Ed Maste
2021-Feb-15 19:10 UTC
[PATCH] Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly.
From: Brian Feldman <green at FreeBSD.org>

From FreeBSD 885a59f2e067 by Brian Feldman <green at FreeBSD.org>.

Details in FreeBSD PR 37416 https://bugs.freebsd.org/37416 - summary:

> sshd uses the "default" login class for users with uid=0 instead of
> the "root" login class when setting up the user's session.
> ...
> How-To-Repeat:
> I added a :umask=002: entry to the default login class and a :umask=022:
> entry to the root login class in </etc/login.conf>. After this, if root
> logs in via a getty on a virtual console or via telnet, the umask is
> 022 as expected, but if root logs in via ssh the umask is 002. However,
> if root's password entry is changed to mention the root login class
> explicitly, the umask is set to 022 when root logs in via ssh.

Posted for discussion; if accepted I will see about adding autoconf goop,
if necessary (i.e. if some systems have login_getclass but not
login_getpwclass).
---
 auth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth.c b/auth.c index 9a5498b66..c8e1ed074 100644 --- a/auth.c +++ b/auth.c @@ -600,7 +600,7 @@ getpwnamallow(struct ssh *ssh, const char *user) if (!allowed_user(ssh, pw)) return (NULL); #ifdef HAVE_LOGIN_CAP - if ((lc = login_getclass(pw->pw_class)) == NULL) { + if ((lc = login_getpwclass(pw)) == NULL) { debug("unable to get login class: %s", user); return (NULL); } -- 2.30.0
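Review bot: the one-line change in getpwnamallow() is the right fix for the class selection, but it is not safe to merge on its own: the call sits under `#ifdef HAVE_LOGIN_CAP`, so every login_cap platform now compiles a call to login_getpwclass(), and the build breaks on any system that has login_getclass() but not login_getpwclass(), which the cover text itself anticipates. The configure check (or a compat fallback) needs to land in the same commit rather than as a follow-up. Worth spelling out in the commit message as well: after this change a uid-0 user whose passwd entry carries an empty class gets the "root" class from sshd exactly as it already does from getty and telnet, so any administrator who has been relying on "default" class settings (umask, limits) applying to root over ssh will see them change.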
Damien Miller
2021-Feb-18 00:10 UTC
[PATCH] Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly.
On Mon, 15 Feb 2021, Ed Maste wrote:

> From: Brian Feldman <green at FreeBSD.org>
>
> From FreeBSD 885a59f2e067 by Brian Feldman <green at FreeBSD.org>.
>
> Details in FreeBSD PR 37416 https://bugs.freebsd.org/37416 - summary:
>
> > sshd uses the "default" login class for users with uid=0 instead of
> > the "root" login class when setting up the user's session.
> > ...
> > How-To-Repeat:
> > I added a :umask=002: entry to the default login class and a :umask=022:
> > entry to the root login class in </etc/login.conf>. After this, if root
> > logs in via a getty on a virtual console or via telnet, the umask is
> > 022 as expected, but if root logs in via ssh the umask is 002. However,
> > if root's password entry is changed to mention the root login class
> > explicitly, the umask is set to 022 when root logs in via ssh.
>
> Posted for discussion; if accepted I will see about adding autoconf goop,
> if necessary (i.e. if some systems have login_getclass but not
> login_getpwclass).

I think we could do something like this:

diff --git a/auth.c b/auth.c index 2b77abca..a0e3cd6f 100644 --- a/auth.c +++ b/auth.c @@ -604,7 +604,7 @@ getpwnamallow(struct ssh *ssh, const char *user) if (!allowed_user(ssh, pw)) return (NULL); #ifdef HAVE_LOGIN_CAP - if ((lc = login_getclass(pw->pw_class)) == NULL) { + if ((lc = login_getpwclass(pw)) == NULL) { debug("unable to get login class: %s", user); return (NULL); } diff --git a/configure.ac b/configure.ac index 63c239e0..6b75cf97 100644 --- a/configure.ac +++ b/configure.ac @@ -1841,6 +1841,7 @@ AC_CHECK_FUNCS([ \ llabs \ localtime_r \ login_getcapbool \ + login_getpwclass \ md5_crypt \ memmem \ memmove \ diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 50bac587..542ae58d 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h 
@@ -48,6 +48,10 @@ #include "blf.h" #include "fnmatch.h" +#if defined(HAVE_LOGIN_CAP) && !defined(HAVE_LOGIN_GETPWCLASS) +# define login_getpwclass(pw) login_getclass(pw->pw_class) +#endif + #ifndef HAVE_BASENAME char *basename(const char *path); #endif
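Review bot: the fallback macro in openbsd-compat.h should parenthesise its argument, `# define login_getpwclass(pw) login_getclass((pw)->pw_class)`, so it stays correct if it is ever invoked with an expression rather than a plain identifier; as written it only works because auth.c passes the bare `pw`. It is also worth stating in the commit message that on platforms without login_getpwclass() the macro deliberately keeps the old behaviour, so the root-vs-default mix-up from PR 37416 remains on those systems and is only fixed where libutil provides the real function. The configure.ac addition sits in the right alphabetical slot of AC_CHECK_FUNCS and will define HAVE_LOGIN_GETPWCLASS, which is exactly the symbol the new `#if` guard tests, so the three hunks are consistent with each other.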
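As an added illustration of the class selection described in the PR text quoted above and of why the compat fallback keeps the old result, not code from either patch or from libutil: a constructed model of the two lookup rules run against the PR's two login.conf entries. The table, the helper names and the modelled library semantics are assumptions; real sshd calls login_getpwclass(3) or login_getclass(3) from libutil.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the PR's login.conf: umask=002 in "default", umask=022 in "root". */
struct class_entry { const char *name; unsigned umask; };
static const struct class_entry login_conf[] = {
    { "default", 0002 },
    { "root",    0022 },
};

/* Find a class by name; an unknown class falls back to "default" (modelled login_cap behaviour). */
static const struct class_entry *lookup_class(const char *name)
{
    const struct class_entry *def = NULL;
    for (size_t i = 0; i < sizeof login_conf / sizeof login_conf[0]; i++) {
        if (strcmp(login_conf[i].name, "default") == 0)
            def = &login_conf[i];
        if (name != NULL && strcmp(login_conf[i].name, name) == 0)
            return &login_conf[i];
    }
    return def;
}

/* Old sshd path, login_getclass(pw->pw_class): an empty pw_class is
 * treated as "default" no matter who the user is (assumed semantics). */
unsigned umask_via_getclass(uid_t uid, const char *pw_class)
{
    (void)uid;  /* the uid never influences the choice on this path */
    const char *cls = (pw_class != NULL && *pw_class) ? pw_class : "default";
    return lookup_class(cls)->umask;
}

/* New sshd path, login_getpwclass(pw): an empty pw_class becomes "root"
 * for uid 0 and "default" for everyone else (assumed semantics). */
unsigned umask_via_getpwclass(uid_t uid, const char *pw_class)
{
    const char *cls = pw_class;
    if (cls == NULL || *cls == '\0')
        cls = (uid == 0) ? "root" : "default";
    return lookup_class(cls)->umask;
}

int main(void)
{
    /* root with no class in the passwd entry, as in the PR's repeat steps */
    printf("login_getclass:   %04o\n", umask_via_getclass(0, ""));     /* 0002 */
    printf("login_getpwclass: %04o\n", umask_via_getpwclass(0, ""));   /* 0022 */
    printf("explicit root:    %04o\n", umask_via_getclass(0, "root")); /* 0022 */
    return 0;
}
```

The third line reproduces the PR's last observation: naming the class explicitly in the passwd entry makes the old call return the right class, which is why the bug only shows up for the implicit case.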