[Bug 3122] New Include functionality does not work as documented

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Apr 17 15:24:54 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3122

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org,
                   |                            |jjelen at redhat.com

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This is the stanza that is causing this:

>  /* consult cache of include files */
>  TAILQ_FOREACH(item, includes, entry) {
>      if (strcmp(item->selector, arg) != 0)
>          continue;
>      if (item->filename != NULL) {
>          parse_server_config_depth(options,
>              item->filename, item->contents,
>              includes, connectinfo,
>              (oactive ? 0 : SSHCFG_NEVERMATCH),
>              activep, depth + 1);
>      }
>      found = 1;
>      *activep = oactive;
>  }

I'm not sure what the intention around NEVERMATCH is. There are a few
cases to consider:

1) Include in sshd_config before Match
2) Include in sshd_config after Match directive

and for each of those:

a) included file contains non-match directives
b) included file contains at least one Match directive

From this I think we get case (b) wrong wrt processing of the Match -
as NEVERMATCH gets set and the match never gets considered. I need to
think about it a little more.

Adding Jakub, the author of the Include patch (well, before I mangled
it anyway) in case he has something to add.
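The cases enumerated above, worked through in a simplified model. This is an added illustration, not OpenSSH's servconf.c: the in-memory files, the connection info and the three-directive grammar are constructed, and it assumes that SSHCFG_NEVERMATCH makes any Match line inside the included file deactivate unconditionally, so that only the Include branch reproduces the flag logic of the quoted stanza.

```python
"""Simplified model of the Include/Match cases listed above. Added
illustration, not OpenSSH's servconf.c: the in-memory files, connection info
and three-directive grammar are constructed; the Include branch follows the
flag logic of the quoted stanza."""

SSHCFG_NEVERMATCH = 1

# Constructed stand-ins for sshd_config and two included files.
FILES = {
    "sshd_config": [
        "Include top.conf",             # case 1: Include before any Match
        "PasswordAuthentication no",
        "Match User alice",
        "Include inner.conf",           # case 2: Include after a Match
    ],
    "top.conf": ["Match User bob", "X11Forwarding yes"],              # 1b
    "inner.conf": ["Match User bob", "PasswordAuthentication yes"],   # 2b
}

def match_cfg_line(criteria, connectinfo):
    """Only 'User <name>' is modelled; without connection info nothing matches."""
    _, _, name = criteria.partition(" ")
    return int(connectinfo is not None and connectinfo.get("user") == name)

def parse_depth(options, filename, includes, connectinfo, flags, activep, depth):
    """activep is a one-element list standing in for sshd's int *activep."""
    for line in FILES[filename]:
        key, _, arg = line.partition(" ")
        if key == "Match":
            # Assumption: NEVERMATCH makes a Match deactivate unconditionally.
            activep[0] = 0 if flags & SSHCFG_NEVERMATCH else match_cfg_line(arg, connectinfo)
        elif key == "Include":
            oactive = activep[0]
            includes.setdefault(arg, arg)   # cache miss: selector is the filename
            # Cached path of the quoted stanza: parse with NEVERMATCH when the
            # Include sits in an inactive Match block, then restore the state.
            parse_depth(options, includes[arg], includes, connectinfo,
                        0 if oactive else SSHCFG_NEVERMATCH, activep, depth + 1)
            activep[0] = oactive
        elif activep[0] and key not in options:
            options[key] = arg              # first value wins, as in sshd

def effective(user):
    """Startup parse fills the cache; the per-connection parse uses it."""
    includes = {}
    parse_depth({}, "sshd_config", includes, None, 0, [1], 0)
    options = {}
    parse_depth(options, "sshd_config", includes, {"user": user}, 0, [1], 0)
    return options
```

For user bob the Match inside top.conf (case 1b) is honoured, while the one inside inner.conf (case 2b) is parsed under NEVERMATCH and never considered, so PasswordAuthentication stays "no".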
