1 /*
   2  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
   3  *                    All rights reserved
   4  *
   5  * As far as I am concerned, the code I have written for this software
   6  * can be used freely for any purpose.  Any derived versions of this
   7  * software must be clearly marked as such, and if the derived work is
   8  * incompatible with the protocol description in the RFC file, it must be
   9  * called by a name other than "ssh" or "Secure Shell".
  10  *
  11  * SSH2 support by Markus Friedl.
  12  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  13  *
  14  * Redistribution and use in source and binary forms, with or without
  15  * modification, are permitted provided that the following conditions
  16  * are met:
  17  * 1. Redistributions of source code must retain the above copyright
  18  *    notice, this list of conditions and the following disclaimer.
  19  * 2. Redistributions in binary form must reproduce the above copyright
  20  *    notice, this list of conditions and the following disclaimer in the
  21  *    documentation and/or other materials provided with the distribution.
  22  *
  23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  24  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  25  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  26  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  27  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  28  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  29  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  30  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  32  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  33  */
  34 /*
  35  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  36  * Use is subject to license terms.
  37  */
  38 
  39 #include "includes.h"
  40 RCSID("$OpenBSD: session.c,v 1.150 2002/09/16 19:55:33 stevesk Exp $");
  41 
  42 #ifdef HAVE_DEFOPEN
  43 #include <deflt.h>
  44 #include <ulimit.h>
  45 #endif /* HAVE_DEFOPEN */
  46 
  47 #ifdef HAVE_LIBGEN_H
  48 #include <libgen.h>
  49 #endif
  50 
  51 #include <priv.h>
  52 
  53 #include "ssh.h"
  54 #include "ssh1.h"
  55 #include "ssh2.h"
  56 #include "xmalloc.h"
  57 #include "sshpty.h"
  58 #include "packet.h"
  59 #include "buffer.h"
  60 #include "mpaux.h"
  61 #include "uidswap.h"
  62 #include "compat.h"
  63 #include "channels.h"
  64 #include "bufaux.h"
  65 #include "auth.h"
  66 #include "auth-options.h"
  67 #include "pathnames.h"
  68 #include "log.h"
  69 #include "servconf.h"
  70 #include "sshlogin.h"
  71 #include "serverloop.h"
  72 #include "canohost.h"
  73 #include "session.h"
  74 #include "tildexpand.h"
  75 #include "misc.h"
  76 #include "sftp.h"
  77 
  78 #ifdef USE_PAM
  79 #include <security/pam_appl.h>
  80 #endif /* USE_PAM */
  81 
  82 #ifdef GSSAPI
  83 #include "ssh-gss.h"
  84 #endif
  85 
  86 #ifdef ALTPRIVSEP
  87 #include "altprivsep.h"
  88 #endif /* ALTPRIVSEP */
  89 
  90 #ifdef HAVE_CYGWIN
  91 #include <windows.h>
  92 #include <sys/cygwin.h>
  93 #define is_winnt       (GetVersion() < 0x80000000)
  94 #endif
  95 
  96 /* func */
  97 
  98 Session *session_new(void);
  99 void    session_set_fds(Session *, int, int, int);
 100 void    session_pty_cleanup(void *);
 101 void    session_xauthfile_cleanup(void *s);
 102 void    session_proctitle(Session *);
 103 int     session_setup_x11fwd(Session *);
 104 void    do_exec_pty(Session *, const char *);
 105 void    do_exec_no_pty(Session *, const char *);
 106 void    do_exec(Session *, const char *);
 107 void    do_login(Session *, const char *);
 108 void    do_child(Session *, const char *);
 109 void    do_motd(void);
 110 int     check_quietlogin(Session *, const char *);
 111 
 112 static void do_authenticated1(Authctxt *);
 113 static void do_authenticated2(Authctxt *);
 114 
 115 static int  session_pty_req(Session *);
 116 static int  session_env_req(Session *s);
 117 static void session_free_env(char ***envp);
 118 static void safely_chroot(const char *path, uid_t uid);
 119 static void drop_privs(uid_t uid);
 120 
 121 #ifdef USE_PAM
 122 static void session_do_pam(Session *, int);
 123 #endif /* USE_PAM */
 124 
 125 /* import */
 126 extern ServerOptions options;
 127 extern char *__progname;
 128 extern int log_stderr;
 129 extern int debug_flag;
 130 extern u_int utmp_len;
 131 extern void destroy_sensitive_data(void);
 132 
 133 #ifdef GSSAPI
 134 extern Gssctxt *xxx_gssctxt;
 135 #endif /* GSSAPI */
 136 
 137 /* original command from peer. */
 138 const char *original_command = NULL;
 139 
 140 /* data */
 141 #define MAX_SESSIONS 10
 142 Session sessions[MAX_SESSIONS];
 143 
 144 #define SUBSYSTEM_NONE          0
 145 #define SUBSYSTEM_EXT           1
 146 #define SUBSYSTEM_INT_SFTP      2
 147 
 148 #ifdef HAVE_LOGIN_CAP
 149 login_cap_t *lc;
 150 #endif
 151 
 152 /* Name and directory of socket for authentication agent forwarding. */
 153 static char *auth_sock_name = NULL;
 154 static char *auth_sock_dir = NULL;
 155 
 156 /* removes the agent forwarding socket */
 157 
 158 static void
 159 auth_sock_cleanup_proc(void *_pw)
 160 {
 161         struct passwd *pw = _pw;
 162 
 163         if (auth_sock_name != NULL) {
 164                 temporarily_use_uid(pw);
 165                 unlink(auth_sock_name);
 166                 rmdir(auth_sock_dir);
 167                 auth_sock_name = NULL;
 168                 restore_uid();
 169         }
 170 }
 171 
 172 static int
 173 auth_input_request_forwarding(struct passwd * pw)
 174 {
 175         Channel *nc;
 176         int sock;
 177         struct sockaddr_un sunaddr;
 178 
 179         if (auth_sock_name != NULL) {
 180                 error("authentication forwarding requested twice.");
 181                 return 0;
 182         }
 183 
 184         /* Temporarily drop privileged uid for mkdir/bind. */
 185         temporarily_use_uid(pw);
 186 
 187         /* Allocate a buffer for the socket name, and format the name. */
 188         auth_sock_name = xmalloc(MAXPATHLEN);
 189         auth_sock_dir = xmalloc(MAXPATHLEN);
 190         strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
 191 
 192         /* Create private directory for socket */
 193         if (mkdtemp(auth_sock_dir) == NULL) {
 194                 packet_send_debug("Agent forwarding disabled: "
 195                     "mkdtemp() failed: %.100s", strerror(errno));
 196                 restore_uid();
 197                 xfree(auth_sock_name);
 198                 xfree(auth_sock_dir);
 199                 auth_sock_name = NULL;
 200                 auth_sock_dir = NULL;
 201                 return 0;
 202         }
 203         snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%ld",
 204                  auth_sock_dir, (long) getpid());
 205 
 206         /* delete agent socket on fatal() */
 207         fatal_add_cleanup(auth_sock_cleanup_proc, pw);
 208 
 209         /* Create the socket. */
 210         sock = socket(AF_UNIX, SOCK_STREAM, 0);
 211         if (sock < 0)
 212                 packet_disconnect("socket: %.100s", strerror(errno));
 213 
 214         /* Bind it to the name. */
 215         memset(&sunaddr, 0, sizeof(sunaddr));
 216         sunaddr.sun_family = AF_UNIX;
 217         strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
 218 
 219         if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
 220                 packet_disconnect("bind: %.100s", strerror(errno));
 221 
 222         /* Restore the privileged uid. */
 223         restore_uid();
 224 
 225         /* Start listening on the socket. */
 226         if (listen(sock, 5) < 0)
 227                 packet_disconnect("listen: %.100s", strerror(errno));
 228 
 229         /* Allocate a channel for the authentication agent socket. */
 230         nc = channel_new("auth socket",
 231             SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
 232             CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
 233             0, xstrdup("auth socket"), 1);
 234         strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
 235         return 1;
 236 }
 237 
 238 
 239 void
 240 do_authenticated(Authctxt *authctxt)
 241 {
 242         /* setup the channel layer */
 243         if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
 244                 channel_permit_all_opens();
 245 
 246         if (compat20)
 247                 do_authenticated2(authctxt);
 248         else
 249                 do_authenticated1(authctxt);
 250 
 251         /* remove agent socket */
 252         if (auth_sock_name != NULL)
 253                 auth_sock_cleanup_proc(authctxt->pw);
 254 #ifdef KRB4
 255         if (options.kerberos_ticket_cleanup)
 256                 krb4_cleanup_proc(authctxt);
 257 #endif
 258 #ifdef KRB5
 259         if (options.kerberos_ticket_cleanup)
 260                 krb5_cleanup_proc(authctxt);
 261 #endif
 262 }
 263 
 264 /*
 265  * Prepares for an interactive session.  This is called after the user has
 266  * been successfully authenticated.  During this message exchange, pseudo
 267  * terminals are allocated, X11, TCP/IP, and authentication agent forwardings
 268  * are requested, etc.
 269  */
 270 static void
 271 do_authenticated1(Authctxt *authctxt)
 272 {
 273         Session *s;
 274         char *command;
 275         int success, type, screen_flag;
 276         int enable_compression_after_reply = 0;
 277         u_int proto_len, data_len, dlen, compression_level = 0;
 278 
 279         s = session_new();
 280         s->authctxt = authctxt;
 281         s->pw = authctxt->pw;
 282 
 283         /*
 284          * We stay in this loop until the client requests to execute a shell
 285          * or a command.
