From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Tue, 1 Jun 2021 00:44:41 +0000 (+0100)
Subject: ssh: Forbid SetRestrictedSshScope after SelectAccount
X-Git-Tag: otter-0.7.0~163
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=cb3c8d17e8e61bdfe672999da4fa1211d1a58818;p=otter.git

ssh: Forbid SetRestrictedSshScope after SelectAccount

SelectAccount generates an Authorisation in the stream state.  We
don't want to preserve that after we drop privs.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---

diff --git a/daemon/cmdlistener.rs b/daemon/cmdlistener.rs
index 744dfafa..6dc11dd4 100644
--- a/daemon/cmdlistener.rs
+++ b/daemon/cmdlistener.rs
@@ -175,6 +175,7 @@ fn execute_and_respond<W>(cs: &mut CommandStreamData, cmd: MgmtCommand,
       })
     }
     MC::SetRestrictedSshScope { key } => {
+      if cs.account.is_some() { throw!(ME::AccountSpecified) }
       let good_uid = Some(config().ssh_proxy_uid);
       let auth = cs.authorised_uid(good_uid, Some("SetRestrictedScope"))
         .map_err(|_| ME::AuthorisationError)?;
diff --git a/src/commands.rs b/src/commands.rs
index 04234759..4a073039 100644
--- a/src/commands.rs
+++ b/src/commands.rs
@@ -277,6 +277,7 @@ pub enum MgmtError {
   #[error("ssh key not found")]                      SshKeyNotFound,
   #[error("ssh key id default, ie invalid")]         InvalidSshKeyId,
   #[error("ssh key invalid: {0}")] InvalidSshKey(#[from] sshkeys::KeyError),
+  #[error("command forbides account specified")]     AccountSpecified,
 }
 
 impl From<InternalError> for MgmtError {