From 12f57c7d9b0ca041279277e1e39a582c2e696ac8 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Tue, 12 Jan 2010 08:51:48 +0000
Subject: [PATCH] - dtucker@cvs.openbsd.org 2010/01/12 08:33:17 [session.c] Add explicit stat so we reliably detect nologin with bad perms. ok djm markus
---
 ChangeLog | 6 +++++-
 session.c | 40 ++++++++++++++++++++++------------------
 2 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6992a01b..174b60a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,4 @@
-20100111
+20100112
 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2010/01/11 01:39:46 [ssh_config channels.c ssh.1 channels.h ssh.c]
@@ -35,6 +35,10 @@
 [buffer.h bufaux.c] add a buffer_get_string_ptr_ret() that does the same as buffer_get_string_ptr() but does not fatal() on error; ok dtucker@
+ - dtucker@cvs.openbsd.org 2010/01/12 08:33:17
+ [session.c]
+ Add explicit stat so we reliably detect nologin with bad perms.
+ ok djm markus
 20100110 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
diff --git a/session.c b/session.c
index 6cd07d4f..fd7acbe0 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.250 2010/01/12 01:31:05 dtucker Exp $ */
+/* $OpenBSD: session.c,v 1.251 2010/01/12 08:33:17 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -1377,28 +1377,32 @@ static void
 do_nologin(struct passwd *pw)
 {
 FILE *f = NULL;
- char buf[1024];
+ char buf[1024], *nl, *def_nl = _PATH_NOLOGIN;
+ struct stat sb;
 
 #ifdef HAVE_LOGIN_CAP
- if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
- f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN,
- _PATH_NOLOGIN), "r");
+ if (login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
+ return;
+ nl = login_getcapstr(lc, "nologin", def_nl, def_nl);
 #else
- if (pw->pw_uid)
- f = fopen(_PATH_NOLOGIN, "r");
+ if (pw->pw_uid == 0)
+ return;
+ nl = def_nl;
 #endif
- if (f != NULL || errno == EPERM) {
- /* /etc/nologin exists. Print its contents and exit. */
- logit("User %.100s not allowed because %s exists",
- pw->pw_name, _PATH_NOLOGIN);
- if (f == NULL)
- exit(254);
- while (fgets(buf, sizeof(buf), f))
- fputs(buf, stderr);
- fclose(f);
- fflush(NULL);
- exit(254);
+ if (stat(nl, &sb) == -1) {
+ if (nl != def_nl)
+ xfree(nl);
+ return;
 }
+
+ /* /etc/nologin exists. Print its contents if we can and exit. */
+ logit("User %.100s not allowed because %s exists", pw->pw_name, nl);
+ if ((f = fopen(nl, "r")) != NULL) {
+ while (fgets(buf, sizeof(buf), f))
+ fputs(buf, stderr);
+ fclose(f);
+ }
+ exit(254);
 }
 
 /*
-- 
2.11.4.GIT
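Review bot: The new early-return guard under HAVE_LOGIN_CAP is not the negation of the condition it replaces: the old `!login_getcapbool(...) && pw->pw_uid` inverts to `ignorenologin || pw_uid == 0`, but the hunk returns only when ignorenologin is set and the uid is non-zero, so a root login on a login_cap build now falls through to stat() and is refused whenever the nologin file exists, whereas the #else branch still exempts root. The fix is one line, `if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0)` in place of the `&&` form, which also makes the two branches agree. The `nl != def_nl` test before xfree() would read better with a short comment, e.g. `/* login_getcapstr() may hand back def_nl itself; only free a returned copy */`, though whether it returns the default pointer unchanged is my reading of login_cap and not something the hunk shows. do_nologin() is entirely within this hunk.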