bugzilla-daemon at mindrot.org
2005-Jan-05 02:08 UTC
[Bug 969] early setpcred() stomps on PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=969
Summary: early setpcred() stomps on PAM
Product: Portable OpenSSH
Version: 3.9p1
Platform: All
OS/Version: AIX
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: dleonard at vintela.com
The early call to setpcred() in do_setusercontext() seems to drop the euid to
the user's uid on AIX5.1. This stops the future call to initgroups() from
working if setpcred() doesn't get the supplementary group list right. Which it
doesn't with PAM.
The symptoms are a 'successful' login, but the session exits immediately, with
sshd logging "initgroups: Permission denied".
setpcred() must still be called at some stage to correctly set up the process
rlimits and auditing class. I found that moving it to the end of
do_setusercontext() works.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Jan-05 03:59 UTC
[Bug 969] early setpcred() stomps on PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=969
------- Additional Comments From dleonard at vintela.com 2005-01-05 14:59 -------
I just found a similar kind of setpcred problem fixed in
http://archives.neohapsis.com/archives/aix/2002-q3/0003.html:
| A call to initgroups failed after a call to
| setpcred. Changed order of calls so initgroups
| is called first.
bugzilla-daemon at mindrot.org
2005-Jan-05 23:02 UTC
[Bug 969] early setpcred() stomps on PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=969
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
------- Additional Comments From dtucker at zip.com.au 2005-01-06 10:02 -------
I'll take a look at this.
One thought off the top of my head: what if some module in the PAM stack causes
pam_setcred to drop the privs setpcred needs?
bugzilla-daemon at mindrot.org
2005-Jan-06 07:15 UTC
[Bug 969] early setpcred() stomps on PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=969
dleonard at vintela.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |INVALID
------- Additional Comments From dleonard at vintela.com 2005-01-06 18:15 -------
Someone here pointed out the AIX system I was using is at maintenance level
(oslevel -r) 5100-02.
I've upgraded to 5100-07 and the problem has gone away!!
It seems to be an AIX bug, so I'm marking this bug invalid.
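The ordering issue discussed in this thread, as an added example that is not part of the original messages or of OpenSSH's code: on Linux/glibc, with setuid() standing in for the euid drop attributed to setpcred() (an assumption), it shows initgroups() failing once the euid is no longer root. The helper names and the "nobody"/65534 target are constructed.

```c
#define _DEFAULT_SOURCE            /* for initgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum order { GROUPS_FIRST, UID_FIRST };

/* Switch to the target user. Returns 0, the errno of the first failing
 * step, or -1 if root could be regained after the switch. */
static int become_user(const char *name, uid_t uid, gid_t gid, enum order o)
{
    if (o == UID_FIRST && setuid(uid) != 0)     /* the bug: euid dropped early */
        return errno;
    if (initgroups(name, gid) != 0)             /* needs privilege to set groups */
        return errno;
    if (setgid(gid) != 0)
        return errno;
    if (o == GROUPS_FIRST && setuid(uid) != 0)  /* uid change goes last */
        return errno;
    if (uid != 0 && setuid(0) == 0)             /* the drop must be irreversible */
        return -1;
    return 0;
}

/* Run one ordering in a child so the caller keeps its own credentials.
 * Returns the child's exit status (0, an errno value, or 255). */
static int try_order(const char *name, uid_t uid, gid_t gid, enum order o)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return 255;
    if (pid == 0)
        _exit(become_user(name, uid, gid, o) & 0xff);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 255;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed target: "nobody"/65534 when run as root, else ourselves. */
    uid_t uid = geteuid() ? geteuid() : 65534;
    gid_t gid = getegid() ? getegid() : 65534;
    printf("groups first: %d\n", try_order("nobody", uid, gid, GROUPS_FIRST));
    printf("uid first:    %d\n", try_order("nobody", uid, gid, UID_FIRST));
    return 0;
}
```

Run as root, the groups-first ordering is expected to return 0 while the uid-first ordering returns EPERM from initgroups(), matching the "initgroups: Permission denied" symptom in the report.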