bugzilla-daemon at bugzilla.mindrot.org
2009-Mar-06 13:59 UTC
[Bug 1567] New: Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Summary: Insufficient privileges to chroot() on AIX
Product: Portable OpenSSH
Version: 5.2p1
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: bana at docisland.org

I need to use sftp-only accounts, chroot()ed in their home dirs, on AIX 5.3 with OpenSSH_5.2p1. But there is a problem with the chroot() call.

In the do_setusercontext() function, chroot() is called after the setpcred() (only AIX is concerned by the setpcred() call), so privileges are already dropped when chroot() is called.

When not calling setpcred(), the chroot() does not fail and the privileges are dropped anyway within the permanently_set_uid() call, just after the safely_chroot() call.

Is the setpcred() really useful?

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
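The ordering problem in the report above, as an added example that is not OpenSSH code and not part of the original thread: portable setgid()/setuid() stand in for AIX's setpcred(), and the names drop_privs and try_order and the ID 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanent drop to uid/gid; 0 only if root cannot be regained afterwards. */
static int drop_privs(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (uid != 0 && (setuid(0) != -1 || getuid() != uid || geteuid() != uid))
        return -1;
    return 0;
}

/* One ordering, run in a forked child so the caller is unaffected.
 * Returns 0 on success, chroot()'s errno if chroot() failed, -1 otherwise. */
int try_order(int chroot_first, const char *dir, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (!chroot_first && drop_privs(uid, gid) == -1)
            _exit(255);
        if (chroot(dir) == -1)
            _exit(errno);       /* EPERM when privileges are already gone */
        if (chdir("/") == -1 || (chroot_first && drop_privs(uid, gid) == -1))
            _exit(255);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    int root = geteuid() == 0;  /* 65534 is an assumed unprivileged ID */
    uid_t uid = root ? 65534 : getuid();
    gid_t gid = root ? 65534 : getgid();
    printf("drop, then chroot: %d\n", try_order(0, "/", uid, gid));
    printf("chroot, then drop: %d\n", try_order(1, "/", uid, gid));
    return 0;
}
```

Run as root, the first ordering reports chroot()'s EPERM while the second completes and ends with the drop verified; run unprivileged, chroot() is refused in both.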
bugzilla-daemon at bugzilla.mindrot.org
2009-Mar-20 05:33 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Kieron Curtis <cartmanltd at hotmail.com> changed:

What                |Removed                     |Added
----------------------------------------------------------------------------
CC                  |                            |cartmanltd at hotmail.com

--- Comment #1 from Kieron Curtis <cartmanltd at hotmail.com> 2009-03-20 16:33:57 ---

This is related to [Bug 1575] OpenSSH 5.2p1 failure using ChrootDirectory option on AIX.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-12 12:35 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2009-07-12 22:35:56 ---

*** Bug 1575 has been marked as a duplicate of this bug. ***
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-12 12:56 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2009-07-12 22:56:13 ---

Created an attachment (id=1661)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1661)
move setpcred (and usrinfo) on AIX to after chroot

I think the usefulness of setpcred depends on which LAMs you have on your system. We can probably move the setpcred to after the chroot.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-12 14:22 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Darren Tucker <dtucker at zip.com.au> changed:

What                         |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1661 is obsolete |0                           |1

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2009-07-13 00:22:30 ---

Created an attachment (id=1662)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1662)
override the real uid in setpcred and leave it to permanently_set_uid to set

Hrm, except that doesn't seem to actually work. This one seems to, though.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31 00:36 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Damien Miller <djm at mindrot.org> changed:

What                         |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1662 Flag        |                            |ok+

--- Comment #5 from Damien Miller <djm at mindrot.org> 2009-07-31 10:36:53 ---

(From update of attachment 1662)
>--- session.c 21 Jun 2009 09:50:08 -0000 1.383 >+++ session.c 12 Jul 2009 14:04:22 -0000...> #ifdef HAVE_SETPCRED >- if (setpcred(pw->pw_name, (char **)NULL) == -1) >+ /* set all creds except real user ID */ >+ char *creds[] = { "REAL_USER=root", NULL };

Maybe mention that RUID=root is needed for chroot() in the comment.
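Review bot: the new comment above `creds[]` says what is set but not why the real user ID is held back, and with "REAL_USER=root" the process keeps a root real UID after setpcred() until something else drops it. Say in the comment that the real UID stays root so the later chroot() can succeed and that permanently_set_uid() is what finally sets it, and apply the override only when a chroot directory is configured so the non-chroot path keeps the original `setpcred(pw->pw_name, (char **)NULL)` behaviour. The quoted lines end before the setpcred() call that takes `creds`, so check that its == -1 failure path is still fatal.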
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31 00:37 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Darren Tucker <dtucker at zip.com.au> changed:

What                |Removed                     |Added
----------------------------------------------------------------------------
Blocks              |                            |1249
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-16 23:56 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Darren Tucker <dtucker at zip.com.au> changed:

What                         |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1662 is obsolete |0                           |1

--- Comment #6 from Darren Tucker <dtucker at zip.com.au> 2009-08-17 09:56:33 EST ---

Created an attachment (id=1669)
Same as #1662, but only override if chroot directory is set.

Added comment as suggested, also made behave differently only if needed (ie chroot directory set).
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-18 01:03 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Darren Tucker <dtucker at zip.com.au> changed:

What                |Removed                     |Added
----------------------------------------------------------------------------
CC                  |                            |dtucker at zip.com.au
Blocks              |1249                        |1560

--- Comment #7 from Darren Tucker <dtucker at zip.com.au> 2009-08-18 11:03:22 EST ---

Apparently I'm a moron and pasted this into the wrong bug last time:

I think the patch in bug #1249 will also solve it: it uses setpcred to set up everything in the LAM except for real userid, and then lets permanently_set_uid() take care of the latter.

Anyway, target 5.3 for David's fix (ie moving setpcred).
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-20 06:23 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Darren Tucker <dtucker at zip.com.au> changed:

What                |Removed                     |Added
----------------------------------------------------------------------------
Status              |NEW                         |RESOLVED
Resolution          |                            |FIXED

--- Comment #8 from Darren Tucker <dtucker at zip.com.au> 2009-08-20 16:23:41 EST ---

Fixed with the patch from bug #1249, which will be in the 5.3p1 release. Thanks for the report.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 04:02 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Damien Miller <djm at mindrot.org> changed:

What                |Removed                     |Added
----------------------------------------------------------------------------
Status              |RESOLVED                    |CLOSED

--- Comment #9 from Damien Miller <djm at mindrot.org> 2009-10-06 15:02:55 EST ---

Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-20 12:18 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

--- Comment #10 from Cristi Terpea <cristi.terpea at fortech.ro> 2009-11-20 23:18:39 EST ---

Created an attachment (id=1728)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1728)
truss AIX 6.1 setpcred chroot
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-20 12:19 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

--- Comment #11 from Cristi Terpea <cristi.terpea at fortech.ro> 2009-11-20 23:19:17 EST ---

Created an attachment (id=1729)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1729)
patch for setpcred with chroot
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-20 12:19 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

--- Comment #12 from Cristi Terpea <cristi.terpea at fortech.ro> 2009-11-20 23:19:56 EST ---

I tested openssh-5.3p1 on 3 machines:

AIX ... 1 5 004036AA4C00
AIX ... 3 5 0040D7CB4C00
AIX ... 1 6 0003EADAD300

on each of them I got the same result:

...
debug3: safely_chroot: checking '/home/test'
Changed root directory to "/home/test"
Failed to set process credentials

then it quits.

I attached the truss log from AIX 6.1 (truss_log.txt)
I also attached the fix that worked for me (this code was posted already in https://bugzilla.mindrot.org/attachment.cgi?id=1669 ). I call setpcred before chroot.
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-20 12:20 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Cristi Terpea <cristi.terpea at fortech.ro> changed:

What                         |Removed                       |Added
----------------------------------------------------------------------------
Attachment #1728 description |truss AIX 6.1 setpcred chroot |truss log on AIX 6.1
bugzilla-daemon at bugzilla.mindrot.org
2009-Nov-20 12:21 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Cristi Terpea <cristi.terpea at fortech.ro> changed:

What                |Removed                     |Added
----------------------------------------------------------------------------
CC                  |                            |cristi.terpea at fortech.ro
Status              |CLOSED                      |REOPENED
Resolution          |FIXED                       |
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-07 00:07 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Darren Tucker <dtucker at zip.com.au> changed:

What                |Removed                     |Added
----------------------------------------------------------------------------
Blocks              |                            |1626
Status              |REOPENED                    |NEW

--- Comment #13 from Darren Tucker <dtucker at zip.com.au> 2009-12-07 11:07:31 EST ---

Look at this (again) for 5.4
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-07 00:08 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

--- Comment #14 from Darren Tucker <dtucker at zip.com.au> 2009-12-07 11:08:26 EST ---

*** Bug 1678 has been marked as a duplicate of this bug. ***
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-07 01:54 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Darren Tucker <dtucker at zip.com.au> changed:

What                         |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1669 is obsolete |0                           |1
Attachment #1728 is obsolete |0                           |1
Attachment #1729 is obsolete |0                           |1

--- Comment #15 from Darren Tucker <dtucker at zip.com.au> 2010-03-07 12:54:37 EST ---

Created an attachment (id=1807)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1807)
Updated AIX setpcred/chroot patch
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-07 02:21 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Darren Tucker <dtucker at zip.com.au> changed:

What                |Removed                     |Added
----------------------------------------------------------------------------
Status              |NEW                         |RESOLVED
Resolution          |                            |FIXED

--- Comment #16 from Darren Tucker <dtucker at zip.com.au> 2010-03-07 13:21:36 EST ---

Patch applied, will be in 5.4p1
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-25 23:51 UTC
[Bug 1567] Insufficient privileges to chroot() on AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1567

Darren Tucker <dtucker at zip.com.au> changed:

What                |Removed                     |Added
----------------------------------------------------------------------------
Status              |RESOLVED                    |CLOSED

--- Comment #17 from Darren Tucker <dtucker at zip.com.au> 2010-03-26 10:51:39 EST ---

With the release of 5.4p1, this bug is now considered closed.