search for: setusercontext

Normally, in the !UseLogin case on a system with login classes, the umask is set implicitly by the first setusercontext() call in do_setusercontext() in session.c. However, FreeBSD treats the umask differently from other login settings: unless running with the target user's UID, it will only apply the value from /etc/login.conf, not that from the user's ~/.login.conf. The patch below addresses this (althou...

I need this for BSD/OS 4.2 + privsep perhaps we should not call do_setusercontext() after chroot(). --- sshd.c.orig Fri Jun 21 03:09:47 2002 +++ sshd.c Tue Jun 25 13:11:03 2002 @@ -548,21 +548,35 @@ /* Change our root directory*/ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, strerror(errno));...

...following are patches against openssh 2.1.1p4 to add support for the BSD_AUTH authentication mechanisms. It allows the use of non-challenge/response style mechanisms (which styles are allowed my be limited by appropriate auth-ssh entries in login.conf). The patches also add support for calling setusercontext for the appropriate class when called with a command (so that the PATH, limits, etc. are set appropriately for the class the user is part of). login -h takes care of this when ssh is called for a regular login. To have access to the class when setting up the session, I had to add preserving it...

...en_session is called, but not pam_close_session. sshd behavior is broken for root logins because if pam session is run from the child, close is never called due to exec: on open since use_privsep is not set, parent calls do_exec_pty(), which does not open session. then, it skips calling do_setusercontext(), so it does not open session. child calls do_setusercontext(), which opens session. on close child will not close sesion, because it exec'd the shell, and the sshd task is gone! parent will not close session, since session was not opened by parent, sshpam_session_op...

...(u_char)(c)) >= '0' && ((u_char)(c)) <= '7') Index: session.c --- session.c 2001/02/13 07:43:17 1.1 +++ session.c 2001/02/13 07:45:46 1.2 @@ -1155,7 +1155,9 @@ child_set_env(&env, &envsize, "HOME", pw->pw_dir); #ifdef HAVE_LOGIN_CAP (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH); - child_set_env(&env, &envsize, "PATH", getenv("PATH")); + /* update the path to the one setusercontext set for us */ + if (getenv("PATH")) + child_set_env(&env, &envsize, "PATH", getenv("PATH&q...

..._PATH_MAILDIR, pw->pw_name); + child_set_env(&env, &envsize, "MAIL", buf); + + if (getenv("TZ")) + child_set_env(&env, &envsize, "TZ", getenv("TZ")); + + /* Save parent environment */ + tmpenv = environ; + environ = env; + + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL) < 0) + fatal("setusercontext failed: %s", strerror(errno)); + + /* Restore parent environment */ + env = environ; + environ = tmpenv; + + for (envsize = 0; env[envsize] != NULL; ++envsize) + ; + envsize = (envsize < 100) ? 100 : envsize...

http://bugzilla.mindrot.org/show_bug.cgi?id=423 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |627 nThis| | Status|NEW |ASSIGNED ------- Additional

...*new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + + pw->pw_dir = new_root; + break; + } + new_root += 2; + } +# endif /* DOT_CHROOT */ # ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { -----------------------------< cut here >------------------------------- -- Civilisation: where they cut down the trees and name streets after them.

...debugging mode. Connection from 148.59.19.13 port 1015 debug1: Client protocol version 1.5; client software version 1.2.27 debug1: match: 1.2.27 pat 1.2.1*,1.2.2*,1.2.3* debug1: Local version string SSH-1.99-OpenSSH_3.3 unable to set user context: Bad file descriptor gdb says: #0 0x805c8c3 in do_setusercontext (pw=0x813c000) at session.c:1164 1164 if (setusercontext(lc, pw, pw->pw_uid, (gdb) print lc $1 = (login_cap_t *) 0x0 (gdb) print *pw $2 = {pw_name = 0x8141000 "sshd", pw_passwd = 0x8141005 "", pw_uid = 10658, pw_gid = 1010, pw_change = 0, pw_class = 0x8141...

