bugzilla-daemon at mindrot.org
2002-Jul-15 07:05 UTC
[Bug 354] New: sshd with privsep doesn't do pam session setup properly
http://bugzilla.mindrot.org/show_bug.cgi?id=354

Summary: sshd with privsep doesn't do pam session setup properly
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: rudolph at getsystems.com

When logging in to an openssh >=3.4p1 sshd (I haven't tested earlier than that, but I have tested up to the snapshot from the 14/7/2002), setrlimit, through the pam session setup, isn't called in the appropriate place to allow specified users to have higher ulimits than the server is started with. This ought to work, as pam limits are allowed to specify arbitrarily high limits for users listed.

The problem appears to be that do_pam_session is being called after we drop to the user's uid. Without privsep turned on, this all works, as we drop to the user's uid after do_pam_session.

Specifically: with privsep on, do_setusercontext in privsep_postauth (sshd.c) is called before do_pam_session in do_exec_pty (session.c). Without privsep, we only drop root privs in do_child (session.c), which is after we do_exec_pty, since (obviously) the former code/call to do_setusercontext is unreached.

A possible (does appear to work, though not properly tested) solution is to simply call do_pam_session in privsep_postauth before the do_setusercontext call, though I am unsure of the ramifications of this.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
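The ordering problem in the report can be reproduced outside sshd. The program below is an added example, not OpenSSH code and not from the reporter: pam_limits (run from the PAM session setup) raises hard rlimits with setrlimit(), which the kernel only permits while the process still holds root (CAP_SYS_RESOURCE on Linux). apply_user_limits() stands in for pam_limits and drop_privileges() for do_setusercontext(); each ordering runs in a forked child so the parent keeps its privileges. The unprivileged uid/gid 65534 is an assumption; if the program is started without root, the drop is a no-op and both orderings fail the same way.

```c
/* Added example, not OpenSSH code. Models the privsep ordering bug:
 * raising a hard rlimit (what pam_limits does from pam_open_session)
 * needs root, so doing it after do_setusercontext() fails with EPERM.
 * Assumed: uid/gid 65534 ("nobody"/"nogroup") exists for the drop. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534u   /* assumed unprivileged uid for the drop */
#define UNPRIV_GID 65534u

/* Stand-in for pam_limits: raise the RLIMIT_NOFILE hard limit to `want`.
 * Returns 0 on success, otherwise the errno reported by setrlimit(). */
static int apply_user_limits(rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return errno;
    if (rl.rlim_max >= want)
        return 0;                      /* nothing to raise */
    rl.rlim_max = want;
    if (rl.rlim_cur > rl.rlim_max)
        rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : errno;
}

/* Stand-in for do_setusercontext(): give up root permanently.
 * A no-op when the process is not root to begin with. */
static int drop_privileges(void)
{
    if (geteuid() != 0)
        return 0;
    if (setgid(UNPRIV_GID) != 0 || setuid(UNPRIV_UID) != 0)
        return errno;
    return 0;
}

/* Run "limits then drop" (pam_first != 0, the proposed fix) or "drop then
 * limits" (pam_first == 0, the privsep order in the report) in a child and
 * return apply_user_limits()'s result, or -1 on fork/wait error.
 * The child first lowers its own hard limit by one, so "raising" it only
 * restores a value the system already permitted; the outcome then depends
 * solely on whether the process still holds root at that moment. */
static int run_order(int pam_first)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl;
        rlim_t target;
        int rc;
        if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
            _exit(errno & 0xff);
        target = rl.rlim_max == RLIM_INFINITY ? 65536 : rl.rlim_max;
        rl.rlim_max = target - 1;
        if (rl.rlim_cur > rl.rlim_max)
            rl.rlim_cur = rl.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)   /* lowering is always allowed */
            _exit(errno & 0xff);
        if (pam_first) {
            rc = apply_user_limits(target);      /* still root: may succeed */
            drop_privileges();
        } else {
            drop_privileges();                   /* root is gone before pam runs */
            rc = apply_user_limits(target);
        }
        _exit(rc & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int fixed = run_order(1), buggy = run_order(0);
    printf("pam session before drop: %s\n", fixed == 0 ? "ok" : strerror(fixed));
    printf("pam session after drop:  %s\n", buggy == 0 ? "ok" : strerror(buggy));
    return 0;
}
```

Run as root, the first line reports success and the second EPERM, which is the difference between the non-privsep and privsep code paths described in the report. Containers that strip CAP_SYS_RESOURCE from root will report EPERM for both orderings, since the raise is then not permitted at all.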