Re: [PATCH 2/2] shell: pay attention to exit status from 'help' command

Jonathan Nieder <jrnieder@xxxxxxxxx> writes:

> Junio C Hamano wrote:
>> Jonathan Nieder <jrnieder@xxxxxxxxx> writes:
>
>>> +To disable interactive logins, displaying a greeting instead:
>>> ++
>>> +----------------
>>> +$ chsh -s /usr/bin/git-shell
>>> +$ mkdir $HOME/git-shell-commands
>>> +$ cat >$HOME/git-shell-commands/help <<\EOF
>>> +#!/bin/sh
>>> +printf '%s\n' "Hi $USER! You've successfully authenticated, but I do not"
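Review bot: the greeting on the `printf` line depends on `$USER` being present in the environment when the `help` script runs (the `<<\EOF` delimiter is quoted, so it is not expanded when the file is written), and the example does not say what sets it. Either state that assumption next to the example or derive the name from the uid, for instance `"Hi $(id -un)!"`. Separately, `$HOME` is unquoted in both the `mkdir` line and the `cat >` redirection, so quoting it as `"$HOME/git-shell-commands"` would keep the example correct for home directories containing whitespace.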
>>
>> Where in the sshd to git-shell exec chain is $USER variable set for
>> the user?  Just being curious if this is the simplest but one of the
>> more robust ways to get the user's name.
>
> That's a good question.  environment= in an authorized_keys file is
> obsolete, so USER generally represents the actual logged in user.
>
> That means the main way to base behavior on private key (letting one
> system user represent multiple people) is a gitolite-style command=
> wrapper that checks SSH_ORIGINAL_COMMAND.  In that setup, there is no
> reason to forward simple no-args "are you there?" requests to the
> git-shell, so we can forget about it here.
>
> So by the time we get to git-shell, most likely either
>
>  A) this is a generic system user, with a username like "git", and the
>     above example would insult the client with "Hi git!" or "Hi
>     project-x-git!"
>
> or
>
>  B) each person has a separate account on the system, perhaps to help
>     the admin to set filesystem permissions based on users and groups,
>     and the above would address the user by her normal name.

What return value getuid(2) would give us was not something I was
worried about.  Use of git-shell would be pointless if that does not
work to offer isolation between users.

I was wondering who would set the $USER variable based on the uid
assigned to the process during the remote login process and it is a
behaviour we can rely on across platforms.  It appears that when
coming over ssh, it is the ssh daemon that sets USER (and LOGNAME,
HOME, etc.) before running the login shell (session.c::do_child()
that is called from do_exec_pty() or do_exec_no_pty() in openssh).

