ssh/tailssh: change to user directory when running login/command

On redhat 9 and similarly locked down systems, root user does not have access to a users directory. This fix does not set a directory for the incubator process and instead sets the directory when the actual process requested by remote user is executed. Fixes #8118 Signed-off-by: Derek Burdick <derek-burdick@users.noreply.github.com>
2024-11-29 04:55:31 +00:00 · 2023-06-14 15:00:59 -07:00 · 2023-06-14 15:00:59 -07:00 · dc5bc32d8f
commit dc5bc32d8f
parent 6697690b55
1 changed files with 10 additions and 10 deletions
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@ -113,6 +113,7 @@ func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) {
 		"--remote-ip=" + ci.src.Addr().String(),
 		"--has-tty=false", // updated in-place by startWithPTY
 		"--tty-name=",     // updated in-place by startWithPTY
+		"--pwd=" + ss.conn.localUser.HomeDir,
 	}

 	if isSFTP {
@ -177,6 +178,7 @@ type incubatorArgs struct {
 	isShell      bool
 	loginCmdPath string
 	cmdArgs      []string
+	pwd          string
 }

 func parseIncubatorArgs(args []string) (a incubatorArgs) {
@ -193,6 +195,7 @@ func parseIncubatorArgs(args []string) (a incubatorArgs) {
 	flags.BoolVar(&a.isShell, "shell", false, "is launching a shell (with no cmds)")
 	flags.BoolVar(&a.isSFTP, "sftp", false, "run sftp server (cmd is ignored)")
 	flags.StringVar(&a.loginCmdPath, "login-cmd", "", "the path to `login` cmd")
+	flags.StringVar(&a.pwd, "pwd", "/", "process initial working directory, if possible. else / is used")
 	flags.Parse(args)
 	a.cmdArgs = flags.Args()
 	return a
@ -279,6 +282,12 @@ func beIncubator(args []string) error {
 	cmd.Stderr = os.Stderr
 	cmd.Env = os.Environ()

+	if _, err := os.Stat(ia.pwd); err != nil && os.IsNotExist(err) {
+		cmd.Dir = "/"
+	} else {
+		cmd.Dir = ia.pwd
+	}
+
 	if ia.hasTTY {
 		// If we were launched with a tty then we should
 		// mark that as the ctty of the child. However,
@ -428,16 +437,7 @@ func (ss *sshSession) launchProcess() error {
 	ss.cmd = ss.newIncubatorCommand()

 	cmd := ss.cmd
-	homeDir := ss.conn.localUser.HomeDir
-	if _, err := os.Stat(homeDir); err == nil {
-		cmd.Dir = homeDir
-	} else if os.IsNotExist(err) {
-		// If the home directory doesn't exist, we can't chdir to it.
-		// Instead, we'll chdir to the root directory.
-		cmd.Dir = "/"
-	} else {
-		return err
-	}
+
 	cmd.Env = envForUser(ss.conn.localUser)
 	for _, kv := range ss.Environ() {
 		if acceptEnvPair(kv) {