On Linux (at least -- I don´t know about BSD), trying to use a non-suid-root ssh client while having switched to a group other than the calling user's primary group (by sg or newgrp) fails with an error message: setgid <primary group>: Operation not permitted Looking for the reason of the failure, I found it in the function permanently_set_uid() in uidswap.c: It tries to set the gid to the value from /etc/passwd, which (at least on Linux) can only succeed if either the process has superuser privileges (the binary is installed suid root) or the real or effective gid is already that value. If a user is currently using a gid of a group that she is member of but which isn't her primary group from /etc/passwd, setgid() fails. A solution could be either - to do nothing in permanently_set_uid() when euid != 0 (this is similar to the behaviour of temporarily_use_uid()). I'll append the short patch for this; I'm using it as a quick solution. - or to set the uid/gid to the real uid/gid, thereby dropping any privileges that a suid-non-root binary might have. This might be a bit cleaner and needs a little more changing (I haven't done this yet, but can do on demand). Regards, Daniel Müller --- uidswap.c~ Thu Aug 16 01:17:22 2001 +++ uidswap.c Thu Mar 7 16:12:25 2002 @@ -147,6 +147,7 @@ { if (temporarily_use_uid_effective) fatal("restore_uid: temporarily_use_uid effective"); + if (geteuid() != 0) return; if (setgid(pw->pw_gid) < 0) fatal("setgid %u: %.100s", (u_int) pw->pw_gid, strerror(errno)); if (setuid(pw->pw_uid) < 0)
i will look at this.
This occurs on Solaris 2.6 and 2.8 as well. Furthermore, in the function restore_uid would if (geteuid() != 0) return; make more sense then if (!privileged) return ; just a thought. Thanks
fixed in OpenSSH 3.3
Mass change of RESOLVED bugs to CLOSED