uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)

Toni L. Harbaugh-Blackford harbaugh at nciaxp.ncifcrf.gov
Thu Sep 5 01:43:43 EST 2002


What do we loose by not having post-auth privsep?

What code is executed between authorization and actual setting of the
effective uid?

On Tue, 3 Sep 2002, Chris Adams wrote:

  > Once upon a time, Toni L. Harbaugh-Blackford <harbaugh at nciaxp.ncifcrf.gov> said:
  > > It appears that the integration of the sia session setup will either
  > > have to be rethought or abandoned in order for privsep to work.
  > 
  > That was the conclusion I came to a while back.  I'd like to keep
  > pre-auth privsep (because that works fine and does help somewhat), but I
  > don't think it is possible to do post-auth privsep on Tru64, at least
  > when Enhanced Security or auditing are enabled (if they aren't, I think
  > you can still do "--disable-sia", although I haven't tried that in a
  > long time now).
  > 
  > I was hoping that Ben Lindstrom would prove me wrong (and I appologize
  > for not ever getting around to helping - I've got all fifty-some list
  > messages about Tru64 and privsep still saved, but work's been crazy, I
  > only have access to a Tru64 devel box at work, and this isn't a priority
  > to work with the other stuff going on).  When I last looked at it in
  > depth I hadn't really gotten a good handle on how privsep worked, so I
  > figured I was just missing something.
  > 

Where exactly *is* the privsep transition made?

At what point does the process that eventually runs do_child()
get its uid set to the real user?  Could the setup_sia() routine
be moved out of the do_child() function to an earlier phase before
the uid is changed?

It appears that if setup_sia() were to be moved out of do_child()
that would mean that no pty would be passed to the session unless
creation of the pty were moved out also.

But then again whether this is worth doing depends on what we loose if
we drop post-auth privsep.

  > I'd suggest the following patch against openssh-SNAP-20020826.  Most of
  > it is cleanup patch from a while back that I submitted too late for
  > 3.4p1 and didn't resend after that I guess.  The other defines
  > DISABLE_FD_PASSING when SIA is enabled, which effectively turns off
  > post-auth privsep.

So if DISABLE_FD_PASSING turns privsep off, does that mean that
session_setup_sia() will be run directly by do_child(), which
at that point will be effective uid 0?

  >  Note that I haven't been able to try it with the
  > latest snapshot, as I'm not at my devel box and I don't have the correct
  > version of autoconf installed at the moment (need the old one for some
  > other stuff I've got and haven't finagled them into working together
  > yet).
  >

I'll give the patch a try.

