Date: Wed, 24 Apr 2002 14:03:58 +0000 From: Tony Finch <dot@dotat.at> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/37416: [PATCH] sshd doesn't set the root login class properly Message-ID: <E170NNG-0004Ff-00@hand.dotat.at>
next in thread | raw e-mail | index | archive | help
>Number: 37416
>Category: bin
>Synopsis: [PATCH] sshd doesn't set the root login class properly
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 24 07:10:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Tony Finch
>Release: FreeBSD 4.5-STABLE-20020312 i386
>Organization:
dotat labs
>Environment:
System: FreeBSD hand.dotat.at 4.5-STABLE-20020312 FreeBSD 4.5-STABLE-20020312 #19: Tue Mar 12 13:45:49 GMT 2002 fanf@hand.dotat.at:/FreeBSD/obj/FreeBSD/releng4/sys/SHARP i386
>Description:
sshd uses the "default" login class for users with uid=0 instead of
the "root" login class when setting up the user's session.
>How-To-Repeat:
I added a :umask=002: entry to the default login class and a :umask=022:
entry to the root login class in </etc/login.conf>. After this, if root
logs in via a getty on a virtual console or via telnet, the umask is
022 as expected, but if root logs in via ssh the umask is 002. However,
if root's password entry is changed to mention the root login class
explicitly, the umask is set to 022 when root logs in via ssh.
>Fix:
It isn't clear to me whether the bug is entirely in sshd or whether
some of the problem lies in libutil.
Only login_getpwclass does the special handling of uid=0 users. This
is a wart since none of the rest of the (low-level) API includes this
support. (setusercontext and setclasscontext inherit the behaviour.)
This wart appears to be the origin of the sshd bug: although sshd
calls setusercontext, setusercontext doesn't call getpwclass if
the login_cap_t argument has been initialized, and sshd initializes
it incorrectly. It turns out to be quite easy to fix sshd though :-)
(A general observation: there appear to be a number of incorrect
comments in the source for libutil which is rather irritating.)
--- session.c 3 Dec 2001 00:53:28 -0000 1.4.2.11
+++ session.c 24 Apr 2002 13:56:44 -0000
@@ -149,7 +149,7 @@
startup_pipe = -1;
}
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
+ if ((lc = login_getpwclass(authctxt->pw)) == NULL) {
error("unable to get login class");
return;
}
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E170NNG-0004Ff-00>