http://bugzilla.mindrot.org/show_bug.cgi?id=298 ------- Additional Comments From sshbugs at wayne47.com 2002-06-26 11:05 ------- Problem appears to be that setusercontext is being called after a chroot. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...v, &envsize, "LOGNAME", pw->pw_name); + #ifdef _AIX + child_set_env(&env, &envsize, "LOGIN", pw->pw_name); + #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

Hi, I am running FreeBSD 4.7 and openssh 3.7.1p1. I have enabled PAM usage and indeed, I can use PAM for authentication purposes. Since configure does login_cap.h, the preprocessor is side stepping do_pam_session() altogether in session.c:do_setusercontext(). Here is my patch for session.c. My understanding about portability issues is rather limited. I would very much appreciate if you guys could check this and verify that I am not introducing more problems with this. So far this works for me. --- session.c Tue Sep 23 10:14:47 2003 +++ sessio...

Hi, I was investigating why I don't see any warnings from pam_ldap indicating the pending expiration of passwords as well as for PAM_NEW_AUTHTOK_REQD. Eventually, I found that do_pam_account() does not have a conversation function. Also, there is a function print_pam_messages (currently empty) which look suspiciously like it is ear marked to show just those error messages: /* auth-pam.c

...c/nologin if "UseLogin no" since login(1) may have its own policy on determining who is allowed to login when /etc/nologin is present. Also use the _PATH_NOLOGIN define. - millert at cvs.openbsd.org 2000/08/20 12:42:43 [auth1.c auth2.c session.c ssh.c] Add calls to setusercontext() and login_get*(). We basically call setusercontext() in most places where previously we did a setlogin(). Add default login.conf file and put root in the "daemon" login class. - millert at cvs.openbsd.org 2000/08/21 10:23:31 [session.c] Fix incorrect PATH setting...

Hi, I'm sure I'll get a few "RTFM", but I hope I'll allay those feelings. I'm getting the "scp: command not found". I've read the FAQ. I've read bugs 42 and 82 in bugzilla. Hopefully, I didn't overlook something. At a minimum, defines.h has : #ifdef USER_PATH # ifdef _PATH_STDPATH # undef _PATH_STDPATH # endif # define _PATH_STDPATH

Hello I have some issues with OpenBSM which i cannot resolve, so i decided to ask there. 1) I found some bugs in the auditreduce utility and created patch for it - http://www.freebsd.org/cgi/query-pr.cgi?pr=114534. Please, someone from freebsd team - take it, i think its better to fix this before next release. 2) I found that when i`m using XDM as login manager with OpenBSM, all my audit

...or_wrap.h" +#include "match.h" +#include "readconf.h" #ifdef HAVE_CYGWIN #include <windows.h> @@ -64,6 +66,8 @@ #define is_winnt (GetVersion() < 0x80000000) #endif +#define CHROOT + /* func */ Session *session_new(void); @@ -1160,6 +1164,12 @@ do_setusercontext(struct passwd *pw) { char tty='\0'; + int i; +#ifdef CHROOT + char *new_root = "/"; + const char *hostname = NULL; + const char *ipaddr = NULL; +#endif /* CHROOT */ #ifdef HAVE_CYGWIN if (is_winnt) { @@ -1187,6 +1197,26 @@ if (setlogin(pw->p...

http://bugzilla.mindrot.org/show_bug.cgi?id=83 ------- Additional Comments From djm at mindrot.org 2003-03-10 15:49 ------- Created an attachment (id=247) --> (http://bugzilla.mindrot.org/attachment.cgi?id=247&action=view) Call pam_session after child fork() Hopefully this patch will allow people to gather the feedback necessary to close this bug. ------- You are receiving this

https://bugzilla.mindrot.org/show_bug.cgi?id=3715 Bug ID: 3715 Summary: safely_chroot is a little too restrictive: noexec or nosuid should be enough Product: Portable OpenSSH Version: 9.8p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5