From: dtucker
Date: Tue, 12 Jan 2010 08:45:26 +0000 (+0000)
Subject: - dtucker@cvs.openbsd.org 2010/01/12 01:31:05
X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/9739784146a8af7f57abf2b3ddf08881f0094e2c?hp=6bbbf0b8c1319938bb1496df0349b2826f48455c
- dtucker@cvs.openbsd.org 2010/01/12 01:31:05 [session.c] Do not allow logins if /etc/nologin exists but is not readable by the user logging in. Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
---
diff --git a/ChangeLog b/ChangeLog
index 0317221e..ddfa8af4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -27,6 +27,10 @@ [roaming_common.c] delete with extreme prejudice a debug() that fired with every keypress; ok dtucker deraadt
+ - dtucker@cvs.openbsd.org 2010/01/12 01:31:05
+ [session.c]
+ Do not allow logins if /etc/nologin exists but is not readable by the user
+ logging in. Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
20100110 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
diff --git a/session.c b/session.c
index 733b5a90..6cd07d4f 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.249 2009/11/20 00:15:41 dtucker Exp $ */
+/* $OpenBSD: session.c,v 1.250 2010/01/12 01:31:05 dtucker Exp $ */
/* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved
@@ -1387,10 +1387,12 @@ do_nologin(struct passwd *pw) if (pw->pw_uid) f = fopen(_PATH_NOLOGIN, "r");
#endif
- if (f) {
+ if (f != NULL || errno == EPERM) {
/* /etc/nologin exists. Print its contents and exit. */ logit("User %.100s not allowed because %s exists", pw->pw_name, _PATH_NOLOGIN);
+ if (f == NULL)
+ exit(254);
while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); fclose(f);
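Review bot: The new test `errno == EPERM` in the do_nologin() hunk of session.c does not match the failure it is meant to catch. When fopen() is refused for lack of read permission, errno is EACCES, so an existing but unreadable /etc/nologin would still let the login through. errno is also read without being cleared, and in the visible `if (pw->pw_uid)` branch fopen() is never called for uid 0, so a stale value from an earlier call could wrongly reject root (this assumes f starts as NULL above the hunk). I would set `errno = 0;` before the open and change the condition to `if (f != NULL || errno == EACCES) {`; a stat() of _PATH_NOLOGIN before the fopen() would make the existence check independent of errno altogether. do_nologin() begins and ends outside this hunk, so the declaration of f and the earlier branch are not visible here.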