[PATCH] Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly.

Ed Maste emaste at FreeBSD.org
Tue Feb 16 06:10:00 AEDT 2021

From: Brian Feldman <green at FreeBSD.org>

>From FreeBSD 885a59f2e067 by Brian Feldman <green at FreeBSD.org>.

Details in FreeBSD PR 37416 https://bugs.freebsd.org/37416 - summary:

> sshd uses the "default" login class for users with uid=0 instead of
> the "root" login class when setting up the user's session.
> ...
> How-To-Repeat: 
> I added a :umask=002: entry to the default login class and a :umask=022:
> entry to the root login class in </etc/login.conf>. After this, if root
> logs in via a getty on a virtual console or via telnet, the umask is
> 022 as expected, but if root logs in via ssh the umask is 002. However,
> if root's password entry is changed to mention the root login class
> explicitly, the umask is set to 022 when root logs in via ssh.

Posted for discussion; if accepted I will see about adding autoconf goop,
if necessary (i.e. if some systems have login_getclass but not
 auth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth.c b/auth.c
index 9a5498b66..c8e1ed074 100644
--- a/auth.c
+++ b/auth.c
@@ -600,7 +600,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
 	if (!allowed_user(ssh, pw))
 		return (NULL);
-	if ((lc = login_getclass(pw->pw_class)) == NULL) {
+	if ((lc = login_getpwclass(pw)) == NULL) {
 		debug("unable to get login class: %s", user);
 		return (NULL);

More information about the openssh-unix-dev mailing list