 286          */
 287         for (;;) {
 288                 success = 0;
 289 
 290                 /* Get a packet from the client. */
 291                 type = packet_read();
 292 
 293                 /* Process the packet. */
 294                 switch (type) {
 295                 case SSH_CMSG_REQUEST_COMPRESSION:
 296                         compression_level = packet_get_int();
 297                         packet_check_eom();
 298                         if (compression_level < 1 || compression_level > 9) {
 299                                 packet_send_debug("Received illegal compression level %d.",
 300                                     compression_level);
 301                                 break;
 302                         }
 303                         if (!options.compression) {
 304                                 debug2("compression disabled");
 305                                 break;
 306                         }
 307                         /* Enable compression after we have responded with SUCCESS. */
 308                         enable_compression_after_reply = 1;
 309                         success = 1;
 310                         break;
 311 
 312                 case SSH_CMSG_REQUEST_PTY:
 313                         success = session_pty_req(s);
 314                         break;
 315 
 316                 case SSH_CMSG_X11_REQUEST_FORWARDING:
 317                         s->auth_proto = packet_get_string(&proto_len);
 318                         s->auth_data = packet_get_string(&data_len);
 319 
 320                         screen_flag = packet_get_protocol_flags() &
 321                             SSH_PROTOFLAG_SCREEN_NUMBER;
 322                         debug2("SSH_PROTOFLAG_SCREEN_NUMBER: %d", screen_flag);
 323 
 324                         if (packet_remaining() == 4) {
 325                                 if (!screen_flag)
 326                                         debug2("Buggy client: "
 327                                             "X11 screen flag missing");
 328                                 s->screen = packet_get_int();
 329                         } else {
 330                                 s->screen = 0;
 331                         }
 332                         packet_check_eom();
 333                         success = session_setup_x11fwd(s);
 334                         if (!success) {
 335                                 xfree(s->auth_proto);
 336                                 xfree(s->auth_data);
 337                                 s->auth_proto = NULL;
 338                                 s->auth_data = NULL;
 339                         }
 340                         break;
 341 
 342                 case SSH_CMSG_AGENT_REQUEST_FORWARDING:
 343                         if (no_agent_forwarding_flag || compat13) {
 344                                 debug("Authentication agent forwarding not permitted for this authentication.");
 345                                 break;
 346                         }
 347                         debug("Received authentication agent forwarding request.");
 348                         success = auth_input_request_forwarding(s->pw);
 349                         break;
 350 
 351                 case SSH_CMSG_PORT_FORWARD_REQUEST:
 352                         if (no_port_forwarding_flag) {
 353                                 debug("Port forwarding not permitted for this authentication.");
 354                                 break;
 355                         }
 356                         if (!options.allow_tcp_forwarding) {
 357                                 debug("Port forwarding not permitted.");
 358                                 break;
 359                         }
 360                         debug("Received TCP/IP port forwarding request.");
 361                         channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports);
 362                         success = 1;
 363                         break;
 364 
 365                 case SSH_CMSG_MAX_PACKET_SIZE:
 366                         if (packet_set_maxsize(packet_get_int()) > 0)
 367                                 success = 1;
 368                         break;
 369 
 370 #if defined(AFS) || defined(KRB5)
 371                 case SSH_CMSG_HAVE_KERBEROS_TGT:
 372                         if (!options.kerberos_tgt_passing) {
 373                                 verbose("Kerberos TGT passing disabled.");
 374                         } else {
 375                                 char *kdata = packet_get_string(&dlen);
 376                                 packet_check_eom();
 377 
 378                                 /* XXX - 0x41, see creds_to_radix version */
 379                                 if (kdata[0] != 0x41) {
 380 #ifdef KRB5
 381                                         krb5_data tgt;
 382                                         tgt.data = kdata;
 383                                         tgt.length = dlen;
 384 
 385                                         if (auth_krb5_tgt(s->authctxt, &tgt))
 386                                                 success = 1;
 387                                         else
 388                                                 verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
 389 #endif /* KRB5 */
 390                                 } else {
 391 #ifdef AFS
 392                                         if (auth_krb4_tgt(s->authctxt, kdata))
 393                                                 success = 1;
 394                                         else
 395                                                 verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
 396 #endif /* AFS */
 397                                 }
 398                                 xfree(kdata);
 399                         }
 400                         break;
 401 #endif /* AFS || KRB5 */
 402 
 403 #ifdef AFS
 404                 case SSH_CMSG_HAVE_AFS_TOKEN:
 405                         if (!options.afs_token_passing || !k_hasafs()) {
 406                                 verbose("AFS token passing disabled.");
 407                         } else {
 408                                 /* Accept AFS token. */
 409                                 char *token = packet_get_string(&dlen);
 410                                 packet_check_eom();
 411 
 412                                 if (auth_afs_token(s->authctxt, token))
 413                                         success = 1;
 414                                 else
 415                                         verbose("AFS token refused for %.100s",
 416                                             s->authctxt->user);
 417                                 xfree(token);
 418                         }
 419                         break;
 420 #endif /* AFS */
 421 
 422                 case SSH_CMSG_EXEC_SHELL:
 423                 case SSH_CMSG_EXEC_CMD:
 424                         if (type == SSH_CMSG_EXEC_CMD) {
 425                                 command = packet_get_string(&dlen);
 426                                 debug("Exec command '%.500s'", command);
 427                                 do_exec(s, command);
 428                                 xfree(command);
 429                         } else {
 430                                 do_exec(s, NULL);
 431                         }
 432                         packet_check_eom();
 433                         session_close(s);
 434                         return;
 435 
 436                 default:
 437                         /*
 438                          * Any unknown messages in this phase are ignored,
 439                          * and a failure message is returned.
 440                          */
 441                         log("Unknown packet type received after authentication: %d", type);
 442                 }
 443                 packet_start(success ? SSH_SMSG_SUCCESS : SSH_SMSG_FAILURE);
 444                 packet_send();
 445                 packet_write_wait();
 446 
 447                 /* Enable compression now that we have replied if appropriate. */
 448                 if (enable_compression_after_reply) {
 449                         enable_compression_after_reply = 0;
 450                         packet_start_compression(compression_level);
 451                 }
 452         }
 453 }
 454 
 455 /*
 456  * This is called to fork and execute a command when we have no tty.  This
 457  * will call do_child from the child, and server_loop from the parent after
 458  * setting up file descriptors and such.
 459  */
 460 void
 461 do_exec_no_pty(Session *s, const char *command)
 462 {
 463         pid_t pid;
 464 
 465         int inout[2], err[2];
 466         /* Uses socket pairs to communicate with the program. */
 467         if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0 ||
 468             socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0)
 469                 packet_disconnect("Could not create socket pairs: %.100s",
 470                                   strerror(errno));
 471         if (s == NULL)
 472                 fatal("do_exec_no_pty: no session");
 473 
 474         session_proctitle(s);
 475 
 476         /* Fork the child. */
 477         if ((pid = fork()) == 0) {
 478                 fatal_remove_all_cleanups();
 479 
 480                 /* Child.  Reinitialize the log since the pid has changed. */
 481                 log_init(__progname, options.log_level, options.log_facility, log_stderr);
 482 
 483                 /*
 484                  * Create a new session and process group since the 4.4BSD
 485                  * setlogin() affects the entire process group.
 486                  */
 487                 if (setsid() < 0)
 488                         error("setsid failed: %.100s", strerror(errno));
 489 
 490                 /*
 491                  * Redirect stdin, stdout, and stderr.  Stdin and stdout will
 492                  * use the same socket, as some programs (particularly rdist)
 493                  * seem to depend on it.
 494                  */
 495                 close(inout[1]);
 496                 close(err[1]);
 497                 if (dup2(inout[0], 0) < 0)   /* stdin */
 498                         perror("dup2 stdin");
 499                 if (dup2(inout[0], 1) < 0)   /* stdout.  Note: same socket as stdin. */
 500                         perror("dup2 stdout");
 501                 if (s->is_subsystem) {
 502                         /*
 503                          * Redirect the subsystem's stderr to /dev/null. We might send it
 504                          * over to the other side but changing that might break existing
 505                          * SSH clients.
 506                          */
 507                         close(err[0]);
 508                         if ((err[0] = open(_PATH_DEVNULL, O_WRONLY)) == -1)
 509                                 fatal("Cannot open /dev/null: %.100s", strerror(errno));
 510                 } 
 511                 if (dup2(err[0], 2) < 0)     /* stderr */
 512                         perror("dup2 stderr");
 513 
 514 #ifdef _UNICOS
 515                 cray_init_job(s->pw); /* set up cray jid and tmpdir */
 516 #endif
 517 
 518                 /* Do processing for the child (exec command etc). */
 519                 do_child(s, command);
 520                 /* NOTREACHED */
 521         }
 522 #ifdef _UNICOS
 523         signal(WJSIGNAL, cray_job_termination_handler);
 524 #endif /* _UNICOS */
 525 #ifdef HAVE_CYGWIN
 526         if (is_winnt)
 527                 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
 528 #endif
 529         if (pid < 0)
 530                 packet_disconnect("fork failed: %.100s", strerror(errno));
 531 
 532         s->pid = pid;
 533         /* Set interactive/non-interactive mode. */
 534         packet_set_interactive(s->display != NULL);
 535 
 536         /* We are the parent.  Close the child sides of the socket pairs. */
 537         close(inout[0]);
 538         close(err[0]);
 539 
 540         /*
 541          * Enter the interactive session.  Note: server_loop must be able to
 542          * handle the case that fdin and fdout are the same.
 543          */
 544         if (compat20) {
 545                 session_set_fds(s, inout[1], inout[1], s->is_subsystem ? -1 : err[1]);
 546                 if (s->is_subsystem)
 547                         close(err[1]);
 548                 /* Don't close channel before sending exit-status! */
 549                 channel_set_wait_for_exit(s->chanid, 1);
 550         } else {
 551                 server_loop(pid, inout[1], inout[1], err[1]);
 552                 /* server_loop has closed inout[1] and err[1]. */
 553         }
 554 }
 555 
 556 /*
 557  * This is called to fork and execute a command when we have a tty.  This
 558  * will call do_child from the child, and server_loop from the parent after
 559  * setting up file descriptors, controlling tty, updating wtmp, utmp,
 560  * lastlog, and other such operations.
 561  */
 562 void
 563 do_exec_pty(Session *s, const char *command)
 564 {
 565         int fdout, ptyfd, ttyfd, ptymaster, pipe_fds[2];
 566         pid_t pid;
 567 
 568         if (s == NULL)
 569                 fatal("do_exec_pty: no session");
 570         ptyfd = s->ptyfd;
 571         ttyfd = s->ttyfd;
 572 
 573 #ifdef USE_PAM
 574         session_do_pam(s, 1);   /* pam_open_session() */
 575 #endif /* USE_PAM */
 576 
 577         /*
 578          * This pipe lets sshd wait for child to exec or exit.  This is
 579          * particularly important for ALTPRIVSEP because the child is
 580          * the one to call the monitor to request a record_login() and
 581          * we don't want the child and the parent to compete for the
 582          * monitor's attention.  But this is generic code and doesn't
 583          * hurt to have here even if ALTPRIVSEP is not used.
 584          */
 585         if (pipe(pipe_fds) != 0)
 586                 packet_disconnect("pipe failed: %.100s", strerror(errno));
 587 
 588         (void) fcntl(pipe_fds[0], F_SETFD, FD_CLOEXEC);
 589         (void) fcntl(pipe_fds[1], F_SETFD, FD_CLOEXEC);
 590 
 591         /* Fork the child. */
 592         if ((pid = fork()) == 0) {
 593                 (void) close(pipe_fds[0]);
 594 
 595                 fatal_remove_all_cleanups();
 596 
 597                 /* Child.  Reinitialize the log because the pid has changed. */
 598                 log_init(__progname, options.log_level, options.log_facility, log_stderr);
 599                 /* Close the master side of the pseudo tty. */
 600                 close(ptyfd);
 601 
 602                 /* Make the pseudo tty our controlling tty. */
 603                 pty_make_controlling_tty(&ttyfd, s->tty);
 604 
 605                 /* Redirect stdin/stdout/stderr from the pseudo tty. */
 606                 if (dup2(ttyfd, 0) < 0)
 607                         error("dup2 stdin: %s", strerror(errno));
 608                 if (dup2(ttyfd, 1) < 0)
 609                         error("dup2 stdout: %s", strerror(errno));
 610                 if (dup2(ttyfd, 2) < 0)
 611                         error("dup2 stderr: %s", strerror(errno));
 612 
 613                 /* Close the extra descriptor for the pseudo tty. */
 614                 close(ttyfd);
 615 
 616                 /* record login, etc. similar to login(1) */
 617                 do_login(s, command);
 618 
 619                 /*
 620                  * Close the pipe to the parent so it can re-enter its event
 621                  * loop and service the ptm; if enough debug messages get
 622                  * written to the pty before this happens there will be a
 623                  * deadlock.
 624                  */
 625                 close(pipe_fds[1]);
 626 
 627                 /*
 628                  * do_motd() was called originally in do_login(). However,
 629                  * when the /etc/motd file is large, a deadlock would happen,
 630                  * because
 631                  * - The child is blocked at fputs() to pty, when pty buffer
 632                  *   is full.
 633                  * - The parent can not consume the pty buffer, because it is
 634                  *   still blocked at read(pipe_fds[0]).
 635                  *
 636                  * To resolve the deadlock issue, we defer do_motd() after
 637                  * close(pipe_fds[1]).
