[openssh-commits] [openssh] 02/06: upstream: better terminology for permissions; feedback & ok markus@

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Jun 22 16:28:16 AEST 2020



djm pushed a commit to branch master
in repository openssh.

commit fc270baf264248c3ee3050b13a6c8c0919e6559f
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Jun 22 05:52:05 2020 +0000

    upstream: better terminology for permissions; feedback & ok markus@
    
    OpenBSD-Commit-ID: ffb220b435610741dcb4de0e7fc68cbbdc876d2c
---
 sftp-server.c | 32 ++++++++++++++++----------------
 ssh-agent.1   | 18 +++++++++---------
 ssh-agent.c   | 24 ++++++++++++------------
 3 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/sftp-server.c b/sftp-server.c
index 359204fa..b1d8c88c 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.117 2019/07/05 04:55:40 djm Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.118 2020/06/22 05:52:05 djm Exp $ */
 /*
  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
  *
@@ -74,7 +74,7 @@ static int init_done;
 static int readonly;
 
 /* Requests that are allowed/denied */
-static char *request_whitelist, *request_blacklist;
+static char *request_allowlist, *request_denylist;
 
 /* portable attributes, etc. */
 typedef struct Stat Stat;
@@ -164,20 +164,20 @@ request_permitted(const struct sftp_handler *h)
 		verbose("Refusing %s request in read-only mode", h->name);
 		return 0;
 	}
-	if (request_blacklist != NULL &&
-	    ((result = match_list(h->name, request_blacklist, NULL))) != NULL) {
+	if (request_denylist != NULL &&
+	    ((result = match_list(h->name, request_denylist, NULL))) != NULL) {
 		free(result);
-		verbose("Refusing blacklisted %s request", h->name);
+		verbose("Refusing denylisted %s request", h->name);
 		return 0;
 	}
-	if (request_whitelist != NULL &&
-	    ((result = match_list(h->name, request_whitelist, NULL))) != NULL) {
+	if (request_allowlist != NULL &&
+	    ((result = match_list(h->name, request_allowlist, NULL))) != NULL) {
 		free(result);
-		debug2("Permitting whitelisted %s request", h->name);
+		debug2("Permitting allowlisted %s request", h->name);
 		return 1;
 	}
-	if (request_whitelist != NULL) {
-		verbose("Refusing non-whitelisted %s request", h->name);
+	if (request_allowlist != NULL) {
+		verbose("Refusing non-allowlisted %s request", h->name);
 		return 0;
 	}
 	return 1;
@@ -1556,8 +1556,8 @@ sftp_server_usage(void)
 
 	fprintf(stderr,
 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
-	    "[-l log_level]\n\t[-P blacklisted_requests] "
-	    "[-p whitelisted_requests] [-u umask]\n"
+	    "[-l log_level]\n\t[-P denied_requests] "
+	    "[-p allowed_requests] [-u umask]\n"
 	    "       %s -Q protocol_feature\n",
 	    __progname, __progname);
 	exit(1);
@@ -1627,14 +1627,14 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
 			free(cp);
 			break;
 		case 'p':
-			if (request_whitelist != NULL)
+			if (request_allowlist != NULL)
 				fatal("Permitted requests already set");
-			request_whitelist = xstrdup(optarg);
+			request_allowlist = xstrdup(optarg);
 			break;
 		case 'P':
-			if (request_blacklist != NULL)
+			if (request_denylist != NULL)
 				fatal("Refused requests already set");
-			request_blacklist = xstrdup(optarg);
+			request_denylist = xstrdup(optarg);
 			break;
 		case 'u':
 			errno = 0;
diff --git a/ssh-agent.1 b/ssh-agent.1
index 8e9295e9..2cf46160 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.71 2020/06/19 07:21:42 dtucker Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.72 2020/06/22 05:52:05 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo at cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 19 2020 $
+.Dd $Mdocdate: June 22 2020 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -46,12 +46,12 @@
 .Op Fl \&Dd
 .Op Fl a Ar bind_address
 .Op Fl E Ar fingerprint_hash
-.Op Fl P Ar provider_whitelist
+.Op Fl P Ar allowed_providers
 .Op Fl t Ar life
 .Nm ssh-agent
 .Op Fl a Ar bind_address
 .Op Fl E Ar fingerprint_hash
-.Op Fl P Ar provider_whitelist
+.Op Fl P Ar allowed_providers
 .Op Fl t Ar life
 .Ar command Op Ar arg ...
 .Nm ssh-agent
@@ -102,19 +102,19 @@ The default is
 Kill the current agent (given by the
 .Ev SSH_AGENT_PID
 environment variable).
-.It Fl P Ar provider_whitelist
-Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
-shared libraries that may be used with the
+.It Fl P Ar allowed_providers
+Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO
+authenticator middleware shared libraries that may be used with the
 .Fl S
 or
 .Fl s
 options to
 .Xr ssh-add 1 .
-Libraries that do not match the whitelist will be refused.
+Libraries that do not match the pattern list will be refused.
 See PATTERNS in
 .Xr ssh_config 5
 for a description of pattern-list syntax.
-The default whitelist is
+The default list is
 .Dq /usr/lib/*,/usr/local/lib/* .
 .It Fl s
 Generate Bourne shell commands on
diff --git a/ssh-agent.c b/ssh-agent.c
index 596c3958..d2f00e5b 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.259 2020/06/19 07:21:42 dtucker Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.260 2020/06/22 05:52:05 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -150,8 +150,8 @@ pid_t cleanup_pid = 0;
 char socket_name[PATH_MAX];
 char socket_dir[PATH_MAX];
 
-/* PKCS#11/Security key path whitelist */
-static char *provider_whitelist;
+/* Pattern-list of allowed PKCS#11/Security key paths */
+static char *allowed_providers;
 
 /* locking */
 #define LOCK_SIZE	32
@@ -612,9 +612,9 @@ process_add_identity(SocketEntry *e)
 			free(sk_provider);
 			sk_provider = xstrdup(canonical_provider);
 			if (match_pattern_list(sk_provider,
-			    provider_whitelist, 0) != 1) {
+			    allowed_providers, 0) != 1) {
 				error("Refusing add key: "
-				    "provider %s not whitelisted", sk_provider);
+				    "provider %s not allowed", sk_provider);
 				free(sk_provider);
 				goto send;
 			}
@@ -769,9 +769,9 @@ process_add_smartcard_key(SocketEntry *e)
 		    provider, strerror(errno));
 		goto send;
 	}
-	if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
+	if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
 		verbose("refusing PKCS#11 add of \"%.100s\": "
-		    "provider not whitelisted", canonical_provider);
+		    "provider not allowed", canonical_provider);
 		goto send;
 	}
 	debug("%s: add %.100s", __func__, canonical_provider);
@@ -1255,7 +1255,7 @@ usage(void)
 	fprintf(stderr,
 	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
 	    "                 [-P provider_whitelist] [-t life]\n"
-	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P provider_whitelist]\n"
+	    "       ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n"
 	    "                 [-t life] command [arg ...]\n"
 	    "       ssh-agent [-c | -s] -k\n");
 	exit(1);
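Review bot: The first usage form on line 210 still prints `[-P provider_whitelist]` while the second form on line 212 is changed to `[-P allowed_providers]`, so the two lines of the same usage message now disagree with each other and with the manual page, which renames both synopsis forms; the unchanged context line should read `"                 [-P allowed_providers] [-t life]\n"`. The same half-rename is visible in the main() hunk at lines 233 and 235, where the default is still taken from `DEFAULT_PROVIDER_WHITELIST`; renaming that macro (defined outside this hunk) in a follow-up would keep the terminology consistent. usage() begins before this hunk.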
@@ -1320,9 +1320,9 @@ main(int ac, char **av)
 				fatal("Unknown -O option");
 			break;
 		case 'P':
-			if (provider_whitelist != NULL)
+			if (allowed_providers != NULL)
 				fatal("-P option already specified");
-			provider_whitelist = xstrdup(optarg);
+			allowed_providers = xstrdup(optarg);
 			break;
 		case 's':
 			if (c_flag)
@@ -1358,8 +1358,8 @@ main(int ac, char **av)
 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
 		usage();
 
-	if (provider_whitelist == NULL)
-		provider_whitelist = xstrdup(DEFAULT_PROVIDER_WHITELIST);
+	if (allowed_providers == NULL)
+		allowed_providers = xstrdup(DEFAULT_PROVIDER_WHITELIST);
 
 	if (ac == 0 && !c_flag && !s_flag) {
 		shell = getenv("SHELL");
