diff --git a/bin/shell/connect.pl b/bin/shell/connect.pl index 127deba..fd40f80 100755 --- a/bin/shell/connect.pl +++ b/bin/shell/connect.pl @@ -54,7 +54,7 @@ eval { # As we're going to system() something passed to us via @ARGV, # we want to be sure we're being called by something we know. -# Yes. I'm fucking paranoid. +# Yes, we are paranoid. if (open(my $fh, '<', "/proc/" . getppid() . '/cmdline')) { my $cmdline = do { local $/ = undef; <$fh> }; close($fh); @@ -62,7 +62,7 @@ if (open(my $fh, '<', "/proc/" . getppid() . '/cmdline')) { # now check our parent infos. # regular case: ssh - if (@pargv == 1 and $pargv[0] =~ /^sshd: /) { + if (@pargv == 1 and $pargv[0] =~ /^sshd(-session)?: /) { ; # ok, our parent is sshd, legitimate use } @@ -76,6 +76,11 @@ if (open(my $fh, '<', "/proc/" . getppid() . '/cmdline')) { print STDERR "\n\nHmm, hijack of " . $pargv[2] . " by root detected... debug I guess... okay, but it's really because it's you.\n\n"; + # at that point, we don't have required the proper libs yet, require them before using the log func + require File::Basename; + require '' ## no critic (BarewordIncludes) ## I trust __FILE__, no worries + . File::Basename::dirname(__FILE__) . '/../../lib/perl/OVH/Bastion.pm'; + OVH::Bastion::warn_syslog("Hijack of " . $pargv[2] . " detected, allowing because it's root"); } # mosh @@ -107,9 +112,14 @@ if (open(my $fh, '<', "/proc/" . getppid() . '/cmdline')) { ; # we're being called by the interactive mode of osh.pl, ok } - # else: it sucks. + # else: unknown case, log and die else { - #foreach (@pargv) { print "<".$_.">\n" }; + # at that point, we don't have required the proper libs yet, require them before using the log func + require File::Basename; + require '' ## no critic (BarewordIncludes) ## I trust __FILE__, no worries + . File::Basename::dirname(__FILE__) . '/../../lib/perl/OVH/Bastion.pm'; + OVH::Bastion::warn_syslog("connect.pl: unknown parent, aborting: " . @pargv); + # foreach (@pargv) { print "<" . $_ . ">\n" } die("SECURITY VIOLATION, ABORTING."); } }