+

+		/*

+		 * rsync is linked with popt, which recognizes a configuration

+		 * file ~/.popt that can, among other things, define aliases.

+		 * If someone can write to the home directory of the rssh

+		 * user, they can upload a ~/.popt file that contains

+		 * something like "rsync alias --server --rsh" and then

+		 * execute commands they upload.  popt does not try to read

+		 * its configuration file if HOME is not set, so unset HOME to

+		 * disable this behavior.

+		 */

+		if ( unsetenv("HOME") < 0 ){

+			log_msg("cannot unsetenv() HOME");

+			return NULL;

+		}

+

 	/* No match, return NULL */

Workaround for basename(3) that is POSIX compliant since r308264 in FreeBSD 12

--- log.c.orig	2012-11-27 00:25:13 UTC

+++ log.c

@@ -93,10 +93,14 @@ char *log_make_ident( const char *name )

 	}

 	/* assign new value to ident from name */

 	if ( !name ) return (ident = NULL);

-	ident = strdup(basename((char*)name));

-	/* remove leading '-' from ident, if there is one */

-	if ( ident[0] == '-' ){

-		temp = strdup(ident + 1);

+	/* clone name in case basename() is POSIX-compliant */

+	temp = strdup ((char *) name);

+	/* always pass writeable string to basename() */

+	ident = strdup (basename (temp));

+	free (temp);

+	/* safely remove leading '-' from ident, if there is one */

+	if ((ident != NULL) && (ident[0] == '-')){

+		temp = strdup(&ident[1]);

 		free(ident);

 		ident = temp;

 	}

Workaround for basename(3) that is POSIX compliant since r308264 in FreeBSD 12

Incorporates also a patch to check the command line after chroot. Taken from

Debian ("0010-Check-command-line-after-chroot.patch")

--- rssh_chroot_helper.c.orig	2006-12-21 22:22:35 UTC

+++ rssh_chroot_helper.c

@@ -159,7 +159,7 @@ int main( int argc, char **argv )

 	opts.chroot_path = NULL;

 	/* figure out our name, and give it to the log module */

-	progname = strdup(log_make_ident(basename(argv[0])));

+	progname = strdup(log_make_ident(basename(strdup (argv[0]))));

 	/* get user's passwd info */

 	if ( (temp = getpwuid(getuid())) ){

@@ -217,6 +217,12 @@ int main( int argc, char **argv )

 	if ( !(argvec = build_arg_vector(argv[2], 0)) )

 		ch_fatal_error("build_arg_vector()", argv[2],

 				"bad expansion");

+

+	/* check the command for safety */

+	if ( !check_command_line(argvec, &opts) ){

+		fprintf(stderr, "\n");

+		exit(1);

+	}

 	/* 

 	 * This is the old way to figure out what program to run.  Since we're

Workaround for basename(3) that is POSIX compliant since r308264 in FreeBSD 12

Fixes buffer allocation for the fail message. Taken from Debian

("0003-Fix-buffer-allocation-buffer-for-fail-message").

Tightens the check for scp command line arguments that fixes also

"CVE-2019-1000018". Taken from Debian ("0009-Verify-scp-command-options").

Please note that with this patch the scp option "-3" can no longer be used.

--- util.c.orig	2012-11-27 01:14:49 UTC

+++ util.c

@@ -84,7 +84,7 @@ void fail( int flags, int argc, char **argv )

 	/* create msg indicating what is allowed */

 	if ( !size ) cmd = "This user is locked out.";

 	else {

-		size += 18;

+		size += 18 + 1;

 		if ( !(cmd = (char *)malloc(size)) ){

 			log_msg("fatal error: out of mem allocating log msg");

 			exit(1);

@@ -165,6 +165,7 @@ bool check_command( char *cl, ShellOptions_t *opts, ch

 {

 	char	*prog;		/* basename of cmd */

 	char 	*tmp = cl;

+	char    *tmp2 = NULL;

 	bool	need_free = FALSE;

 	bool	rc = FALSE;

 	int 	i;

@@ -186,11 +187,17 @@ bool check_command( char *cl, ShellOptions_t *opts, ch

 		}

 		/* compare tmp to cmd and prog for match */

-		prog = basename(cmd);

+		tmp2 = strdup (cmd);

+		if (tmp2 == NULL) {

+			log_msg ("strdup() failed in check_command()");

+			return FALSE;

+		}

+		prog = basename(tmp2);

 		if ( !(strcmp(tmp, cmd)) || !(strcmp(tmp, prog))){

 			log_msg("cmd '%s' approved", prog);

 			rc = TRUE;

 		}	

+		free (tmp2);

 	}

 	if (need_free) free(tmp);

 	return rc;

@@ -198,6 +205,43 @@ bool check_command( char *cl, ShellOptions_t *opts, ch

 /*

+ * scp_okay() - take the command line and check that it is a hopefully-safe scp

+ *		server command line, accepting only very specific options.

+ *		Returns FALSE if the command line should not be allowed, TRUE

+ *		if it is okay.

+ */

+static int scp_okay( char **vec )

+{

+	int saw_f_or_t = FALSE;

+

+	for ( vec++; vec && *vec; vec++ ){

+		/* Allowed options. */

+		if ( strcmp(*vec, "-v") == 0 ) continue;

+		if ( strcmp(*vec, "-r") == 0 ) continue;

+		if ( strcmp(*vec, "-p") == 0 ) continue;

+		if ( strcmp(*vec, "-d") == 0 ) continue;

+		if ( strcmp(*vec, "-f") == 0 || strcmp(*vec, "-pf") == 0 ){

+			saw_f_or_t = TRUE;

+			continue;

+		}

+		if ( strcmp(*vec, "-t") == 0 || strcmp(*vec, "-pt") == 0 ){

+			saw_f_or_t = TRUE;

+			continue;

+		}

+

+		/* End of arguments. */

+		if ( strcmp(*vec, "--") == 0 ) break;

+

+		/* Any other argument is not allowed. */

+		if ( *vec[0] == '-' ) return FALSE;

+	}

+

+	/* Either -f or -t must have been given. */

+	return saw_f_or_t;

+}

+

+

+/*

  * check_command_line() - take the command line passed to rssh, and verify

  *			  that the specified command is one the user is

  *			  allowed to run and validate the arguments.  Return the

@@ -212,8 +256,11 @@ char *check_command_line( char **cl, ShellOptions_t *o

 		return PATH_SFTP_SERVER;

 	if ( check_command(*cl, opts, PATH_SCP, RSSH_ALLOW_SCP) ){

-		/* filter -S option */

-		if ( opt_filter(cl, 'S') ) return NULL;

+		if ( !scp_okay(cl) ){

+			fprintf(stderr, "\ninsecure scp option not allowed.");

+			log_msg("insecure scp option in scp command line");

+			return NULL;

+		}

 		return PATH_SCP;

 	}