Toni L. Harbaugh-Blackford
2002-Sep-11 16:33 UTC
tru64 sia: move call of session_setup_sia() to do_setusercontext(), letting grantpty() and friends handle pty perms
Hi- Under privsep, I experimented with moving the session_setup_sia() out of do_child() and into do_setusercontext(), which is where the uids/gids are set to the final execution user. The call is made with a NULL tty, and this is functional provided that any later pty allocation uses grantpty() to set the device permissions. Logging in with this method shows that a utmp entry does get made for the tty. There are several issues I see with this configuration, but I don't think any pose insurmountable problems: - There is an #if'd-out call to do_setusercontext() in the subroutine privsep_preauth_child(), which means that the SSH_PRIVSEP_USER would be run through the session_setup_sia() should the '#if 0' preprocessor directive be removed. I don't want SSH_PRIVSEP_USER to be passed through session_setup_sia(), because I like that account to be locked and the session setup stuff would fail in this case. So for HAVE_OSF_SIA this should stay #if'd-out. - If you are using the audit subsystem, the link between a tty and successive processes may be lost in the audit records. But I do extensive auditing, and ptys seem to be pretty much useless in audit trails; it's the process tree that is most useful. - Tru64 5.0x has the /dev/ptmx device, so the HAVE_DEV_PTMX logic can be used to access grantpty() in sshpty.c. But OS versions prior to 5.0x do not have /dev/ptmx, although they *DO HAVE* grantpty. So appropriate changes and testing will have to be done for earlier versions to see that grantpty() and all the terminal setup gets done appropriately. - Since session_setup_sia() works in do_child() when privsep is NOT in use, I'm fairly sure we want to leave it there in that case. It can safely override any grantpty() settings. - stty terminal settings are screwy when privsep is used, and I don't know why. It may relate to the fact that the tty is not initialized by the sia stuff, but I have to admit that I haven't delved into the details of this yet. It seems that the terminal settings could be corrected outside of SIA. Does anyone see any other problems with moving session_setup_sia() to do_setusercontext() when privsep is in use? Any comments on the list above? Toni ----------------------------------------------------------------------- Toni Harbaugh-Blackford harbaugh at nciaxp.ncifcrf.gov AlphaServer 8400 System Administrator SAIC/NCI Frederick Advanced Biomedical Computing Center
Chris Adams
2002-Sep-12 20:31 UTC
tru64 sia: move call of session_setup_sia() to do_setusercontext(), letting grantpty() and friends handle pty perms
Once upon a time, Toni L. Harbaugh-Blackford <harbaugh at nciaxp.ncifcrf.gov> said:> Does anyone see any other problems with moving session_setup_sia() to > do_setusercontext() when privsep is in use? Any comments on the > list above?The biggest one is that you lose functionality from the SIA layer. If SIA doesn't have a terminal, it can't tell the user their password is expired or their account is locked (or the last successful and failed logins), the user can't change expired password at login, etc. Any of that will just cause the connection to fail silently, which IMHO is not acceptable. Obviously right now, the connection will fail silently for non-TTY logins to locked accounts, etc., but an TTY login will give the user the error. -- Chris Adams <cmadams at hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Possibly Parallel Threads
- uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
- no, I see now, tru64 pty ownership wrong on entry to setup_sia, may need /usr/lbin/chgpt (WAS Re: Tru64 privsep patch testing)
- tru64 patch: openssh-SNAP-20020826.tar.gz does not contain 'configure', so how to build?
- Where to implement user limit settings ?
- Tru64 UNIX SIA in 2.5.2p1 is hosed (still)