On Mon, 15 Feb 2021, Ed Maste wrote: > From: Brian Feldman <green@xxxxxxxxxxx> > > From FreeBSD 885a59f2e067 by Brian Feldman <green@xxxxxxxxxxx>. > > Details in FreeBSD PR 37416 https://bugs.freebsd.org/37416 - summary: > > > sshd uses the "default" login class for users with uid=0 instead of > > the "root" login class when setting up the user's session. > > ... > > How-To-Repeat: > > I added a :umask=002: entry to the default login class and a :umask=022: > > entry to the root login class in </etc/login.conf>. After this, if root > > logs in via a getty on a virtual console or via telnet, the umask is > > 022 as expected, but if root logs in via ssh the umask is 002. However, > > if root's password entry is changed to mention the root login class > > explicitly, the umask is set to 022 when root logs in via ssh. > > Posted for discussion; if accepted I will see about adding autoconf goop, > if necessary (i.e. if some systems have login_getclass but not > login_getpwclass). I think we could do something like this: diff --git a/auth.c b/auth.c index 2b77abca..a0e3cd6f 100644 --- a/auth.c +++ b/auth.c @@ -604,7 +604,7 @@ getpwnamallow(struct ssh *ssh, const char *user) if (!allowed_user(ssh, pw)) return (NULL); #ifdef HAVE_LOGIN_CAP - if ((lc = login_getclass(pw->pw_class)) == NULL) { + if ((lc = login_getpwclass(pw)) == NULL) { debug("unable to get login class: %s", user); return (NULL); } diff --git a/configure.ac b/configure.ac index 63c239e0..6b75cf97 100644 --- a/configure.ac +++ b/configure.ac @@ -1841,6 +1841,7 @@ AC_CHECK_FUNCS([ \ llabs \ localtime_r \ login_getcapbool \ + login_getpwclass \ md5_crypt \ memmem \ memmove \ diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 50bac587..542ae58d 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h 
@@ -48,6 +48,10 @@ #include "blf.h" #include "fnmatch.h" +#if defined(HAVE_LOGIN_CAP) && !defined(HAVE_LOGIN_GETPWCLASS) +# define login_getpwclass(pw) login_getclass(pw->pw_class) +#endif + #ifndef HAVE_BASENAME char *basename(const char *path); #endif
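Review bot: missing comment at the login_getpwclass(pw) call in the auth.c hunk (getpwnamallow()): nothing at the call site says why the whole passwd entry is passed instead of pw->pw_class. A one-line comment noting that this is what lets a uid 0 account with no explicit class get the "root" login class rather than "default" (the case in FreeBSD PR 37416) would keep a later cleanup from reverting it to login_getclass(pw->pw_class). The debug() message on the failure path still reports only the user name; that is fine, but worth a second look now that the class is no longer derived from pw_class alone.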
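Review bot: the fallback macro in the openbsd-compat.h hunk expands its argument unparenthesized, "login_getclass(pw->pw_class)"; write it as "login_getclass((pw)->pw_class)" so it stays correct for any expression passed as pw. Separately, on a platform that has HAVE_LOGIN_CAP but lacks login_getpwclass, this fallback is the same pw_class-only lookup the auth.c hunk replaces, so the behaviour reported in the PR is unchanged there. A short comment next to the #define stating that limitation would make it visible to anyone relying on the fix.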