[openssh-commits] [openssh] 04/04: upstream: unveil ssh-pkcs11-helper too; fixes breakage spotted by

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Mar 10 14:46:12 AEDT 2026


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 2a9e1aadaa20a05430bddc30853fbd3449083a4d
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Tue Mar 10 03:40:26 2026 +0000

    upstream: unveil ssh-pkcs11-helper too; fixes breakage spotted by
    
    anton@
    
    If SK/P11/askpass is overridden by environment, only unveil the requested
    path and not both the requested one and the default.
    
    feedback/ok deraadt@
    
    OpenBSD-Commit-ID: 84356c6a44f35e66fe73fc1524a7c8e908521eb2
---
 ssh-agent.c | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/ssh-agent.c b/ssh-agent.c
index 03ca6f982..9c762a2e3 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.321 2026/03/07 18:35:43 deraadt Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.322 2026/03/10 03:40:26 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -2574,21 +2574,19 @@ skip:
 
 	if (unveil("/", "r") == -1)
 		fatal("%s: unveil /: %s", __progname, strerror(errno));
-	if (getenv("SSH_SK_HELPER"))
-		if (unveil(getenv("SSH_SK_HELPER"), "x") == -1)
-			fatal("%s: unveil %s: %s", __progname,
-			    getenv("SSH_SK_HELPER"), strerror(errno));
-	if (unveil(_PATH_SSH_SK_HELPER, "x") == -1)
-		fatal("%s: unveil %s: %s", __progname,
-		    _PATH_SSH_SK_HELPER, strerror(errno));
-	if (getenv("SSH_ASKPASS"))
-		if (unveil(getenv("SSH_ASKPASS"), "x") == -1)
-			fatal("%s: unveil %s: %s", __progname,
-			    getenv("SSH_ASKPASS"), strerror(errno));
-	if (unveil(_PATH_SSH_ASKPASS_DEFAULT, "x") == -1)
-		fatal("%s: unveil %s: %s", __progname,
-		    _PATH_SSH_ASKPASS_DEFAULT, strerror(errno));
-	if (unveil("/dev/null", "rw") == -1)
+	if ((ccp = getenv("SSH_SK_HELPER")) == NULL || *ccp == '\0')
+		ccp = _PATH_SSH_SK_HELPER;
+	if (unveil(ccp, "x") == -1)
+		fatal("%s: unveil %s: %s", __progname, ccp, strerror(errno));
+	if ((ccp = getenv("SSH_PKCS11_HELPER")) == NULL || *ccp == '\0')
+		ccp = _PATH_SSH_PKCS11_HELPER;
+	if (unveil(ccp, "x") == -1)
+		fatal("%s: unveil %s: %s", __progname, cp, strerror(errno));
+	if ((ccp = getenv("SSH_ASKPASS")) == NULL || *ccp == '\0')
+		ccp = _PATH_SSH_ASKPASS_DEFAULT;
+	if (unveil(ccp, "x") == -1)
+		fatal("%s: unveil %s: %s", __progname, cp, strerror(errno));
+	if (unveil("/dev/null", "rw") == -1)                                    
 		fatal("%s: unveil /dev/null: %s", __progname, strerror(errno));
 	if (pledge("stdio rpath cpath wpath unix id proc exec", NULL) == -1)
 		fatal("%s: pledge: %s", __progname, strerror(errno));
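Review bot: The new fatal() calls after the SSH_PKCS11_HELPER and SSH_ASKPASS unveils pass `cp` rather than `ccp`, so a failed unveil would report some other variable instead of the path that was actually unveiled. `cp` is not assigned anywhere in this hunk, so it may be stale or NULL at that point; both calls should match the SK helper one: `fatal("%s: unveil %s: %s", __progname, ccp, strerror(errno));`. Since an empty environment value now falls back to the compiled-in default, it is worth confirming that the code which later executes these helpers resolves the path with the same NULL-or-empty rule, otherwise the path executed and the path unveiled could differ. The `unveil("/dev/null", "rw")` line was also re-added with trailing whitespace. The enclosing function begins and ends outside the hunk, so the declarations of `ccp` and `cp` are not visible here.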
