[Bug 3122] New Include functionality does not work as documented

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri May 15 21:03:49 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3122

--- Comment #6 from Jakub Jelen <jjelen at redhat.com> ---
(In reply to Damien Miller from comment #5)
> Just so I understand what's going on in the patch, is *activep==2
> supposed to mean "only allow match/include directives"?

Only options in match blocks are used, regardless of whether they are in the
main file or in an included file (after the first match block). The includes
are processed the same way as normally, but if a directive comes before
any match block, it is ignored.

> If so, rather than touch every *activep test but those, I think it
> might be better to add a new inc_flags value, say SSHCFG_IN_MATCH or
> perhaps SSHCFG_MATCH_ONLY drive the logic from that. What do you
> think?

Sure, if you would be able to plug it together somehow. I was not able
to figure out the correct conditions to make the flags work towards this
goal.

The main issue is that I need this flag to be active up to the first
match block, but I do not have a simple way to get this information out
of process_server_config_line_depth() function to its caller, which is
the only place I can for sure say "here was a Match block". I can
probably introduce new parameters, modify return values or use global
variables, but I was not satisfied with either direction so far.

But what I put together and which is missing in my patch above is the
regression test:

@@ -150,5 +150,19 @@ ${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
     -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
        fail "sshd allowed Include with no argument"

+# Ensure the Include before any Match block works as expected (bug
#3122)
+cat > $OBJ/sshd_config.i << _EOF
+Banner /xx
+HostKey $OBJ/host.ssh-ed25519
+Include $OBJ/sshd_config.i.2
+_EOF
+cat > $OBJ/sshd_config.i.2 << _EOF
+Match host a
+       Banner /aa
+_EOF
+
+trace "Include before match blocks"
+trial a /aa "included file before match blocks is properly evaluated"
+
 # cleanup
 rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
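
Review bot: The new case only asserts the matching side: `trial a /aa` shows that the Match block from the included file is applied for host a, but nothing checks that a host not matching `Match host a` still receives the global `Banner /xx` set before the `Include`. A second trial for a non-matching host that expects /xx would catch a regression where the included Match leaks into the global scope or where global options placed before the Include are dropped. It would also help to put a global directive after the `Include` line in sshd_config.i, because the included file ends inside a Match block and the test as written does not show how later main-file directives are then treated. Separately, the comment line `+# Ensure the Include ... (bug` is wrapped in this mail, so `#3122)` has no `+` prefix and the hunk will not apply as posted.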
