From 1ffa2e9bc804a8893c584ffb93df8be35543fa62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Wed, 16 Oct 2024 08:46:56 +0000 Subject: [PATCH] fix: allow ssh-as in connect.pl --- bin/shell/connect.pl | 20 +++++++++++--- tests/functional/tests.d/300-activeness.sh | 31 ++++++++++++++++++++++ 2 files changed, 48 insertions(+), 3 deletions(-) diff --git a/bin/shell/connect.pl b/bin/shell/connect.pl index f2b7d2e30..3263dbe5a 100755 --- a/bin/shell/connect.pl +++ b/bin/shell/connect.pl @@ -84,18 +84,32 @@ sub exit_sig { } # clush plugin - elsif ($pargv[1] =~ m{^/opt/bastion/bin/plugin/(open|restricted)/clush$}) { + elsif ($pargv[1] =~ m{/bin/plugin/(open|restricted)/clush$}) { ; # we're being called by the clush plugin, ok } # interactive mode: our parent is osh.pl - elsif ($pargv[0] eq 'perl' and $pargv[1] eq '/opt/bastion/bin/shell/osh.pl') { + elsif ($pargv[0] eq 'perl' and $pargv[1] =~ m{/bin/shell/osh\.pl$}) { + ; # we're being called by the interactive mode of osh.pl, ok + } + + # --ssh-as + elsif ( @pargv == 9 + and $pargv[0] eq 'sudo' + and $pargv[1] eq '-n' + and $pargv[2] eq '-u' + and $pargv[4] eq '--' + and $pargv[5] eq '/usr/bin/env' + and $pargv[6] eq 'perl' + and $pargv[7] =~ m{/bin/shell/osh\.pl$} + and $pargv[8] eq '-c') + { ; # we're being called by the interactive mode of osh.pl, ok } # else: it sucks. else { - #foreach (@pargv) { print "<".$_.">\n" }; + foreach (@pargv) { print "<".$_.">\n" }; die("SECURITY VIOLATION, ABORTING."); } } diff --git a/tests/functional/tests.d/300-activeness.sh b/tests/functional/tests.d/300-activeness.sh index 0bd036565..eef886fe0 100644 --- a/tests/functional/tests.d/300-activeness.sh +++ b/tests/functional/tests.d/300-activeness.sh @@ -40,6 +40,37 @@ testsuite_activeness() # for remaining tests, disable the feature configchg 's=^\\\\x22accountExternalValidationProgram\\\\x22.+=\\\\x22accountExternalValidationProgram\\\\x22:\\\\x22\\\\x22,=' + # SSH-AS + + grant accountAddPersonalAccess + + # allow account1 to localhost, just so that ssh-as calls connect.pl (even if the connection doesn't make it through in the end) + success add_access_to_a1 $a0 --osh accountAddPersonalAccess --account $account2 --host 127.0.0.1 --user sshas --port 22 + + revoke accountAddPersonalAccess + + # now, test ssh-as + run ssh_as_denied $a1 --ssh-as $account2 sshas@127.0.0.1 + retvalshouldbe 106 + json .error_code KO_SSHAS_DENIED + + # set account1 as admin + success set_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account1 osh-admin\"" + configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22,\\\\x22'"$account1"'\\\\x22],=' + + # test ssh-as again + run ssh_as_allowed $a1 --ssh-as $account2 sshas@127.0.0.1 + retvalshouldbe 255 + contain "you'll now impersonate" + contain "Connecting..." + contain "Permission denied (publickey)" + + # and finally remove admin grant + success del_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account1 osh-admin\"" + configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22],=' + + # /SSH-AS + grant accountDelete # delete account1