| author | Aaron Ball <nullspoon@oper.io> | 2017-03-05 15:40:20 -0700 |
|---|---|---|
| committer | Aaron Ball <nullspoon@oper.io> | 2017-03-05 15:46:23 -0700 |
| commit | aaa102bd029c2f5ee188e1a451d1c1496ec61fa0 | |
| tree | ca0e7bff529d818ca71f200470c7b9011277a3a9 | |
| parent | feb7ded6a33b93abeb905252f9159bfef1597c45 | |
Fixed two security attack vectors
If a user logged in with a non-interactive shell requesting the command
'gitaccess' be executed, an infinite loop would be created in the
foreground of the connected shell where the gitaccess script would call
itself. This is now checked for.
If a user tried executing any command in a non-interactive shell, it
would succeed if they could authenticate. This was because the user's
command was passed through verbatim to a bash subshell, which doesn't
check for command allowance like git-shell does. Now we pass the user's
command through to 'git shell -c', which performs permissions checking
on the command.
NOTE: This fixes 2 attack vectors. However, these vectors were only
available to users that had successfully authenticated via a
private key.
| mode | file | lines |
|---|---|---|
| -rwxr-xr-x | gitaccess | 12 |

1 file changed, 11 insertions, 1 deletion
@@ -30,9 +30,19 @@ # command="~/bin/gitaccess <username>" ecdsa-sha2-nistp521 AAAAE2v.... # +# Detect if someone tries to launch this script from this script, thus creating +# an infinite recursive loop spawning subshells. +if [ "${SSH_ORIGINAL_COMMAND:-}" == "$(basename ${0})" ]; then + printf "ERROR: Blocking infinite recursion\n" + exit 1 +fi + + +# All checks passed... + # The first argument should be the username, as defailed in the script # instructions export GIT_USER="${1}" # Environmental variables set up. Proceed as was originally planned. -/usr/bin/bash -c "${SSH_ORIGINAL_COMMAND}" +/usr/bin/env git shell -c "${SSH_ORIGINAL_COMMAND}" |
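Review bot: the recursion guard compares the quoted `"${SSH_ORIGINAL_COMMAND:-}"` against an unquoted `$(basename ${0})`, so the `[ ... ]` test only stays well-formed while `$0` contains no whitespace or glob characters; write it as `"$(basename "${0}")"`. Note also that the guard only matches the bare script name exactly, so `./gitaccess`, a full path, or `gitaccess` followed by arguments are not caught by it; those cases are instead rejected by the switch from `/usr/bin/bash -c` to `/usr/bin/env git shell -c`, which limits the forwarded command to the git-shell command set, and the comment above the guard should say that the `git shell -c` line is the actual restriction. Minor: `==` inside single brackets is a bashism; it works because the script runs under bash, but `=` is the portable form.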