Any thoughts on this approach? (Bugzilla entry added since the last
email: https://bugzilla.mindrot.org/show_bug.cgi?id=2380)

Thanks,
Ryan

On 04/13/2015 11:54 AM, Ryan Cox wrote:

I would like to allow pam_setcred/pam_sm_setcred to override the gid
that is normally set for a user. Currently the openssh code calls
do_pam_setcred then it sets the gid to the user's gid as listed in
/etc/passwd, LDAP, or whatever regardless of what the pam module set
it to. I would instead like a pam module to be able to set the gid
with setgid() and not have it overwritten by openssh.

I wrote a patch that does just that by comparing getgid() before and
after calling do_pam_setcred. If the gid changes it sets pw->gid to
the new gid, which is used in later functions. I don't know if this
is considered the proper way to achieve that behavior in a safe way
but it seemed logical to me. The behavior is optional;
PermitGidOverride=no is the default.

As for the reasoning, this is for a scheduled environment using
Slurm. I am developing a pam module that "adopts" ssh processes into
the appropriate batch job on the node. Users can launch jobs via
Slurm that run with their gid as one of their supplementary groups.
As part of the adoption of the ssh process, I would like to set the
ssh process's gid equal to that of the job it is being adopted into.

Ryan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
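
The before/after getgid() comparison described in the quoted message, as an added C example that is not part of the original post or of the OpenSSH patch. The names `choose_session_gid`, `run_setcred_with_gid_override` and `setcred_fn` are hypothetical, the hook stands in for do_pam_setcred, and the gid values are constructed.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in for the PAM credential step (do_pam_setcred in the post). */
typedef int (*setcred_fn)(void);

/* Decide which gid the session keeps once the credential step has run. */
gid_t choose_session_gid(gid_t before, gid_t after, gid_t passwd_gid,
                         int permit_override)
{
    if (permit_override && after != before)
        return after;      /* the module called setgid(): honour its choice */
    return passwd_gid;     /* default (override off): account database wins */
}

/* Returns 1 if pw->pw_gid was overridden, 0 if left alone, -1 if the hook failed. */
int run_setcred_with_gid_override(struct passwd *pw, setcred_fn setcred,
                                  int permit_override)
{
    gid_t before = getgid();
    if (setcred() != 0)
        return -1;         /* fail closed: never adopt a gid from a failed step */
    gid_t after = getgid();
    gid_t chosen = choose_session_gid(before, after, pw->pw_gid, permit_override);
    if (chosen == pw->pw_gid)
        return 0;
    pw->pw_gid = chosen;   /* later privilege-drop code reads pw->pw_gid */
    return 1;
}

/* Constructed hooks: one that leaves the gid alone, one that reports failure. */
static int noop_setcred(void) { return 0; }
static int failing_setcred(void) { return 1; }

int main(void)
{
    struct passwd pw = {0};
    pw.pw_gid = 1000;      /* constructed account gid */
    int r = run_setcred_with_gid_override(&pw, noop_setcred, 1);
    printf("override=%d gid=%u\n", r, (unsigned)pw.pw_gid);
    r = run_setcred_with_gid_override(&pw, failing_setcred, 1);
    printf("failed hook -> %d, gid still %u\n", r, (unsigned)pw.pw_gid);
    return 0;
}
```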