Bug 980
sshd does not write the session leader pid to utmp when priv-separation is enabled
Patch for logging,clearing shell pid during login and logout
LogShellpid_PrivSepyes.patch (text/plain), 9.33 KB, created by
senthilkumar
on 2005-05-16 23:38:26 AEST
Description:
Patch for logging and clearing the shell pid during login and logout
Filename:
MIME Type:
Creator:
senthilkumar
Created:
2005-05-16 23:38:26 AEST
Size:
9.33 KB
patch
obsolete
>diff -Nur openssh-4.0p1/monitor.c openssh-4.0p1-logname/monitor.c
>--- openssh-4.0p1/monitor.c 2005-03-06 17:01:36.000000000 +0530
>+++ openssh-4.0p1-logname/monitor.c 2005-05-16 16:59:00.000000000 +0530
>@@ -127,6 +127,9 @@
> int mm_answer_sesskey(int, Buffer *);
> int mm_answer_sessid(int, Buffer *);
> 
>+int mm_answer_writelogin(int, Buffer *);
>+int mm_answer_record_logout(int, Buffer *);
>+
> #ifdef USE_PAM
> int mm_answer_pam_start(int, Buffer *);
> int mm_answer_pam_account(int, Buffer *);
>@@ -219,6 +222,8 @@
> {MONITOR_REQ_PTY, 0, mm_answer_pty},
> {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
> {MONITOR_REQ_TERM, 0, mm_answer_term},
>+ {MONITOR_REQ_WRITELOGIN, 0, mm_answer_writelogin},
>+ {MONITOR_REQ_LOGOUT, 0, mm_answer_record_logout},
> #ifdef SSH_AUDIT_EVENTS
> {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
> {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
>@@ -261,6 +266,8 @@
> {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
> {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
> {MONITOR_REQ_TERM, 0, mm_answer_term},
>+ {MONITOR_REQ_WRITELOGIN, 0, mm_answer_writelogin},
>+ {MONITOR_REQ_LOGOUT, 0, mm_answer_record_logout},
> #ifdef SSH_AUDIT_EVENTS
> {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
> {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
>@@ -396,6 +403,8 @@
> if (!no_pty_flag) {
> monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
> monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
>+ monitor_permit(mon_dispatch, MONITOR_REQ_WRITELOGIN, 1);
>+ monitor_permit(mon_dispatch, MONITOR_REQ_LOGOUT, 1);
> }
> 
> for (;;)
>@@ -1216,10 +1225,7 @@
> cleanup_exit(255);
> }
> }
>- /* Record that there was a login on that tty from the remote host. */
>- record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
>- get_remote_name_or_ip(utmp_len, options.use_dns),
>- (struct sockaddr *)&from, fromlen);
>+ store_lastlog_message(pw->pw_name, pw->pw_uid);
> }
> 
> static void 
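Review bot: In the second dispatch table (the @@ -261 hunk) MONITOR_REQ_PTY and MONITOR_REQ_PTYCLEANUP carry MON_ONCE, but the two new entries are added with flag 0, so on that path the unprivileged child can send WRITELOGIN and LOGOUT any number of times after its single permitted pty, each request appending another utmp/wtmp/lastlog record through the privileged monitor. Give them the same flag as the pty entries they depend on: `{MONITOR_REQ_WRITELOGIN, MON_ONCE, mm_answer_writelogin},` and `{MONITOR_REQ_LOGOUT, MON_ONCE, mm_answer_record_logout},`. The first table keeps PTY at 0, so flag 0 for the new entries there is consistent with it.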
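Review bot: The store_lastlog_message() call that replaces record_login() in the @@ -1216 hunk only prepares the "Last login" text; the utmp/wtmp/lastlog record for the tty the monitor has just allocated is now written only if and when the unprivileged process later sends MONITOR_REQ_WRITELOGIN, so a session torn down before that request leaves no login record at all. record_login() appears to call store_lastlog_message() itself (the sshlogin.c hunk's comment says it must run before login_login() updates lastlog; verify in sshlogin.c), in which case the monitor's login-message buffer receives a second copy of the text when WRITELOGIN arrives. A comment here should make the split explicit: `/* Lastlog text only; the utmp/wtmp record is written when the child sends MONITOR_REQ_WRITELOGIN. */`. The enclosing handler (presumably mm_answer_pty) starts outside this hunk.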
>@@ -1916,3 +1922,68 @@
> return (authenticated);
> }
> #endif /* GSSAPI */
>+
>+/*
>+ Receive a "write login" request from the unpriviledged
>+ process. The priviledged process will receive the pid
>+ of the shell process, and the tty name. Record the login.
>+*/
>+int mm_answer_writelogin(int socket, Buffer *m)
>+{
>+ pid_t pid;
>+ char tty[TTYSZ];
>+ socklen_t fromlen;
>+ struct sockaddr_storage from;
>+ struct passwd *pw;
>+
>+ memset(tty, 0, TTYSZ);
>+ buffer_get(m, &pid, sizeof(pid_t));
>+ buffer_get(m, tty, TTYSZ);
>+ debug("Priviledged process: received pid %d tty %s", pid, tty);
>+ /*
>+ * Get IP address of client. If the connection is not a socket, let
>+ * the address be 0.0.0.0.
>+ */
>+ memset(&from, 0, sizeof(from));
>+ fromlen = sizeof(from);
>+ if (packet_connection_is_on_socket()) {
>+ if (getpeername(packet_get_connection_in(),
>+ (struct sockaddr *) & from, &fromlen) < 0) {
>+ debug("getpeername: %.100s", strerror(errno));
>+ cleanup_exit(255);
>+ }
>+ }
>+ pw = authctxt->pw;
>+
>+ /* Record that there was a login on that tty from the remote host. */
>+ record_login(pid, tty, pw->pw_name, pw->pw_uid,
>+ get_remote_name_or_ip(utmp_len, options.use_dns),
>+ (struct sockaddr *)&from, fromlen);
>+
>+}
>+
>+/* LOGOUT FIX
>+ Receive a "record logout" request from the unpriviledged
>+ process. The priviledged process will receive the pid
>+ of the shell process, and the tty name. Record the logout. 
>*/
>+int mm_answer_record_logout(int socket, Buffer *m)
>+{
>+ pid_t pid;
>+ char tty[TTYSZ];
>+ char *pwname;
>+ struct passwd *pw;
>+
>+ memset(tty, 0, TTYSZ);
>+ buffer_get(m, &pid, sizeof(pid_t));
>+ buffer_get(m, tty, TTYSZ);
>+ pwname = buffer_get_string(m,NULL);
>+ debug("Priviledged process: received pid for logout %d tty %s", pid, tty);
>+ pw = authctxt->pw;
>+
>+ if (pid != 0)
>+ record_logout(pid, tty, pw->pw_name);
>+ xfree(pwname);
>+}
>+
>+
>diff -Nur openssh-4.0p1/monitor.h openssh-4.0p1-logname/monitor.h
>--- openssh-4.0p1/monitor.h 2005-02-02 18:50:53.000000000 +0530
>+++ openssh-4.0p1-logname/monitor.h 2005-05-16 17:10:06.000000000 +0530
>@@ -60,7 +60,9 @@
> MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
> MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
> MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
>- MONITOR_REQ_TERM
>+ MONITOR_REQ_LOGOUT,
>+ MONITOR_REQ_TERM,
>+ MONITOR_REQ_WRITELOGIN
> };
> 
> struct mm_master;
>diff -Nur openssh-4.0p1/monitor_wrap.c openssh-4.0p1-logname/monitor_wrap.c
>--- openssh-4.0p1/monitor_wrap.c 2005-02-08 16:22:48.000000000 +0530
>+++ openssh-4.0p1-logname/monitor_wrap.c 2005-05-16 17:05:11.000000000 +0530
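Review bot: Both new handlers let the unprivileged post-auth process choose the pid and the tty name that the privileged monitor then writes into utmp/wtmp/lastlog through record_login()/record_logout(), so a compromised child running as the user can forge login or logout records for any tty name, not only the one the monitor allocated for it in its PTY handler. The monitor should resolve the received name against its own session state, the way the existing PTYCLEANUP handler resolves its tty argument (not visible in this patch; verify), and refuse anything else. `buffer_get(m, tty, TTYSZ)` also overwrites the zeroed buffer, so a sender that fills all TTYSZ bytes leaves tty unterminated for debug() and record_login(); add `tty[TTYSZ - 1] = '\0';` after that read in both handlers. Both functions are declared int but fall off the end without returning a value, which is undefined behaviour once the dispatcher reads it; finish each with `buffer_clear(m); return (0);` like the other mm_answer_* handlers. In mm_answer_record_logout the pwname string is read and freed but never used, and the `pid != 0` test is the only check on a value the monitor cannot verify.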
>@@ -1218,3 +1218,39 @@
> return (authenticated);
> }
> #endif /* GSSAPI */
>+
>+/* Only the priviledged process can update the login recording files.
>+ Send the pid of the shell process, and the session tty name
>+ to the priviledged process.
>+*/
>+
>+void mm_write_login(pid_t pid, const char *tty, int len)
>+{
>+ Buffer m;
>+ buffer_init(&m);
>+ buffer_append(&m, (void *)&pid, sizeof(pid_t));
>+ buffer_append(&m, tty, TTYSZ);
>+ debug("Writing pid %d tty %s to priviledged process ", pid, tty);
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_WRITELOGIN, &m);
>+ buffer_free(&m);
>+}
>+
>+/* LOGOUT FIX
>+ Only the priviledged process can update the logout recording files.
>+ Send the pid of the shell process, and the session tty name
>+ to the priviledged process.
>+*/
>+void mm_record_logout(pid_t pid, const char *tty, const char *pwname)
>+{
>+ Buffer m;
>+ buffer_init(&m);
>+ buffer_append(&m, (void *)&pid, sizeof(pid_t));
>+ buffer_append(&m, tty, TTYSZ);
>+ buffer_put_string(&m, pwname, strlen(pwname));
>+ debug("Writing pid %d tty %s to priviledged process ",
>+ pid, tty);
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_LOGOUT, &m);
>+ buffer_free(&m);
>+}
>+
>+
>diff -Nur openssh-4.0p1/monitor_wrap.h openssh-4.0p1-logname/monitor_wrap.h
>--- openssh-4.0p1/monitor_wrap.h 2005-02-08 16:22:48.000000000 +0530
>+++ openssh-4.0p1-logname/monitor_wrap.h 2005-05-16 16:58:23.000000000 +0530
>@@ -111,4 +111,7 @@
> void mm_zfree(struct mm_master *, void *);
> void mm_init_compression(struct mm_master *);
> 
>+void mm_write_login(pid_t pid, const char *tty, int len);
>+void mm_record_logout(pid_t pid, const char *tty, const char *pwname);
>+
> #endif /* _MM_H_ */
>diff -Nur openssh-4.0p1/session.c openssh-4.0p1-logname/session.c
>--- openssh-4.0p1/session.c 2005-03-06 17:08:52.000000000 +0530
>+++ openssh-4.0p1-logname/session.c 2005-05-16 16:57:51.000000000 +0530
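Review bot: mm_write_login takes a `len` argument it never uses and always appends TTYSZ bytes from `tty`, so the signature promises a bound it does not honour and a caller passing a shorter buffer would read past it. Either drop the parameter or send the name as a counted string, `buffer_put_cstring(&m, tty);`, with a matching buffer_get_string() in the monitor handler; the patch already uses the put_string/get_string pairing for pwname, and the same treatment for pid (`buffer_put_int(&m, (u_int)pid);`) avoids shipping raw pid_t bytes with buffer_append. mm_record_logout also sends `pwname`, which the monitor discards in favour of authctxt->pw, so that field can be dropped from the message. The duplicated debug text `Writing pid %d tty %s to priviledged process ` misspells privileged and does not say which request it belongs to.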
>@@ -475,6 +475,11 @@
> if (pid < 0)
> packet_disconnect("fork failed: %.100s", strerror(errno));
> s->pid = pid;
>+
>+ /* Send the utmpx information to the priviledged process */
>+ if (use_privsep)
>+ mm_write_login(pid, s->tty, TTYSZ);
>+
> /* Set interactive/non-interactive mode. */
> packet_set_interactive(s->display != NULL);
> #ifdef USE_PIPES
>@@ -2011,7 +2016,7 @@
> debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
> 
> /* Record that the user has logged out. */
>- if (s->pid != 0)
>+ if (s->pid != 0 && !use_privsep)
> record_logout(s->pid, s->tty, s->pw->pw_name);
> 
> /* Release the pseudo-tty. */
>@@ -2108,6 +2113,9 @@
> int i;
> 
> debug("session_close: session %d pid %ld", s->self, (long)s->pid);
>+ /* Send the utmpx information to the priviledged process */
>+ if (use_privsep)
>+ mm_record_logout(s->pid, s->tty, s->pw->pw_name);
> if (s->ttyfd != -1)
> session_pty_cleanup(s);
> if (s->term)
>diff -Nur openssh-4.0p1/sshlogin.c openssh-4.0p1-logname/sshlogin.c
>--- openssh-4.0p1/sshlogin.c 2004-08-13 16:51:47.000000000 +0530
>+++ openssh-4.0p1-logname/sshlogin.c 2005-05-16 14:47:32.000000000 +0530
>@@ -69,7 +69,7 @@
> * Generate and store last login message. This must be done before
> * login_login() is called and lastlog is updated.
> */
>-static void
>+void
> store_lastlog_message(const char *user, uid_t uid)
> {
> char *time_string, hostname[MAXHOSTNAMELEN] = "", buf[512];
>diff -Nur openssh-4.0p1/sshlogin.h openssh-4.0p1-logname/sshlogin.h
>--- openssh-4.0p1/sshlogin.h 2003-01-02 05:13:56.000000000 +0530
>+++ openssh-4.0p1-logname/sshlogin.h 2005-05-16 14:51:01.000000000 +0530
>@@ -25,4 +25,6 @@
> struct sockaddr *, socklen_t);
> #endif
> 
>+void store_lastlog_message(const char *user, uid_t uid);
>+
> #endif
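Review bot: The new mm_record_logout() call in the @@ -2108 hunk runs for every session that is closed, including exec and subsystem sessions that never had a pty, whereas the record_logout() it replaces was only reachable inside the pty cleanup path (which the @@ -2011 hunk now skips under privsep). For a session without a pty, s->tty is not a name the monitor allocated, yet the monitor's LOGOUT handler will be asked to log it out whenever s->pid is non-zero. Keep the request under the existing `s->ttyfd != -1` check so it mirrors the old placement; session_close starts outside this hunk.
```c
	if (s->ttyfd != -1) {
		/* Only the privileged process can update the logout records. */
		if (use_privsep)
			mm_record_logout(s->pid, s->tty, s->pw->pw_name);
		session_pty_cleanup(s);
	}
```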