openssh unix dev - Apr 2015 - [PATCH] Optionally allow pam_setcred to override gid

I would like to allow pam_setcred/pam_sm_setcred to override the gid 
that is normally set for a user.  Currently the openssh code calls 
do_pam_setcred then it sets the gid to the user's gid as listed in 
/etc/passwd, LDAP, or whatever regardless of what the pam module set it 
to.  I would instead like a pam module to be able to set the gid with 
setgid() and not have it overwritten by openssh.

I wrote a patch that does just that by comparing getgid() before and 
after calling do_pam_setcred.  If the gid changes it sets pw->gid to the 
new gid, which is used in later functions.  I don't know if this is 
considered the proper way to achieve that behavior in a safe way but it 
seemed logical to me.  The behavior is optional; PermitGidOverride=no is 
the default.

As for the reasoning, this is for a scheduled environment using Slurm.  
I am developing a pam module that "adopts" ssh processes into the 
appropriate batch job on the node.  Users can launch jobs via Slurm that 
run with their gid as one of their supplementary groups.  As part of the 
adoption of the ssh process, I would like to set the ssh process's gid 
equal to that of the job it is being adopted into.

Ryan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh_permit_gid_override.diff
Type: text/x-patch
Size: 8651 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150413/88f497b1/attachment.bin>

Any thoughts on this approach?  (Bugzilla entry added since the last 
email: https://bugzilla.mindrot.org/show_bug.cgi?id=2380)

Thanks,
Ryan

On 04/13/2015 11:54 AM, Ryan Cox wrote:
> I would like to allow pam_setcred/pam_sm_setcred to override the gid 
> that is normally set for a user.  Currently the openssh code calls 
> do_pam_setcred then it sets the gid to the user's gid as listed in 
> /etc/passwd, LDAP, or whatever regardless of what the pam module set 
> it to.  I would instead like a pam module to be able to set the gid 
> with setgid() and not have it overwritten by openssh.
>
> I wrote a patch that does just that by comparing getgid() before and 
> after calling do_pam_setcred.  If the gid changes it sets pw->gid to 
> the new gid, which is used in later functions.  I don't know if this 
> is considered the proper way to achieve that behavior in a safe way 
> but it seemed logical to me.  The behavior is optional; 
> PermitGidOverride=no is the default.
>
> As for the reasoning, this is for a scheduled environment using 
> Slurm.  I am developing a pam module that "adopts" ssh processes
into
> the appropriate batch job on the node.  Users can launch jobs via 
> Slurm that run with their gid as one of their supplementary groups.  
> As part of the adoption of the ssh process, I would like to set the 
> ssh process's gid equal to that of the job it is being adopted into.
>
> Ryan
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev