Privsep for osf/1 .. still need a bit of help

Ben Lindstrom mouring at etoh.eviladmin.org
Sat Jun 29 13:44:16 EST 2002 

This privsepifies OSF/1 SIA, but I'm still being told the same error
occurs.  I'm stumped.

Without an OSF/1 box near me I can't do too much more help unless someone
can either tell me what is wrong or show me why SIA is failing in their
logs.

(And tell me if it's different w/ or w/out this patch)

- Ben


Index: auth-sia.c
===================================================================
RCS file: /var/cvs/openssh/auth-sia.c,v
retrieving revision 1.7
diff -u -r1.7 auth-sia.c
--- auth-sia.c	12 Apr 2002 15:36:08 -0000	1.7
+++ auth-sia.c	29 Jun 2002 03:19:18 -0000
@@ -77,7 +77,7 @@
 }

 void
-session_setup_sia(char *user, char *tty)
+setup_sia(char *user, char *tty)
 {
 	struct passwd *pw;
 	SIAENTITY *ent = NULL;
@@ -86,9 +86,8 @@
 	host = get_canonical_hostname (options.verify_reverse_mapping);

 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
-	    NULL) != SIASUCCESS) {
+	    NULL) != SIASUCCESS)
 		fatal("sia_ses_init failed");
-	}

 	if ((pw = getpwnam(user)) == NULL) {
 		sia_ses_release(&ent);
@@ -100,25 +99,22 @@
 	}

 	ent->authtype = SIA_A_NONE;
-	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) {
+	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
 		fatal("Couldn't establish session for %s from %s", user,
 		    host);
-	}

 	if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
 		sia_ses_release(&ent);
 		fatal("setpriority: %s", strerror (errno));
 	}

-	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) {
+	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
 		fatal("Couldn't launch session for %s from %s", user, host);
-	}

 	sia_ses_release(&ent);

-	if (setreuid(geteuid(), geteuid()) < 0) {
+	/* XXX: Should this be be around a if (!use_privsep) ? */
+	if (setreuid(geteuid(), geteuid()) < 0)
 		fatal("setreuid: %s", strerror(errno));
-	}
 }
-
 #endif /* HAVE_OSF_SIA */
Index: auth-sia.h
===================================================================
RCS file: /var/cvs/openssh/auth-sia.h,v
retrieving revision 1.3
diff -u -r1.3 auth-sia.h
--- auth-sia.h	12 Apr 2002 15:36:08 -0000	1.3
+++ auth-sia.h	29 Jun 2002 03:19:18 -0000
@@ -27,6 +27,6 @@
 #ifdef HAVE_OSF_SIA

 int	auth_sia_password(Authctxt *authctxt, char *pass);
-void	session_setup_sia(char *user, char *tty);
+void	setup_sia(char *user, char *tty);

 #endif /* HAVE_OSF_SIA */
Index: monitor.c
===================================================================
RCS file: /var/cvs/openssh/monitor.c,v
retrieving revision 1.22
diff -u -r1.22 monitor.c
--- monitor.c	27 Jun 2002 00:12:58 -0000	1.22
+++ monitor.c	29 Jun 2002 03:19:27 -0000
@@ -120,6 +120,10 @@
 int mm_answer_pam_start(int, Buffer *);
 #endif

+#ifdef HAVE_OSF_SIA
+int mm_answer_setup_sia(int, Buffer *);
+#endif
+
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */

@@ -176,6 +180,9 @@
     {MONITOR_REQ_PTY, 0, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef HAVE_OSF_SIA
+    {MONITOR_REQ_SETUP_SIA, 0, mm_answer_setup_sia},
+#endif
     {0, 0, NULL}
 };

@@ -206,6 +213,9 @@
     {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef HAVE_OSF_SIA
+    {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia},
+#endif
     {0, 0, NULL}
 };

@@ -307,10 +317,16 @@
 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef HAVE_OSF_SIA
+		monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1);
+#endif

 	} else {
 		mon_dispatch = mon_dispatch_postauth15;
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef HAVE_OSF_SIA
+		monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1);
+#endif
 	}
 	if (!no_pty_flag) {
 		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -716,6 +732,22 @@
 	auth_method = "skey";

 	return (authok != 0);
+}
+#endif
+
+#ifdef HAVE_OSF_SIA
+int
+mm_answer_setup_sia(int socket, Buffer *m)
+{
+	char *user, *tty;
+
+	user = buffer_get_string(m, NULL);
+	tty = buffer_get_string(m, NULL);
+
+	setup_sia(user, tty);
+
+	xfree(user);
+	xfree(tty);
 }
 #endif

Index: monitor.h
===================================================================
RCS file: /var/cvs/openssh/monitor.h,v
retrieving revision 1.8
diff -u -r1.8 monitor.h
--- monitor.h	11 Jun 2002 16:42:49 -0000	1.8
+++ monitor.h	29 Jun 2002 03:19:27 -0000
@@ -50,6 +50,7 @@
 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
 	MONITOR_REQ_PAM_START,
+	MONITOR_REQ_SETUP_SIA,
 	MONITOR_REQ_TERM
 };

Index: monitor_wrap.c
===================================================================
RCS file: /var/cvs/openssh/monitor_wrap.c,v
retrieving revision 1.13
diff -u -r1.13 monitor_wrap.c
--- monitor_wrap.c	27 Jun 2002 00:23:03 -0000	1.13
+++ monitor_wrap.c	29 Jun 2002 03:19:30 -0000
@@ -649,6 +649,24 @@
 	s->ttyfd = -1;
 }

+#ifdef HAVE_OSF_SIA
+void
+mm_setup_sia(char *name, char *tty)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, name);
+	buffer_put_cstring(&m, tty);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SETUP_SIA, &m);
+
+	buffer_free(&m);
+}
+#endif
+
 #ifdef USE_PAM
 void
 mm_start_pam(char *user)
Index: monitor_wrap.h
===================================================================
RCS file: /var/cvs/openssh/monitor_wrap.h,v
retrieving revision 1.6
diff -u -r1.6 monitor_wrap.h
--- monitor_wrap.h	13 May 2002 01:07:42 -0000	1.6
+++ monitor_wrap.h	29 Jun 2002 03:19:30 -0000
@@ -59,6 +59,10 @@
 void mm_start_pam(char *);
 #endif

+#ifdef HAVE_OSF_SIA
+void mm_setup_sia(char *, char *);
+#endif
+
 void mm_terminate(void);
 int mm_pty_allocate(int *, int *, char *, int);
 void mm_session_pty_cleanup2(void *);
Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.208
diff -u -r1.208 session.c
--- session.c	26 Jun 2002 13:51:06 -0000	1.208
+++ session.c	29 Jun 2002 03:19:42 -0000
@@ -57,6 +57,7 @@
 #include "canohost.h"
 #include "session.h"
 #include "monitor_wrap.h"
+#include "auth-sia.h"

 #ifdef HAVE_CYGWIN
 #include <windows.h>
@@ -1269,7 +1270,7 @@
 	 */
 	if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-		session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty);
+		PRIVSEP(setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty));
 		if (!check_quietlogin(s, command))
 			do_motd();
 #else /* HAVE_OSF_SIA */

More information about the openssh-unix-dev mailing list