diff options
| author | Lennart Poettering <lennart@poettering.net> | 2021-11-11 14:35:48 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-11-11 14:35:48 +0100 |
| commit | 126c02a8fd86040ce97e6d0ebb4b282cb6298cf0 (patch) | |
| tree | 27b8a7c5c778ac49621ca7f551a279bfb09a9c48 | |
| parent | bb23992740dedeb36bffbe00fe56e10b9841d2be (diff) | |
| parent | 01f6c450b655a8ce233cb5feeaddb4ec8a5610f7 (diff) | |
| download | systemd-126c02a8fd86040ce97e6d0ebb4b282cb6298cf0.tar.gz | |
Merge pull request #21304 from poettering/chain-ssh-auth-keys
userdbctl: add support for chaining other ssh-authorized-keys commands from userdbctl
| -rw-r--r-- | man/userdbctl.xml | 25 | ||||
| -rw-r--r-- | src/basic/escape.c | 6 | ||||
| -rw-r--r-- | src/basic/escape.h | 2 | ||||
| -rw-r--r-- | src/basic/process-util.c | 13 | ||||
| -rw-r--r-- | src/core/execute.c | 11 | ||||
| -rw-r--r-- | src/libsystemd/sd-bus/bus-socket.c | 2 | ||||
| -rw-r--r-- | src/test/test-escape.c | 2 | ||||
| -rw-r--r-- | src/userdb/userdbctl.c | 95 |
8 files changed, 114 insertions, 42 deletions
diff --git a/man/userdbctl.xml b/man/userdbctl.xml index 522c6c665f..6a01e9d179 100644 --- a/man/userdbctl.xml +++ b/man/userdbctl.xml @@ -146,6 +146,14 @@ typically preferable, since it runs in a locked down sandbox.</para></listitem> </varlistentry> + <varlistentry> + <term><option>--chain</option></term> + + <listitem><para>When used with the <command>ssh-authorized-keys</command> command, this will allow + passing an additional command line after the user name that is chain executed after the lookup + completed. This allows chaining multiple tools that show SSH authorized keys.</para></listitem> + </varlistentry> + <xi:include href="standard-options.xml" xpointer="no-pager" /> <xi:include href="standard-options.xml" xpointer="no-legend" /> <xi:include href="standard-options.xml" xpointer="help" /> @@ -201,8 +209,8 @@ <varlistentry> <term><command>ssh-authorized-keys</command></term> - <listitem><para>This operation is not a public, user-facing interface. It is used to allow the SSH daemon to pick - up authorized keys from user records, see below.</para></listitem> + <listitem><para>Show SSH authorized keys for this account. This command is intended to be used to + allow the SSH daemon to pick up authorized keys from user records, see below.</para></listitem> </varlistentry> </variablelist> </refsect1> @@ -301,6 +309,19 @@ AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u AuthorizedKeysCommandUser root …</programlisting> + + <para>Sometimes it's useful to allow chain invocation of another program to list SSH authorized keys. By + using the <option>--chain</option> such a tool may be chain executed by <command>userdbctl + ssh-authorized-keys</command> once a lookup completes (regardless if an SSH key was found or + not). Example:</para> + + <programlisting>… +AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u --chain /usr/bin/othertool %u +AuthorizedKeysCommandUser root +…</programlisting> + + <para>The above will first query the userdb database for SSH keys, and then chain execute + <command>/usr/bin/othertool</command> to also be queried.