bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 07:48 UTC
[Bug 1315] New: Match Group does not support negation
http://bugzilla.mindrot.org/show_bug.cgi?id=1315
Summary: Match Group does not support negation
Product: Portable OpenSSH
Version: 4.6p1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: wknox at mitre.org
Created an attachment (id=1283)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1283)
Suggested patch
A Match conditional with a Group keyword does not support negation of
groups (i.e. don't apply if the person is a member of the named group).
The following patch adds this functionality. A small change to wording
on line 534 of servconf.c is also in order, but I haven't added that. I
also did not check to see if this causes any major headaches with
AllowGroups or DenyGroups, which also use the modified function
(ga_match), but I don't believe it should. The one assumption which
should be spelled out is that if you get a negation match, that is a
breaker which causes further matching to stop.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
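The matching rule the report describes (a hit on a negated group stops further matching), as an added example that is not the attached patch or OpenSSH's own code. `match_one_group`, `groups_match_list` and the sample accounts are hypothetical, and only exact names and a lone `*` are handled.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: test one group name against a comma-separated list.
 * Returns 1 on a positive match, -1 when a negated ("!") entry matches,
 * 0 when nothing matches. Only exact names and a lone "*" are handled. */
static int match_one_group(const char *group, const char *list)
{
    size_t glen = strlen(group);
    int result = 0;

    while (*list != '\0') {
        size_t len = strcspn(list, ",");
        int negated = (len > 0 && list[0] == '!');
        const char *name = list + negated;
        size_t nlen = len - (size_t)negated;
        int hit = (nlen == 1 && name[0] == '*') ||
            (nlen == glen && strncmp(name, group, glen) == 0);

        if (hit && negated)
            return -1;          /* breaker: stop matching immediately */
        if (hit)
            result = 1;         /* keep scanning: a later "!" may still hit */
        list += len;
        if (*list == ',')
            list++;
    }
    return result;
}

/* Hypothetical helper: 1 if the user's groups satisfy the list, else 0. */
static int groups_match_list(const char *const *groups, size_t n, const char *list)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        int r = match_one_group(groups[i], list);
        if (r == -1)
            return 0;           /* member of a negated group: never matches */
        if (r == 1)
            found = 1;
    }
    return found;
}

/* Constructed sample accounts, not taken from the bug report. */
static const char *const alice[] = { "staff", "sftp" };
static const char *const bob[] = { "staff", "contractors" };

int main(void)
{
    printf("%d %d\n", groups_match_list(alice, 2, "staff,!contractors"),
        groups_match_list(bob, 2, "staff,!contractors"));
    return 0;
}
```

In this model a list made up only of negated entries never matches, because no entry produces a positive hit; it needs a positive entry such as `*` alongside the negation.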
bugzilla-daemon at bugzilla.mindrot.org
2007-May-17 09:11 UTC
[Bug 1315] Match Group does not support negation
http://bugzilla.mindrot.org/show_bug.cgi?id=1315
Remy Blank <remy.blank at pobox.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |remy.blank at pobox.com
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-14 01:15 UTC
[Bug 1315] Match Group does not support negation
https://bugzilla.mindrot.org/show_bug.cgi?id=1315
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Blocks| |1452
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2008-06-14 11:15:11 ---
Target 5.1. ga_match is used by more than just the "Match Group" so we
will need to check carefully that this doesn't have side effects.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-30 10:55 UTC
[Bug 1315] Match Group does not support negation
https://bugzilla.mindrot.org/show_bug.cgi?id=1315
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> 2008-06-30 20:55:48 ---
Yeah, the interactions between AllowGroups and DenyGroups (the two
other places where ga_match is used) are weird enough without having
negation thrown in the mix.
Perhaps either add a flag to ga_match() to specify whether negation is
allowed and only set it for the Match case, or create a separate
ga_match_list() for the Match case.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-03 03:25 UTC
[Bug 1315] Match Group does not support negation
https://bugzilla.mindrot.org/show_bug.cgi?id=1315
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1538| |ok?
Flag| |
--- Comment #3 from Damien Miller <djm at mindrot.org> 2008-07-03 13:25:15 ---
Created an attachment (id=1538)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1538)
separate ga_match_pattern_list() function
like this
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-04 03:39 UTC
[Bug 1315] Match Group does not support negation
https://bugzilla.mindrot.org/show_bug.cgi?id=1315
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1538| |ok+
Flag| |
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-04 03:45 UTC
[Bug 1315] Match Group does not support negation
https://bugzilla.mindrot.org/show_bug.cgi?id=1315
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #4 from Damien Miller <djm at mindrot.org> 2008-07-04 13:45:36 ---
patch applied - this will be in openssh-5.1. Thanks!
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-22 02:18 UTC
[Bug 1315] Match Group does not support negation
https://bugzilla.mindrot.org/show_bug.cgi?id=1315
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Damien Miller <djm at mindrot.org> 2008-07-22 12:18:53 ---
Mass update RESOLVED->CLOSED after release of openssh-5.1