Bug 1249

Summary:

pam_open_session called with dropped privs

Product:

Portable OpenSSH

Reporter:

David Leonard <David.Leonard>

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

normal

CC:

dtucker

Priority:

Version:

4.4p1

Hardware:

PPC

OS:

AIX

Bug Depends on:

Bug Blocks:

1560

Attachments:

Description	Flags
move setpcred() to just before permanently_set_uid()	none

Description David Leonard 2006-10-09 11:48:32 AEST

pam_open_session() is being called with euid/uid set to the authenticated user (instead of root)

It seems that do_setusercontext() calls setpcred() early, but setpcred() has the effect of setting uid/euid to the authenticated user. This can't be undone, and the subsequent calls to do_pam_session() are unprivileged.

This is bad for our pam module that creates missing home directories.

Reproduced on oslevels 4330-11, 5100-03, 5200-04

See also: bug 261

Comment 1 David Leonard 2006-10-09 11:51:41 AEST

(In reply to comment #0)
> Reproduced on oslevels 4330-11, 5100-03, 5200-04

clarification: the 4330-11 refers to my instrumenting of the setpcred call; no pam was involved on aix4.3.3

Comment 2 Darren Tucker 2006-10-09 11:54:41 AEST

FWIW I think the right way to deal with this is via the same method proposed in bug #926: move the PAM session open/close into the monitor.  (That is not without its own issues as you can see from the bug, but if we can get those sorted then I think it's the best long-term solution).

Comment 3 David Leonard 2006-10-09 13:00:59 AEST

Created attachment 1200 [details]
move setpcred() to just before permanently_set_uid()

moving setpcred till later works for me.

(see also: bug 969)

Comment 4 Darren Tucker 2008-06-15 05:27:49 AEST

I think this was fixed with the change for bug #926.  Can you confirm?

Also, how does the setpcred change relate to this bug and is it still needed?

Thanks.

Comment 5 Darren Tucker 2009-07-31 10:37:33 AEST

I think the patch in bug #1249 will also solve it: it uses setpcred to set up everying in the LAM except for real userid, and then lets permanently_set_uid() take care of the latter.

Comment 6 Darren Tucker 2009-08-20 16:22:24 AEST

Applied with a slight variation, thanks!  This will be in the 5.3p1 release.

Comment 7 Damien Miller 2009-10-06 15:03:24 AEDT

Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.