All,

Could someone explain the purpose of the uidswap functions with respect to ssh (the client)? From what I gathered, ssh installs as setuid root and swaps ids when reading potential key files that may be read only by root. Also, I think when binding to a privileged port ssh swaps id. Is that so?

What are the consequences if you do not install ssh setuid root? (As far as I know no uid swapping occurs)

Thanks
Doug Chimento

On Thu, May 16, 2002 at 04:32:11PM -0400, Chimento, Douglas wrote:
> What are the consequences if you do not install ssh setuid
> root? (As far as I know no uid swapping occurs)

hostbased authentication won't work.

Thanks Markus.
Please excuse my ignorance, I am not much of a UNIX programmer but I
believe I see a potential issue.
Suppose ssh is NOT installed setuid root. If you take a look at the function
permanently_set_uid() in uidswap.c (line 146 in 3.1p1) I believe these
lines below can fail unexpectedly:
	if (setgid(pw->pw_gid) < 0)
		fatal("setgid %u: %.100s", (u_int) pw->pw_gid, strerror(errno));
Here's why: suppose you "switch" primary group id with the newgrp
command.
(For instance:
[doug@host ~]$ id
uid=1065(doug) gid=100(staff)
[doug@host ~]$ newgrp test
[doug@host ~]$ id
uid=1065(doug) gid=1001(test)
[doug@host ~]$
)
Now clearly pw->pw_gid != getgid() and so setgid(pw->pw_gid) will always
fail because the user is no longer a part of pw->pw_gid group. (I hope
that made sense.)
I think the solution would be to do what is done in the restore_uid()
function (line 108 in uidswap.c). That is, check to see if the user is
"privileged".
So we could have this in permanently_set_uid():
{
	if (temporarily_use_uid_effective)
		fatal("restore_uid: temporarily_use_uid effective");
	if (!privileged)
		return;
	if (setgid(pw->pw_gid) < 0)
		fatal("setgid %u: %.100s", (u_int) pw->pw_gid, strerror(errno));
	if (setuid(pw->pw_uid) < 0)
		fatal("setuid %u: %.100s", (u_int) pw->pw_uid, strerror(errno));
}

instead of....
{
	if (temporarily_use_uid_effective)
		fatal("restore_uid: temporarily_use_uid effective");
	if (setgid(pw->pw_gid) < 0)
		fatal("setgid %u: %.100s", (u_int) pw->pw_gid, strerror(errno));
	if (setuid(pw->pw_uid) < 0)
		fatal("setuid %u: %.100s", (u_int) pw->pw_uid, strerror(errno));
}
What are your thoughts?
Thanks for your time.
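
An added example, not part of the original posts and not OpenSSH code: a small C model of the setgid()/setuid() permission rule, applied to the newgrp case from the message above, comparing the unguarded sequence with the proposed early return. `struct cred`, the `sim_*` helpers and `drop_permanently()` are hypothetical names, and "privileged" is assumed to mean effective uid 0.

```c
#include <errno.h>
#include <stdio.h>

/* Simulated process credentials (constructed), so this runs without root. */
struct cred { unsigned ruid, euid, suid, rgid, egid, sgid; };

/* POSIX setgid(): a privileged caller sets real, effective and saved gid;
 * any other caller may only pick its real or saved gid. Supplementary
 * group membership is not consulted. */
static int sim_setgid(struct cred *c, unsigned gid)
{
	if (c->euid == 0) { c->rgid = c->egid = c->sgid = gid; return 0; }
	if (gid != c->rgid && gid != c->sgid) { errno = EPERM; return -1; }
	c->egid = gid;
	return 0;
}

/* setuid() follows the same rule for user ids. */
static int sim_setuid(struct cred *c, unsigned uid)
{
	if (c->euid == 0) { c->ruid = c->euid = c->suid = uid; return 0; }
	if (uid != c->ruid && uid != c->suid) { errno = EPERM; return -1; }
	c->euid = uid;
	return 0;
}

/* guard=0: unguarded sequence; guard=1: with the proposed early return.
 * "Privileged" is assumed to mean euid == 0. Returns -1 where the
 * original would call fatal(). */
int drop_permanently(struct cred *c, unsigned pw_uid, unsigned pw_gid, int guard)
{
	if (guard && c->euid != 0)
		return 0;	/* no privilege held, ids left untouched */
	if (sim_setgid(c, pw_gid) < 0 || sim_setuid(c, pw_uid) < 0)
		return -1;
	return 0;
}

int main(void)
{
	/* a, b: uid 1065, passwd gid 100, gid 1001 after newgrp; s: setuid root */
	struct cred a = {1065, 1065, 1065, 1001, 1001, 1001}, b = a;
	struct cred s = {1065, 0, 0, 100, 100, 100};
	printf("unguarded, newgrp:    %d\n", drop_permanently(&a, 1065, 100, 0));
	printf("guarded, newgrp:      %d\n", drop_permanently(&b, 1065, 100, 1));
	int r = drop_permanently(&s, 1065, 100, 1);
	printf("guarded, setuid-root: %d euid=%u\n", r, s.euid);
	return 0;
}
```

With the guard, the setuid-root case still gives up root for good (real, effective and saved uid all become 1065), while the unprivileged newgrp case no longer hits the EPERM path.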

This bug has already been reported as bug 136. Sorry to be a bother.