane deploy (Match user steve !steve)?, though for
groups it could make sense to return differing results based on the
intersection of group1 & !group2
Since there is not a "ForceCommand no", and ForceCommand /bin/bash is
not the same as login (obv.), I'm left at a bit of a puzzle to handle
this one.
Or I could be misreading all this code, or it's already fixed elsewhere
and I missed it.
But I think it's a bug anyhow...
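An added example, not part of the original report and not OpenSSH source: a simplified C model of a pattern-list matcher with the 1 / 0 / -1 return convention, fed through the same `!= 1` comparison as the servconf.c lines quoted above. The names `glob_match`, `list_match` and `block_applies` and the sample users are assumptions made for illustration; the `*,!root` list is included for contrast, since the ssh_config(5) PATTERNS section notes that a negated pattern never produces a positive match by itself and needs a positive term such as a wildcard.

```c
#include <stdio.h>
#include <string.h>

/* Minimal glob: '*' matches any run of characters, '?' any single one. */
static int glob_match(const char *p, const char *s)
{
    if (*p == '\0') return *s == '\0';
    if (*p == '*')  return glob_match(p + 1, s) || (*s && glob_match(p, s + 1));
    return *s && (*p == '?' || *p == *s) && glob_match(p + 1, s + 1);
}

/* Simplified model, not OpenSSH source: 1 = positive match,
 * -1 = name hit a negated ("!") pattern, 0 = nothing matched. */
static int list_match(const char *name, const char *list)
{
    int got_positive = 0;
    while (*list) {
        char pat[64];
        size_t n = strcspn(list, ",");
        size_t skip = (*list == '!');
        if (n - skip >= sizeof(pat)) return 0; /* over-long pattern: treat as no match */
        memcpy(pat, list + skip, n - skip);
        pat[n - skip] = '\0';
        if (glob_match(pat, name)) {
            if (skip) return -1;   /* a negated hit vetoes the whole list */
            got_positive = 1;
        }
        list += n;
        if (*list == ',') list++;
    }
    return got_positive;
}

/* Same comparison as the servconf.c lines quoted in the report. */
static int block_applies(const char *user, const char *arg)
{
    return list_match(user, arg) == 1;
}

int main(void)
{
    const char *users[] = { "root", "steve" };   /* constructed sample users */
    const char *lists[] = { "!root", "*,!root", "steve,!steve" };
    for (size_t l = 0; l < 3; l++)
        for (size_t u = 0; u < 2; u++)
            printf("Match User %-13s user=%-5s result=%2d applies=%d\n", lists[l],
                   users[u], list_match(users[u], lists[l]), block_applies(users[u], lists[l]));
    return 0;
}
```

When reviewing an sshd_config, a `Match` block whose pattern list contains only negated terms is worth flagging, because the restriction inside it (here `ForceCommand`) is applied to no one.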