trivial patch to post overridden command into env

Bennett Todd bet at rahul.net
Tue Sep 5 03:14:53 EST 2000


I am not 100% positive of the security implications of this, but I
really can't see any potential for harm.

If this patch is applied (I coded it against the now-current
openssh-2.2.0p1), then if (a) the authorized_keys entry has
command="whatever" to force a specific command, and also (b) the
invoker specified some command on their ssh cmdline, then the
invoked command will be posted into the $command environment
variable.

This is really helpful for providing restricted-access versions of
things like rsync-over-ssh and cvs-over-ssh, where the command may
vary, but nonetheless needs to be restricted; the command="..."
string in authorized_keys can specify a wrapper that checks the
command environment variable, and if and only if it likes it, execs
the real command with some (checked) args from the user.

I used a new global [global to session.c, static for file scope] to
pass the saved command from one place to another, which is almost
certainly inappropriate. Hopefully, if the maintainers of OpenSSH
deem this functionality worth including, they'll be able to bring
their superior knowledge of openssh's data structures and flow to
bear on the problem and pick a more apt place to stash it.

-Bennett

[ I'd be grateful if any comments on this patch were Cc-ed to me
  directly, as I'm not on the list ]
-------------- next part --------------
diff -ruN openssh-2.2.0p1.orig/session.c openssh-2.2.0p1/session.c
--- openssh-2.2.0p1.orig/session.c	Tue Aug 29 18:21:22 2000
+++ openssh-2.2.0p1/session.c	Mon Sep  4 11:47:10 2000
@@ -125,6 +125,8 @@
 static login_cap_t *lc;
 #endif
 
+static char *saved_command = 0;
+
 /*
  * Remove local Xauthority file.
  */
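Review bot: `static char *saved_command = 0;` initializes the pointer with `0`, while the next hunk assigns `NULL` to the same variable; use `NULL` here as well. The new file-scope variable also carries no comment, so a one-line note that it holds the client-requested command that a forced command overrode would help the next reader.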
@@ -377,8 +379,11 @@
 				packet_integrity_check(plen, 0, type);
 			}
 			if (forced_command != NULL) {
+				saved_command = command;
 				command = forced_command;
 				debug("Forced command '%.500s'", forced_command);
+			} else {
+				saved_command  = NULL;
 			}
 			if (have_pty)
 				do_exec_pty(s, command, pw);
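Review bot: `saved_command = command;` keeps a second pointer to the client's string rather than a copy, so `saved_command` stays valid only as long as the buffer behind `command` does, and nothing in this hunk shows who owns or frees that buffer. Consider storing a copy (for example with `xstrdup`) and freeing it when the value is replaced. There is also a stray double space in `saved_command  = NULL;`.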
@@ -1042,6 +1047,9 @@
 	env = xmalloc(envsize * sizeof(char *));
 	env[0] = NULL;
 
+	if (saved_command) {
+		child_set_env(&env, &envsize, "command", saved_command);
+	}
 	if (!options.use_login) {
 		/* Set basic environment. */
 		child_set_env(&env, &envsize, "USER", pw->pw_name);
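Review bot: the name passed in `child_set_env(&env, &envsize, "command", saved_command);` is lowercase and generic, next to `"USER"` a few lines below; a distinct uppercase name would be less likely to collide with a variable the forced command or its shell already uses. The value is whatever string the client sent, so the documentation for command="..." should state that wrappers must treat this variable as untrusted input.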
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000904/88d7031a/attachment.bin 
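The wrapper described in the message (one named by command="..." that checks the `command` variable and execs the real program with checked arguments) could look like the following. It is an added example, not part of the original post or of OpenSSH; the export directory, the binary paths and the assumed shape of the rsync server command line are assumptions.

```python
#!/usr/bin/env python3
# Forced-command wrapper (added example), named by command="..." in authorized_keys.
import os
import posixpath
import re
import shlex
import sys

EXPORT_ROOT = "/srv/export"                    # hypothetical directory clients may read
RSYNC, CVS = "/usr/bin/rsync", "/usr/bin/cvs"  # assumed install paths
SHORT_OPTS = re.compile(r"-[A-Za-z.]+\Z")      # one cluster of short flags, no '=' or '/'


def build_argv(requested):
    """Return the argv to exec for the client's requested command, or None to refuse."""
    if not requested:
        return None                            # no command given: no interactive shell
    try:
        words = shlex.split(requested)         # parse only; nothing here reaches a shell
    except ValueError:
        return None                            # unbalanced quotes
    if words == ["cvs", "server"]:
        return [CVS, "server"]
    # Assumed shape of a read-only pull: rsync --server --sender -<flags> . <path>
    if len(words) != 6 or words[:3] != ["rsync", "--server", "--sender"]:
        return None
    flags, dot, path = words[3], words[4], words[5]
    if not SHORT_OPTS.match(flags) or dot != ".":
        return None
    clean = posixpath.normpath(path)           # collapses ".." before the prefix test
    if clean != EXPORT_ROOT and not clean.startswith(EXPORT_ROOT + "/"):
        return None
    if path.endswith("/"):
        clean += "/"                           # rsync reads a trailing slash as "contents of"
    return [RSYNC, "--server", "--sender", flags, ".", clean]


def main():
    argv = build_argv(os.environ.get("command"))  # variable name used by the patch
    if argv is None:
        sys.stderr.write("command refused\n")
        return 1
    os.execv(argv[0], argv)                    # exec directly, never via /bin/sh


if __name__ == "__main__":
    sys.exit(main())
```

The path check is lexical only: `normpath` does not resolve symlinks, so the export tree itself must not contain links that lead outside it.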