[Bug 789] pam_setcred() not being called as root

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jan 16 12:53:56 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=789





------- Additional Comments From dtucker at zip.com.au  2004-01-16 12:53 -------
Short answer: Set UsePrivilegeSeparation=no or change the PAM module.

Long answer:
I can't find any reference to PAM modules being guaranteed to run as root in
either the Open Group PAM RFC [1] or the Linux PAM documentation [2], so an
alternative viewpoint could be that pam_group is making unwarranted assumptions
about its environment, doing unnecessary things and failing because of it :-)

Assume for a moment that the 2nd call to pam_setcred is required in some
configurations and that it needs the tty set (I'm guessing Kerberos, but the
line predates my involvement in the project, so perhaps someone could help me
out here?).  The ssh2 protocol allows the client to request a pty at any time,
and when privsep is on, the main daemon is already running as the user at that
point, as you found.  Changing this means disabling privsep, for which there's a
run-time option.

Also note that due to the wide variety of PAM implementations and modules out
there, non-trivial changes to fix breakage on one platform/configuration usually
result in breakage on another.

I took a look at the pam_group code, and changing it seems to be a 3-line patch:
http://www.zip.com.au/~dtucker/patches/linux-pam-0.77-pam_group_noreset.patch

[1] http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt
[2] http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/