</para> </refsect1> <refsect1> diff --git a/src/basic/escape.c b/src/basic/escape.c index 4bb98f9342..ce57fcc762 100644 --- a/src/basic/escape.c +++ b/src/basic/escape.c @@ -544,7 +544,7 @@ char* shell_maybe_quote(const char *s, ShellEscapeFlags flags) { return str_realloc(buf); } -char* quote_command_line(char **argv) { +char* quote_command_line(char **argv, ShellEscapeFlags flags) { _cleanup_free_ char *result = NULL; assert(argv); @@ -553,7 +553,7 @@ char* quote_command_line(char **argv) { STRV_FOREACH(a, argv) { _cleanup_free_ char *t = NULL; - t = shell_maybe_quote(*a, SHELL_ESCAPE_EMPTY); + t = shell_maybe_quote(*a, flags); if (!t) return NULL; @@ -561,5 +561,5 @@ char* quote_command_line(char **argv) { return NULL; } - return TAKE_PTR(result); + return str_realloc(TAKE_PTR(result)); } diff --git a/src/basic/escape.h b/src/basic/escape.h index d490510deb..318da6f220 100644 --- a/src/basic/escape.h +++ b/src/basic/escape.h @@ -69,4 +69,4 @@ char* escape_non_printable_full(const char *str, size_t console_width, XEscapeFl char* shell_escape(const char *s, const char *bad); char* shell_maybe_quote(const char *s, ShellEscapeFlags flags); -char* quote_command_line(char **argv); +char* quote_command_line(char **argv, ShellEscapeFlags flags); diff --git a/src/basic/process-util.c b/src/basic/process-util.c index 82bbda895f..fe732c0322 100644 --- a/src/basic/process-util.c +++ b/src/basic/process-util.c @@ -219,20 +219,9 @@ int get_process_cmdline(pid_t pid, size_t max_columns, ProcessCmdlineFlags flags if (!args) return -ENOMEM; - for (size_t i = 0; args[i]; i++) { - char *e; - - e = shell_maybe_quote(args[i], shflags); - if (!e) - return -ENOMEM; - - free_and_replace(args[i], e); - } - - ans = strv_join(args, " "); + ans = quote_command_line(args, shflags); if (!ans) return -ENOMEM; - } else { /* Arguments are separated by NULs. Let's replace those with spaces. */ for (size_t i = 0; i < k - 1; i++) diff --git a/src/core/execute.c b/src/core/execute.c index 425e3e5a37..6f19f5024e 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -3999,16 +3999,15 @@ static int exec_child( exec_context_tty_reset(context, params); if (unit_shall_confirm_spawn(unit)) { - const char *vc = params->confirm_spawn; _cleanup_free_ char *cmdline = NULL; - cmdline = quote_command_line(command->argv); + cmdline = quote_command_line(command->argv, SHELL_ESCAPE_EMPTY); if (!cmdline) { *exit_status = EXIT_MEMORY; return log_oom(); } - r = ask_for_confirmation(context, vc, unit, cmdline); + r = ask_for_confirmation(context, params->confirm_spawn, unit, cmdline); if (r != CONFIRM_EXECUTE) { if (r == CONFIRM_PRETEND_SUCCESS) { *exit_status = EXIT_SUCCESS; @@ -4884,7 +4883,7 @@ static int exec_child( if (DEBUG_LOGGING) { _cleanup_free_ char *line = NULL; - line = quote_command_line(final_argv); + line = quote_command_line(final_argv, SHELL_ESCAPE_EMPTY); if (!line) { *exit_status = EXIT_MEMORY; return log_oom(); @@ -4976,7 +4975,7 @@ int exec_spawn(Unit *unit, if (r < 0) return log_unit_error_errno(unit, r, "Failed to load environment files: %m"); - line = quote_command_line(command->argv); + line = quote_command_line(command->argv, SHELL_ESCAPE_EMPTY); if (!line) return log_oom(); @@ -6230,7 +6229,7 @@ static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) { prefix = strempty(prefix); prefix2 = strjoina(prefix, "\t"); - cmd = quote_command_line(c->argv); + cmd = quote_command_line(c->argv, SHELL_ESCAPE_EMPTY); fprintf(f, "%sCommand Line: %s\n", prefix, cmd ? cmd : strerror_safe(ENOMEM)); diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c index 9c448e3639..a603764c27 100644 --- a/src/libsystemd/sd-bus/bus-socket.c +++ b/src/libsystemd/sd-bus/bus-socket.c @@ -968,7 +968,7 @@ int bus_socket_exec(sd_bus *b) { _cleanup_free_ char *line = NULL; if (b->exec_argv) - line = quote_command_line(b->exec_argv); + line = quote_command_line(b->exec_argv, SHELL_ESCAPE_EMPTY); log_debug("sd-bus: starting bus%s%s with %s%s", b->description ? " " : "", strempty(b->description), diff --git a/src/test/test-escape.c b/src/test/test-escape.c index 3fd318653c..75aa86bf69 100644 --- a/src/test/test-escape.c +++ b/src/test/test-escape.c @@ -206,7 +206,7 @@ static void test_shell_maybe_quote(void) { static void test_quote_command_line_one(char **argv, const char *expected) { _cleanup_free_ char *s; - assert_se(s = quote_command_line(argv)); + assert_se(s = quote_command_line(argv, SHELL_ESCAPE_EMPTY)); log_info("%s", s); assert_se(streq(s, expected)); } diff --git a/src/userdb/userdbctl.c b/src/userdb/userdbctl.c index f7ef1a3ef5..4dac6b0e44 100644 --- a/src/userdb/userdbctl.c +++ b/src/userdb/userdbctl.c @@ -5,6 +5,7 @@ #include "dirent-util.h" #include "errno-list.h" +#include "escape.h" #include "fd-util.h" #include "format-table.h" #include "format-util.h" @@ -34,6 +35,7 @@ static bool arg_legend = true; static char** arg_services = NULL; static UserDBFlags arg_userdb_flags = 0; static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF; +static bool arg_chain = false; STATIC_DESTRUCTOR_REGISTER(arg_services, strv_freep); @@ -586,33 +588,84 @@ static int display_services(int argc, char *argv[], void *userdata) { static int ssh_authorized_keys(int argc, char *argv[], void *userdata) { _cleanup_(user_record_unrefp) UserRecord *ur = NULL; + char **chain_invocation; int r; + assert(argc >= 2); + + if (arg_chain) { + /* If --chain is specified, the rest of the command line is the chain command */ + + if (argc < 3) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "No chain command line specified, refusing."); + + /* Make similar restrictions on the chain command as OpenSSH itself makes on the primary command. */ + if (!path_is_absolute(argv[2])) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Chain invocation of ssh-authorized-keys commands requires an absolute binary path argument."); + + if (!path_is_normalized(argv[2])) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Chain invocation of ssh-authorized-keys commands requires an normalized binary path argument."); + + chain_invocation = argv + 2; + } else { + /* If --chain is not specified, then refuse any further arguments */ + + if (argc > 2) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Too many arguments."); + + chain_invocation = NULL; + } + r = userdb_by_name(argv[1], arg_userdb_flags, &ur); if (r == -ESRCH) - return log_error_errno(r, "User %s does not exist.", argv[1]); + log_error_errno(r, "User %s does not exist.", argv[1]); else if (r == -EHOSTDOWN) - return log_error_errno(r, "Selected user database service is not available for this request."); + log_error_errno(r, "Selected user database service is not available for this request."); else if (r == -EINVAL) - return log_error_errno(r, "Failed to find user %s: %m (Invalid user name?)", argv[1]); + log_error_errno(r, "Failed to find user %s: %m (Invalid user name?)", argv[1]); else if (r < 0) - return log_error_errno(r, "Failed to find user %s: %m", argv[1]); - - if (strv_isempty(ur->ssh_authorized_keys)) - log_debug("User record for %s has no public SSH keys.", argv[1]); + log_error_errno(r, "Failed to find user %s: %m", argv[1]); else { - char **i; + if (strv_isempty(ur->ssh_authorized_keys)) + log_debug("User record for %s has no public SSH keys.", argv[1]); + else { + char **i; + + STRV_FOREACH(i, ur->ssh_authorized_keys) + printf("%s\n", *i); + } - STRV_FOREACH(i, ur->ssh_authorized_keys) - printf("%s\n", *i); + if (ur->incomplete) { + fflush(stdout); + log_warning("Warning: lacking rights to acquire privileged fields of user record of '%s', output incomplete.", ur->user_name); + } } - if (ur->incomplete) { - fflush(stdout); - log_warning("Warning: lacking rights to acquire privileged fields of user record of '%s', output incomplete.", ur->user_name); + if (chain_invocation) { + if (DEBUG_LOGGING) { + _cleanup_free_ char *s = NULL; + + s = quote_command_line(chain_invocation, SHELL_ESCAPE_EMPTY); + if (!s) + return log_oom(); + + log_debug("Chain invoking: %s", s); + } + + execv(chain_invocation[0], chain_invocation); + if (errno == ENOENT) /* Let's handle ENOENT gracefully */ + log_warning_errno(errno, "Chain executable '%s' does not exist, ignoring chain invocation.", chain_invocation[0]); + else { + log_error_errno(errno, "Failed to invoke chain executable '%s': %m", chain_invocation[0]); + if (r >= 0) + r = -errno; + } } - return EXIT_SUCCESS; + return r; } static int help(int argc, char *argv[], void *userdata) { @@ -633,6 +686,7 @@ static int help(int argc, char *argv[], void *userdata) { " users-in-group [GROUP…] Show users that are members of specified group(s)\n" " groups-of-user [USER…] Show groups the specified user(s) is a member of\n" " services Show enabled database services\n" + " ssh-authorized-keys USER Show SSH authorized keys for user\n" "\nOptions:\n" " -h --help Show this help\n" " --version Show package version\n" @@ -650,6 +704,7 @@ static int help(int argc, char *argv[], void *userdata) { " --with-varlink=BOOL Control whether to talk to services at all\n" " --multiplexer=BOOL Control whether to use the multiplexer\n" " --json=pretty|short JSON output mode\n" + " --chain Chain another command\n" "\nSee the %s for details.\n", program_invocation_short_name, ansi_highlight(), @@ -672,6 +727,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_SYNTHESIZE, ARG_MULTIPLEXER, ARG_JSON, + ARG_CHAIN, }; static const struct option options[] = { @@ -687,6 +743,7 @@ static int parse_argv(int argc, char *argv[]) { { "synthesize", required_argument, NULL, ARG_SYNTHESIZE }, { "multiplexer", required_argument, NULL, ARG_MULTIPLEXER }, { "json", required_argument, NULL, ARG_JSON }, + { "chain", no_argument, NULL, ARG_CHAIN }, {} }; @@ -712,7 +769,9 @@ static int parse_argv(int argc, char *argv[]) { for (;;) { int c; - c = getopt_long(argc, argv, "hjs:N", options, NULL); + c = getopt_long(argc, argv, + arg_chain ? "+hjs:N" : "hjs:N", /* When --chain was used disable parsing of further switches */ + options, NULL); if (c < 0) break; @@ -829,6 +888,10 @@ static int parse_argv(int argc, char *argv[]) { SET_FLAG(arg_userdb_flags, USERDB_AVOID_MULTIPLEXER, !r); break; + case ARG_CHAIN: + arg_chain = true; + break; + case '?': return -EINVAL; @@ -851,7 +914,7 @@ static int run(int argc, char *argv[]) { /* This one is a helper for sshd_config's AuthorizedKeysCommand= setting, it's not a * user-facing verb and thus should not appear in man pages or --help texts. */ - { "ssh-authorized-keys", 2, 2, 0, ssh_authorized_keys }, + { "ssh-authorized-keys", 2, VERB_ANY, 0, ssh_authorized_keys }, {} }; |