Thanks,
Toni

  > diff -urN openssh-SNAP-20020826/auth-sia.c openssh/auth-sia.c
  > --- openssh-SNAP-20020826/auth-sia.c	Fri Apr 12 10:36:08 2002
  > +++ openssh/auth-sia.c	Tue Sep  3 22:03:16 2002
  > @@ -45,27 +45,25 @@
  >  extern int saved_argc;
  >  extern char **saved_argv;
  >  
  > -extern int errno;
  > -
  >  int
  >  auth_sia_password(Authctxt *authctxt, char *pass)
  >  {
  >  	int ret;
  >  	SIAENTITY *ent = NULL;
  >  	const char *host;
  > -	char *user = authctxt->user;
  >  
  >  	host = get_canonical_hostname(options.verify_reverse_mapping);
  >  
  > -	if (!user || !pass || pass[0] == '\0')
  > +	if (!authctxt->user || !pass || pass[0] == '\0')
  >  		return(0);
  >  
  > -	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0,
  > -	    NULL) != SIASUCCESS)
  > +	if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
  > +	    NULL, 0, NULL) != SIASUCCESS)
  >  		return(0);
  >  
  >  	if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
  > -		error("Couldn't authenticate %s from %s", user, host);
  > +		error("Couldn't authenticate %s from %s", authctxt->user,
  > +		    host);
  >  		if (ret & SIASTOP)
  >  			sia_ses_release(&ent);
  >  		return(0);
  > @@ -77,48 +75,35 @@
  >  }
  >  
  >  void
  > -session_setup_sia(char *user, char *tty)
  > +session_setup_sia(struct passwd *pw, char *tty)
  >  {
  > -	struct passwd *pw;
  >  	SIAENTITY *ent = NULL;
  >  	const char *host;
  >  
  > -	host = get_canonical_hostname (options.verify_reverse_mapping);
  > +	host = get_canonical_hostname(options.verify_reverse_mapping);
  >  
  > -	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
  > -	    NULL) != SIASUCCESS) {
  > +	if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty,
  > +	    0, NULL) != SIASUCCESS)
  >  		fatal("sia_ses_init failed");
  > -	}
  >  
  > -	if ((pw = getpwnam(user)) == NULL) {
  > -		sia_ses_release(&ent);
  > -		fatal("getpwnam: no user: %s", user);
  > -	}
  >  	if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
  >  		sia_ses_release(&ent);
  >  		fatal("sia_make_entity_pwd failed");
  >  	}
  >  
  >  	ent->authtype = SIA_A_NONE;
  > -	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) {
  > -		fatal("Couldn't establish session for %s from %s", user,
  > -		    host);
  > -	}
  > -
  > -	if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
  > -		sia_ses_release(&ent);
  > -		fatal("setpriority: %s", strerror (errno));
  > -	}
  > +	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
  > +		fatal("Couldn't establish session for %s from %s",
  > +		    pw->pw_name, host);
  >  
  > -	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) {
  > -		fatal("Couldn't launch session for %s from %s", user, host);
  > -	}
  > +	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
  > +		fatal("Couldn't launch session for %s from %s", pw->pw_name,
  > +		    host);
  >  	
  >  	sia_ses_release(&ent);
  >  
  > -	if (setreuid(geteuid(), geteuid()) < 0) {
  > +	if (setreuid(geteuid(), geteuid()) < 0)
  >  		fatal("setreuid: %s", strerror(errno));
  > -	}
  >  }
  >  
  >  #endif /* HAVE_OSF_SIA */
  > diff -urN openssh-SNAP-20020826/auth-sia.h openssh/auth-sia.h
  > --- openssh-SNAP-20020826/auth-sia.h	Fri Apr 12 10:36:08 2002
  > +++ openssh/auth-sia.h	Tue Sep  3 22:03:16 2002
  > @@ -27,6 +27,6 @@
  >  #ifdef HAVE_OSF_SIA
  >  
  >  int	auth_sia_password(Authctxt *authctxt, char *pass);
  > -void	session_setup_sia(char *user, char *tty);
  > +void	session_setup_sia(struct passwd *pw, char *tty);
  >  
  >  #endif /* HAVE_OSF_SIA */
  > diff -urN openssh-SNAP-20020826/configure.ac openssh/configure.ac
  > --- openssh-SNAP-20020826/configure.ac	Tue Aug 13 20:52:11 2002
  > +++ openssh/configure.ac	Tue Sep  3 22:07:41 2002
  > @@ -314,6 +314,7 @@
  >  			AC_MSG_RESULT(yes)
  >  			AC_DEFINE(HAVE_OSF_SIA)
  >  			AC_DEFINE(DISABLE_LOGIN)
  > +			AC_DEFINE(DISABLE_FD_PASSING)
  >  			LIBS="$LIBS -lsecurity -ldb -lm -laud"
  >  		else
  >  			AC_MSG_RESULT(no)
  > diff -urN openssh-SNAP-20020826/session.c openssh/session.c
  > --- openssh-SNAP-20020826/session.c	Wed Jul 31 20:28:39 2002
  > +++ openssh/session.c	Tue Sep  3 22:03:16 2002
  > @@ -1280,7 +1280,7 @@
  >  	 */
  >  	if (!options.use_login) {
  >  #ifdef HAVE_OSF_SIA
  > -		session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty);
  > +		session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
  >  		if (!check_quietlogin(s, command))
  >  			do_motd();
  >  #else /* HAVE_OSF_SIA */
  > _______________________________________________
  > openssh-unix-dev at mindrot.org mailing list
  > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
  > 

-----------------------------------------------------------------------
Toni Harbaugh-Blackford                     harbaugh at nciaxp.ncifcrf.gov
AlphaServer 8400 System Administrator
SAIC/NCI Frederick Advanced Biomedical Computing Center





More information about the openssh-unix-dev mailing list