Bug 2425

Summary:

sshd doesn't need to call setproject() when configured to use PAM on Solaris

Product:

Portable OpenSSH

Reporter:

brent.paulson

Component:

sshd

Assignee:

Darren Tucker <dtucker>

Status:

CLOSED FIXED

Severity:

minor

CC:

dtucker

Priority:

Version:

6.9p1

Hardware:

SPARC

OS:

Solaris

Bug Depends on:

Bug Blocks:

2543

Attachments:

Description	Flags
patch to limit setproject(3PROJECT) calls to non-PAM configurations	none
Check PAM at runtime before setting Solaris project	none

Description brent.paulson 2015-07-07 07:06:19 AEST

Created attachment 2661 [details]
patch to limit setproject(3PROJECT) calls to non-PAM configurations

The OpenSSH bug:

1824 Added project(4) support for Solaris 10
https://bugzilla.mindrot.org/show_bug.cgi?id=1824

added code to call setproject(3PROJECT) on Solaris when
USE_SOLARIS_PROJECTS is defined.  The USE_SOLARIS_PROJECTS #define is
set when --with-solaris-projects is supplied to the configure script.

Ever since the introduction of projects in Solaris 9 a user's project
membership has been set by PAM.  As of Solaris 10, released in January
2005, the updating of a user's project information happens via
pam_unix_cred(5).  This PAM module must be present in all authentication
PAM transactions and is part of all PAM stacks shipped with Solaris and
thus when PAM is configured for OpenSSH (--with-pam) it is not necessary
to separately call setproject(3PROJECT).  In short, I'm suggesting
including '&& !defined(USE_PAM)' to the lines containing
'USE_SOLARIS_PROJECTS' in the portable OpenSSH source.

Comment 1 Darren Tucker 2015-07-07 16:26:20 AEST

Comment on attachment 2661 [details]
patch to limit setproject(3PROJECT) calls to non-PAM configurations

>-#ifdef USE_SOLARIS_PROJECTS
>+#ifdef USE_SOLARIS_PROJECTS && !defined(USE_PAM)

This part isn't correct: USE_PAM is a compile time flag but PAM can be enabled and disabled at runtime.

>        /* if solaris projects were detected, set the default now */
>        if (getuid() == 0 || geteuid() == 0)
>                solaris_set_default_project(pw);

I think that should be something like

if ((getuid() == 0 || geteuid() == 0) && !options.use_pam)
        solaris_set_default_project(pw);

Comment 2 Darren Tucker 2015-10-29 12:43:20 AEDT

Created attachment 2742 [details]
Check PAM at runtime before setting Solaris project

Could you please confirm that this diff works as expected?  Thanks.

Comment 3 Darren Tucker 2016-02-26 14:43:06 AEDT

We haven't received confirmation that this works so pushing to next release.

Comment 4 brent.paulson 2016-03-15 03:23:56 AEDT

> Could you please confirm that this diff works as expected?  Thanks.

Yes, I've confirmed the patch works as expected.  Thanks!

Comment 5 Darren Tucker 2016-03-15 09:27:36 AEDT

Thanks, applied.

Comment 6 Damien Miller 2016-12-09 12:21:21 AEDT

Bulk mark issues CLOSED in 7.3 release