 638                  */
 639                 do_motd();
 640 
 641                 /* Do common processing for the child, such as execing the command. */
 642                 do_child(s, command);
 643                 /* NOTREACHED */
 644         }
 645 
 646         /* Wait for child to exec() or exit() */
 647         (void) close(pipe_fds[1]);
 648         (void) read(pipe_fds[0], &pipe_fds[1], sizeof(int));
 649 
 650 #ifdef _UNICOS
 651         signal(WJSIGNAL, cray_job_termination_handler);
 652 #endif /* _UNICOS */
 653 #ifdef HAVE_CYGWIN
 654         if (is_winnt)
 655                 cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
 656 #endif
 657         if (pid < 0)
 658                 packet_disconnect("fork failed: %.100s", strerror(errno));
 659         s->pid = pid;
 660 
 661         /* Parent.  Close the slave side of the pseudo tty. */
 662         close(ttyfd);
 663 
 664         /*
 665          * Create another descriptor of the pty master side for use as the
 666          * standard input.  We could use the original descriptor, but this
 667          * simplifies code in server_loop.  The descriptor is bidirectional.
 668          */
 669         fdout = dup(ptyfd);
 670         if (fdout < 0)
 671                 packet_disconnect("dup #1 failed: %.100s", strerror(errno));
 672 
 673         /* we keep a reference to the pty master */
 674         ptymaster = dup(ptyfd);
 675         if (ptymaster < 0)
 676                 packet_disconnect("dup #2 failed: %.100s", strerror(errno));
 677         s->ptymaster = ptymaster;
 678 
 679         /* Enter interactive session. */
 680         packet_set_interactive(1);
 681         if (compat20) {
 682                 session_set_fds(s, ptyfd, fdout, -1);
 683                 /* Don't close channel before sending exit-status! */
 684                 channel_set_wait_for_exit(s->chanid, 1);
 685         } else {
 686                 server_loop(pid, ptyfd, fdout, -1);
 687                 /* server_loop _has_ closed ptyfd and fdout. */
 688         }
 689 }
 690 
 691 /*
 692  * This is called to fork and execute a command.  If another command is
 693  * to be forced, execute that instead.
 694  */
 695 void
 696 do_exec(Session *s, const char *command)
 697 {
 698         if (command)
 699                 s->command = xstrdup(command);
 700 
 701         if (forced_command) {
 702                 original_command = command;
 703                 command = forced_command;
 704                 debug("Forced command '%.900s'", command);
 705         }
 706 
 707         if (s->ttyfd != -1)
 708                 do_exec_pty(s, command);
 709         else
 710                 do_exec_no_pty(s, command);
 711 
 712         original_command = NULL;
 713 }
 714 
 715 
 716 /* administrative, login(1)-like work */
 717 void
 718 do_login(Session *s, const char *command)
 719 {
 720         char *time_string;
 721 #ifndef ALTPRIVSEP
 722         struct passwd * pw = s->pw;
 723 #endif /* ALTPRIVSEP*/
 724         pid_t pid = getpid();
 725 
 726         /* Record that there was a login on that tty from the remote host. */
 727 #ifdef ALTPRIVSEP
 728         debug3("Recording SSHv2 channel login in utmpx/wtmpx");
 729         altprivsep_record_login(pid, s->tty);
 730 #endif /* ALTPRIVSEP*/
 731 
 732         if (check_quietlogin(s, command))
 733                 return;
 734 
 735 #ifdef USE_PAM
 736                 print_pam_messages();
 737 #endif /* USE_PAM */
 738 #ifdef WITH_AIXAUTHENTICATE
 739         if (aixloginmsg && *aixloginmsg)
 740                 printf("%s\n", aixloginmsg);
 741 #endif /* WITH_AIXAUTHENTICATE */
 742 
 743 #ifndef NO_SSH_LASTLOG
 744         if (options.print_lastlog && s->last_login_time != 0) {
 745                 time_string = ctime(&s->last_login_time);
 746                 if (strchr(time_string, '\n'))
 747                         *strchr(time_string, '\n') = 0;
 748                 if (strcmp(s->hostname, "") == 0)
 749                         printf("Last login: %s\r\n", time_string);
 750                 else
 751                         printf("Last login: %s from %s\r\n", time_string,
 752                             s->hostname);
 753         }
 754 #endif /* NO_SSH_LASTLOG */
 755 
 756 }
 757 
 758 /*
 759  * Display the message of the day.
 760  */
 761 void
 762 do_motd(void)
 763 {
 764         FILE *f;
 765         char buf[256];
 766 
 767         if (options.print_motd) {
 768 #ifdef HAVE_LOGIN_CAP
 769                 f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
 770                     "/etc/motd"), "r");
 771 #else
 772                 f = fopen("/etc/motd", "r");
 773 #endif
 774                 if (f) {
 775                         while (fgets(buf, sizeof(buf), f))
 776                                 fputs(buf, stdout);
 777                         fclose(f);
 778                 }
 779         }
 780 }
 781 
 782 
 783 /*
 784  * Check for quiet login, either .hushlogin or command given.
 785  */
 786 int
 787 check_quietlogin(Session *s, const char *command)
 788 {
 789         char buf[256];
 790         struct passwd *pw = s->pw;
 791         struct stat st;
 792 
 793         /* Return 1 if .hushlogin exists or a command given. */
 794         if (command != NULL)
 795                 return 1;
 796         snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir);
 797 #ifdef HAVE_LOGIN_CAP
 798         if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
 799                 return 1;
 800 #else
 801         if (stat(buf, &st) >= 0)
 802                 return 1;
 803 #endif
 804         return 0;
 805 }
 806 
 807 /*
 808  * Sets the value of the given variable in the environment.  If the variable
 809  * already exists, its value is overriden.
 810  */
 811 void
 812 child_set_env(char ***envp, u_int *envsizep, const char *name,
 813         const char *value)
 814 {
 815         debug3("child_set_env(%s, %s)", name, value);
 816         child_set_env_silent(envp, envsizep, name, value);
 817 }
 818 
 819 
 820 void
 821 child_set_env_silent(char ***envp, u_int *envsizep, const char *name,
 822         const char *value)
 823 {
 824         u_int i, namelen;
 825         char **env;
 826 
 827         /*
 828          * Find the slot where the value should be stored.  If the variable
 829          * already exists, we reuse the slot; otherwise we append a new slot
 830          * at the end of the array, expanding if necessary.
 831          */
 832         env = *envp;
 833         namelen = strlen(name);
 834         for (i = 0; env[i]; i++)
 835                 if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
 836                         break;
 837         if (env[i]) {
 838                 /* Reuse the slot. */
 839                 xfree(env[i]);
 840         } else {
 841                 /* New variable.  Expand if necessary. */
 842                 if (i >= (*envsizep) - 1) {
 843                         if (*envsizep >= 1000)
 844                                 fatal("child_set_env: too many env vars,"
 845                                     " skipping: %.100s", name);
 846                         (*envsizep) += 50;
 847                         env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
 848                 }
 849                 /* Need to set the NULL pointer at end of array beyond the new slot. */
 850                 env[i + 1] = NULL;
 851         }
 852 
 853         /* Allocate space and format the variable in the appropriate slot. */
 854         env[i] = xmalloc(strlen(name) + 1 + strlen(value) + 1);
 855         snprintf(env[i], strlen(name) + 1 + strlen(value) + 1, "%s=%s", name, value);
 856 }
 857 
 858 /*
 859  * Reads environment variables from the given file and adds/overrides them
 860  * into the environment.  If the file does not exist, this does nothing.
 861  * Otherwise, it must consist of empty lines, comments (line starts with '#')
 862  * and assignments of the form name=value.  No other forms are allowed.
 863  */
 864 static void
 865 read_environment_file(char ***env, u_int *envsize,
 866         const char *filename)
 867 {
 868         FILE *f;
 869         char buf[4096];
 870         char *cp, *value;
 871         u_int lineno = 0;
 872 
 873         f = fopen(filename, "r");
 874         if (!f)
 875                 return;
 876 
 877         while (fgets(buf, sizeof(buf), f)) {
 878                 if (++lineno > 1000)
 879                         fatal("Too many lines in environment file %s", filename);
 880                 for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
 881                         ;
 882                 if (!*cp || *cp == '#' || *cp == '\n')
 883                         continue;
 884                 if (strchr(cp, '\n'))
 885                         *strchr(cp, '\n') = '\0';
 886                 value = strchr(cp, '=');
 887                 if (value == NULL) {
 888                         fprintf(stderr, gettext("Bad line %u in %.100s\n"),
 889                                 lineno, filename);
 890                         continue;
 891                 }
 892                 /*
 893                  * Replace the equals sign by nul, and advance value to
 894                  * the value string.
 895                  */
 896                 *value = '\0';
 897                 value++;
 898                 child_set_env(env, envsize, cp, value);
 899         }
 900         fclose(f);
 901 }
 902 
 903 void copy_environment(char **source, char ***env, u_int *envsize)
 904 {
 905         char *var_name, *var_val;
 906         int i;
 907 
 908         if (source == NULL)
 909                 return;
 910 
 911         for(i = 0; source[i] != NULL; i++) {
 912                 var_name = xstrdup(source[i]);
 913                 if ((var_val = strstr(var_name, "=")) == NULL) {
 914                         xfree(var_name);
 915                         continue;
 916                 }
 917                 *var_val++ = '\0';
 918 
 919                 debug3("Copy environment: %s=%s", var_name, var_val);
 920                 child_set_env(env, envsize, var_name, var_val);
 921                 
 922                 xfree(var_name);
 923         }
 924 }
 925 
 926 #ifdef HAVE_DEFOPEN
 927 static
 928 void
 929 deflt_do_setup_env(Session *s, const char *shell, char ***env, u_int *envsize)
 930 {
 931         int     flags;
 932         char    *ptr;
 933         mode_t  Umask = 022;
 934 
 935         if (defopen(_PATH_DEFAULT_LOGIN))
 936                 return;
 937 
 938         /* Ignore case */
 939         flags = defcntl(DC_GETFLAGS, 0);
 940         TURNOFF(flags, DC_CASE);
 941         (void) defcntl(DC_SETFLAGS, flags);
 942 
 943         /* TZ & HZ */
 944         if ((ptr = defread("TIMEZONE=")) != NULL)
 945                 child_set_env(env, envsize, "TZ", ptr);
 946         if ((ptr = defread("HZ=")) != NULL)
 947                 child_set_env(env, envsize, "HZ", ptr);
 948 
 949         /* PATH */
 950         if (s->pw->pw_uid != 0 && (ptr = defread("PATH=")) != NULL)
 951                 child_set_env(env, envsize, "PATH", ptr);
 952         if (s->pw->pw_uid == 0 && (ptr = defread("SUPATH=")) != NULL)
 953                 child_set_env(env, envsize, "PATH", ptr);
 954 
 955         /* SHELL */
 956         if ((ptr = defread("ALTSHELL=")) != NULL) {
 957                 if (strcasecmp("YES", ptr) == 0)
 958                         child_set_env(env, envsize, "SHELL", shell);
 959                 else
 960                         child_set_env(env, envsize, "SHELL", "");
 961         }
 962 
 963         /* UMASK */
 964         if ((ptr = defread("UMASK=")) != NULL &&
 965             sscanf(ptr, "%lo", &Umask) == 1 &&
 966             Umask <= (mode_t)0777)
 967                 (void) umask(Umask);
 968         else
 969                 (void) umask(022);
 970 
 971         /* ULIMIT */
 972         if ((ptr = defread("ULIMIT=")) != NULL && atol(ptr) > 0L &&
 973             ulimit(UL_SETFSIZE, atol(ptr)) < 0L)
 974                 error("Could not set ULIMIT to %ld from %s\n", atol(ptr),
 975                         _PATH_DEFAULT_LOGIN);
 976 
 977         (void) defopen(NULL);
 978 }
 979 #endif /* HAVE_DEFOPEN */
 980 
 981 static char **
 982 do_setup_env(Session *s, const char *shell)
 983 {
 984         char buf[256];
 985         char path_maildir[] = _PATH_MAILDIR;
 986         u_int i, envsize, pm_len;
 987         char **env;
 988         struct passwd *pw = s->pw;
 989 
 990         /* Initialize the environment. */
 991         envsize = 100;
 992         env = xmalloc(envsize * sizeof(char *));
 993         env[0] = NULL;
 994 
 995 #ifdef HAVE_CYGWIN
 996         /*
 997          * The Windows environment contains some setting which are
 998          * important for a running system. They must not be dropped.
