mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
userdbctl: add support for chaining command lines in "authorized-keys" verb
This commit is contained in:
parent
7d0cede04f
commit
8072a7e6a9
@ -5,6 +5,7 @@
|
||||
|
||||
#include "dirent-util.h"
|
||||
#include "errno-list.h"
|
||||
#include "escape.h"
|
||||
#include "fd-util.h"
|
||||
#include "format-table.h"
|
||||
#include "format-util.h"
|
||||
@ -34,6 +35,7 @@ static bool arg_legend = true;
|
||||
static char** arg_services = NULL;
|
||||
static UserDBFlags arg_userdb_flags = 0;
|
||||
static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF;
|
||||
static bool arg_chain = false;
|
||||
|
||||
STATIC_DESTRUCTOR_REGISTER(arg_services, strv_freep);
|
||||
|
||||
@ -586,33 +588,84 @@ static int display_services(int argc, char *argv[], void *userdata) {
|
||||
|
||||
static int ssh_authorized_keys(int argc, char *argv[], void *userdata) {
|
||||
_cleanup_(user_record_unrefp) UserRecord *ur = NULL;
|
||||
char **chain_invocation;
|
||||
int r;
|
||||
|
||||
assert(argc >= 2);
|
||||
|
||||
if (arg_chain) {
|
||||
/* If --chain is specified, the rest of the command line is the chain command */
|
||||
|
||||
if (argc < 3)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"No chain command line specified, refusing.");
|
||||
|
||||
/* Make similar restrictions on the chain command as OpenSSH itself makes on the primary command. */
|
||||
if (!path_is_absolute(argv[2]))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Chain invocation of ssh-authorized-keys commands requires an absolute binary path argument.");
|
||||
|
||||
if (!path_is_normalized(argv[2]))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Chain invocation of ssh-authorized-keys commands requires an normalized binary path argument.");
|
||||
|
||||
chain_invocation = argv + 2;
|
||||
} else {
|
||||
/* If --chain is not specified, then refuse any further arguments */
|
||||
|
||||
if (argc > 2)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Too many arguments.");
|
||||
|
||||
chain_invocation = NULL;
|
||||
}
|
||||
|
||||
r = userdb_by_name(argv[1], arg_userdb_flags, &ur);
|
||||
if (r == -ESRCH)
|
||||
return log_error_errno(r, "User %s does not exist.", argv[1]);
|
||||
log_error_errno(r, "User %s does not exist.", argv[1]);
|
||||
else if (r == -EHOSTDOWN)
|
||||
return log_error_errno(r, "Selected user database service is not available for this request.");
|
||||
log_error_errno(r, "Selected user database service is not available for this request.");
|
||||
else if (r == -EINVAL)
|
||||
return log_error_errno(r, "Failed to find user %s: %m (Invalid user name?)", argv[1]);
|
||||
log_error_errno(r, "Failed to find user %s: %m (Invalid user name?)", argv[1]);
|
||||
else if (r < 0)
|
||||
return log_error_errno(r, "Failed to find user %s: %m", argv[1]);
|
||||
|
||||
if (strv_isempty(ur->ssh_authorized_keys))
|
||||
log_debug("User record for %s has no public SSH keys.", argv[1]);
|
||||
log_error_errno(r, "Failed to find user %s: %m", argv[1]);
|
||||
else {
|
||||
char **i;
|
||||
if (strv_isempty(ur->ssh_authorized_keys))
|
||||
log_debug("User record for %s has no public SSH keys.", argv[1]);
|
||||
else {
|
||||
char **i;
|
||||
|
||||
STRV_FOREACH(i, ur->ssh_authorized_keys)
|
||||
printf("%s\n", *i);
|
||||
STRV_FOREACH(i, ur->ssh_authorized_keys)
|
||||
printf("%s\n", *i);
|
||||
}
|
||||
|
||||
if (ur->incomplete) {
|
||||
fflush(stdout);
|
||||
log_warning("Warning: lacking rights to acquire privileged fields of user record of '%s', output incomplete.", ur->user_name);
