diff options
| author | Damien Miller <djm@mindrot.org> | 2012-11-14 19:04:02 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-11-14 19:04:02 +1100 |
| commit | 1e85469fcb1e81e7f8f643eafd42eb6c123a8c13 (patch) | |
| tree | a2a297d54cf5b121af7cd9875d7f20b19f770439 /auth2-pubkey.c | |
| parent | 0120c41d6b927beb89499b49eb66512225d30f7f (diff) | |
- djm@cvs.openbsd.org 2012/11/14 02:24:27
[auth2-pubkey.c]
fix username passed to helper program
prepare stdio fds before closefrom()
spotted by landry@
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index f9cc6c2c..70d8996e 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.32 2012/11/04 10:38:43 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.33 2012/11/14 02:24:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -504,8 +504,8 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) goto out; } - debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"", - options.authorized_keys_command, pw->pw_name); + debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"", + options.authorized_keys_command, user_pw->pw_name, pw->pw_name); /* * Don't want to call this in the child, where it can fatal() and @@ -523,7 +523,19 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) for (i = 0; i < NSIG; i++) signal(i, SIG_DFL); + if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { + error("%s: open %s: %s", __func__, _PATH_DEVNULL, + strerror(errno)); + _exit(1); + } + /* Keep stderr around a while longer to catch errors */ + if (dup2(devnull, STDIN_FILENO) == -1 || + dup2(p[1], STDOUT_FILENO) == -1) { + error("%s: dup2: %s", __func__, strerror(errno)); + _exit(1); + } closefrom(STDERR_FILENO + 1); + /* Don't use permanently_set_uid() here to avoid fatal() */ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { error("setresgid %u: %s", (u_int)pw->pw_gid, @@ -535,22 +547,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) strerror(errno)); _exit(1); } - - close(p[0]); - if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { - error("%s: open %s: %s", __func__, _PATH_DEVNULL, - strerror(errno)); - _exit(1); - } - if (dup2(devnull, STDIN_FILENO) == -1 || - dup2(p[1], STDOUT_FILENO) == -1 || - dup2(devnull, STDERR_FILENO) == -1) { + /* stdin is pointed to /dev/null at this point */ + if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) { error("%s: dup2: %s", __func__, strerror(errno)); _exit(1); } execl(options.authorized_keys_command, - options.authorized_keys_command, pw->pw_name, NULL); + options.authorized_keys_command, user_pw->pw_name, NULL); error("AuthorizedKeysCommand %s exec failed: %s", options.authorized_keys_command, strerror(errno)); |