 999          */
1000         copy_environment(environ, &env, &envsize);
1001 #endif
1002 
1003 #ifdef GSSAPI
1004         /* Allow any GSSAPI methods that we've used to alter 
1005          * the childs environment as they see fit
1006          */
1007         ssh_gssapi_do_child(xxx_gssctxt, &env,&envsize);
1008 #endif
1009 
1010         /* Set basic environment. */
1011         child_set_env(&env, &envsize, "USER", pw->pw_name);
1012         child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
1013         child_set_env(&env, &envsize, "HOME", pw->pw_dir);
1014 #ifdef HAVE_LOGIN_CAP
1015         if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
1016                 child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
1017         else
1018                 child_set_env(&env, &envsize, "PATH", getenv("PATH"));
1019 #else /* HAVE_LOGIN_CAP */
1020 # ifndef HAVE_CYGWIN
1021         /*
1022          * There's no standard path on Windows. The path contains
1023          * important components pointing to the system directories,
1024          * needed for loading shared libraries. So the path better
1025          * remains intact here.
1026          */
1027 #  ifdef SUPERUSER_PATH
1028         child_set_env(&env, &envsize, "PATH", 
1029             s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
1030 #  else 
1031         child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
1032 #  endif /* SUPERUSER_PATH */
1033 # endif /* HAVE_CYGWIN */
1034 #endif /* HAVE_LOGIN_CAP */
1035 
1036         pm_len = strlen(path_maildir);
1037         if (path_maildir[pm_len - 1] == '/' && pm_len > 1)
1038                 path_maildir[pm_len - 1] = NULL;
1039         snprintf(buf, sizeof buf, "%.200s/%.50s",
1040                  path_maildir, pw->pw_name);
1041         child_set_env(&env, &envsize, "MAIL", buf);
1042 
1043         /* Normal systems set SHELL by default. */
1044         child_set_env(&env, &envsize, "SHELL", shell);
1045 
1046 #ifdef HAVE_DEFOPEN
1047         deflt_do_setup_env(s, shell, &env, &envsize);
1048 #endif /* HAVE_DEFOPEN */
1049 
1050 #define PASS_ENV(x) \
1051         if (getenv(x)) \
1052                 child_set_env(&env, &envsize, x, getenv(x));
1053 
1054         if (getenv("TZ"))
1055                 child_set_env(&env, &envsize, "TZ", getenv("TZ"));
1056 
1057         if (s->auth_file != NULL)
1058                 child_set_env(&env, &envsize, "XAUTHORITY", s->auth_file);
1059 
1060         PASS_ENV("LANG")
1061         PASS_ENV("LC_ALL")
1062         PASS_ENV("LC_CTYPE")
1063         PASS_ENV("LC_COLLATE")
1064         PASS_ENV("LC_TIME")
1065         PASS_ENV("LC_NUMERIC")
1066         PASS_ENV("LC_MONETARY")
1067         PASS_ENV("LC_MESSAGES")
1068 
1069 #undef PASS_ENV
1070 
1071         if (s->env != NULL)
1072                 copy_environment(s->env, &env, &envsize);
1073 
1074         /* Set custom environment options from RSA authentication. */
1075         while (custom_environment) {
1076                 struct envstring *ce = custom_environment;
1077                 char *str = ce->s;
1078 
1079                 for (i = 0; str[i] != '=' && str[i]; i++)
1080                         ;
1081                 if (str[i] == '=') {
1082                         str[i] = 0;
1083                         child_set_env(&env, &envsize, str, str + i + 1);
1084                 }
1085                 custom_environment = ce->next;
1086                 xfree(ce->s);
1087                 xfree(ce);
1088         }
1089 
1090         /* SSH_CLIENT deprecated */
1091         snprintf(buf, sizeof buf, "%.50s %d %d",
1092             get_remote_ipaddr(), get_remote_port(), get_local_port());
1093         child_set_env(&env, &envsize, "SSH_CLIENT", buf);
1094 
1095         snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
1096             get_remote_ipaddr(), get_remote_port(),
1097             get_local_ipaddr(packet_get_connection_in()), get_local_port());
1098         child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
1099 
1100         if (s->ttyfd != -1)
1101                 child_set_env(&env, &envsize, "SSH_TTY", s->tty);
1102         if (s->term)
1103                 child_set_env(&env, &envsize, "TERM", s->term);
1104         if (s->display)
1105                 child_set_env(&env, &envsize, "DISPLAY", s->display);
1106         if (original_command)
1107                 child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
1108                     original_command);
1109 
1110 #ifdef _UNICOS
1111         if (cray_tmpdir[0] != '\0')
1112                 child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir);
1113 #endif /* _UNICOS */
1114 
1115 #ifdef _AIX
1116         {
1117                 char *cp;
1118 
1119                 if ((cp = getenv("AUTHSTATE")) != NULL)
1120                         child_set_env(&env, &envsize, "AUTHSTATE", cp);
1121                 if ((cp = getenv("KRB5CCNAME")) != NULL)
1122                         child_set_env(&env, &envsize, "KRB5CCNAME", cp);
1123                 read_environment_file(&env, &envsize, "/etc/environment");
1124         }
1125 #endif
1126 #ifdef KRB4
1127         if (s->authctxt->krb4_ticket_file)
1128                 child_set_env(&env, &envsize, "KRBTKFILE",
1129                     s->authctxt->krb4_ticket_file);
1130 #endif
1131 #ifdef KRB5
1132         if (s->authctxt->krb5_ticket_file)
1133                 child_set_env(&env, &envsize, "KRB5CCNAME",
1134                     s->authctxt->krb5_ticket_file);
1135 #endif
1136 #ifdef USE_PAM
1137         /*
1138          * Pull in any environment variables that may have
1139          * been set by PAM.
1140          */
1141         {
1142                 char **p;
1143 
1144                 p = fetch_pam_environment(s->authctxt);
1145                 copy_environment(p, &env, &envsize);
1146                 free_pam_environment(p);
1147         }
1148 #endif /* USE_PAM */
1149 
1150         if (auth_sock_name != NULL)
1151                 child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
1152                     auth_sock_name);
1153 
1154         /* read $HOME/.ssh/environment. */
1155         if (options.permit_user_env) {
1156                 snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
1157                     strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
1158                 read_environment_file(&env, &envsize, buf);
1159         }
1160         if (debug_flag) {
1161                 /* dump the environment */
1162                 fprintf(stderr, gettext("Environment:\n"));
1163                 for (i = 0; env[i]; i++)
1164                         fprintf(stderr, "  %.200s\n", env[i]);
1165         }
1166         return env;
1167 }
1168 
1169 /*
1170  * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
1171  * first in this order).
1172  */
1173 static void
1174 do_rc_files(Session *s, const char *shell)
1175 {
1176         FILE *f = NULL;
1177         char cmd[1024];
1178         int do_xauth;
1179         struct stat st;
1180 
1181         do_xauth =
1182             s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
1183 
1184         /* ignore _PATH_SSH_USER_RC for subsystems */
1185         if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
1186                 snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
1187                     shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
1188                 if (debug_flag)
1189                         fprintf(stderr, "Running %s\n", cmd);
1190                 f = popen(cmd, "w");
1191                 if (f) {
1192                         if (do_xauth)
1193                                 fprintf(f, "%s %s\n", s->auth_proto,
1194                                     s->auth_data);
1195                         pclose(f);
1196                 } else
1197                         fprintf(stderr, "Could not run %s\n",
1198                             _PATH_SSH_USER_RC);
1199         } else if (stat(_PATH_SSH_SYSTEM_RC, &st) >= 0) {
1200                 if (debug_flag)
1201                         fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
1202                             _PATH_SSH_SYSTEM_RC);
1203                 f = popen(_PATH_BSHELL " " _PATH_SSH_SYSTEM_RC, "w");
1204                 if (f) {
1205                         if (do_xauth)
1206                                 fprintf(f, "%s %s\n", s->auth_proto,
1207                                     s->auth_data);
1208                         pclose(f);
1209                 } else
1210                         fprintf(stderr, "Could not run %s\n",
1211                             _PATH_SSH_SYSTEM_RC);
1212         } else if (do_xauth && options.xauth_location != NULL) {
1213                 /* Add authority data to .Xauthority if appropriate. */
1214                 if (debug_flag) {
1215                         fprintf(stderr,
1216                             "Running %.500s add "
1217                             "%.100s %.100s %.100s\n",
1218                             options.xauth_location, s->auth_display,
1219                             s->auth_proto, s->auth_data);
1220                 }
1221                 snprintf(cmd, sizeof cmd, "%s -q -",
1222                     options.xauth_location);
1223                 f = popen(cmd, "w");
1224                 if (f) {
1225                         fprintf(f, "add %s %s %s\n",
1226                             s->auth_display, s->auth_proto,
1227                             s->auth_data);
1228                         pclose(f);
1229                 } else {
1230                         fprintf(stderr, "Could not run %s\n",
1231                             cmd);
1232                 }
1233         }
1234 }
1235 
1236 /* Disallow logins if /etc/nologin exists. This does not apply to root. */
1237 static void
1238 do_nologin(struct passwd *pw)
1239 {
1240         FILE *f = NULL;
1241         char buf[1024];
1242         struct stat sb;
1243 
1244         if (pw->pw_uid == 0)
1245                 return;
1246 
1247         if (stat(_PATH_NOLOGIN, &sb) == -1)
1248                return;
1249 
1250         /* /etc/nologin exists.  Print its contents if we can and exit. */
1251         log("User %.100s not allowed because %s exists.", pw->pw_name,
1252             _PATH_NOLOGIN);
1253         if ((f = fopen(_PATH_NOLOGIN, "r")) != NULL) {
1254                 while (fgets(buf, sizeof(buf), f))
1255                         fputs(buf, stderr);
1256                 fclose(f);
1257         }
1258         exit(254);
1259 }
1260 
1261 /* Chroot into ChrootDirectory if the option is set. */
1262 void
1263 chroot_if_needed(struct passwd *pw)
1264 {
1265         char *chroot_path, *tmp;
1266 
1267         if (chroot_requested(options.chroot_directory)) {
1268                 tmp = tilde_expand_filename(options.chroot_directory,
1269                     pw->pw_uid);
1270                 chroot_path = percent_expand(tmp, "h", pw->pw_dir,
1271                     "u", pw->pw_name, (char *)NULL);
1272                 safely_chroot(chroot_path, pw->pw_uid);
1273                 free(tmp);
1274                 free(chroot_path);
1275         }
1276 }
1277 
1278 /*
1279  * Chroot into a directory after checking it for safety: all path components
1280  * must be root-owned directories with strict permissions.
1281  */
1282 static void
1283 safely_chroot(const char *path, uid_t uid)
1284 {
1285         const char *cp;
1286         char component[MAXPATHLEN];
1287         struct stat st;
1288 
1289         if (*path != '/')
1290                 fatal("chroot path does not begin at root");
1291         if (strlen(path) >= sizeof(component))
1292                 fatal("chroot path too long");
1293 
1294         /*
1295          * Descend the path, checking that each component is a
1296          * root-owned directory with strict permissions.
