Compiled on linux gcc 2.7.2.3, kernel 2.0.38 on i586. Latest zlib and openssl packages were in place. Compile completes apparently successfully. When logging in, the password is accepted, the system MOTD is displayed; but then, the connection immediately closes. Errors in syslog show: sshd[7319]: fatal: setresgid 100: Function not implemented Configure says 'yes' to the check for setresgid and sets the define HAVE_SETRESGID in config.h. Commenting out the define seems to fix the problem. I wos told by someone more knowlegeable than I that the setresgid function wasn't implemented until later kernels, implying the test done by ./configure dosen't properly yield the right answer.
Created attachment 406 [details] Test setresuid call We need a way to detect this at build time without needing root privs to build. What does the attached program return? This is what I get from RH 8. $ gcc setresgidtest.c $ ./a.out setresgid returned 0, errno 0 setresuid returned 0, errno 0
The problem is that your libc is advertising the availability of a setresuid library routing, but not actually implementing it. This is a thouroughly broken state of affairs. What distribution are you using?
The distribution was originally slackware, but various parts upgraded now and then, usually to deal with something like inability to compile some needed routine (typically, some security patch issue such as this round). libc shows libc.so.4.7.6 and libc.so.5.4.44 The machine is a main server with over 100 accounts and other functions, so not easily replaced. It's been rock solid for years with uptimes over 450 days and that was cut short when the ups ran down. I'm half scared to mess with it except in a crisis! :) The test provided won't compile, either: tiger:~# gcc setresgidtest.c /tmp/cca015121.o: In function `main': /tmp/cca015121.o(.text+0x5f): undefined reference to `setresuid'
I've got the same issue on an old x86 RedHat box with a 2.0.35 kernel. The box is scheduled to retire soon (for like 3 years now). Not important, to me anyway, but these comments may or may not help others. 3.6.1p2 works fine. If it seems a worthy cause I can post the output of strace or perform other tests. gcc-2.7.2.3-13 glibc-2.0.7-19 # gcc setresgidtest.c # ./a.out setresgid returned -1, errno 0 setresuid returned -1, errno 38
It looks like that test program catches the problem (the fact that it doesn't compile in comment #3 is good since we want to detect a failure). Any volunteers to do a patch and test it?
I am willing to try the patch if it makes sense to you. setresgidtest.c compiled fine on my target sys (as a non root user too), but fails to execute properly (comment 4). Otherwise the system has the same symptoms the original poster described. (builds fine, but all logins fail with authentication failed errors).
correction: "but all logins fail with authentication failed errors" is wrong -that was another unrelated issue. "fatal: setresgid nnn: Function not implemented" is the reported error.
From the 3.71.p2 announcement: "* Workaround problems related to unimplemented or broken setresuid/setreuid functions on several platforms." 3.7.1p2 still fails in this regard - for me. Same install as described in comment 4. Commenting both setresuid/setreuid solves this. I've only seen this issue reported here. I don't really see this as an ssh bug - maybe this should be closed.
Created attachment 487 [details] Test setresuid and setresguid for "not implemented" Please try this patch. You will need to run "autoreconf" after applying, then ./configure && make.
I applied the patch, but the machine dosen't have 'autoreconf" so I created two fresh untarred packages and patched only one. Both incorrectly set the 'setresgid' define in the resulting config.h file (diff says both config.h files are the same). If autoreconf does some additional magic I can't do, I'd be happy to try with a tarred up package wich is ready for configure to be run.
Autoreconf (part of the autoconf package) does magic you need. I have put a complete tarball of -current + this patch temporarily here: http://dodgynet.dyndns.org/~dtucker/tmp/openssh-uid.tar.gz
Ran configure on the test source provided, but the setresgid remained defined. Diff with unpached version shows: tiger:/archive2/openssh-uid# diff config.h ../openssh-3.7.1p2/config.h 3c3 < /* $Id: acconfig.h,v 1.168 2003/10/15 06:57:57 dtucker Exp $ */ --- > /* $Id: acconfig.h,v 1.166 2003/09/16 01:52:19 dtucker Exp $ */ 46,51d45 < /* Define if your setreuid() is broken */ < /* #undef BROKEN_SETRESUID */ < < /* Define if your setregid() is broken */ < /* #undef BROKEN_SETRESGID */ < 100,102d93 < /* Define if you have the basename function. */ < #define HAVE_BASENAME 1 < 428a420,422 > /* Define if DNS support is to be activated */ > /* #undef DNS */ > 447a442,444 > /* Define if you have the `basename' function. */ > #define HAVE_BASENAME 1 > 835,837d831 < /* Define if you have the `strtoul' function. */ < #define HAVE_STRTOUL 1 < 956c950 < #define HAVE__GETLONG 1 --- > /* #undef HAVE__GETLONG */ 962c956 < #define HAVE__GETSHORT 1 --- > /* #undef HAVE__GETSHORT */ If other tests/outputs would be helpful, let me know.
Please look in config.log, there will be 2 entries for setres[gu]id. I'm interested in the one that starts with: "checking if setresuid seems to work" and the following 10-30 lines up to the "result: [whatever]" line (and similarly for the setresgid line). As far as config.h goes, you only need to show the lines with HAVE_SETRESUID and BROKEN_SETRESUID (and the same for setresgid).
Created attachment 488 [details] Setres config.log extract
Created attachment 489 [details] Check setresuid for "not implemented", take 2. From the log, it's detecting OK but I got the AC_DEFINEs wrong. I have updated the tarball in comment #11.
The latest config sets the following: /* Define if you have the `setresgid' function. */ #define HAVE_SETRESGID 1/* /* Define if you have the `setresuid' function. */ /* #undef HAVE_SETRESUID */ but also /* Define if your setresuid() is broken */ #define BROKEN_SETRESUID 1 /* Define if your setresgid() is broken */ #define BROKEN_SETRESGID 1 (Note I didn't notice if the previoius version set broken defines, as I was only expecting to see the setres ones eo be either defined or not.) I went through a complete compile, and everything seems to work according to a quick try. Anything else I need to try or report?
No, that's fine. I'll commit the patch unless there are objections. The BROKEN_* defines weren't set by the earlier patch (you can tell from the diff you posted).
Patch #489 has been committed to both HEAD and the 3.7 branch, so this is now fixed.
Mass change of RESOLVED bugs to CLOSED