|
||||
}
|
||||
}
|
||||
|
||||
if (ur->incomplete) {
|
||||
fflush(stdout);
|
||||
log_warning("Warning: lacking rights to acquire privileged fields of user record of '%s', output incomplete.", ur->user_name);
|
||||
if (chain_invocation) {
|
||||
if (DEBUG_LOGGING) {
|
||||
_cleanup_free_ char *s = NULL;
|
||||
|
||||
s = quote_command_line(chain_invocation, SHELL_ESCAPE_EMPTY);
|
||||
if (!s)
|
||||
return log_oom();
|
||||
|
||||
log_debug("Chain invoking: %s", s);
|
||||
}
|
||||
|
||||
execv(chain_invocation[0], chain_invocation);
|
||||
if (errno == ENOENT) /* Let's handle ENOENT gracefully */
|
||||
log_warning_errno(errno, "Chain executable '%s' does not exist, ignoring chain invocation.", chain_invocation[0]);
|
||||
else {
|
||||
log_error_errno(errno, "Failed to invoke chain executable '%s': %m", chain_invocation[0]);
|
||||
if (r >= 0)
|
||||
r = -errno;
|
||||
}
|
||||
}
|
||||
|
||||
return EXIT_SUCCESS;
|
||||
return r;
|
||||
}
|
||||
|
||||
static int help(int argc, char *argv[], void *userdata) {
|
||||
@ -633,6 +686,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
||||
" users-in-group [GROUP…] Show users that are members of specified group(s)\n"
|
||||
" groups-of-user [USER…] Show groups the specified user(s) is a member of\n"
|
||||
" services Show enabled database services\n"
|
||||
" ssh-authorized-keys USER Show SSH authorized keys for user\n"
|
||||
"\nOptions:\n"
|
||||
" -h --help Show this help\n"
|
||||
" --version Show package version\n"
|
||||
@ -650,6 +704,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
||||
" --with-varlink=BOOL Control whether to talk to services at all\n"
|
||||
" --multiplexer=BOOL Control whether to use the multiplexer\n"
|
||||
" --json=pretty|short JSON output mode\n"
|
||||
" --chain Chain another command\n"
|
||||
"\nSee the %s for details.\n",
|
||||
program_invocation_short_name,
|
||||
ansi_highlight(),
|
||||
@ -672,6 +727,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
ARG_SYNTHESIZE,
|
||||
ARG_MULTIPLEXER,
|
||||
ARG_JSON,
|
||||
ARG_CHAIN,
|
||||
};
|
||||
|
||||
static const struct option options[] = {
|
||||
@ -687,6 +743,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
{ "synthesize", required_argument, NULL, ARG_SYNTHESIZE },
|
||||
{ "multiplexer", required_argument, NULL, ARG_MULTIPLEXER },
|
||||
{ "json", required_argument, NULL, ARG_JSON },
|
||||
{ "chain", no_argument, NULL, ARG_CHAIN },
|
||||
{}
|
||||
};
|
||||
|
||||
@ -712,7 +769,9 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
for (;;) {
|
||||
int c;
|
||||
|
||||
c = getopt_long(argc, argv, "hjs:N", options, NULL);
|
||||
c = getopt_long(argc, argv,
|
||||
arg_chain ? "+hjs:N" : "hjs:N", /* When --chain was used disable parsing of further switches */
|
||||
options, NULL);
|
||||
if (c < 0)
|
||||
break;
|
||||
|
||||
@ -829,6 +888,10 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
SET_FLAG(arg_userdb_flags, USERDB_AVOID_MULTIPLEXER, !r);
|
||||
break;
|
||||
|
||||
case ARG_CHAIN:
|
||||
arg_chain = true;
|
||||
break;
|
||||
|
||||
case '?':
|
||||
return -EINVAL;
|
||||
|
||||
@ -851,7 +914,7 @@ static int run(int argc, char *argv[]) {
|
||||
|
||||
/* This one is a helper for sshd_config's AuthorizedKeysCommand= setting, it's not a
|
||||
* user-facing verb and thus should not appear in man pages or --help texts. */
|
||||
{ "ssh-authorized-keys", 2, 2, 0, ssh_authorized_keys },
|
||||
{ "ssh-authorized-keys", 2, VERB_ANY, 0, ssh_authorized_keys },
|
||||
{}
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user