1297          */
1298         for (cp = path; cp != NULL;) {
1299                 if ((cp = strchr(cp, '/')) == NULL)
1300                         strlcpy(component, path, sizeof(component));
1301                 else {
1302                         cp++;
1303                         memcpy(component, path, cp - path);
1304                         component[cp - path] = '\0';
1305                 }
1306         
1307                 debug3("%s: checking '%s'", __func__, component);
1308 
1309                 if (stat(component, &st) != 0)
1310                         fatal("%s: stat(\"%s\"): %s", __func__,
1311                             component, strerror(errno));
1312                 if (st.st_uid != 0 || (st.st_mode & 022) != 0)
1313                         fatal("bad ownership or modes for chroot "
1314                             "directory %s\"%s\"", 
1315                             cp == NULL ? "" : "component ", component);
1316                 if (!S_ISDIR(st.st_mode))
1317                         fatal("chroot path %s\"%s\" is not a directory",
1318                             cp == NULL ? "" : "component ", component);
1319         }
1320 
1321         if (chdir(path) == -1)
1322                 fatal("Unable to chdir to chroot path \"%s\": "
1323                     "%s", path, strerror(errno));
1324         if (chroot(path) == -1)
1325                 fatal("chroot(\"%s\"): %s", path, strerror(errno));
1326         if (chdir("/") == -1)
1327                 fatal("%s: chdir(/) after chroot: %s",
1328                     __func__, strerror(errno));
1329         verbose("Changed root directory to \"%s\"", path);
1330 }
1331 
1332 static void
1333 launch_login(struct passwd *pw, const char *hostname)
1334 {
1335         /* Launch login(1). */
1336 
1337         execl(LOGIN_PROGRAM, "login", "-h", hostname,
1338 #ifdef xxxLOGIN_NEEDS_TERM
1339                     (s->term ? s->term : "unknown"),
1340 #endif /* LOGIN_NEEDS_TERM */
1341 #ifdef LOGIN_NO_ENDOPT
1342             "-p", "-f", pw->pw_name, (char *)NULL);
1343 #else
1344             "-p", "-f", "--", pw->pw_name, (char *)NULL);
1345 #endif
1346 
1347         /* Login couldn't be executed, die. */
1348 
1349         perror("login");
1350         exit(1);
1351 }
1352 
1353 /*
1354  * Performs common processing for the child, such as setting up the
1355  * environment, closing extra file descriptors, setting the user and group
1356  * ids, and executing the command or shell.
1357  */
1358 #define ARGV_MAX 10
1359 void
1360 do_child(Session *s, const char *command)
1361 {
1362         extern char **environ;
1363         char **env;
1364         char *argv[ARGV_MAX];
1365         const char *shell, *shell0;
1366         struct passwd *pw = s->pw;
1367 
1368         /* remove hostkey from the child's memory */
1369         destroy_sensitive_data();
1370 
1371         do_nologin(pw);
1372         chroot_if_needed(pw);
1373 
1374         /*
1375          * Get the shell from the password data.  An empty shell field is
1376          * legal, and means /bin/sh.
1377          */
1378         shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
1379 #ifdef HAVE_LOGIN_CAP
1380         shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
1381 #endif
1382 
1383         env = do_setup_env(s, shell);
1384 
1385         /*
1386          * Close the connection descriptors; note that this is the child, and
1387          * the server will still have the socket open, and it is important
1388          * that we do not shutdown it.  Note that the descriptors cannot be
1389          * closed before building the environment, as we call
1390          * get_remote_ipaddr there.
1391          */
1392         if (packet_get_connection_in() == packet_get_connection_out())
1393                 close(packet_get_connection_in());
1394         else {
1395                 close(packet_get_connection_in());
1396                 close(packet_get_connection_out());
1397         }
1398         /*
1399          * Close all descriptors related to channels.  They will still remain
1400          * open in the parent.
1401          */
1402         /* XXX better use close-on-exec? -markus */
1403         channel_close_all();
1404 
1405         /*
1406          * Close any extra file descriptors.  Note that there may still be
1407          * descriptors left by system functions.  They will be closed later.
1408          */
1409         endpwent();
1410 
1411         /*
1412          * Must switch to the new environment variables so that .ssh/rc,
1413          * /etc/ssh/sshrc, and xauth are run in the proper environment.
1414          */
1415         environ = env;
1416 
1417         /*
1418          * New environment has been installed. We need to update locale
1419          * so that error messages beyond this point have the proper
1420          * character encoding.
1421          */
1422         (void) setlocale(LC_ALL, ""); 
1423 
1424         /*
1425          * Close any extra open file descriptors so that we don\'t have them
1426          * hanging around in clients.  Note that we want to do this after
1427          * initgroups, because at least on Solaris 2.3 it leaves file
1428          * descriptors open.
1429          */
1430         closefrom(STDERR_FILENO + 1);
1431 
1432 #ifdef AFS
1433         /* Try to get AFS tokens for the local cell. */
1434         if (k_hasafs()) {
1435                 char cell[64];
1436 
1437                 if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
1438                         krb_afslog(cell, 0);
1439 
1440                 krb_afslog(0, 0);
1441         }
1442 #endif /* AFS */
1443 
1444         /* Change current directory to the user's home directory. */
1445         if (chdir(pw->pw_dir) < 0) {
1446                 /* Suppress missing homedir warning for chroot case */
1447                 if (!chroot_requested(options.chroot_directory))
1448                         fprintf(stderr, "Could not chdir to home "
1449                             "directory %s: %s\n", pw->pw_dir,
1450                             strerror(errno));
1451         }
1452 
1453         do_rc_files(s, shell);
1454 
1455         /* restore SIGPIPE for child */
1456         signal(SIGPIPE,  SIG_DFL);
1457 
1458         if (s->is_subsystem == SUBSYSTEM_INT_SFTP) {
1459                 int i;
1460                 char *p, *args;
1461                 extern int optind, optreset;
1462 
1463                 /* This will set the E/P sets here, simulating exec(2). */
1464                 drop_privs(pw->pw_uid);
1465 
1466                 setproctitle("%s@internal-sftp-server", s->pw->pw_name);
1467                 args = xstrdup(command ? command : "sftp-server");
1468 
1469                 i = 0;
1470                 for ((p = strtok(args, " ")); p != NULL; (p = strtok(NULL, " "))) {
1471                         if (i < ARGV_MAX - 1)
1472                                 argv[i++] = p;
1473                 }
1474 
1475                 argv[i] = NULL;
1476                 optind = optreset = 1;
1477                 __progname = argv[0];
1478                 exit(sftp_server_main(i, argv, s->pw));
1479         }
1480 
1481         /* Get the last component of the shell name. */
1482         if ((shell0 = strrchr(shell, '/')) != NULL)
1483                 shell0++;
1484         else
1485                 shell0 = shell;
1486 
1487         /*
1488          * If we have no command, execute the shell.  In this case, the shell
1489          * name to be passed in argv[0] is preceded by '-' to indicate that
1490          * this is a login shell.
1491          */
1492         if (!command) {
1493                 char argv0[256];
1494 
1495                 /* Start the shell.  Set initial character to '-'. */
1496                 argv0[0] = '-';
1497 
1498                 if (strlcpy(argv0 + 1, shell0, sizeof(argv0) - 1)
1499                     >= sizeof(argv0) - 1) {
1500                         errno = EINVAL;
1501                         perror(shell);
1502                         exit(1);
1503                 }
1504 
1505                 /* Execute the shell. */
1506                 argv[0] = argv0;
1507                 argv[1] = NULL;
1508                 execve(shell, argv, env);
1509 
1510                 /* Executing the shell failed. */
1511                 perror(shell);
1512                 exit(1);
1513         }
1514         /*
1515          * Execute the command using the user's shell.  This uses the -c
1516          * option to execute the command.
1517          */
1518         argv[0] = (char *) shell0;
1519         argv[1] = "-c";
1520         argv[2] = (char *) command;
1521         argv[3] = NULL;
1522         execve(shell, argv, env);
1523         perror(shell);
1524         exit(1);
1525 }
1526 
1527 Session *
1528 session_new(void)
1529 {
1530         int i;
1531         static int did_init = 0;
1532         if (!did_init) {
1533                 debug("session_new: init");
1534                 for (i = 0; i < MAX_SESSIONS; i++) {
1535                         sessions[i].used = 0;
1536                 }
1537                 did_init = 1;
1538         }
1539         for (i = 0; i < MAX_SESSIONS; i++) {
1540                 Session *s = &sessions[i];
1541                 if (! s->used) {
1542                         memset(s, 0, sizeof(*s));
1543                         s->chanid = -1;
1544                         s->ptyfd = -1;
1545                         s->ttyfd = -1;
1546                         s->used = 1;
1547                         s->self = i;
1548                         s->env = NULL;
1549                         debug("session_new: session %d", i);
1550                         return s;
1551                 }
1552         }
1553         return NULL;
1554 }
1555 
1556 static void
1557 session_dump(void)
1558 {
1559         int i;
1560         for (i = 0; i < MAX_SESSIONS; i++) {
1561                 Session *s = &sessions[i];
1562                 debug("dump: used %d session %d %p channel %d pid %ld",
1563                     s->used,
1564                     s->self,
1565                     s,
1566                     s->chanid,
1567                     (long)s->pid);
1568         }
1569 }
1570 
1571 int
1572 session_open(Authctxt *authctxt, int chanid)
1573 {
1574         Session *s = session_new();
1575         debug("session_open: channel %d", chanid);
1576         if (s == NULL) {
1577                 error("no more sessions");
1578                 return 0;
1579         }
1580         s->authctxt = authctxt;
1581         s->pw = authctxt->pw;
1582         if (s->pw == NULL)
1583                 fatal("no user for session %d", s->self);
1584         debug("session_open: session %d: link with channel %d", s->self, chanid);
1585         s->chanid = chanid;
1586         return 1;
1587 }
1588 
1589 #ifndef lint
1590 Session *
1591 session_by_tty(char *tty)
1592 {
1593         int i;
1594         for (i = 0; i < MAX_SESSIONS; i++) {
1595                 Session *s = &sessions[i];
1596                 if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
1597                         debug("session_by_tty: session %d tty %s", i, tty);
1598                         return s;
1599                 }
1600         }
1601         debug("session_by_tty: unknown tty %.100s", tty);
1602         session_dump();
1603         return NULL;
1604 }
1605 #endif /* lint */
1606 
1607 static Session *
1608 session_by_channel(int id)
1609 {
1610         int i;
1611         for (i = 0; i < MAX_SESSIONS; i++) {
1612                 Session *s = &sessions[i];
1613                 if (s->used && s->chanid == id) {
1614                         debug("session_by_channel: session %d channel %d", i, id);
1615                         return s;
1616                 }
1617         }
1618         debug("session_by_channel: unknown channel %d", id);
1619         session_dump();
1620         return NULL;
1621 }
1622 
1623 static Session *
1624 session_by_pid(pid_t pid)
1625 {
1626         int i;
1627         debug("session_by_pid: pid %ld", (long)pid);
1628         for (i = 0; i < MAX_SESSIONS; i++) {
1629                 Session *s = &sessions[i];
1630                 if (s->used && s->pid == pid)
1631                         return s;
1632         }
1633         error("session_by_pid: unknown pid %ld", (long)pid);
1634         session_dump();
1635         return NULL;
1636 }
1637 
1638 static int
1639 session_window_change_req(Session *s)
1640 {
1641         s->col = packet_get_int();
1642         s->row = packet_get_int();
1643         s->xpixel = packet_get_int();
1644         s->ypixel = packet_get_int();
1645         packet_check_eom();
1646         pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
1647         return 1;
1648 }
1649 
1650 static int
1651 session_pty_req(Session *s)
1652 {
1653         u_int len;
1654         int n_bytes;
1655 
1656         if (no_pty_flag) {
1657                 debug("Allocating a pty not permitted for this authentication.");
1658                 return 0;
1659         }
1660         if (s->ttyfd != -1) {
1661                 packet_disconnect("Protocol error: you already have a pty.");
1662                 return 0;
1663         }
1664         /* Get the time and hostname when the user last logged in. */
1665         if (options.print_lastlog) {
1666                 s->hostname[0] = '\0';
1667                 s->last_login_time = get_last_login_time(s->pw->pw_uid,
1668                     s->pw->pw_name, s->hostname, sizeof(s->hostname));
1669                 
1670                 /*
1671                  * PAM may update the last login date.
