From dc5bc32d8fbacd7e1dd34d138de542d401a11ebd Mon Sep 17 00:00:00 2001
From: Derek Burdick
Date: Wed, 14 Jun 2023 15:00:59 -0700
Subject: [PATCH] ssh/tailssh: change to user directory when running login/command
On redhat 9 and similarly locked down systems, root user does not have access to a users directory. This fix does not set a directory for the incubator process and instead sets the directory when the actual process requested by remote user is executed.
Fixes #8118
Signed-off-by: Derek Burdick
---
 ssh/tailssh/incubator.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/ssh/tailssh/incubator.go b/ssh/tailssh/incubator.go
index 4de3e2b88..849826350 100644
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -113,6 +113,7 @@ func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) {
 "--remote-ip=" + ci.src.Addr().String(),
 "--has-tty=false", // updated in-place by startWithPTY
 "--tty-name=", // updated in-place by startWithPTY
+ "--pwd=" + ss.conn.localUser.HomeDir,
 }
 if isSFTP {
@@ -177,6 +178,7 @@ type incubatorArgs struct {
 isShell bool
 loginCmdPath string
 cmdArgs []string
+ pwd string
 }
 func parseIncubatorArgs(args []string) (a incubatorArgs) {
@@ -193,6 +195,7 @@ func parseIncubatorArgs(args []string) (a incubatorArgs) {
 flags.BoolVar(&a.isShell, "shell", false, "is launching a shell (with no cmds)")
 flags.BoolVar(&a.isSFTP, "sftp", false, "run sftp server (cmd is ignored)")
 flags.StringVar(&a.loginCmdPath, "login-cmd", "", "the path to `login` cmd")
+ flags.StringVar(&a.pwd, "pwd", "/", "process initial working directory, if possible. else / is used")
 flags.Parse(args)
 a.cmdArgs = flags.Args()
 return a
@@ -279,6 +282,12 @@ func beIncubator(args []string) error { cmd.Stderr = os.Stderr cmd.Env = os.Environ() + if _, err := os.Stat(ia.pwd); err != nil && os.IsNotExist(err) { + cmd.Dir = "/" + } else { + cmd.Dir = ia.pwd + } + if ia.hasTTY { // If we were launched with a tty then we should // mark that as the ctty of the child. However, @@ -428,16 +437,7 @@ func (ss *sshSession) launchProcess() error { ss.cmd = ss.newIncubatorCommand() cmd := ss.cmd - homeDir := ss.conn.localUser.HomeDir - if _, err := os.Stat(homeDir); err == nil { - cmd.Dir = homeDir - } else if os.IsNotExist(err) { - // If the home directory doesn't exist, we can't chdir to it. - // Instead, we'll chdir to the root directory. - cmd.Dir = "/" - } else { - return err - } + cmd.Env = envForUser(ss.conn.localUser) for _, kv := range ss.Environ() { if acceptEnvPair(kv) {
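Review bot: The new `os.Stat(ia.pwd)` branch in beIncubator falls back to `/` only when the path does not exist, so any other outcome (a permission error, or a path that exists but is not a directory) still sets `cmd.Dir = ia.pwd`, and the failure then surfaces only when the command is started. The removed launchProcess code returned the unexpected Stat error, and the `--pwd` usage text in parseIncubatorArgs promises `/` whenever the directory cannot be used, which is broader than what is implemented. Whether privileges have already been dropped at this point is not visible here, since beIncubator starts and ends outside the hunk. If they have, the check could be `if fi, err := os.Stat(ia.pwd); err != nil || !fi.IsDir() {`. If Stat may still run as root, a comment such as `// a Stat error other than not-exist is ignored on purpose: root may be denied access to a home directory the user can enter` would make that intent explicit.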