1 : /*-
2 : * Copyright (c) 2011-2013 Baptiste Daroussin <bapt@FreeBSD.org>
3 : * All rights reserved.
4 : *
5 : * Redistribution and use in source and binary forms, with or without
6 : * modification, are permitted provided that the following conditions
7 : * are met:
8 : * 1. Redistributions of source code must retain the above copyright
9 : * notice, this list of conditions and the following disclaimer
10 : * in this position and unchanged.
11 : * 2. Redistributions in binary form must reproduce the above copyright
12 : * notice, this list of conditions and the following disclaimer in the
13 : * documentation and/or other materials provided with the distribution.
14 : *
15 : * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
16 : * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 : * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 : * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
19 : * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 : * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 : * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 : * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 : * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 : * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 : */
26 :
27 : #ifdef HAVE_CONFIG_H
28 : #include "pkg_config.h"
29 : #endif
30 :
31 : #ifdef HAVE_CAPSICUM
32 : #include <sys/capability.h>
33 : #endif
34 :
35 : #include <sysexits.h>
36 : #include <stdio.h>
37 : #include <unistd.h>
38 : #include <fcntl.h>
39 : #include <err.h>
40 : #include <errno.h>
41 :
42 : #include <pkg.h>
43 :
44 : #include "pkgcli.h"
45 :
/*
 * Print the short usage text for "pkg ssh" on stderr.
 * The subcommand accepts no arguments, so the synopsis is the bare command.
 */
void
usage_ssh(void)
{
	fputs("Usage: pkg ssh\n\n", stderr);
	fputs("For more information see 'pkg help ssh'.\n", stderr);
}
52 :
/*
 * Entry point of "pkg ssh": open the directory to be served and hand its
 * descriptor to pkg_sshserve().
 *
 * argc - argument count; anything beyond the subcommand name is rejected.
 * argv - unused.
 *
 * Returns EX_USAGE on extra arguments, EX_SOFTWARE when the directory cannot
 * be opened, when sandboxing fails, or when pkg_sshserve() does not return
 * EPKG_OK, and EX_OK otherwise.
 *
 * Security notes:
 *  - The served directory comes from SSH_RESTRICT_DIR. When that option is
 *    unset the fallback is "/", i.e. the descriptor passed to the server
 *    refers to the filesystem root.
 *  - With HAVE_CAPSICUM the descriptor is limited to CAP_READ, CAP_FSTATAT
 *    and CAP_FCNTL and the process calls cap_enter() before serving.
 *  - ENOSYS from either Capsicum call is tolerated, and without
 *    HAVE_CAPSICUM no sandboxing is attempted at all. In both cases this
 *    function applies no other confinement.
 *    NOTE(review): confinement to the directory then presumably depends on
 *    path checks inside pkg_sshserve(), which is not visible here - confirm.
 */
int
exec_ssh(int argc, char **argv __unused)
{
	const char *restricted;
	int rootfd;
	int status;
#ifdef HAVE_CAPSICUM
	cap_rights_t rights;
#endif

	/* "pkg ssh" takes no operands. */
	if (argc > 1) {
		usage_ssh();
		return (EX_USAGE);
	}

	restricted = pkg_object_string(pkg_config_get("SSH_RESTRICT_DIR"));
	if (restricted == NULL)
		restricted = "/";	/* no restriction configured */

	rootfd = open(restricted, O_DIRECTORY|O_RDONLY);
	if (rootfd < 0) {
		warn("Impossible to open the restricted directory");
		return (EX_SOFTWARE);
	}

#ifdef HAVE_CAPSICUM
	/* Narrow the directory descriptor before entering the sandbox. */
	cap_rights_init(&rights, CAP_READ, CAP_FSTATAT, CAP_FCNTL);
	if (cap_rights_limit(rootfd, &rights) < 0 && errno != ENOSYS) {
		warn("cap_rights_limit() failed");
		close(rootfd);
		return (EX_SOFTWARE);
	}

	/* ENOSYS is not fatal: the service then continues unsandboxed. */
	if (cap_enter() < 0 && errno != ENOSYS) {
		warn("cap_enter() failed");
		close(rootfd);
		return (EX_SOFTWARE);
	}
#endif

	status = (pkg_sshserve(rootfd) == EPKG_OK) ? EX_OK : EX_SOFTWARE;

	close(rootfd);
	return (status);
}