ForceCommand and ~/.ssh/rc
Mikhail Terekhov
termim at gmail.com
Wed Mar 26 03:06:40 EST 2008
On Mon, Mar 24, 2008 at 6:21 PM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Mar 25, 2008 at 08:57:39AM +1100, Damien Miller wrote:
> > On Thu, 20 Mar 2008, Mikhail Terekhov wrote:
>
> > > As I understand the "ForceCommand" in the sshd_config file is meant to
> > > ignore any command supplied by the client, but if user's home is shared by
> > > server and client machines over network (ex. NFS) then user can still put
> > > something else into ~/.ssh/rc file and overcome this limitation. Is it
> > > possible to disable execution of the ~/.ssh/rc file in such a case?
> >
> > Could you please try this?
> [..]
>
> > - if (!options.use_login)
> > + if (!options.use_login && options.adm_forced_command == NULL)
>
> This should also check forced_command too, no? That usually comes from
> a user-controlled authorized_keys file in ~/.ssh, however that's not
> necessarily the case (eg AuthorizedKeysFile /etc/ssh/keys or some such).
>
> Also, this will disable the root-owned rc file which isn't necessary.
> How about something like this?
>
> Index: session.c
> ===================================================================
> RCS file: /usr/local/src/security/openssh/cvs/openssh/session.c,v
> retrieving revision 1.364
> diff -u -p -r1.364 session.c
> --- session.c 15 Mar 2008 06:27:58 -0000 1.364
> +++ session.c 24 Mar 2008 22:19:08 -0000
> @@ -1196,14 +1196,18 @@ do_rc_files(Session *s, const char *shel
> {
> FILE *f = NULL;
> char cmd[1024];
> - int do_xauth;
> + int do_xauth, do_user_rc = 1;
> struct stat st;
>
> do_xauth =
> s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
>
> - /* ignore _PATH_SSH_USER_RC for subsystems */
> - if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
> + /* ignore _PATH_SSH_USER_RC for subsystems and forced commands */
> + if (s->is_subsystem || options.adm_forced_command != NULL ||
> + forced_command != NULL)
> + do_user_rc = 0;
> +
> + if (do_user_rc && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
> snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
> shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
> if (debug_flag)
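Review bot: In the new test `if (s->is_subsystem || options.adm_forced_command != NULL || forced_command != NULL)`, the `forced_command != NULL` term also switches off ~/.ssh/rc for sessions whose command was forced from authorized_keys, which is a behaviour change for existing users of that option and not only a restriction on the sshd_config ForceCommand. That deserves a line in the commit message and in the sshd(8) text describing ~/.ssh/rc, which this session.c-only diff does not touch. As a style point, `do_user_rc` is assigned once and read once, so the three conditions could sit directly in the `if` that guards `stat(_PATH_SSH_USER_RC, &st)`.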
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
I'm a little confused about the version number. Your patch shows session.c
rev. 1.364 but I've got rev. 1.231 from CVS. Anyway, it looks like rev. 1.231
did the required changes. Unfortunately there is a typo in this revision that
reverses the effect. The following patch fixes that.
*** session.c 25 Mar 2008 09:47:50 -0400 1.231
--- session.c 25 Mar 2008 11:56:24 -0400
***************
*** 879,885 ****
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
! if (!s->is_subsystem && options.adm_forced_command != NULL &&
(stat(_PATH_SSH_USER_RC, &st) >= 0)) {
snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
--- 879,885 ----
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
! if (!s->is_subsystem && options.adm_forced_command == NULL &&
(stat(_PATH_SSH_USER_RC, &st) >= 0)) {
snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
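Review bot: The corrected test `!s->is_subsystem && options.adm_forced_command == NULL` looks only at the sshd_config ForceCommand, so a session whose command arrives through `forced_command` (the authorized_keys case raised earlier in the thread) still reaches `stat(_PATH_SSH_USER_RC, &st)` and runs the user rc. If that case is meant to be covered as well, add `forced_command == NULL` to the condition and extend the comment, which currently names only "admin forced commands".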
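For administrators checking an existing host for the situation discussed in this thread, the following added example (not part of the original post and not OpenSSH code) lists per-user ~/.ssh/rc files when the configuration contains a ForceCommand. The function names, sample config and home directories are constructed for illustration; it assumes a flat text match with no Match-scope or Include handling and does not inspect authorized_keys options.

```shell
#!/bin/sh
# Added example (not OpenSSH code): flag per-user rc files on a host that
# relies on ForceCommand. Assumption: a flat text match on the config, with
# no Match-scope or Include resolution.

# Succeeds if CONFIG ($1) has an active (uncommented) ForceCommand line.
has_force_command() {
    grep -Eiq '^[[:space:]]*forcecommand([[:space:]]|=)' "$1"
}

# Prints every HOME_ROOT/<user>/.ssh/rc that exists, one per line.
list_user_rc() {
    for home in "$1"/*/; do
        [ -f "${home}.ssh/rc" ] && printf '%s\n' "${home}.ssh/rc"
    done
    return 0
}

# Returns 1 when ForceCommand is configured and at least one user rc exists.
forced_rc_audit() {
    config=$1
    home_root=$2
    if ! has_force_command "$config"; then
        echo "no ForceCommand in $config"
        return 0
    fi
    found=$(list_user_rc "$home_root")
    if [ -z "$found" ]; then
        echo "ForceCommand set, no user rc files under $home_root"
        return 0
    fi
    printf 'ForceCommand set; review these user rc files:\n%s\n' "$found"
    return 1
}

# Constructed sample data: two configs and two home directories.
demo=$(mktemp -d)
mkdir -p "$demo/home/alice/.ssh" "$demo/home/bob/.ssh"
printf 'Match Group sftponly\n    ForceCommand internal-sftp\n' > "$demo/sshd_config"
printf '#ForceCommand /bin/false\n' > "$demo/sshd_config.off"
echo 'echo hello' > "$demo/home/alice/.ssh/rc"

forced_rc_audit "$demo/sshd_config" "$demo/home" || true
forced_rc_audit "$demo/sshd_config.off" "$demo/home"
```

Current OpenSSH documents a PermitUserRC option in sshd_config(5) that controls whether ~/.ssh/rc is executed at all; on hosts that have it, the audit above is a check that the setting matches intent.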