[Bug 1690] New: AllowUsers and DenyGroups directives are not parsed in the order specified

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Dec 29 17:57:59 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1690

           Summary: AllowUsers and DenyGroups directives are not parsed in
                    the order specified
           Product: Portable OpenSSH
           Version: 5.3p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Keywords: patch
          Severity: trivial
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: pallenpost at gmail.com


Created an attachment (id=1762)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1762)
Patch for src/auth.c to process AllowUsers/DenyGroups config directives
correctly

Details:

When logging into the sshd server, if the server's sshd_config
configuration file contains both "AllowUsers joe" and "DenyGroups joe",
a user "joe" belonging to group "joe" will be denied access based on
his group.  However, the sshd_config man page states that AllowUsers
should be processed before DenyGroups, thereby allowing joe to log in:

"... The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups."

To reproduce:

1) Create a user 'test' and give him a password.
2) Add these lines in sshd_config:

AllowUsers test
DenyGroups test

3) Restart sshd.
4) Attempt to SSH in as user 'test'.
5) Check /var/log/auth.log.  The attempt will be reported as denied
because the user is in a denied group.

Solution:

The solution depends on what the problem actually is:  If the way it is
currently working is the desired functionality, the man page just needs
to be updated.  However, if the order currently listed in the man page
is desired, auth.c needs a quick patch.  In that case, I have attached
a patch for review.  

Basically, it tells allowed_user() to return true if the username is
indeed present in the AllowUsers list.  This falls in the correct order
between DenyUsers and DenyGroups according to the man page.  There was
some ifdef'd auth check for AIX (?) that I also moved ahead so it would
be checked before the user was authorized.

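As an added example (not OpenSSH code and not the attached patch), a small model of the four-list evaluation the report discusses: with each list applied in turn, the reproduction config denies user 'test' via DenyGroups, as observed; with a positive AllowUsers match ending evaluation, the reading of the man page the report argues for, 'test' is allowed. Pattern matching uses fnmatch as a simplification of sshd's own matching, and the config dictionary and the `allowusers_short_circuits` switch are this example's constructions.

```python
"""Model of sshd allow/deny list evaluation (added example, not OpenSSH code)."""
from fnmatch import fnmatchcase


def _matches(name, patterns):
    """Shell-style match against a list of patterns (simplified vs. sshd)."""
    return any(fnmatchcase(name, p) for p in patterns)


def allowed_user(user, groups, cfg, allowusers_short_circuits=False):
    """Evaluate in the man page order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.

    allowusers_short_circuits=False: every list is applied in turn, the
    behaviour the report observed. True: a positive AllowUsers match ends
    evaluation, the reading of the man page the report argues for.
    Returns (allowed, reason).
    """
    deny_users = cfg.get("DenyUsers", [])
    allow_users = cfg.get("AllowUsers", [])
    deny_groups = cfg.get("DenyGroups", [])
    allow_groups = cfg.get("AllowGroups", [])

    if _matches(user, deny_users):
        return False, "DenyUsers"
    if allow_users:
        if not _matches(user, allow_users):
            return False, "not in AllowUsers"
        if allowusers_short_circuits:
            return True, "AllowUsers"
    if deny_groups and any(_matches(g, deny_groups) for g in groups):
        return False, "DenyGroups"
    if allow_groups and not any(_matches(g, allow_groups) for g in groups):
        return False, "not in AllowGroups"
    return True, "passed all lists"


# Constructed from the report's reproduction steps (sshd_config lines).
REPRO_CONFIG = {"AllowUsers": ["test"], "DenyGroups": ["test"]}


def reproduce():
    """User 'test' with primary group 'test' under both readings."""
    observed = allowed_user("test", ["test"], REPRO_CONFIG)
    per_report = allowed_user("test", ["test"], REPRO_CONFIG,
                              allowusers_short_circuits=True)
    return observed, per_report


if __name__ == "__main__":
    labels = ("each list applied in turn", "AllowUsers match ends evaluation")
    for label, (ok, why) in zip(labels, reproduce()):
        print(f"{label}: {'allowed' if ok else 'denied'} ({why})")
```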