| Summary: | Insufficient privileges to chroot() on AIX | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Xavier Lapie <bana> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | | |
| Severity: | major | CC: | cartmanltd, cristi.terpea, dtucker |
| Priority: | P2 | | |
| Version: | 5.2p1 | | |
| Hardware: | PPC | | |
| OS: | AIX | | |
| Bug Depends on: | | | |
| Bug Blocks: | 1560, 1626 | | |

Description
Xavier Lapie
2009-03-07 00:59:11 AEDT
This is related to [Bug 1575] OpenSSH 5.2p1 failure using ChrootDirectory option on AIX.

*** Bug 1575 has been marked as a duplicate of this bug. ***

Created attachment 1661
move setpcred (and usrinfo) on AIX to after chroot
I think the usefulness of setpcred depends on which LAMs you have on your system. We can probably move the setpcred to after the chroot.

Created attachment 1662
override the real uid in setpcred and leave it to permanently_set_uid to set
Hrm, except that doesn't seem to actually work. This one seems to, though.

Comment on attachment 1662
override the real uid in setpcred and leave it to permanently_set_uid to set

>--- session.c 21 Jun 2009 09:50:08 -0000 1.383 >+++ session.c 12 Jul 2009 14:04:22 -0000 ... > #ifdef HAVE_SETPCRED >- if (setpcred(pw->pw_name, (char **)NULL) == -1) >+ /* set all creds except real user ID */ >+ char *creds[] = { "REAL_USER=root", NULL };

Maybe mention that RUID=root is needed for chroot() in the comment.

Created attachment 1669
Same as #1662, but only override if chroot directory is set.
Added comment as suggested, also made it behave differently only if needed (i.e. chroot directory set).
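
Review bot: with the added line char *creds[] = { "REAL_USER=root", NULL }; in the hunk quoted from attachment 1662, the process still has a real UID of root after setpcred() returns, so the switch to the target user rests entirely on the later permanently_set_uid() call named in the attachment title. The excerpt removes if (setpcred(pw->pw_name, (char **)NULL) == -1) and does not show its replacement; the new call should pass creds and keep the == -1 failure check, and nothing between setpcred() and permanently_set_uid() should run on the user's behalf while the real UID is still root.
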
Apparently I'm a moron and pasted this into the wrong bug last time: I think the patch in bug #1249 will also solve it: it uses setpcred to set up everything in the LAM except for real userid, and then lets permanently_set_uid() take care of the latter. Anyway, target 5.3 for David's fix (i.e. moving setpcred).

Fixed with the patch from bug #1249, which will be in the 5.3p1 release. Thanks for the report.

Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.

Created attachment 1728
truss log on AIX 6.1

Created attachment 1729
patch for setpcred with chroot
I tested openssh-5.3p1 on 3 machines:

AIX ... 1 5 004036AA4C00
AIX ... 3 5 0040D7CB4C00
AIX ... 1 6 0003EADAD300

On each of them I got the same result:

...
debug3: safely_chroot: checking '/home/test'
Changed root directory to "/home/test"
Failed to set process credentials

Then it quits. I attached the truss log from AIX 6.1 (truss_log.txt). I also attached the fix that worked for me (this code was posted already in https://bugzilla.mindrot.org/attachment.cgi?id=1669). I call setpcred before chroot.

Look at this (again) for 5.4

*** Bug 1678 has been marked as a duplicate of this bug. ***

Created attachment 1807
Updated AIX setpcred/chroot patch
Patch applied, will be in 5.4p1

With the release of 5.4p1, this bug is now considered closed.
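
The ordering problem behind this bug (chroot() needs root, so it has to run before the permanent UID change, and the change should then be verified) as a portable POSIX sketch. This is an added example, not OpenSSH code or any of the attachments; the function names, the step codes, and the use of "/" and uid/gid 65534 in main() are assumptions, and AIX's setpcred() is not called.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* for chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Step that failed; OK means the process ended chrooted and unprivileged. */
enum { OK = 0, E_GROUPS = 1, E_UID = 2, E_CHROOT = 3, E_REGAIN = 4 };

/* drop_first=1 is the failing order: the UID changes before chroot(), which
 * then lacks privilege. drop_first=0 is the fixed order: group setup and
 * chroot() run as root, the UID change comes last and is verified. */
static int chroot_sequence(int drop_first, const char *dir, uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1)
        return E_GROUPS;
    if (drop_first && setuid(uid) == -1)
        return E_UID;
    if (chroot(dir) == -1 || chdir("/") == -1)
        return E_CHROOT;
    if (!drop_first && setuid(uid) == -1)
        return E_UID;
    /* The drop must be permanent: regaining root has to fail. */
    if (uid != 0 && (setuid(0) != -1 || getuid() != uid || geteuid() != uid))
        return E_REGAIN;
    return OK;
}

/* Run the sequence in a child so the caller keeps its own root and IDs. */
static int run_in_child(int drop_first, const char *dir, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) _exit(chroot_sequence(drop_first, dir, uid, gid));
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed inputs: "/" as chroot target, 65534 as target uid/gid. */
    printf("uid change first: step %d\n", run_in_child(1, "/", 65534, 65534));
    printf("chroot first:     step %d\n", run_in_child(0, "/", 65534, 65534));
    return 0;
}
```

Run as root on a typical system, the first order stops at step 3 (chroot refused) and the second returns 0; without root both stop at group setup (step 1).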