Any thoughts on this approach? (Bugzilla entry added since the last
email: https://bugzilla.mindrot.org/show_bug.cgi?id=2380)
Thanks,
Ryan
On 04/13/2015 11:54 AM, Ryan Cox wrote:> I would like to allow pam_setcred/pam_sm_setcred to override the gid
> that is normally set for a user. Currently the openssh code calls
> do_pam_setcred then it sets the gid to the user's gid as listed in
> /etc/passwd, LDAP, or whatever regardless of what the pam module set
> it to. I would instead like a pam module to be able to set the gid
> with setgid() and not have it overwritten by openssh.
>
> I wrote a patch that does just that by comparing getgid() before and
> after calling do_pam_setcred. If the gid changes it sets pw->gid to
> the new gid, which is used in later functions. I don't know if this
> is considered the proper way to achieve that behavior in a safe way
> but it seemed logical to me. The behavior is optional;
> PermitGidOverride=no is the default.
>
> As for the reasoning, this is for a scheduled environment using
> Slurm. I am developing a pam module that "adopts" ssh processes
into
> the appropriate batch job on the node. Users can launch jobs via
> Slurm that run with their gid as one of their supplementary groups.
> As part of the adoption of the ssh process, I would like to set the
> ssh process's gid equal to that of the job it is being adopted into.
>
> Ryan
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev