bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 07:01 UTC
[Bug 1680] New: Match User/Group with no affirmative match does not work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1680

           Summary: Match User/Group with no affirmative match does not work as expected
           Product: Portable OpenSSH
           Version: 5.3p1
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: osshbugs at qwe.cc

Statements such as:

    Match User !root
        ForceCommand /bin/rshell

or:

    Match Group !root
        ForceCommand /bin/rshell

Will not work, due to (in my read) servconf.c

    # } else if (ga_match_pattern_list(grps) != 1) {

and

    # if (match_pattern_list(user, arg, len, 0) != 1)

Both functions on an affirmatively negated match will return -1 (rather than 1, but still non zero), thus never being considered a "match" by either user or group negation processing.

In fact, for users, I'm not certain the processing will ever be correct for negation in any sane deploy (Match user steve !steve)?, though for groups it could make sense to return differing results based on the intersection of group1 & !group2

Since there is not a "ForceCommand no", and ForceCommand /bin/bash is not the same as login (obv.), I'm left at a bit of a puzzle to handle this one.

Or I could be misreading all this code, or it's already fixed elsewhere and I missed it. But I think it's a bug anyhow...

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 07:11 UTC
[Bug 1680] Match User/Group with no affirmative match does not work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1680

--- Comment #1 from osshbugs at qwe.cc 2009-12-03 18:11:53 EST ---

ahh, an undocumented, but logical workaround:

If you force a positive match, it will work:

    Match user *,!root

Perhaps just a fix in the manpages would suffice to save someone else hours on this one :-)
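
Added example, not part of the bug report and not OpenSSH source: a simplified C model of the pattern-list return convention (1 = a positive entry matched, -1 = a negated entry matched, 0 = nothing matched) combined with the `!= 1` caller test quoted from servconf.c. It shows why a `ForceCommand` under `Match User !root` is never applied to anyone, while `*,!root` applies it to everyone except root. The function names are hypothetical and the glob handles only `*` and `?`.

```c
#include <stdio.h>
#include <string.h>

/* Simplified glob: only '*' and '?' are supported. */
static int glob_match(const char *s, const char *p)
{
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*')
        return glob_match(s, p + 1) || (*s != '\0' && glob_match(s + 1, p));
    return *s != '\0' && (*p == '?' || *p == *s) && glob_match(s + 1, p + 1);
}

/* Model: -1 if a "!" entry matches, 1 if a positive entry matches, else 0. */
static int model_match_list(const char *s, const char *list)
{
    char entry[64];
    int got_positive = 0;

    while (*list != '\0') {
        size_t n = strcspn(list, ",");      /* length of the current entry */
        int negated = (list[0] == '!');
        if (n >= sizeof(entry))
            return 0;                       /* oversized entry: no match */
        memcpy(entry, list, n);
        entry[n] = '\0';
        if (n > 0 && glob_match(s, entry + negated)) {
            if (negated)
                return -1;                  /* a negated hit ends the search */
            got_positive = 1;
        }
        list += n + (list[n] == ',');       /* step past the entry and comma */
    }
    return got_positive;
}

/* Caller-side test as quoted from servconf.c: only a result of 1 counts. */
static int block_applies(const char *user, const char *list)
{
    return model_match_list(user, list) == 1;
}

int main(void)
{
    const char *users[] = { "steve", "root" }, *lists[] = { "!root", "*,!root" };
    for (int l = 0; l < 2; l++)
        for (int u = 0; u < 2; u++)
            printf("Match User %-8s user=%-5s result=%2d applies=%d\n", lists[l],
                   users[u], model_match_list(users[u], lists[l]),
                   block_applies(users[u], lists[l]));
    return 0;
}
```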