Re: [PATCH] Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Mon, 15 Feb 2021, Ed Maste wrote:

> From: Brian Feldman <green@xxxxxxxxxxx>
> 
> From FreeBSD 885a59f2e067 by Brian Feldman <green@xxxxxxxxxxx>.
> 
> Details in FreeBSD PR 37416 https://bugs.freebsd.org/37416 - summary:
> 
> > sshd uses the "default" login class for users with uid=0 instead of
> > the "root" login class when setting up the user's session.
> > ...
> > How-To-Repeat: 
> > I added a :umask=002: entry to the default login class and a :umask=022:
> > entry to the root login class in </etc/login.conf>. After this, if root
> > logs in via a getty on a virtual console or via telnet, the umask is
> > 022 as expected, but if root logs in via ssh the umask is 002. However,
> > if root's password entry is changed to mention the root login class
> > explicitly, the umask is set to 022 when root logs in via ssh.
> 
> Posted for discussion; if accepted I will see about adding autoconf goop,
> if necessary (i.e. if some systems have login_getclass but not
> login_getpwclass).

I think we could do something like this:

diff --git a/auth.c b/auth.c
index 2b77abca..a0e3cd6f 100644
--- a/auth.c
+++ b/auth.c
@@ -604,7 +604,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
 	if (!allowed_user(ssh, pw))
 		return (NULL);
 #ifdef HAVE_LOGIN_CAP
-	if ((lc = login_getclass(pw->pw_class)) == NULL) {
+	if ((lc = login_getpwclass(pw)) == NULL) {
 		debug("unable to get login class: %s", user);
 		return (NULL);
 	}
diff --git a/configure.ac b/configure.ac
index 63c239e0..6b75cf97 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1841,6 +1841,7 @@ AC_CHECK_FUNCS([ \
 	llabs \
 	localtime_r \
 	login_getcapbool \
+	login_getpwclass \
 	md5_crypt \
 	memmem \
 	memmove \
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 50bac587..542ae58d 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -48,6 +48,10 @@
 #include "blf.h"
 #include "fnmatch.h"
 
+#if defined(HAVE_LOGIN_CAP) && !defined(HAVE_LOGIN_GETPWCLASS)
+# define login_getpwclass(pw) login_getclass(pw->pw_class)
+#endif
+
 #ifndef HAVE_BASENAME
 char *basename(const char *path);
 #endif
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux