/*-
 * Copyright (c) 2011-2013 Baptiste Daroussin <[email protected]>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Capsicum sandboxing is compiled in only where <sys/capsicum.h> is found.
 * On any other platform HAVE_CAPSICUM stays undefined and exec_ssh() runs
 * with no rights limiting and no capability mode at all.
 */
#if __has_include(<sys/capsicum.h>)
#include <sys/capsicum.h>
#define HAVE_CAPSICUM 1
#endif

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <err.h>
#include <errno.h>

#include <pkg.h>

#include "pkgcli.h"

/*
 * Print the short usage text for "pkg ssh" on stderr.
 */
void
usage_ssh(void)
{
	fputs("Usage: pkg ssh\n\n", stderr);
	fputs("For more information see 'pkg help ssh'.\n", stderr);
}

/*
 * Apply the Capsicum restrictions to the served directory descriptor and,
 * outside COVERAGE builds, put the process into capability mode.
 *
 * Returns 0 when the caller may go on, -1 after a failure that has already
 * been reported with warn().  The caller still owns fd in both cases.
 *
 * Review caveats:
 *  - ENOSYS from cap_rights_limit() or cap_enter() is accepted without any
 *    message, so on a kernel that lacks Capsicum the service continues
 *    unsandboxed and nothing in the output says so.
 *  - A build with COVERAGE defined limits the descriptor but never calls
 *    cap_enter(); such a binary is not confined to the descriptor.
 */
static int
ssh_confine(int fd)
{
#ifdef HAVE_CAPSICUM
	cap_rights_t limits;

	/* Only these three rights remain usable on the directory descriptor. */
	cap_rights_init(&limits, CAP_READ, CAP_FSTATAT, CAP_FCNTL);
	if (cap_rights_limit(fd, &limits) < 0 && errno != ENOSYS) {
		warn("cap_rights_limit() failed");
		return (-1);
	}

#ifndef COVERAGE
	if (cap_enter() < 0 && errno != ENOSYS) {
		warn("cap_enter() failed");
		return (-1);
	}
#endif
#else
	(void)fd;
#endif
	return (0);
}

/*
 * Entry point of "pkg ssh".
 *
 * Takes no arguments: any extra argument prints the usage text and fails.
 * Opens the directory named by the SSH_RESTRICT_DIR configuration key,
 * confines the process to that descriptor where Capsicum is available, and
 * hands the descriptor to pkg_sshserve().
 *
 * Returns EXIT_SUCCESS when pkg_sshserve() reports EPKG_OK, EXIT_FAILURE
 * otherwise.
 *
 * Review caveat: with SSH_RESTRICT_DIR unset the directory falls back to
 * "/", i.e. the descriptor given to pkg_sshserve() is the filesystem root.
 * A deployment that wants the service limited to a package tree has to set
 * SSH_RESTRICT_DIR explicitly.
 */
int
exec_ssh(int argc, char **argv __unused)
{
	const char *base_dir;
	int root_fd;
	int rc;

	if (argc > 1) {
		usage_ssh();
		return (EXIT_FAILURE);
	}

	base_dir = pkg_object_string(pkg_config_get("SSH_RESTRICT_DIR"));
	if (base_dir == NULL)
		base_dir = "/";

	/* Read-only directory handle, not inherited across exec. */
	root_fd = open(base_dir, O_DIRECTORY|O_RDONLY|O_CLOEXEC);
	if (root_fd < 0) {
		warn("Impossible to open the restricted directory");
		return (EXIT_FAILURE);
	}

	/* Serve only once confinement has succeeded or been waived. */
	if (ssh_confine(root_fd) == 0 && pkg_sshserve(root_fd) == EPKG_OK)
		rc = EXIT_SUCCESS;
	else
		rc = EXIT_FAILURE;

	close(root_fd);
	return (rc);
}