[Bug 1690] New: AllowUsers and DenyGroups directives are not parsed in the order specified
bugzilla-daemon at bugzilla.mindrot.org
Tue Dec 29 17:57:59 EST 2009
https://bugzilla.mindrot.org/show_bug.cgi?id=1690
Summary: AllowUsers and DenyGroups directives are not parsed in the order specified
Product: Portable OpenSSH
Version: 5.3p1
Platform: ix86
OS/Version: Linux
Status: NEW
Keywords: patch
Severity: trivial
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: pallenpost at gmail.com
Created an attachment (id=1762)
--> (https://bugzilla.mindrot.org/attachment.cgi?id=1762)
Patch for src/auth.c to process AllowUsers/DenyGroups config directives correctly
Details:
When logging into the sshd server, if the server's sshd_config
configuration file contains both "AllowUsers joe" and "DenyGroups joe",
a user "joe" belonging to group "joe" will be denied access based on
his group. However, the sshd_config man page states that AllowUsers
should be processed before DenyGroups, thereby allowing joe to log in:
"... The allow/deny directives are processed in the following order:
DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups."
To reproduce:
1) Create a user 'test' and give him a password.
2) Add these lines in sshd_config:
AllowUsers test
DenyGroups test
3) Restart sshd.
4) Attempt to SSH in as user 'test'.
5) Check /var/log/auth.log. The attempt will be reported as denied
because the user is in a denied group.
Solution:
The solution depends on what the problem actually is: If the way it is
currently working is the desired functionality, the man page just needs
to be updated. However, if the order currently listed in the man page
is desired, auth.c needs a quick patch. In that case, I have attached
a patch for review.
Basically, it tells allowed_user() to return true if the username is
indeed present in the AllowUsers list. This falls in the correct order
between DenyUsers and DenyGroups according to the man page. There was
some ifdef'd auth check for AIX (?) that I also moved ahead so it would
be checked before the user was authorized.
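The two evaluation orders the report contrasts, as an added example that is not part of the bug report or of OpenSSH's auth.c: one function follows the sshd_config(5) order as the reporter reads it (a positive AllowUsers match settles the decision before the group directives run), the other follows the observed sshd 5.3p1 behaviour (every directive can only deny, and all four are evaluated). Directive values are treated as plain glob patterns on the user or group name; user@host forms and the real match_pattern() code are not modelled, which is a simplification assumed here.

```python
from fnmatch import fnmatchcase

# Constructed sshd_config fragment mirroring the report's reproduction steps.
EXAMPLE_CFG = {
    "AllowUsers": ["test"],
    "DenyGroups": ["test"],
}


def _matches(name, patterns):
    # Glob matching on a single name; a stand-in for sshd's pattern matching.
    return any(fnmatchcase(name, p) for p in patterns)


def allowed_documented(user, groups, cfg):
    """Man-page order: DenyUsers, AllowUsers, DenyGroups, AllowGroups,
    with a positive AllowUsers match ending the evaluation early."""
    if _matches(user, cfg.get("DenyUsers", [])):
        return False
    allow_users = cfg.get("AllowUsers", [])
    if allow_users:
        # Listed explicitly: allowed; not listed: denied. Groups never run.
        return _matches(user, allow_users)
    if any(_matches(g, cfg.get("DenyGroups", [])) for g in groups):
        return False
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups:
        return any(_matches(g, allow_groups) for g in groups)
    return True


def allowed_observed(user, groups, cfg):
    """Behaviour the reporter saw: each directive is a filter that can only
    deny, so a DenyGroups hit still rejects a user listed in AllowUsers."""
    if _matches(user, cfg.get("DenyUsers", [])):
        return False
    allow_users = cfg.get("AllowUsers", [])
    if allow_users and not _matches(user, allow_users):
        return False
    if any(_matches(g, cfg.get("DenyGroups", [])) for g in groups):
        return False
    allow_groups = cfg.get("AllowGroups", [])
    if allow_groups and not any(_matches(g, allow_groups) for g in groups):
        return False
    return True


def compare(user, groups, cfg=EXAMPLE_CFG):
    # Returns (documented, observed) so the disagreement is visible at a glance.
    return allowed_documented(user, groups, cfg), allowed_observed(user, groups, cfg)
```

For user 'test' in group 'test', compare() returns (True, False): the documented order admits the login, the observed behaviour logs it as denied by group.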