On Wed, 2020-05-27 at 09:27 +0200, Jakub Jelen wrote:
> On Tue, 2020-05-26 at 17:11 +0200, Hans Petter Jansson wrote:
> > https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-February/037556.html
> >
> > That's the last mention of this I could find in the archives. Was a
> > final decision reached on whether that patch (or something similar)
> > would be accepted?
>
> Did you try that patch, and did it solve the issue for you? We tried and we
> were not able to verify it fixes the described issue.
>
> Moreover, this original patch is broken on systems where two users have
> the same UID.
>
> I tried to tweak it a bit (see the attached patch) to avoid these
> issues, but still we were not able to verify it fixes the described
> issue, so we do not ship it.
>
> I did not look into this much, but if I am right, the group information
> is cached in uidswap.c too, so it might need some more work to be
> working. Whether it will be accepted here is another question.
>
> Hope it helps,

Thanks, it does. I haven't tried the patch from Andreas, but I got positive
feedback on one I wrote. That one may be bad for other reasons, though :)
I'm attaching it anyway.

Reportedly this only works with nscd disabled. Otherwise it will also cache
the bad GID.

--
Hans Petter
From f3c4487c74f3b65848b41dcf290526c2c2945430 Mon Sep 17 00:00:00 2001 From: Hans Petter Jansson <hpj@xxxxx> Date: Thu, 7 May 2020 23:36:53 +0200 Subject: [PATCH] Refresh primary group ID after successful authentication. In certain environments (e.g. using winbind), getpwnam() will return a placeholder primary group ID until the user has been successfully authenticated. As a workaround, we refresh this value with an additional call to getpwnam() after a successful authentication. For a longer explanation of why this is needed, see the Samba 4.6 release notes, winbind section: https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes --- sshd.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sshd.c b/sshd.c index 6f8f11a3..99c1d3c6 100644 --- a/sshd.c +++ b/sshd.c @@ -1502,6 +1502,7 @@ main(int ac, char **av) int keytype; Authctxt *authctxt; struct connection_info *connection_info = NULL; + struct passwd *newpw; #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); @@ -2217,6 +2218,15 @@ main(int ac, char **av) startup_pipe = -1; } + /* Refresh GID; The correct primary group ID may not be available until + * after successful authentication. */ + newpw = getpwnam(authctxt->user); + if (newpw != NULL) { + debug ("GID refresh: old=%d, new=%d", + (int) authctxt->pw->pw_gid, (int) newpw->pw_gid); + authctxt->pw->pw_gid = newpw->pw_gid; + } + #ifdef SSH_AUDIT_EVENTS audit_event(ssh, SSH_AUTH_SUCCESS); #endif -- 2.26.2
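Review bot: in the second hunk, only pw_gid is copied back into authctxt->pw, so anything already derived from the placeholder value stays stale; Jakub's reply says the group information is cached in uidswap.c as well, so the refreshed GID has to reach that code too (for example by recomputing the supplementary group list from authctxt->pw after this block), otherwise the session can still end up with a group set built from the placeholder. Two further points on the same block: the `if (newpw != NULL)` branch silently keeps the old GID when the lookup fails after a successful authentication, which merits at least a logit() so an operator can see why no refresh happened, and the "old == new" outcome (exactly what the nscd caching mentioned in the covering mail would produce) prints the same debug line as a genuine refresh, so consider reporting that case distinctly to make the caveat diagnosable. The lookup is by authctxt->user rather than by UID, which does avoid the same-UID problem raised against the original patch. Style: OpenSSH writes `debug(` without a space before the parenthesis.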
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev