diff options
author | djm@openbsd.org <djm@openbsd.org> | 2020-12-22 00:12:22 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-12-22 15:43:59 +1100 |
commit | a34e14a5a0071de2036826a00197ce38c8b4ba8b (patch) | |
tree | fecbedec82ee4132e34ec64e173c301f9598bed2 /auth2-pubkey.c | |
parent | 649205fe388b56acb3481a1b2461f6b5b7c6efa6 (diff) |
upstream: move subprocess() from auth.c to misc.c
make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)
add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.
feedback & ok markus@
OpenBSD-Commit-ID: a80ea9fdcc156f1a18e9c166122c759fae1637bf
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 307afa56..14863cbf 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.102 2020/12/17 23:28:50 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.103 2020/12/22 00:12:22 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -530,9 +530,10 @@ match_principals_command(struct ssh *ssh, struct passwd *user_pw, /* Prepare a printable command for logs, etc. */ command = argv_assemble(ac, av); - if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command, + if ((pid = subprocess("AuthorizedPrincipalsCommand", command, ac, av, &f, - SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) + SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, + runas_pw, temporarily_use_uid, restore_uid)) == 0) goto out; uid_swapped = 1; @@ -968,9 +969,10 @@ user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw, xasprintf(&command, "%s %s", av[0], av[1]); } - if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command, + if ((pid = subprocess("AuthorizedKeysCommand", command, ac, av, &f, - SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) + SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, + runas_pw, temporarily_use_uid, restore_uid)) == 0) goto out; uid_swapped = 1; |