OSF/1 or Tru64 patch for Privsep

Ben Lindstrom mouring at etoh.eviladmin.org
Mon Aug 12 08:37:50 EST 2002


Either this never made it to the list or no one cares about Tru64.  This
is the last time I'll send this patch to the list.  If no one steps up and
finishes it or provides me with enough information to fix any remaining
bugs (one being complaint that 'ssh site cmd' does not work right).

If there is no activity on this for a week.  I'll post it to bugzilla and
will ignore any request for me to fix Tru64.

I do thank everyone that has privately contributed help in regards to
testing and such.

This patch may apply to 3.4p1, but I'd prefer testing to be done on -cvs.

- Ben

diff -ur openssh-3.4p1/auth-sia.c openssh-3.4p1+/auth-sia.c
--- openssh-3.4p1/auth-sia.c	Fri Apr 12 11:36:08 2002
+++ openssh-3.4p1+/auth-sia.c	Mon Jul 22 23:34:37 2002
@@ -41,9 +41,11 @@
 #include <unistd.h>
 #include <string.h>

+/* import */
 extern ServerOptions options;
 extern int saved_argc;
 extern char **saved_argv;
+extern int use_privsep;

 extern int errno;

@@ -77,7 +79,7 @@
 }

 void
-session_setup_sia(char *user, char *tty)
+setup_sia(char *user, char *tty)
 {
 	struct passwd *pw;
 	SIAENTITY *ent = NULL;
@@ -86,9 +88,8 @@
 	host = get_canonical_hostname (options.verify_reverse_mapping);

 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
-	    NULL) != SIASUCCESS) {
+	    NULL) != SIASUCCESS)
 		fatal("sia_ses_init failed");
-	}

 	if ((pw = getpwnam(user)) == NULL) {
 		sia_ses_release(&ent);
@@ -100,25 +101,24 @@
 	}

 	ent->authtype = SIA_A_NONE;
-	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) {
+	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
 		fatal("Couldn't establish session for %s from %s", user,
 		    host);
-	}

 	if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
 		sia_ses_release(&ent);
 		fatal("setpriority: %s", strerror (errno));
 	}

-	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) {
+	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
 		fatal("Couldn't launch session for %s from %s", user, host);
-	}
-
+
 	sia_ses_release(&ent);

-	if (setreuid(geteuid(), geteuid()) < 0) {
-		fatal("setreuid: %s", strerror(errno));
+	/* XXX: Should this be be around a if (!use_privsep) ? */
+	if (!use_privsep) {
+		if (setreuid(geteuid(), geteuid()) < 0)
+			fatal("setreuid: %s", strerror(errno));
 	}
 }
-
 #endif /* HAVE_OSF_SIA */
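Review bot: The added `/* XXX: Should this be be around a if (!use_privsep) ? */` comment asks a question that the code directly below already answers, and it leaves the reason for skipping `setreuid` undocumented. With privsep this function is reached through `mm_answer_setup_sia` in monitor.c, so `setpriority`, `sia_ses_estab` and `sia_ses_launch` presumably act on the monitor process rather than on the session process, and every `fatal()` here ends the monitor. Whether the SIA session state then reaches the user's shell needs confirming on Tru64. Once that is verified, replace the XXX with a statement of intent such as `/* Under privsep this runs in the monitor, which must keep its privileges. */`. `setup_sia` begins above this hunk.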
diff -ur openssh-3.4p1/auth-sia.h openssh-3.4p1+/auth-sia.h
--- openssh-3.4p1/auth-sia.h	Fri Apr 12 11:36:08 2002
+++ openssh-3.4p1+/auth-sia.h	Sun Jul 21 22:53:14 2002
@@ -27,6 +27,6 @@
 #ifdef HAVE_OSF_SIA

 int	auth_sia_password(Authctxt *authctxt, char *pass);
-void	session_setup_sia(char *user, char *tty);
+void	setup_sia(char *user, char *tty);

 #endif /* HAVE_OSF_SIA */
diff -ur openssh-3.4p1/monitor.c openssh-3.4p1+/monitor.c
--- openssh-3.4p1/monitor.c	Wed Jun 26 09:27:11 2002
+++ openssh-3.4p1+/monitor.c	Sun Jul 21 22:53:14 2002
@@ -120,6 +120,10 @@
 int mm_answer_pam_start(int, Buffer *);
 #endif

+#ifdef HAVE_OSF_SIA
+int mm_answer_setup_sia(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */

@@ -176,6 +180,9 @@
     {MONITOR_REQ_PTY, 0, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef HAVE_OSF_SIA
+    {MONITOR_REQ_SETUP_SIA, 0, mm_answer_setup_sia},
+#endif
     {0, 0, NULL}
 };

@@ -206,6 +213,9 @@
     {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef HAVE_OSF_SIA
+    {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia},
+#endif
     {0, 0, NULL}
 };

@@ -307,10 +317,16 @@
 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef HAVE_OSF_SIA
+		monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1);
+#endif

 	} else {
 		mon_dispatch = mon_dispatch_postauth15;
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef HAVE_OSF_SIA
+		monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1);
+#endif
 	}
 	if (!no_pty_flag) {
 		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -717,6 +733,22 @@

 	return (authok != 0);
 }
+#endif
+
+#ifdef HAVE_OSF_SIA
+int
+mm_answer_setup_sia(int socket, Buffer *m)
+{
+	char *user, *tty;
+
+	user = buffer_get_string(m, NULL);
+	tty = buffer_get_string(m, NULL);
+
+	setup_sia(user, tty);
+
+	xfree(user);
+	xfree(tty);
+}
 #endif

 #ifdef USE_PAM
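Review bot: `mm_answer_setup_sia` is declared `int` but falls off the end without a `return`, so any caller that uses the result reads an indeterminate value; add `return (0);` after the `xfree` calls. The handler also passes `setup_sia` a user name taken from the message sent by the unprivileged child, so the privileged side sets up an SIA session for whatever account that process names. The monitor already holds the authenticated identity in its file-scope `authctxt`, so the call should use it, e.g. `setup_sia(authctxt->pw->pw_name, tty);`, or refuse a request whose `user` differs. The first post-auth dispatch-table hunk in this file registers `MONITOR_REQ_SETUP_SIA` with flags `0` while the second uses `MON_ONCE`, so in the first case the child can repeat the request; confirm that is intended.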
diff -ur openssh-3.4p1/monitor.h openssh-3.4p1+/monitor.h
--- openssh-3.4p1/monitor.h	Tue Jun 11 12:42:49 2002
+++ openssh-3.4p1+/monitor.h	Sun Jul 21 22:53:14 2002
@@ -50,6 +50,7 @@
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
 	MONITOR_REQ_PAM_START,
+	MONITOR_REQ_SETUP_SIA,
 	MONITOR_REQ_TERM
 };

diff -ur openssh-3.4p1/monitor_wrap.c openssh-3.4p1+/monitor_wrap.c
--- openssh-3.4p1/monitor_wrap.c	Thu Jun 20 20:43:43 2002
+++ openssh-3.4p1+/monitor_wrap.c	Sun Jul 21 22:53:14 2002
@@ -649,6 +649,24 @@
 	s->ttyfd = -1;
 }

+#ifdef HAVE_OSF_SIA
+void
+mm_setup_sia(char *name, char *tty)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, name);
+	buffer_put_cstring(&m, tty);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SETUP_SIA, &m);
+
+	buffer_free(&m);
+}
+#endif
+
 #ifdef USE_PAM
 void
 mm_start_pam(char *user)
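Review bot: `mm_setup_sia` passes `tty` to `buffer_put_cstring` unconditionally, but the call site in session.c passes `NULL` when `s->ttyfd == -1`, i.e. for a session without a pty. `buffer_put_cstring` is not shown here; if it takes the length of its argument, as the name suggests, a NULL `tty` would crash or abort the child, which may be the `ssh site cmd` failure mentioned in the description. Encode the absent tty explicitly, for example `buffer_put_cstring(&m, tty ? tty : "");`, and have `mm_answer_setup_sia` map the empty string back to `NULL` before it calls `setup_sia`. The wrapper also returns without waiting for any reply, so the child continues before the monitor has finished (or failed) the SIA setup.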
diff -ur openssh-3.4p1/monitor_wrap.h openssh-3.4p1+/monitor_wrap.h
--- openssh-3.4p1/monitor_wrap.h	Sun May 12 21:07:42 2002
+++ openssh-3.4p1+/monitor_wrap.h	Sun Jul 21 22:53:14 2002
@@ -59,6 +59,10 @@
 void mm_start_pam(char *);
 #endif

+#ifdef HAVE_OSF_SIA
+void mm_setup_sia(char *, char *);
+#endif
+
 void mm_terminate(void);
 int mm_pty_allocate(int *, int *, char *, int);
 void mm_session_pty_cleanup2(void *);
diff -ur openssh-3.4p1/session.c openssh-3.4p1+/session.c
--- openssh-3.4p1/session.c	Wed Jun 26 09:51:06 2002
+++ openssh-3.4p1+/session.c	Sun Jul 21 23:26:49 2002
@@ -57,6 +57,7 @@
 #include "canohost.h"
 #include "session.h"
 #include "monitor_wrap.h"
+#include "auth-sia.h"

 #ifdef HAVE_CYGWIN
 #include <windows.h>
@@ -1269,7 +1270,7 @@
 	 */
 	if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-		session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty);
+		PRIVSEP(setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty));
 		if (!check_quietlogin(s, command))
 			do_motd();
 #else /* HAVE_OSF_SIA */