1672                  *
1673                  * Ideally PAM would also show the last login date as a
1674                  * PAM_TEXT_INFO conversation message, and then we could just
1675                  * always force the use of keyboard-interactive just so we can
1676                  * pass any such PAM prompts and messages from the account and
1677                  * session stacks, but skip pam_authenticate() if other userauth
1678                  * has succeeded and the user's password isn't expired.
1679                  *
1680                  * Unfortunately this depends on support for keyboard-
1681                  * interactive in the client, and support for lastlog messages
1682                  * in some PAM module.
1683                  *
1684                  * As it is Solaris updates the lastlog in PAM, but does
1685                  * not show the lastlog date in PAM.  If and when this state of
1686                  * affairs changes this hack can be reconsidered, and, maybe,
1687                  * removed.
1688                  *
1689                  * So we're stuck with a crude hack: get the lastlog
1690                  * time before calling pam_open_session() and store it
1691                  * in the Authctxt and then use it here once.  After
1692                  * that, if the client opens any more pty sessions we'll
1693                  * show the last lastlog entry since userauth.
1694                  */
1695                 if (s->authctxt != NULL && s->authctxt->last_login_time > 0) {
1696                         s->last_login_time = s->authctxt->last_login_time;
1697                         (void) strlcpy(s->hostname,
1698                                        s->authctxt->last_login_host,
1699                                        sizeof(s->hostname));
1700                         s->authctxt->last_login_time = 0;
1701                         s->authctxt->last_login_host[0] = '\0';
1702                 }
1703         }
1704 
1705         s->term = packet_get_string(&len);
1706 
1707         if (compat20) {
1708                 s->col = packet_get_int();
1709                 s->row = packet_get_int();
1710         } else {
1711                 s->row = packet_get_int();
1712                 s->col = packet_get_int();
1713         }
1714         s->xpixel = packet_get_int();
1715         s->ypixel = packet_get_int();
1716 
1717         if (strcmp(s->term, "") == 0) {
1718                 xfree(s->term);
1719                 s->term = NULL;
1720         }
1721 
1722         /* Allocate a pty and open it. */
1723         debug("Allocating pty.");
1724         if (!pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty))) {
1725                 if (s->term)
1726                         xfree(s->term);
1727                 s->term = NULL;
1728                 s->ptyfd = -1;
1729                 s->ttyfd = -1;
1730                 error("session_pty_req: session %d alloc failed", s->self);
1731                 return 0;
1732         }
1733         debug("session_pty_req: session %d alloc %s", s->self, s->tty);
1734 
1735         /* for SSH1 the tty modes length is not given */
1736         if (!compat20)
1737                 n_bytes = packet_remaining();
1738         tty_parse_modes(s->ttyfd, &n_bytes);
1739 
1740         /*
1741          * Add a cleanup function to clear the utmp entry and record logout
1742          * time in case we call fatal() (e.g., the connection gets closed).
1743          */
1744         fatal_add_cleanup(session_pty_cleanup, (void *)s);
1745         pty_setowner(s->pw, s->tty);
1746 
1747         /* Set window size from the packet. */
1748         pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
1749 
1750         packet_check_eom();
1751         session_proctitle(s);
1752         return 1;
1753 }
1754 
1755 static int
1756 session_subsystem_req(Session *s)
1757 {
1758         struct stat st;
1759         u_int len;
1760         int success = 0;
1761         char *prog, *cmd, *subsys = packet_get_string(&len);
1762         u_int i;
1763 
1764         packet_check_eom();
1765         log("subsystem request for %.100s", subsys);
1766 
1767         for (i = 0; i < options.num_subsystems; i++) {
1768                 if (strcmp(subsys, options.subsystem_name[i]) == 0) {
1769                         prog = options.subsystem_command[i];
1770                         cmd = options.subsystem_args[i];
1771                         if (strcmp(INTERNAL_SFTP_NAME, prog) == 0) {
1772                                 s->is_subsystem = SUBSYSTEM_INT_SFTP;
1773                         /*
1774                          * We must stat(2) the subsystem before we chroot in
1775                          * order to be able to send a proper error message.
1776                          */
1777                         } else if (chroot_requested(options.chroot_directory)) {
1778                                 char chdirsub[MAXPATHLEN];
1779 
1780                                 strlcpy(chdirsub, options.chroot_directory,
1781                                     sizeof (chdirsub));
1782                                 strlcat(chdirsub, "/", sizeof (chdirsub));
1783                                 strlcat(chdirsub, prog, sizeof (chdirsub));
1784                                 if (stat(chdirsub, &st) < 0) {
1785                                         error("subsystem: cannot stat %s under "
1786                                             "chroot directory %s: %s", prog,
1787                                             options.chroot_directory,
1788                                             strerror(errno));
1789                                         if (strcmp(subsys, "sftp") == 0)
1790                                                 error("subsystem: please see "
1791                                                     "the Subsystem option in "
1792                                                     "sshd_config(4) for an "
1793                                                     "explanation of '%s'.",
1794                                                     INTERNAL_SFTP_NAME);
1795                                         break;
1796                                 }
1797                         } else if (stat(prog, &st) < 0) {
1798                                 error("subsystem: cannot stat %s: %s", prog,
1799                                     strerror(errno));
1800                                 break;
1801                         } else {
1802                                 s->is_subsystem = SUBSYSTEM_EXT;
1803                         }
1804                         debug("subsystem: exec() %s", cmd);
1805                         do_exec(s, cmd);
1806                         success = 1;
1807                         break;
1808                 }
1809         }
1810 
1811         if (!success)
1812                 log("subsystem request for %.100s failed, subsystem not found",
1813                     subsys);
1814 
1815         xfree(subsys);
1816         return success;
1817 }
1818 
1819 /*
1820  * Serve "x11-req" channel request for X11 forwarding for the current session
1821  * channel.
1822  */
1823 static int
1824 session_x11_req(Session *s)
1825 {
1826         int success, fd;
1827         char xauthdir[] = "/tmp/ssh-xauth-XXXXXX";
1828 
1829         s->single_connection = packet_get_char();
1830         s->auth_proto = packet_get_string(NULL);
1831         s->auth_data = packet_get_string(NULL);
1832         s->screen = packet_get_int();
1833         packet_check_eom();
1834 
1835         success = session_setup_x11fwd(s);
1836         if (!success) {
1837                 xfree(s->auth_proto);
1838                 xfree(s->auth_data);
1839                 s->auth_proto = NULL;
1840                 s->auth_data = NULL;
1841                 return (success);
1842         }
1843 
1844         /*
1845          * Create per session X authority file so that different sessions
1846          * don't contend for one common file. The reason for this is that
1847          * xauth(1) locking doesn't work too well over network filesystems.
1848          *
1849          * If mkdtemp() or open() fails then s->auth_file remains NULL which
1850          * means that we won't set XAUTHORITY variable in child's environment
1851          * and xauth(1) will use the default location for the authority file.
1852          */
1853         if (mkdtemp(xauthdir) != NULL) {
1854                 s->auth_file = xmalloc(MAXPATHLEN);
1855                 snprintf(s->auth_file, MAXPATHLEN, "%s/xauthfile",
1856                     xauthdir);
1857                 /*
1858                  * we don't want that "creating new authority file" message to
1859                  * be printed by xauth(1) so we must create that file
1860                  * beforehand.
1861                  */
1862                 if ((fd = open(s->auth_file, O_CREAT | O_EXCL | O_RDONLY,
1863                     S_IRUSR | S_IWUSR)) == -1) {
1864                         error("failed to create the temporary X authority "
1865                             "file %s: %.100s; will use the default one",
1866                             s->auth_file, strerror(errno));
1867                         xfree(s->auth_file);
1868                         s->auth_file = NULL;
1869                         if (rmdir(xauthdir) == -1) {
1870                                 error("cannot remove xauth directory %s: %.100s",
1871                                     xauthdir, strerror(errno));
1872                         }
1873                 } else {
1874                         close(fd);
1875                         debug("temporary X authority file %s created",
1876                             s->auth_file);
1877 
1878                         /*
1879                          * add a cleanup function to remove the temporary
1880                          * xauth file in case we call fatal() (e.g., the
1881                          * connection gets closed).
1882                          */
1883                         fatal_add_cleanup(session_xauthfile_cleanup, (void *)s);
1884                 }
1885         }
1886         else {
1887                 error("failed to create a directory for the temporary X "
1888                     "authority file: %.100s; will use the default xauth file",
1889                     strerror(errno));
1890         }
1891 
1892         return (success);
1893 }
1894 
1895 static int
1896 session_shell_req(Session *s)
1897 {
1898         packet_check_eom();
1899         do_exec(s, NULL);
1900         return 1;
1901 }
1902 
1903 static int
1904 session_exec_req(Session *s)
1905 {
1906         u_int len;
1907         char *command = packet_get_string(&len);
1908         packet_check_eom();
1909         do_exec(s, command);
1910         xfree(command);
1911         return 1;
1912 }
1913 
1914 static int
1915 session_auth_agent_req(Session *s)
1916 {
1917         static int called = 0;
1918         packet_check_eom();
1919         if (no_agent_forwarding_flag) {
1920                 debug("session_auth_agent_req: no_agent_forwarding_flag");
1921                 return 0;
1922         }
1923         if (called) {
1924                 return 0;
1925         } else {
1926                 called = 1;
1927                 return auth_input_request_forwarding(s->pw);
1928         }
1929 }
1930 
1931 static int
1932 session_loc_env_check(char *var, char *val)
1933 {
1934         char *current;
1935         int cat, ret;
1936 
1937         if (strcmp(var, "LANG") == 0)
1938                 cat = LC_ALL;
1939         else if (strcmp(var, "LC_ALL") == 0)
1940                 cat = LC_ALL;
1941         else if (strcmp(var, "LC_CTYPE") == 0)
1942                 cat = LC_CTYPE;
1943         else if (strcmp(var, "LC_COLLATE") == 0)
1944                 cat = LC_COLLATE;
1945         else if (strcmp(var, "LC_TIME") == 0)
1946                 cat = LC_TIME;
1947         else if (strcmp(var, "LC_NUMERIC") == 0)
1948                 cat = LC_NUMERIC;
1949         else if (strcmp(var, "LC_MONETARY") == 0)
1950                 cat = LC_MONETARY;
1951         else if (strcmp(var, "LC_MESSAGES") == 0)
1952                 cat = LC_MESSAGES;
1953 
1954         current = setlocale(cat, NULL);
1955 
1956         ret = (setlocale(cat, val) != NULL);
1957         (void) setlocale(cat, current);
1958         return (ret);
1959 }
1960 
1961 static int
1962 session_env_req(Session *s)
1963 {
1964         Channel *c;
1965         char *var, *val, *e;
1966         char **p;
1967         size_t len;
1968         int ret = 0;
1969 
1970         /* Get var/val from the rest of this packet */
1971         var = packet_get_string(NULL);
1972         val = packet_get_string(NULL);
1973 
1974         /*
1975          * We'll need the channel ID for the packet_send_debug messages,
1976          * so get it now.
