diff options
author | Lennart Poettering <lennart@poettering.net> | 2021-11-11 09:33:39 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-11-11 10:06:35 +0100 |
commit | 8072a7e6a9eaf2de120797dd16c5e0baea606219 (patch) | |
tree | 0319d822024e87919426c629e38fd3b601469bac /src | |
parent | 7d0cede04f38d392834ba59f698d533782c39796 (diff) | |
download | systemd-8072a7e6a9eaf2de120797dd16c5e0baea606219.tar.gz |
userdbctl: add support for chaining command lines in "authorized-keys" verb
Diffstat (limited to 'src')
-rw-r--r-- | src/userdb/userdbctl.c | 95 |
1 files changed, 79 insertions, 16 deletions
diff --git a/src/userdb/userdbctl.c b/src/userdb/userdbctl.c index f7ef1a3ef5..4dac6b0e44 100644 --- a/src/userdb/userdbctl.c +++ b/src/userdb/userdbctl.c @@ -5,6 +5,7 @@ #include "dirent-util.h" #include "errno-list.h" +#include "escape.h" #include "fd-util.h" #include "format-table.h" #include "format-util.h" @@ -34,6 +35,7 @@ static bool arg_legend = true; static char** arg_services = NULL; static UserDBFlags arg_userdb_flags = 0; static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF; +static bool arg_chain = false; STATIC_DESTRUCTOR_REGISTER(arg_services, strv_freep); @@ -586,33 +588,84 @@ static int display_services(int argc, char *argv[], void *userdata) { static int ssh_authorized_keys(int argc, char *argv[], void *userdata) { _cleanup_(user_record_unrefp) UserRecord *ur = NULL; + char **chain_invocation; int r; + assert(argc >= 2); + + if (arg_chain) { + /* If --chain is specified, the rest of the command line is the chain command */ + + if (argc < 3) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "No chain command line specified, refusing."); + + /* Make similar restrictions on the chain command as OpenSSH itself makes on the primary command. */ + if (!path_is_absolute(argv[2])) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Chain invocation of ssh-authorized-keys commands requires an absolute binary path argument."); + + if (!path_is_normalized(argv[2])) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Chain invocation of ssh-authorized-keys commands requires an normalized binary path argument."); + + chain_invocation = argv + 2; + } else { + /* If --chain is not specified, then refuse any further arguments */ + + if (argc > 2) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Too many arguments."); + + chain_invocation = NULL; + } + r = userdb_by_name(argv[1], arg_userdb_flags, &ur); if (r == -ESRCH) - return log_error_errno(r, "User %s does not exist.", argv[1]); + log_error_errno(r, "User %s does not exist.", argv[1]); else if (r == -EHOSTDOWN) - return log_error_errno(r, "Selected user database service is not available for this request."); + log_error_errno(r, "Selected user database service is not available for this request."); else if (r == -EINVAL) - return log_error_errno(r, "Failed to find user %s: %m (Invalid user name?)", argv[1]); + log_error_errno(r, "Failed to find user %s: %m (Invalid user name?)", argv[1]); else if (r < 0) - return log_error_errno(r, "Failed to find user %s: %m", argv[1]); - - if (strv_isempty(ur->ssh_authorized_keys)) - log_debug("User record for %s has no public SSH keys.", argv[1]); + log_error_errno(r, "Failed to find user %s: %m", argv[1]); else { - char **i; + if (strv_isempty(ur->ssh_authorized_keys)) + log_debug("User record for %s has no public SSH keys.", argv[1]); + else { + char **i; + + STRV_FOREACH(i, ur->ssh_authorized_keys) + printf("%s\n", *i); + } - STRV_FOREACH(i, ur->ssh_authorized_keys) - printf("%s\n", *i); + if (ur->incomplete) { + fflush(stdout); + log_warning("Warning: lacking rights to acquire privileged fields of user record of '%s', output incomplete.", ur->user_name); + } } - if (ur->incomplete) { - fflush(stdout); - log_warning("Warning: lacking rights to acquire privileged fields of user record of '%s', output incomplete.", ur->user_name); + if (chain_invocation) { + if (DEBUG_LOGGING) { + _cleanup_free_ char *s = NULL; + + s = quote_command_line(chain_invocation, SHELL_ESCAPE_EMPTY); + if (!s) + return log_oom(); + + log_debug("Chain invoking: %s", s); + } + + execv(chain_invocation[0], chain_invocation); + if (errno == ENOENT) /* Let's handle ENOENT gracefully */ + log_warning_errno(errno, "Chain executable '%s' does not exist, ignoring chain invocation.", chain_invocation[0]); + else { + log_error_errno(errno, "Failed to invoke chain executable '%s': %m", chain_invocation[0]); + if (r >= 0) + r = -errno; + } } - return EXIT_SUCCESS; + return r; } static int help(int argc, char *argv[], void *userdata) { @@ -633,6 +686,7 @@ static int help(int argc, char *argv[], void *userdata) { " users-in-group [GROUP…] Show users that are members of specified group(s)\n" " groups-of-user [USER…] Show groups the specified user(s) is a member of\n" " services Show enabled database services\n" + " ssh-authorized-keys USER Show SSH authorized keys for user\n" "\nOptions:\n" " -h --help Show this help\n" " --version Show package version\n" @@ -650,6 +704,7 @@ static int help(int argc, char *argv[], void *userdata) { " --with-varlink=BOOL Control whether to talk to services at all\n" " --multiplexer=BOOL Control whether to use the multiplexer\n" " --json=pretty|short JSON output mode\n" + " --chain Chain another command\n" "\nSee the %s for details.\n", program_invocation_short_name, ansi_highlight(), @@ -672,6 +727,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_SYNTHESIZE, ARG_MULTIPLEXER, ARG_JSON, + ARG_CHAIN, }; static const struct option options[] = { @@ -687,6 +743,7 @@ static int parse_argv(int argc, char *argv[]) { { "synthesize", required_argument, NULL, ARG_SYNTHESIZE }, { "multiplexer", required_argument, NULL, ARG_MULTIPLEXER }, { "json", required_argument, NULL, ARG_JSON }, + { "chain", no_argument, NULL, ARG_CHAIN }, {} }; @@ -712,7 +769,9 @@ static int parse_argv(int argc, char *argv[]) { for (;;) { int c; - c = getopt_long(argc, argv, "hjs:N", options, NULL); + c = getopt_long(argc, argv, + arg_chain ? "+hjs:N" : "hjs:N", /* When --chain was used disable parsing of further switches */ + options, NULL); if (c < 0) break; @@ -829,6 +888,10 @@ static int parse_argv(int argc, char *argv[]) { SET_FLAG(arg_userdb_flags, USERDB_AVOID_MULTIPLEXER, !r); break; + case ARG_CHAIN: + arg_chain = true; + break; + case '?': return -EINVAL; @@ -851,7 +914,7 @@ static int run(int argc, char *argv[]) { /* This one is a helper for sshd_config's AuthorizedKeysCommand= setting, it's not a * user-facing verb and thus should not appear in man pages or --help texts. */ - { "ssh-authorized-keys", 2, 2, 0, ssh_authorized_keys }, + { "ssh-authorized-keys", 2, VERB_ANY, 0, ssh_authorized_keys }, {} }; |