Bug 325

Summary: PermitRootLogin forced-commands-only & privsep - not working together
Product: Portable OpenSSH Reporter: jfm
Component: sshdAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED DUPLICATE    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: ix86   
OS: Linux   

Description jfm 2002-06-30 09:37:40 AEST 
After upgrading to the latest OpenSSH version 3.4p1, a couple of my backup
scripts failed w/ "Permission denied.".  After, I disabled privsep w/
"UsePrivilegeSeparation no", the backup scripts started working again.

Of course, I would like to re-enable privsep.  If additional information from me
would be helpful, please don't hesitate to ask.
Comment 1 Hank Leininger 2002-07-13 06:14:28 AEST 
Seeing this here too; it appears that when auth2.c:userauth_finish is called,
forced_command has been cleared (or perhaps, never set in that forked sshd) so
the call to auth_root_allowed(method) returns 0.  The following patch makes
forced-command logins as root work again, but I doubt this is the right fix.  In
fact the below may have serious problems; no warranties.

Looking at (but not testing) today's snapshot, this appears to still be a
problem.  If so I'm surpised more people haven't run into this...?

--- openssh-3.4p1/auth2.c       Fri Jun 21 02:21:11 2002
+++ openssh-3.4p1-hap-2/auth2.c Fri Jul 12 15:35:52 2002
@@ -206,6 +206,7 @@
 
	/* Special handling for root */
	if (authenticated && authctxt->pw->pw_uid == 0 &&
+	    !options.permit_root_login == PERMIT_FORCED_ONLY &&
	    !auth_root_allowed(method))
		authenticated = 0;
Comment 2 Markus Friedl 2002-08-22 07:45:25 AEST 

*** This bug has been marked as a duplicate of 387 ***
Comment 3 Damien Miller 2004-04-14 12:24:18 AEST 
Mass change of RESOLVED bugs to CLOSED