Another round of testing calls.

Ed Phillips ed at UDel.Edu
Fri Oct 26 06:31:11 EST 2001


On Thu, 25 Oct 2001, Darren Moffat wrote:

> Date: Thu, 25 Oct 2001 09:59:50 -0700 (PDT)
> From: Darren Moffat <Darren.Moffat at eng.sun.com>
> To: ed at UDel.Edu
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Another round of testing calls.
>
> >What is pam_setid?  Do you mean pam_setcred?  pam_setcred has always been
>
> yes I meant setcred.
>
> >a little fuzzy... the pam_setcred from pam_unix.so has changed function
> >between Sol2.6 and Sol7.  In 2.6, pam_sm_setcred did nothing and
> >initgroups() was called by login or other apps directly.  In Sol7,
> >pam_sm_setcred actually called initgroups() and the apps were made
> >to call pam_setcred with expectations of it calling initgroups().
>
> That is not correct.  The code for pam_sm_setcred in pam_unix hasn't
> actually changed between 2.6 and the current builds of the next release
> of Solaris.   Well, that isn't quite true: there were a few minor changes,
> but that was fixing a broken cast to remove a compiler warning and
> changing the wording of one of the messages that prints it out.
> I've just checked the code (and BTW this is one of my areas of Solaris
> responsibility).

Sorry... I was remembering from the wrong point of view.  When we
implemented our own pam_udel.so modules to stack on top of pam_unix.so,
the behavior of the applications changed such that our pam_sm_setcred() in
2.6 was doing nothing, and our pam_sm_setcred() in 7 and later HAD to call
initgroups() or certain applications would not get the proper set of
groups.  I'm having a hard time remembering why at the moment (and I'm
searching through the Sol8 FCS source but can't seem to locate the 2.6
source at the moment).  Do you recall way back in 2.6 when the
applications didn't all completely use PAM "correctly" and not very
consistently?  Anyway, we had to add a call to initgroups() in our
pam_sm_setcred() to get the correct set of groups in Sol7+ whereas we
didn't back in 2.6.  Also, we have a custom NSS back-end that might have
been a factor at some level (because initgroups() would look up groups in
our backend).

[Where the heck is the source to /usr/bin/login in the Sol8 source tree
anyway?]

On Solaris 8, the basic set of "applications" are:

in.telnetd	(which just runs login)
in.rlogind	(which just runs login)
in.rshd		(which does PAM calls but no pam_open_session() calls)
in.rexecd	(uses PAM now, but didn't in previous versions)
in.ftpd		(does full array of PAM calls + initgroups())
		Side note: in.ftpd sets PAM_TTY to "ftp%ld", filling in the
		pid - so it avoids falling prey to the bug in pam_unix.so
login		(does full array of PAM calls + initgroups() + session)
		Side note: login can actually set PAM_TTY to a real tty name ;-)
dtlogin		(we couldn't use dtlogin - we've always compiled our own xdm)

and of course, sshd. ;-)

> The last time that initgroups didn't happen in the application but
> happened in the module was 2.5.1 - when PAM was in prerelease state and
> not configurable or public.
>
> Having said all of that, what you were suggesting had happened is actually
> the correct way to go: initgroups probably should be called from the
> pam_unix pam_setcred and not the application, since your supplementary groups
> are your unix creds.  However we don't currently do that - if Solaris ever
> does get to that stage then OpenSSH should be updated to not do the
> initgroups calls if being built to run on that release of Solaris.

I agree.

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
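As an added example (not code from this thread, nor from Solaris or OpenSSH), a check for the symptom Ed describes: compute the supplementary-group list that initgroups() would install for a user from group(4)-style lines, then count how many of those gids are absent from the list a process actually ended up with. The group-file text, user names and gids below are constructed; on a real host, feed missing_groups() the result of getgroups(2) from the session process to see whether the application or pam_setcred actually did the initgroups() call.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
/* One group(4) line "name:passwd:gid:member,member" (ends at '\n' or NUL):
 * store its gid in *gid, return 1 if `user` appears in the member list. */
static int line_lists_user(const char *line, const char *user, gid_t *gid) {
    const char *end = strchr(line, '\n'), *f = line;
    if (!end) end = line + strlen(line);
    for (int i = 0; i < 3; i++) {          /* skip name and passwd, read gid */
        const char *c = memchr(f, ':', (size_t)(end - f));
        if (!c) return 0;                  /* malformed: fewer than 4 fields */
        if (i == 2) *gid = (gid_t)strtoul(f, NULL, 10);
        f = c + 1;
    }
    size_t n = strlen(user);
    while (f < end) {                      /* comma-separated member names */
        const char *c = memchr(f, ',', (size_t)(end - f));
        const char *m = c ? c : end;
        if ((size_t)(m - f) == n && memcmp(f, user, n) == 0) return 1;
        f = m + 1;
    }
    return 0;
}
/* The list initgroups(user, primary) installs: the primary gid plus every
 * group whose member list names the user. group_text is constructed
 * group(4)-format text. Returns the count, or -1 if out[] is too small. */
int expected_groups(const char *group_text, const char *user, gid_t primary,
                    gid_t *out, size_t max) {
    size_t n = 0;
    gid_t g = 0;
    if (max == 0) return -1;
    out[n++] = primary;
    for (const char *line = group_text; line && *line; ) {
        if (line_lists_user(line, user, &g) && g != primary) {
            if (n == max) return -1;
            out[n++] = g;
        }
        if ((line = strchr(line, '\n'))) line++;
    }
    return (int)n;
}
/* Count expected gids absent from have[] (fill have[] from getgroups(2) in
 * the session process; 0 means the supplementary groups are complete). */
int missing_groups(const gid_t *want, size_t nwant, const gid_t *have, size_t nhave) {
    int missing = 0;
    for (size_t i = 0, j; i < nwant; i++) {
        for (j = 0; j < nhave && have[j] != want[i]; j++) {}
        if (j == nhave) missing++;
    }
    return missing;
}
```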