1977          */
1978         if ((c = channel_lookup(s->chanid)) == NULL)
1979                 goto done;      /* shouldn't happen! */
1980 
1981         debug2("Received request for environment variable %s=%s", var, val);
1982 
1983         /* For now allow only LANG and LC_* */
1984         if (strcmp(var, "LANG") != 0 && strncmp(var, "LC_", 3) != 0) {
1985                 debug2("Rejecting request for environment variable %s", var);
1986                 goto done;
1987         }
1988 
1989         if (!session_loc_env_check(var, val)) {
1990                 packet_send_debug(gettext("Missing locale support for %s=%s"),
1991                         var, val);
1992                 goto done;
1993         }
1994 
1995         packet_send_debug(gettext("Channel %d set: %s=%s"), c->remote_id,
1996                 var, val);
1997 
1998         /*
1999          * Always append new environment variables without regard to old
2000          * ones being overriden.  The way these are actually added to
2001          * the environment of the session process later settings
2002          * override earlier ones; see copy_environment().
2003          */
2004         if (s->env == NULL) {
2005                 char **env;
2006 
2007                 env = xmalloc(sizeof (char **) * 2);
2008                 memset(env, 0, sizeof (char **) * 2);
2009 
2010                 s->env = env;
2011                 p = env;
2012         } else {
2013                 for (p = s->env; *p != NULL ; p++);
2014 
2015                 s->env = xrealloc(s->env, (p - s->env + 2) * sizeof (char **));
2016 
2017                 for (p = s->env; *p != NULL ; p++);
2018         }
2019 
2020         len = snprintf(NULL, 0, "%s=%s", var, val);
2021         e = xmalloc(len + 1);
2022         (void) snprintf(e, len + 1, "%s=%s", var, val);
2023 
2024         (*p++) = e;
2025         *p = NULL;
2026 
2027         ret = 1;
2028 
2029 done:
2030         xfree(var);
2031         xfree(val);
2032 
2033         return (ret);
2034 }
2035 
2036 static void
2037 session_free_env(char ***envp)
2038 {
2039         char **env, **p;
2040 
2041         if (envp == NULL || *envp == NULL)
2042                 return;
2043 
2044         env = *envp;
2045 
2046         *envp = NULL;
2047 
2048         for (p = env; *p != NULL; p++)
2049                 xfree(*p);
2050 
2051         xfree(env);
2052 }
2053 
2054 int
2055 session_input_channel_req(Channel *c, const char *rtype)
2056 {
2057         int success = 0;
2058         Session *s;
2059 
2060         if ((s = session_by_channel(c->self)) == NULL) {
2061                 log("session_input_channel_req: no session %d req %.100s",
2062                     c->self, rtype);
2063                 return 0;
2064         }
2065         debug("session_input_channel_req: session %d req %s", s->self, rtype);
2066 
2067         /*
2068          * a session is in LARVAL state until a shell, a command
2069          * or a subsystem is executed
2070          */
2071         if (c->type == SSH_CHANNEL_LARVAL) {
2072                 if (strcmp(rtype, "shell") == 0) {
2073                         success = session_shell_req(s);
2074                 } else if (strcmp(rtype, "exec") == 0) {
2075                         success = session_exec_req(s);
2076                 } else if (strcmp(rtype, "pty-req") == 0) {
2077                         success =  session_pty_req(s);
2078                 } else if (strcmp(rtype, "x11-req") == 0) {
2079                         success = session_x11_req(s);
2080                 } else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
2081                         success = session_auth_agent_req(s);
2082                 } else if (strcmp(rtype, "subsystem") == 0) {
2083                         success = session_subsystem_req(s);
2084                 } else if (strcmp(rtype, "env") == 0) {
2085                         success = session_env_req(s);
2086                 }
2087         }
2088         if (strcmp(rtype, "window-change") == 0) {
2089                 success = session_window_change_req(s);
2090         }
2091         return success;
2092 }
2093 
2094 void
2095 session_set_fds(Session *s, int fdin, int fdout, int fderr)
2096 {
2097         if (!compat20)
2098                 fatal("session_set_fds: called for proto != 2.0");
2099         /*
2100          * now that have a child and a pipe to the child,
2101          * we can activate our channel and register the fd's
2102          */
2103         if (s->chanid == -1)
2104                 fatal("no channel for session %d", s->self);
2105         channel_set_fds(s->chanid,
2106             fdout, fdin, fderr,
2107             fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
2108             1,
2109             CHAN_SES_WINDOW_DEFAULT);
2110 }
2111 
2112 /*
2113  * Function to perform pty cleanup. Also called if we get aborted abnormally
2114  * (e.g., due to a dropped connection).
2115  */
2116 void
2117 session_pty_cleanup2(void *session)
2118 {
2119         Session *s = session;
2120 
2121         if (s == NULL) {
2122                 error("session_pty_cleanup: no session");
2123                 return;
2124         }
2125         if (s->ttyfd == -1)
2126                 return;
2127 
2128         debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
2129 
2130 #ifdef USE_PAM
2131         session_do_pam(s, 0);
2132 #endif /* USE_PAM */
2133 
2134         /* Record that the user has logged out. */
2135         if (s->pid != 0) {
2136                 debug3("Recording SSHv2 channel logout in utmpx/wtmpx");
2137 #ifdef ALTPRIVSEP
2138                 altprivsep_record_logout(s->pid);
2139 #endif /* ALTPRIVSEP */
2140         }
2141 
2142         /* Release the pseudo-tty. */
2143         if (getuid() == 0)
2144                 pty_release(s->tty);
2145 
2146         /*
2147          * Close the server side of the socket pairs.  We must do this after
2148          * the pty cleanup, so that another process doesn't get this pty
2149          * while we're still cleaning up.
2150          */
2151         if (close(s->ptymaster) < 0)
2152                 error("close(s->ptymaster/%d): %s", s->ptymaster, strerror(errno));
2153 
2154         /* unlink pty from session */
2155         s->ttyfd = -1;
2156 }
2157 
2158 void
2159 session_pty_cleanup(void *session)
2160 {
2161         session_pty_cleanup2(session);
2162 }
2163 
2164 /*
2165  * We use a different temporary X authority file per every session so we
2166  * should remove those files when fatal() is called.
2167  */
2168 void
2169 session_xauthfile_cleanup(void *session)
2170 {
2171         Session *s = session;
2172 
2173         if (s == NULL) {
2174                 error("session_xauthfile_cleanup: no session");
2175                 return;
2176         }
2177 
2178         debug("session_xauthfile_cleanup: session %d removing %s", s->self,
2179             s->auth_file);
2180 
2181         if (unlink(s->auth_file) == -1) {
2182                 error("session_xauthfile_cleanup: cannot remove xauth file: "
2183                     "%.100s", strerror(errno));
2184                 return;
2185         }
2186 
2187         /* dirname() will modify s->auth_file but that's ok */
2188         if (rmdir(dirname(s->auth_file)) == -1) {
2189                 error("session_xauthfile_cleanup: "
2190                     "cannot remove xauth directory: %.100s", strerror(errno));
2191                 return;
2192         }
2193 }
2194 
2195 static char *
2196 sig2name(int sig)
2197 {
2198 #define SSH_SIG(x) if (sig == SIG ## x) return #x
2199         SSH_SIG(ABRT);
2200         SSH_SIG(ALRM);
2201         SSH_SIG(FPE);
2202         SSH_SIG(HUP);
2203         SSH_SIG(ILL);
2204         SSH_SIG(INT);
2205         SSH_SIG(KILL);
2206         SSH_SIG(PIPE);
2207         SSH_SIG(QUIT);
2208         SSH_SIG(SEGV);
2209         SSH_SIG(TERM);
2210         SSH_SIG(USR1);
2211         SSH_SIG(USR2);
2212 #undef  SSH_SIG
2213         return "SIG@openssh.com";
2214 }
2215 
2216 static void
2217 session_exit_message(Session *s, int status)
2218 {
2219         Channel *c;
2220 
2221         if ((c = channel_lookup(s->chanid)) == NULL)
2222                 fatal("session_exit_message: session %d: no channel %d",
2223                     s->self, s->chanid);
2224         debug("session_exit_message: session %d channel %d pid %ld",
2225             s->self, s->chanid, (long)s->pid);
2226 
2227         if (WIFEXITED(status)) {
2228                 channel_request_start(s->chanid, "exit-status", 0);
2229                 packet_put_int(WEXITSTATUS(status));
2230                 packet_send();
2231         } else if (WIFSIGNALED(status)) {
2232                 channel_request_start(s->chanid, "exit-signal", 0);
2233                 packet_put_cstring(sig2name(WTERMSIG(status)));
2234 #ifdef WCOREDUMP
2235                 packet_put_char(WCOREDUMP(status));
2236 #else /* WCOREDUMP */
2237                 packet_put_char(0);
2238 #endif /* WCOREDUMP */
2239                 packet_put_cstring("");
2240                 packet_put_cstring("");
2241                 packet_send();
2242         } else {
2243                 /* Some weird exit cause.  Just exit. */
2244                 packet_disconnect("wait returned status %04x.", status);
2245         }
2246 
2247         /* Ok to close channel now */
2248         channel_set_wait_for_exit(s->chanid, 0);
2249 
2250         /* disconnect channel */
2251         debug("session_exit_message: release channel %d", s->chanid);
2252         channel_cancel_cleanup(s->chanid);
2253         /*
2254          * emulate a write failure with 'chan_write_failed', nobody will be
2255          * interested in data we write.
2256          * Note that we must not call 'chan_read_failed', since there could
2257          * be some more data waiting in the pipe.
2258          */
2259         if (c->ostate != CHAN_OUTPUT_CLOSED)
2260                 chan_write_failed(c);
2261         s->chanid = -1;
2262 }
2263 
2264 void
2265 session_close(Session *s)
2266 {
2267         debug("session_close: session %d pid %ld", s->self, (long)s->pid);
2268         if (s->ttyfd != -1) {
2269                 fatal_remove_cleanup(session_pty_cleanup, (void *)s);
2270                 session_pty_cleanup(s);
2271         }
2272         if (s->auth_file != NULL) {
2273                 fatal_remove_cleanup(session_xauthfile_cleanup, (void *)s);
2274                 session_xauthfile_cleanup(s);
2275                 xfree(s->auth_file);
2276         }
2277         if (s->term)
2278                 xfree(s->term);
2279         if (s->display)
2280                 xfree(s->display);
2281         if (s->auth_display)
2282                 xfree(s->auth_display);
2283         if (s->auth_data)
2284                 xfree(s->auth_data);
2285         if (s->auth_proto)
2286                 xfree(s->auth_proto);
2287         if (s->command)
2288                 xfree(s->command);
2289         session_free_env(&s->env);
2290         s->used = 0;
2291         session_proctitle(s);
2292 }
2293 
2294 void
2295 session_close_by_pid(pid_t pid, int status)
2296 {
2297         Session *s = session_by_pid(pid);
2298         if (s == NULL) {
2299                 debug("session_close_by_pid: no session for pid %ld",
2300                     (long)pid);
2301                 return;
2302         }
2303         if (s->chanid != -1)
2304                 session_exit_message(s, status);
2305         session_close(s);
2306 }
2307 
2308 /*
2309  * This is called when a channel dies before the session 'child' itself dies.
2310  * It can happen for example if we exit from an interactive shell before we
2311  * exit from forwarded X11 applications.
2312  */
2313 void
2314 session_close_by_channel(int id, void *arg)
2315 {
2316         Session *s = session_by_channel(id);
2317         if (s == NULL) {
2318                 debug("session_close_by_channel: no session for id %d", id);
2319                 return;
2320         }
2321         debug("session_close_by_channel: channel %d child %ld",
2322             id, (long)s->pid);
2323         if (s->pid != 0) {
2324                 debug("session_close_by_channel: channel %d: has child", id);
2325                 /*
2326                  * delay detach of session, but release pty, since
2327                  * the fd's to the child are already closed
2328                  */
2329                 if (s->ttyfd != -1) {
2330                         fatal_remove_cleanup(session_pty_cleanup, (void *)s);
2331                         session_pty_cleanup(s);
2332                 }
2333                 return;
2334         }
2335         /* detach by removing callback */
2336         channel_cancel_cleanup(s->chanid);
2337         s->chanid = -1;
2338         session_close(s);
2339 }
2340 
2341 void
2342 session_destroy_all(void (*closefunc)(Session *))
2343 {
2344         int i;
2345         for (i = 0; i < MAX_SESSIONS; i++) {
2346                 Session *s = &sessions[i];
2347                 if (s->used) {
2348                         if (closefunc != NULL)
2349                                 closefunc(s);
2350                         else
2351                                 session_close(s);
2352                 }
2353         }
2354 }
2355 
2356 static char *
2357 session_tty_list(void)
2358 {
2359         static char buf[1024];
2360         int i;
2361         buf[0] = '\0';
2362         for (i = 0; i < MAX_SESSIONS; i++) {
2363                 Session *s = &sessions[i];
2364                 if (s->used && s->ttyfd != -1) {
2365                         if (buf[0] != '\0')
2366                                 strlcat(buf, ",", sizeof buf);
2367                         strlcat(buf, strrchr(s->tty, '/') + 1, sizeof buf);
2368                 }
2369         }
2370         if (buf[0] == '\0')
2371                 strlcpy(buf, "notty", sizeof buf);
2372         return buf;
2373 }
2374 
2375 void
2376 session_proctitle(Session *s)
2377 {
2378         if (s->pw == NULL)
2379                 error("no user for session %d", s->self);
2380         else
2381                 setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
2382 }
2383 
2384 int
2385 session_setup_x11fwd(Session *s)
2386 {
2387         struct stat st;
2388         char display[512], auth_display[512];
2389         char hostname[MAXHOSTNAMELEN];
2390 
2391         if (no_x11_forwarding_flag) {
2392                 packet_send_debug("X11 forwarding disabled in user configuration file.");
2393                 return 0;
2394         }
2395         if (!options.x11_forwarding) {
2396                 debug("X11 forwarding disabled in server configuration file.");
2397                 return 0;
2398         }
2399         if (!options.xauth_location ||
2400             (stat(options.xauth_location, &st) == -1)) {
2401                 packet_send_debug("No xauth program; cannot forward with spoofing.");
2402                 return 0;
2403         }
2404         if (s->display != NULL) {
2405                 debug("X11 display already set.");
2406                 return 0;
2407         }
2408         if (x11_create_display_inet(options.x11_display_offset,
2409             options.x11_use_localhost, s->single_connection,
2410             &s->display_number) == -1) {
2411                 debug("x11_create_display_inet failed.");
2412                 return 0;
2413         }
2414 
2415         /* Set up a suitable value for the DISPLAY variable. */
2416         if (gethostname(hostname, sizeof(hostname)) < 0)
2417                 fatal("gethostname: %.100s", strerror(errno));
2418         /*
2419          * auth_display must be used as the displayname when the
2420          * authorization entry is added with xauth(1).  This will be
2421          * different than the DISPLAY string for localhost displays.
2422          */
2423         if (options.x11_use_localhost) {
2424                 snprintf(display, sizeof display, "localhost:%u.%u",
2425                     s->display_number, s->screen);
2426                 snprintf(auth_display, sizeof auth_display, "unix:%u.%u",
2427                     s->display_number, s->screen);
2428                 s->display = xstrdup(display);
2429                 s->auth_display = xstrdup(auth_display);
2430         } else {
2431 #ifdef IPADDR_IN_DISPLAY
2432                 struct hostent *he;
2433                 struct in_addr my_addr;
2434 
2435                 he = gethostbyname(hostname);
2436                 if (he == NULL) {
2437                         error("Can't get IP address for X11 DISPLAY.");
2438                         packet_send_debug("Can't get IP address for X11 DISPLAY.");
2439                         return 0;
2440                 }
2441                 memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr));
2442                 snprintf(display, sizeof display, "%.50s:%u.%u", inet_ntoa(my_addr),
2443                     s->display_number, s->screen);
2444 #else
2445                 snprintf(display, sizeof display, "%.400s:%u.%u", hostname,
2446                     s->display_number, s->screen);
2447 #endif
2448                 s->display = xstrdup(display);
2449                 s->auth_display = xstrdup(display);
2450         }
2451 
2452         return 1;
2453 }
2454 
2455 #ifdef USE_PAM
2456 int session_do_pam_conv(int, struct pam_message **,
2457                         struct pam_response **, void *);
2458 
2459 static struct pam_conv session_pam_conv = {
2460         session_do_pam_conv,
2461         NULL
2462 };
2463 
2464 static void
2465 session_do_pam(Session *s, int do_open)
2466 {
2467         int pam_retval;
2468         char *where, *old_tty, *old_tty_copy = NULL;
2469         struct pam_conv old_conv, *old_conv_ptr;
2470 
2471         if (!s || !s->authctxt || !s->authctxt->pam || !s->authctxt->pam->h)
2472                 return;
2473 
2474         /* Save current PAM item values */
2475         where = "getting PAM_CONV";
2476         pam_retval = pam_get_item(s->authctxt->pam->h, PAM_CONV,
2477                                   (void **) &old_conv_ptr);
2478         if (pam_retval != PAM_SUCCESS)
2479                 goto done;
2480         old_conv = *old_conv_ptr;
2481 
2482         where = "getting PAM_TTY";
2483         pam_retval = pam_get_item(s->authctxt->pam->h, PAM_TTY,
2484                                   (void **) &old_tty);
2485         if (pam_retval != PAM_SUCCESS)
2486                 goto done;
2487         old_tty_copy = xstrdup(old_tty);
2488 
2489         /* Change PAM_TTY and PAM_CONV items */
2490         where = "setting PAM_TTY";
2491         pam_retval = pam_set_item(s->authctxt->pam->h, PAM_TTY, s->tty);
2492         if (pam_retval != PAM_SUCCESS)
2493                 goto done;
2494 
2495         where = "setting PAM_CONV";
2496         session_pam_conv.appdata_ptr = s;
2497         pam_retval = pam_set_item(s->authctxt->pam->h,
2498                                   PAM_CONV, &session_pam_conv);
2499         if (pam_retval != PAM_SUCCESS)
2500                 goto done;
2501 
2502         /* Call pam_open/close_session() */
2503         if (do_open) {
2504                 where = "calling pam_open_session()";
2505                 pam_retval = pam_open_session(s->authctxt->pam->h, 0);
2506         }
2507         else {
2508                 where = "calling pam_close_session()";
2509                 pam_retval = pam_close_session(s->authctxt->pam->h, 0);
2510         }
2511 
2512         /* Reset PAM_TTY and PAM_CONV items to previous values */
2513         where = "setting PAM_TTY";
2514         pam_retval = pam_set_item(s->authctxt->pam->h, PAM_TTY, old_tty_copy);
2515         if (pam_retval != PAM_SUCCESS)
2516                 goto done;
2517 
2518         where = "setting PAM_CONV";
2519         pam_retval = pam_set_item(s->authctxt->pam->h, PAM_CONV, &old_conv);
2520         if (pam_retval != PAM_SUCCESS)
2521                 goto done;
2522 
2523         session_pam_conv.appdata_ptr = NULL;
2524 
2525 done:
2526         if (old_tty_copy)
2527                 xfree(old_tty_copy);
2528 
2529         if (pam_retval == PAM_SUCCESS)
2530                 return;
2531 
2532         /* fatal()? probably not... */
2533         log("PAM failed[%d] while %s: %s", pam_retval, where,
2534             PAM_STRERROR(s->authctxt->pam->h, pam_retval));
2535 }
2536 
2537 int
2538 session_do_pam_conv(int num_prompts,
2539                     struct pam_message **prompts,
2540                     struct pam_response **resp,
2541                     void *app_data)
2542 {
2543         Session *s = (Session *) app_data;
2544 
2545         struct pam_response *reply;
2546         int count;
2547         char *prompt;
2548 
2549         if (channel_lookup(s->chanid) == NULL)
2550                 return PAM_CONV_ERR;
2551 
2552         /* PAM will free this later */
2553         reply = xmalloc(num_prompts * sizeof(*reply));
2554 
2555         (void) memset(reply, 0, num_prompts * sizeof(*reply));
2556         for (count = 0; count < num_prompts; count++) {
2557                 switch(PAM_MSG_MEMBER(prompts, count, msg_style)) {
2558                 case PAM_TEXT_INFO:
2559                         /* Write to stdout of channel */
2560                         prompt = PAM_MSG_MEMBER(prompts, count, msg);
2561                         if (prompt != NULL && s->ttyfd != -1) {
2562                                 debug2("session_do_pam_conv: text info "
2563                                        "prompt: %s", prompt);
2564                                 (void) write(s->ttyfd, prompt, strlen(prompt));
2565                                 (void) write(s->ttyfd, "\n", 1);
2566                         }
2567                         reply[count].resp = xstrdup("");
2568                         reply[count].resp_retcode = PAM_SUCCESS;
2569                         break;
2570                 case PAM_ERROR_MSG:
2571                         /* Write to stderr of channel */
2572                         prompt = PAM_MSG_MEMBER(prompts, count, msg);
2573                         if (prompt != NULL && s->ttyfd != -1) {
2574                                 debug2("session_do_pam_conv: error "
2575                                        "prompt: %s", prompt);
2576                                 (void) write(s->ttyfd, prompt, strlen(prompt));
2577                                 (void) write(s->ttyfd, "\n", 1);
2578                         }
2579                         reply[count].resp = xstrdup("");
2580                         reply[count].resp_retcode = PAM_SUCCESS;
2581                         break;
2582                 case PAM_PROMPT_ECHO_ON:
2583                 case PAM_PROMPT_ECHO_OFF:
2584                     /*
2585                      * XXX Someday add support for echo on/off prompts
2586                      *     here on sessions with ttys.
2587                      */
2588                 default:
2589                         xfree(reply);
2590                         return PAM_CONV_ERR;
2591                 }
2592         }
2593 
2594         *resp = reply;
2595 
2596         return PAM_SUCCESS;
2597 }
2598 #endif /* USE_PAM */
2599 
2600 static void
2601 do_authenticated2(Authctxt *authctxt)
2602 {
2603         server_loop2(authctxt);
2604 }
2605 
2606 /*
2607  * Drop the privileges. We need this for the in-process SFTP server only. For
2608  * the shell and the external subsystem the exec(2) call will do the P = E = I
2609  * assignment itself. Never change the privileges if the connecting user is
2610  * root. See privileges(5) if the terminology used here is not known to you.
2611  */
2612 static void
2613 drop_privs(uid_t uid)
2614 {
2615         priv_set_t *priv_inherit;
2616 
2617         /* If root is connecting we are done. */
2618         if (uid == 0)
2619                 return;
2620 
2621         if ((priv_inherit = priv_allocset()) == NULL)
2622                 fatal("priv_allocset: %s", strerror(errno));
2623         if (getppriv(PRIV_INHERITABLE, priv_inherit) != 0)
2624                 fatal("getppriv: %s", strerror(errno));
2625 
2626         /*
2627          * This will limit E as well. Note that before this P was a
2628          * superset of I, see permanently_set_uid().
2629          */
2630         if (setppriv(PRIV_SET, PRIV_PERMITTED, priv_inherit) == -1)
2631                 fatal("setppriv: %s", strerror(errno));
2632 
2633         priv_freeset(priv_inherit);
2634 
2635         /*
2636          * By manipulating the P set above we entered a PA mode which we
2637          * do not need to retain in.
2638          */
2639         if (setpflags(PRIV_AWARE, 0) == -1)
2640                 fatal("setpflags: %s", strerror(errno));
2641 }