From fanf@dotat.at  Wed Apr 24 07:05:03 2002
Return-Path: <fanf@dotat.at>
Received: from hand.dotat.at (host217-39-18-221.in-addr.btopenworld.com [217.39.18.221])
	by hub.freebsd.org (Postfix) with ESMTP id 8678E37B405
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Apr 2002 07:05:02 -0700 (PDT)
Received: from fanf by hand.dotat.at with local (Exim 3.35 #1)
	id 170NNG-0004Ff-00
	for FreeBSD-gnats-submit@freebsd.org; Wed, 24 Apr 2002 14:03:58 +0000
Message-Id: <E170NNG-0004Ff-00@hand.dotat.at>
Date: Wed, 24 Apr 2002 14:03:58 +0000
From: Tony Finch <dot@dotat.at>
Reply-To: Tony Finch <dot@dotat.at>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] sshd doesn't set the root login class properly
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         37416
>Category:       bin
>Synopsis:       [PATCH] sshd doesn't set the root login class properly
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    fanf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 24 07:10:01 PDT 2002
>Closed-Date:    Thu Aug 01 10:30:25 PDT 2002
>Last-Modified:  Thu Aug 01 10:30:25 PDT 2002
>Originator:     Tony Finch
>Release:        FreeBSD 4.5-STABLE-20020312 i386
>Organization:
dotat labs
>Environment:
System: FreeBSD hand.dotat.at 4.5-STABLE-20020312 FreeBSD 4.5-STABLE-20020312 #19: Tue Mar 12 13:45:49 GMT 2002 fanf@hand.dotat.at:/FreeBSD/obj/FreeBSD/releng4/sys/SHARP i386
>Description:

sshd uses the "default" login class for users with uid=0 instead of
the "root" login class when setting up the user's session.

>How-To-Repeat:

I added a :umask=002: entry to the default login class and a :umask=022:
entry to the root login class in </etc/login.conf>. After this, if root
logs in via a getty on a virtual console or via telnet, the umask is
022 as expected, but if root logs in via ssh the umask is 002. However,
if root's password entry is changed to mention the root login class
explicitly, the umask is set to 022 when root logs in via ssh.

>Fix:

It isn't clear to me whether the bug is entirely in sshd or whether
some of the problem lies in libutil.

Only login_getpwclass does the special handling of uid=0 users. This
is a wart since none of the rest of the (low-level) API includes this
support. (setusercontext and setclasscontext inherit the behaviour.)
This wart appears to be the origin of the sshd bug: although sshd
calls setusercontext, setusercontext doesn't call getpwclass if
the login_cap_t argument has been initialized, and sshd initializes
it incorrectly. It turns out to be quite easy to fix sshd though :-)

(A general observation: there appear to be a number of incorrect
comments in the source for libutil which is rather irritating.)

--- session.c	3 Dec 2001 00:53:28 -0000	1.4.2.11
+++ session.c	24 Apr 2002 13:56:44 -0000
@@ -149,7 +149,7 @@
 		startup_pipe = -1;
 	}
 #ifdef HAVE_LOGIN_CAP
-	if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
+	if ((lc = login_getpwclass(authctxt->pw)) == NULL) {
 		error("unable to get login class");
 		return;
 	}
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: johan 
State-Changed-When: Thu May 2 18:25:12 PDT 2002 
State-Changed-Why:  
This has already been fixed in rev 1.19 in current. 
This is a MFC remined. 


Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: johan 
Responsible-Changed-When: Thu May 2 18:25:12 PDT 2002 
Responsible-Changed-Why:  
Over to green who made the commit to current. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37416 
State-Changed-From-To: patched->closed 
State-Changed-By: des 
State-Changed-When: Thu May 23 15:56:09 PDT 2002 
State-Changed-Why:  
MFCed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37416 
State-Changed-From-To: closed->open 
State-Changed-By: fanf 
State-Changed-When: Fri Jul 26 09:52:55 PDT 2002 
State-Changed-Why:  
This bug has returned with the introduction of openssh-3.4p1. 


Responsible-Changed-From-To: green->fanf 
Responsible-Changed-By: fanf 
Responsible-Changed-When: Fri Jul 26 09:52:55 PDT 2002 
Responsible-Changed-Why:  
I'm investigating this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37416 

From: Tony Finch <fanf@FreeBSD.org>
To: des@freebsd.org, freebsd-gnats-submit@freebsd.org
Cc: dot@dotat.at, green@FreeBSD.org
Subject: Re: bin/37416: [PATCH] sshd doesn't set the root login class properly
Date: Fri, 26 Jul 2002 23:08:47 +0100

 This re-fixes the login class handling in recent versions of sshd.
 Shall I commit?
 
 
 --- auth.c	3 Jul 2002 22:11:41 -0000	1.3.2.5
 +++ auth.c	26 Jul 2002 21:52:05 -0000
 @@ -24,6 +24,7 @@
  
  #include "includes.h"
  RCSID("$OpenBSD: auth.c,v 1.43 2002/05/17 14:27:55 millert Exp $");
 +RCSID("$FreeBSD$");
  
  #ifdef HAVE_LOGIN_H
  #include <login.h>
 @@ -479,7 +480,7 @@
  	if (pw == NULL || !allowed_user(pw))
  		return (NULL);
  #ifdef HAVE_LOGIN_CAP
 -	if ((lc = login_getclass(pw->pw_class)) == NULL) {
 +	if ((lc = login_getpwclass(pw)) == NULL) {
  		debug("unable to get login class: %s", user);
  		return (NULL);
  	}
 
 
 Tony.
 -- 
 f.a.n.finch <dot@dotat.at> http://dotat.at/
 WEST FORTIES CROMARTY FORTH TYNE DOGGER: VARIABLE BECOMING SOUTHERLY 3 OR 4,
 OCCASIONALLY 5 LATER. FAIR. GOOD BECOMING MODERATE OR POOR.

From: Dag-Erling Smorgrav <des@ofug.org>
To: Tony Finch <fanf@FreeBSD.org>
Cc: freebsd-gnats-submit@freebsd.org, dot@dotat.at, green@FreeBSD.org
Subject: Re: bin/37416: [PATCH] sshd doesn't set the root login class properly
Date: 27 Jul 2002 13:50:10 +0200

 Tony Finch <fanf@FreeBSD.org> writes:
 > This re-fixes the login class handling in recent versions of sshd.
 > Shall I commit?
 
 Yeah, thanks.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
State-Changed-From-To: open->patched 
State-Changed-By: fanf 
State-Changed-When: Sun Jul 28 17:36:46 PDT 2002 
State-Changed-Why:  
Fix committed to -CURRENT 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37416 
State-Changed-From-To: patched->closed 
State-Changed-By: fanf 
State-Changed-When: Thu Aug 1 10:30:03 PDT 2002 
State-Changed-Why:  
Fix MFCed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37416 
>Unformatted:
