ssh: Forbid SetRestrictedSshScope after SelectAccount
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Tue, 1 Jun 2021 00:44:41 +0000 (01:44 +0100)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Tue, 1 Jun 2021 00:46:51 +0000 (01:46 +0100)
SelectAccount generates an Authorisation in the stream state.  We
don't want to preserve that after we drop privs.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
daemon/cmdlistener.rs
src/commands.rs

index 744dfafaf3bbc2ba39a879e37a97dbbca88b4530..6dc11dd41c0f3a2a4168c988d7b42f11f053a26e 100644 (file)
@@ -175,6 +175,7 @@ fn execute_and_respond<W>(cs: &mut CommandStreamData, cmd: MgmtCommand,
       })
     }
     MC::SetRestrictedSshScope { key } => {
+      if cs.account.is_some() { throw!(ME::AccountSpecified) }
       let good_uid = Some(config().ssh_proxy_uid);
       let auth = cs.authorised_uid(good_uid, Some("SetRestrictedScope"))
         .map_err(|_| ME::AuthorisationError)?;
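Review bot: The new guard at the top of the `MC::SetRestrictedSshScope` arm has no comment explaining why it is there, and the reason given in the commit message is a privilege-separation invariant that a later refactor could remove by accident. I would put a comment above it such as `// SelectAccount leaves an Authorisation in the stream state; refuse here so it cannot survive the drop to restricted ssh scope.` The check looks only at `cs.account`, so it presumably relies on that being the only place in `CommandStreamData` that holds an authorisation obtained before the scope is restricted; that should be confirmed against the struct, which is not visible here. The arm's body continues outside the hunk.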
index 04234759d0f1b38ee39de99915571e791baf81d9..4a073039fadac6a2487c218bafa46918f695015f 100644 (file)
@@ -277,6 +277,7 @@ pub enum MgmtError {
   #[error("ssh key not found")]                      SshKeyNotFound,
   #[error("ssh key id default, ie invalid")]         InvalidSshKeyId,
   #[error("ssh key invalid: {0}")] InvalidSshKey(#[from] sshkeys::KeyError),
+  #[error("command forbides account specified")]     AccountSpecified,
 }
 
 impl From<InternalError> for MgmtError {
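Review bot: The message on the new `AccountSpecified` variant has a typo ("forbides") and is hard to read for a client that receives it. Something like `#[error("command forbidden after an account has been selected")]` says which ordering was rejected. The variant is appended at the end of `MgmtError`, so the existing variants keep their positions; the rest of the enum is outside the hunk.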