Displaying 20 results from an estimated 47 matches for "do_setusercontext".
2002 Sep 11
1
tru64 sia: move call of session_setup_sia() to do_setusercontext(), letting grantpty() and friends handle pty perms
Hi-
Under privsep, I experimented with moving the session_setup_sia() out of
do_child() and into do_setusercontext(), which is where the uids/gids are set
to the final execution user. The call is made with a NULL tty, and this
is functional provided that any later pty allocation uses grantpty() to
set the device permissions. Logging in with this method shows that a utmp
entry does get made for the tty. There...
2018 Nov 29
2
Where to implement user limit settings ?
...check_quietlogin(s, command))
do_motd();
#else /* HAVE_OSF_SIA */
/* When PAM is enabled we rely on it to do the nologin check */
if (!options.use_pam) {
do_nologin(pw);
setup_limits(pw); /* Setting up user limits */
}
do_setusercontext(pw);
/*
* PAM session modules in do_setusercontext may have
* generated messages, so if this is an interactive
* login then display them too.
*/
if (!check_quietlogin(s, command))
display_loginmsg();
But I found a problem - in t...
2006 Apr 27
0
bug in OpenSSH_4.3p2: pam_open_session() called but not close for root users
..._open_session is called, but not pam_close_session.
sshd behavior is broken for root logins because if pam session
is run from the child, close is never called due to exec:
on open
since use_privsep is not set, parent calls do_exec_pty(),
which does not open session. then, it skips calling do_setusercontext(),
so it does not open session.
child calls do_setusercontext(), which opens session.
on close
child will not close session, because it exec'd the
shell, and the sshd task is gone!
parent will not close session, since session was not opened by
parent, sshpam_session_op...
2004 Aug 23
8
[Bug 918] ssh_gssapi_storecreds called to late to be usable by PAM in sesion.c
http://bugzilla.mindrot.org/show_bug.cgi?id=918
Summary: ssh_gssapi_storecreds called to late to be usable by PAM
in sesion.c
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo:
2003 Jan 09
1
[PATCH] Allow multiple accounts on Windows 9x/Me
...rinna
Index: session.c
===================================================================
RCS file: /cvs/openssh_cvs/session.c,v
retrieving revision 1.227
diff -u -p -r1.227 session.c
--- session.c 7 Jan 2003 06:38:59 -0000 1.227
+++ session.c 9 Jan 2003 22:23:15 -0000
@@ -1204,7 +1204,7 @@ void
do_setusercontext(struct passwd *pw)
{
#ifdef HAVE_CYGWIN
- if (is_winnt) {
+ {
#else /* HAVE_CYGWIN */
if (getuid() == 0 || geteuid() == 0) {
#endif /* HAVE_CYGWIN */
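Review bot: Replacing `if (is_winnt) {` with a bare `{` under HAVE_CYGWIN makes the whole block run unconditionally on Cygwin, while the non-Cygwin branch still requires `getuid() == 0 || geteuid() == 0`. A short comment above the brace saying why no guard is needed on 9x/Me would make that asymmetry read as deliberate; as written, the bare `{` is easy to mistake for a leftover from an edit.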
@@ -1257,6 +1257,9 @@ do_setusercontext(struct passwd *pw)
permanently_set_uid(pw);
#endif
}
+#ifdef HAVE_CYGWIN
+ if (is_winnt)
+#endif...
2002 Jun 25
3
BSD/OS with privsep
I need this for BSD/OS 4.2 + privsep
perhaps we should not call do_setusercontext() after
chroot().
--- sshd.c.orig Fri Jun 21 03:09:47 2002
+++ sshd.c Tue Jun 25 13:11:03 2002
@@ -548,21 +548,35 @@
/* Change our root directory*/
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
strerror(errno));...
2002 Jul 15
0
[Bug 354] New: sshd with privsep doesn't do pam session setup properly
...limits are allowed to specify arbitrarily high limits for users
listed. The problem appears to be that do_pam_session is being called after we
drop to the user's uid. Without privsep turned on, this all works, as we drop to
the user's uid after do_pam_session. Specifically: with privsep on,
do_setusercontext in privsep_postauth (sshd.c) is called before do_pam_session
in do_exec_pty (session.c). Without privsep, we only drop root privs in do_child
(session.c), which is after we do_exec_pty, since (obviously) the former
code/call to do_setusercontext is unreached.
A possible (does appear to work, though...
2010 Nov 05
2
test request: SCO with setluid() (i686-pc-sco3.2v5.0.7, possibly others)
Hi all.
I am cleaning up (I hope) one of the nastier pieces of code in openssh:
do_setusercontext which is/was a twisty maze of platform-specific
nested ifdefs. I made a series of changes[1] where I moved each
platform-specific piece into a portable-only file platform.c, which does
not need to be kept in sync with OpenBSD.
The changes did not (I hope!) change the semantics, but there's on...
2005 Jan 05
3
[Bug 969] early setpcred() stomps on PAM
...Version: 3.9p1
Platform: All
OS/Version: AIX
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: dleonard at vintela.com
The early call to setpcred() in do_setusercontext() seems to drop the euid to
the user's uid on AIX5.1. This stops the future call to initgroups() from
working if setpcred() doesn't get the supplementary group list right. Which it
doesn't with PAM.
The symptoms are a 'successful' login, but the session exits immediately, with...
2002 Jul 15
1
Patch: remove unused tty variable from session.c
...Index: session.c
===================================================================
RCS file: /cvs/openssh/session.c,v
retrieving revision 1.210
diff -u -r1.210 session.c
--- session.c 4 Jul 2002 03:08:41 -0000 1.210
+++ session.c 15 Jul 2002 11:50:14 -0000
@@ -1159,8 +1159,6 @@
void
do_setusercontext(struct passwd *pw)
{
- char tty='\0';
-
#ifdef HAVE_CYGWIN
if (is_winnt) {
#else /* HAVE_CYGWIN */
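Review bot: Dropping `char tty='\0';` at the top of do_setusercontext() is only safe if no platform-conditional branch further down still refers to `tty`. The context lines already show the function splitting on HAVE_CYGWIN, so the commit message should state which configurations were compiled to confirm the variable is unused in every branch, not just the one built locally.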
--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the expe...
2003 Sep 23
1
3.7.1p1 appears to break pam session.
Hi,
I am running FreeBSD 4.7 and openssh 3.7.1p1. I have enabled
PAM usage and indeed, I can use PAM for authentication purposes.
Since configure does login_cap.h, the preprocessor is side stepping
do_pam_session()
altogether in session.c:do_setusercontext().
Here is my patch for session.c. My understanding about
portability issues is rather limited. I would very much appreciate if
you guys could check this and verify that I am not introducing more
problems with this. So far this works for me.
--- session.c Tue Sep 23 10:14:47 2003
+++ sessio...
2004 Jun 29
0
Debian bug #236814: sshd+PAM: MOTD isn't printed when privsep=no
...rivsep=no, do_pam_session is called
*after* display_loginmsg, so the PAM messages are stored too late to be
displayed to the user.
One option would be to move display_loginmsg later, but that would
change the message order on other platforms, so the attached patch just
adds another call after do_setusercontext (the buffer is cleared after
each, so there won't be duplicate messages).
It would also be possible to use pam_tty_conv for privsep=no if we have
a tty. This would allow a session module that needs to interact with
the user to work too, but it would require more surgery to
do_setusercont...
2006 Jan 04
0
ssh and pam-script
...th pam-script and ssh. pam-script is a module for PAM
that enables execution of given script while pam session opens and/or closes.
I try to use it with ssh while logging in and out: it is kind of login
and logout scripts.
PAM session creation is done in function do_pam_session which is invoked
by do_setusercontext which is invoked by do_child. do_child function
is invoked after fork. In a child process do_pam_session function sets
global variable sshpam_session_open to remember that session was opened.
After execution of do_setusercontext and do_pam_session function do_child
does something and then invokes b...
2008 Dec 02
0
SSHD does not cleanup kerberos ticket while root logins
...from Debian 4.0 (stable), but the
same problem is with original OpenSSH 4.3p2. When root logs in with his
Kerberos ticket and then logs out, his ticket remains on the machine. I
found in source (sshd.c) in privsep_postauth function, that if root
logs in then use_privsep is set to 0 and call of function
do_setusercontext is skipped. But the function do_setusercontext calls
ssh_gssapi_storecreds where structure client->store.filename is filled
with the filename of kerberos ticket. So then if
ssh_gssapi_cleanup_creds is called it does nothing because
gssapi_client.store.filename is empty.
We are using also pam_kr...
2013 Mar 13
1
[patch] Incorrect umask in FreeBSD
Normally, in the !UseLogin case on a system with login classes, the
umask is set implicitly by the first setusercontext() call in
do_setusercontext() in session.c. However, FreeBSD treats the umask
differently from other login settings: unless running with the target
user's UID, it will only apply the value from /etc/login.conf, not that
from the user's ~/.login.conf. The patch below addresses this (although
not in the most efficient...
2002 Jun 25
1
PrivSep and AIX 4.3.2
With 3.3p1 built on AIX 4.3.2:
$ ssh [blah]
Couldn't set usrinfo: Not owner
debug1: Calling cleanup 0x20019080(0x200219a0)
debug3: mm_request_send entering: type 27
debug1: Calling cleanup 0x20018dd4(0x0)
Connection to songohan closed by remote host.
Connection to songohan closed.
Output from sshd -d -d -d:
...
debug3: tty_parse_modes: 92 0
debug3: tty_parse_modes: 93 0
2014 Dec 28
2
Compiling a static openssh server
...bc version used for
linking
groupaccess.o: In function `ga_init':
/home/john/Downloads/openssh-6.6p1/groupaccess.c:67: warning: Using
'getgrouplist' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/home/john/Downloads/openssh-6.6p1/session.c:1535: warning: Using
'initgroups' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/home/john/Downloads/openssh-6.6p1/groupaccess.c:...
2002 Jun 26
5
[PATCH] improved chroot handling
...quot;, strerror(errno));
-
- /* Drop our privileges */
+ /* Change our root directory and drop privileges */
+ if (chroot(".") < 0)
+ fatal("chroot(): %s\n", strerror(errno));
debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
do_setusercontext(pw);
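Review bot: The added `chroot(".")` confines the process to whatever the current directory happens to be, so its safety rests on an earlier chdir() that is not visible in this hunk; that call's return value must be checked with a fatal() of its own, otherwise a failed chdir leaves the privsep child rooted in the wrong directory before `do_setusercontext(pw)` drops privileges. Separately, the new `fatal("chroot(): %s\n", ...)` carries a trailing newline in the format string, which the logging call does not need.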
@@ -561,6 +556,7 @@
static Authctxt*
privsep_preauth(void)
{
+ char emptydir[] = "/var/tmp/sshd.XXXXXXXXXX";
Authctxt *authctxt = NULL;
int status;
pid_t pid;
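Review bot: The new `emptydir[]` template in privsep_preauth() points into /var/tmp, which is world-writable, so the directory that later becomes the chroot must be created atomically with mkdtemp() (mode 0700) and never with a name-then-mkdir sequence that another local user could race. The hunk should also be paired with a cleanup path that removes the directory once the child has exited, and a comment next to the declaration naming both requirements would help.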
@@ -570,12 +566,31 @@
/* Store a pointer to the kex for later rekeying */
pmonitor->m_pkex = &xxx_kex;...
2012 Mar 06
6
openssh static build - mission impossible?
...c version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess.c:66: warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/builddir/build/BUILD/openssh-5.6p1/session.c:1509: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/builddir/build/BUILD/openssh-5.6p1/groupaccess....
2002 Jun 28
3
AIX usrinfo() cleanup.
Can we do this? Or should we drop the whole char *tty; ? There will
be no way of setting the TTY= correctly while using privsep (Mainly for
multiple streams over single session).
The only thing we really could do is do:
In do_setusercontext()
if (use_privsep)
aix_usrinfo(pw, NULL);
and back in the old spot put:
if (!use_privsep)
aix_usrinfo(pw, s->ttyfd == -1 ? NULL : s->tty);
that should allow users who need TTY set to at least have a working
OpenSSH. Maybe add in a line to INSTALL or README about this issue.
I'm mo...