fix: recent versions of sshd have a separate sshd-session $0

pull/570/head
Stéphane Lesimple 9 months ago committed by Stéphane Lesimple
parent 7cac4dc911
commit 9779d68cc8

@ -54,7 +54,7 @@ eval {
# As we're going to system() something passed to us via @ARGV,
# we want to be sure we're being called by something we know.
# Yes. I'm fucking paranoid.
# Yes, we are paranoid.
if (open(my $fh, '<', "/proc/" . getppid() . '/cmdline')) {
my $cmdline = do { local $/ = undef; <$fh> };
close($fh);
@ -62,7 +62,7 @@ if (open(my $fh, '<', "/proc/" . getppid() . '/cmdline')) {
# now check our parent infos.
# regular case: ssh
if (@pargv == 1 and $pargv[0] =~ /^sshd: /) {
if (@pargv == 1 and $pargv[0] =~ /^sshd(-session)?: /) {
; # ok, our parent is sshd, legitimate use
}
@ -76,6 +76,11 @@ if (open(my $fh, '<', "/proc/" . getppid() . '/cmdline')) {
print STDERR "\n\nHmm, hijack of "
. $pargv[2]
. " by root detected... debug I guess... okay, but it's really because it's you.\n\n";
# at that point, we don't have required the proper libs yet, require them before using the log func
require File::Basename;
require '' ## no critic (BarewordIncludes) ## I trust __FILE__, no worries
. File::Basename::dirname(__FILE__) . '/../../lib/perl/OVH/Bastion.pm';
OVH::Bastion::warn_syslog("Hijack of " . $pargv[2] . " detected, allowing because it's root");
}
# mosh
@ -107,9 +112,14 @@ if (open(my $fh, '<', "/proc/" . getppid() . '/cmdline')) {
; # we're being called by the interactive mode of osh.pl, ok
}
# else: it sucks.
# else: unknown case, log and die
else {
#foreach (@pargv) { print "<".$_.">\n" };
# at that point, we don't have required the proper libs yet, require them before using the log func
require File::Basename;
require '' ## no critic (BarewordIncludes) ## I trust __FILE__, no worries
. File::Basename::dirname(__FILE__) . '/../../lib/perl/OVH/Bastion.pm';
OVH::Bastion::warn_syslog("connect.pl: unknown parent, aborting: " . @pargv);
# foreach (@pargv) { print "<" . $_ . ">\n" }
die("SECURITY VIOLATION, ABORTING.");
}
}
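Review bot: In the new unknown-parent `else` branch, `"connect.pl: unknown parent, aborting: " . @pargv` evaluates `@pargv` in scalar context, because the concatenation operator forces it. Syslog therefore receives only the number of parent arguments, not the parent command line that an analyst would need to triage this abort. Joining the elements logs the actual value: `OVH::Bastion::warn_syslog("connect.pl: unknown parent, aborting: " . join(' ', map { s/[^[:print:]]/?/gr } @pargv));`. The substitution keeps control characters from the parent-controlled `/proc/<ppid>/cmdline` out of the log line, and can be dropped if `warn_syslog` already sanitises its argument (not visible here). The if/elsif chain this `else` closes begins outside the hunk.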
