On Tue, 3 May 2016, Rogan Dawes wrote:

> Hi Damien,
> Thanks for the response!
>
> I tried moving the StreamLocalBindUnlink directive outside of the Match
> rule, and it worked. But that doesn't explain why the Match was not
> correctly setting the directive:
>
> This is running on an alternate port with -ddd:
>
> debug3: checking match for 'User sshvpn' user sshvpn host 196.209.244.243
> addr 196.209.244.243 laddr 176.9.9.247 lport 52221
> debug1: user sshvpn matched 'User sshvpn' at line 91
> debug3: match found
> debug3: reprocess config:92 setting ChrootDirectory /var/sshvpn/
> debug3: reprocess config:93 setting AllowTCPForwarding no
> debug3: reprocess config:94 setting AllowStreamLocalForwarding yes
> debug3: reprocess config:95 setting StreamLocalBindUnlink yes
>
> And, surprisingly, even having set the directive outside the Match block,
> the following command still doesn't show streamlocalbindunlink set:
>
> sshd -T -C "user=sshvpn,host=196.209.244.243,addr=196.209.244.243" | grep -i
> stream
> streamlocalbindmask 0177
> allowstreamlocalforwarding yes

oh, that's a bug in the config dump support.

diff --git a/servconf.c b/servconf.c
index 6111c5a..2094c48 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2293,6 +2293,7 @@ dump_config(ServerOptions *o)
  dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
  dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
  dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
+ dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
  dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
  dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
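Review bot: the added dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink) line only changes what sshd -T prints; it does not establish that a StreamLocalBindUnlink set inside a Match block reaches the effective per-connection options, which is the question the -ddd output above raises (reprocess config:95 reports the directive being set, yet forwarding only worked once the directive was moved outside the Match). Suggest re-running the sshd -T -C "user=sshvpn,host=196.209.244.243,addr=196.209.244.243" check after this change, so the dump confirms the value survives the Match copy and not just the output fix.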
On Wed, 4 May 2016, Damien Miller wrote:

> On Tue, 3 May 2016, Rogan Dawes wrote:
>
> > And, surprisingly, even having set the directive outside the Match block,
> > the following command still doesn't show streamlocalbindunlink set:
> >
> > sshd -T -C "user=sshvpn,host=196.209.244.243,addr=196.209.244.243" | grep -i
> > stream
> > streamlocalbindmask 0177
> > allowstreamlocalforwarding yes
>
> oh, that's a bug in the config dump support.

... and with that fixed the real bug reveals itself:

diff --git a/servconf.c b/servconf.c
index 6111c5a..5e8b7ca 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1994,6 +1994,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
  M_CP_INTOPT(allow_agent_forwarding);
  M_CP_INTOPT(permit_tun);
  M_CP_INTOPT(fwd_opts.gateway_ports);
+ M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
  M_CP_INTOPT(x11_display_offset);
  M_CP_INTOPT(x11_forwarding);
  M_CP_INTOPT(x11_use_localhost);
@@ -2006,6 +2007,12 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
  M_CP_INTOPT(rekey_limit);
  M_CP_INTOPT(rekey_interval);
 
+ /* This is a mode_t, so can't use M_CP_INTOPT */
+ if (src->fwd_opts.streamlocal_bind_mask == (mode_t)-1) {
+ dst->fwd_opts.streamlocal_bind_mask
+ src->fwd_opts.streamlocal_bind_mask;
+ }
+
  /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
 #define M_CP_STROPT(n) do {\
  if (src->n != NULL && dst->n != src->n) { \
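Review bot: the streamlocal_bind_mask block in the second hunk is inverted and has no effect as written. The comment says it stands in for M_CP_INTOPT because the field is a mode_t, so the intent is to copy a value the Match block set; but `if (src->fwd_opts.streamlocal_bind_mask == (mode_t)-1)` only enters the body when the source is still at the (mode_t)-1 sentinel, i.e. when nothing was set, and the body `dst->fwd_opts.streamlocal_bind_mask` / `src->fwd_opts.streamlocal_bind_mask;` is an expression statement with no assignment operator, so dst is never written on either branch (compilers will flag it as a statement with no effect). It should test `!= (mode_t)-1` and assign `dst->fwd_opts.streamlocal_bind_mask = src->fwd_opts.streamlocal_bind_mask;`; a Match block that sets StreamLocalBindMask, checked with the same sshd -T -C invocation quoted above, would catch both problems, since the existing dump already prints streamlocalbindmask.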
On Wed, 4 May 2016, Damien Miller wrote:

> On Wed, 4 May 2016, Damien Miller wrote:
>
> > On Tue, 3 May 2016, Rogan Dawes wrote:
> >
> > > And, surprisingly, even having set the directive outside the Match block,
> > > the following command still doesn't show streamlocalbindunlink set:
> > >
> > > sshd -T -C "user=sshvpn,host=196.209.244.243,addr=196.209.244.243" | grep -i
> > > stream
> > > streamlocalbindmask 0177
> > > allowstreamlocalforwarding yes
> >
> > oh, that's a bug in the config dump support.
>
> ... and with that fixed the real bug reveals itself:

both fixes committed and in HEAD:

commit cfefbcea1057c2623e76c579174a4107a0b6e6cd
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue May 3 15:57:39 2016 +0000

    upstream commit

    fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in Match
    blocks; found the hard way by Rogan Dawes

    Upstream-ID: 940bc69ec0249ab428d24ccd0722ce35cb932ee2

commit 771c2f51ffc0c9a2877b7892fada0c77bd1f6549
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue May 3 15:25:06 2016 +0000

    upstream commit

    don't forget to include StreamLocalBindUnlink in the config dump output

    Upstream-ID: 14a6d970b3b45c8e94272e3c661e9a0b2a0ee7cb
Haha! Glad to know I wasn't just doing something stupid!

Thanks for your help!

Rogan

On Tue, 03 May 2016 at 5:49 PM Damien Miller <djm at mindrot.org> wrote:

> On Wed, 4 May 2016, Damien Miller wrote:
>
> > On Tue, 3 May 2016, Rogan Dawes wrote:
> >
> > > And, surprisingly, even having set the directive outside the Match
> block,
> > > the following command still doesn't show streamlocalbindunlink set:
> > >
> > > sshd -T -C "user=sshvpn,host=196.209.244.243,addr=196.209.244.243" |
> grep -i
> > > stream
> > > streamlocalbindmask 0177
> > > allowstreamlocalforwarding yes
> >
> > oh, that's a bug in the config dump support.
>
> ... and with that fixed the real bug reveals itself:
>
> diff --git a/servconf.c b/servconf.c
> index 6111c5a..5e8b7ca 100644
> --- a/servconf.c
> +++ b/servconf.c
> @@ -1994,6 +1994,7 @@ copy_set_server_options(ServerOptions *dst,
> ServerOptions *src, int preauth)
>  M_CP_INTOPT(allow_agent_forwarding);
>  M_CP_INTOPT(permit_tun);
>  M_CP_INTOPT(fwd_opts.gateway_ports);
> + M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
>  M_CP_INTOPT(x11_display_offset);
>  M_CP_INTOPT(x11_forwarding);
>  M_CP_INTOPT(x11_use_localhost);
> @@ -2006,6 +2007,12 @@ copy_set_server_options(ServerOptions *dst,
> ServerOptions *src, int preauth)
>  M_CP_INTOPT(rekey_limit);
>  M_CP_INTOPT(rekey_interval);
>
> + /* This is a mode_t, so can't use M_CP_INTOPT */
> + if (src->fwd_opts.streamlocal_bind_mask == (mode_t)-1) {
> + dst->fwd_opts.streamlocal_bind_mask
> + src->fwd_opts.streamlocal_bind_mask;
> + }
> +
>  /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here
> */
> #define M_CP_STROPT(n) do {\
>  if (src->n != NULL && dst->n != src->n) { \
>