bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 07:01 UTC
[Bug 1680] New: Match User/Group with no affirmative match does not work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1680
Summary: Match User/Group with no affirmative match does not work as expected
Product: Portable OpenSSH
Version: 5.3p1
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: osshbugs at qwe.cc
Statements such as:

    Match User !root
        ForceCommand /bin/rshell

or:

    Match Group !root
        ForceCommand /bin/rshell

Will not work, due to (in my read) servconf.c

    # } else if (ga_match_pattern_list(grps) != 1) {

and

    # if (match_pattern_list(user, arg, len, 0) != 1)

Both functions on an affirmatively negated match will return -1 (rather
than 1, but still non zero), thus never being considered a "match" by
either user or group negation processing.
In fact, for users, I'm not certain the processing will ever be correct
for negation in any sane deploy (Match user steve !steve)?, though for
groups it could make sense to return differing results based on the
intersection of group1 & !group2
Since there is not a "ForceCommand no", and ForceCommand /bin/bash is
not the same as login (obv.), I'm left at a bit of a puzzle to handle
this one.
Or I could be misreading all this code, or it's already fixed elsewhere
and I missed it.
But I think it's a bug anyhow...
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 07:11 UTC
[Bug 1680] Match User/Group with no affirmative match does not work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=1680
--- Comment #1 from osshbugs at qwe.cc 2009-12-03 18:11:53 EST ---
ahh, an undocumented, but logical workaround:
If you force a positive match, it will work:

    Match user *,!root

Perhaps just a fix in the manpages would suffice to save someone else
hours on this one :-)
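
The return-value behaviour described in this thread, as an added example that is not part of the original report and is not OpenSSH's code: a simplified model that assumes the 1 / 0 / -1 convention the reporter describes, with hypothetical names `glob_match`, `model_match_list` and `match_block_applies`. It shows that a list holding only `!root` never applies the Match block, so the ForceCommand is skipped for every user, while `*,!root` applies it to everyone except root.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper: '*' matches any run, '?' any single character. */
static int glob_match(const char *s, const char *p)
{
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*')
        return glob_match(s, p + 1) || (*s != '\0' && glob_match(s + 1, p));
    if (*s != '\0' && (*p == '?' || *p == *s))
        return glob_match(s + 1, p + 1);
    return 0;
}

/* Model of the report: 1 = positive match, -1 = negated pattern hit, 0 = none. */
int model_match_list(const char *s, const char *list)
{
    char pat[128];
    int got_positive = 0;
    while (*list != '\0') {
        size_t n = strcspn(list, ","), neg = (*list == '!');
        if (n - neg >= sizeof(pat))
            return 0;               /* over-long pattern: treat as no match */
        memcpy(pat, list + neg, n - neg);
        pat[n - neg] = '\0';
        if (glob_match(s, pat)) {
            if (neg)
                return -1;          /* a negated pattern matched */
            got_positive = 1;
        }
        list += n + (list[n] == ',');
    }
    return got_positive;
}

/* Mirrors the "!= 1" test quoted from servconf.c: only a 1 applies the block. */
int match_block_applies(const char *user, const char *list)
{
    return model_match_list(user, list) == 1;
}

int main(void)
{
    const char *lists[] = { "!root", "*,!root" }, *users[] = { "steve", "root" };
    for (int i = 0; i < 4; i++)
        printf("%-7s %-5s applies=%d\n", lists[i / 2], users[i % 2],
            match_block_applies(users[i % 2], lists[i / 2]));
    return 0;
}
```

When auditing an sshd_config, any Match User or Match Group line whose pattern list contains only negated entries is worth flagging, since under this model the restrictions beneath it are never enforced.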