HAVE_LOGIN_CAP & USE_PAM [Was: What is print_pam_messages() used for ?
Ralf Hack
ralf.hack at pipex.net
Fri Jan 16 18:25:55 EST 2004
Hi,
midnight emailing typo: Replace HAVE_SETPCRED with HAVE_LOGIN_CAP in
my previous email. HAVE_LOGIN_CAP does have an #else branch and it
does have USE_PAM _only_ in the #else branch. Sorry for the confusion.
Here is the snag I encounter:
>
>I have to agree.. I've found no chatter on bugzilla nor in the mailing
>archives here at home.
>
>Can we please repost what this is about?
Problem: pam_mkhomedir does not get called when logging in.
It is called as 'session' module in PAM.
Reason: I traced this down to do_setusercontext() which is
supposedly calling do_pam_session(). However, if HAVE_SETPCRED is set
then the precompiler will not compile do_pam_session() in.
I sent a patch a few weeks back which didn't make it far (yet).
System: FreeBSD 4.7, openssh as recent as latest snapshot.
Example below shows openssh-SNAP-20040109.tar.gz
**** FUNCTION IN QUESTION:

/* Set login name, uid, gid, and groups. */
void
do_setusercontext(struct passwd *pw)
{
#ifndef HAVE_CYGWIN
	if (getuid() == 0 || geteuid() == 0)
#endif /* HAVE_CYGWIN */
	{
#ifdef HAVE_SETPCRED
		if (setpcred(pw->pw_name, (char **)NULL) == -1)
			fatal("Failed to set process credentials");
#endif /* HAVE_SETPCRED */
#ifdef HAVE_LOGIN_CAP
# ifdef __bsdi__
		setpgid(0, 0);
# endif
		if (setusercontext(lc, pw, pw->pw_uid,
		    (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
			perror("unable to set user context");
			exit(1);
		}
#else
# if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
		/* Sets login uid for accounting */
		if (getluid() == -1 && setluid(pw->pw_uid) == -1)
			error("setluid: %s", strerror(errno));
# endif /* defined(HAVE_GETLUID) && defined(HAVE_SETLUID) */
		if (setlogin(pw->pw_name) < 0)
			error("setlogin failed: %s", strerror(errno));
		if (setgid(pw->pw_gid) < 0) {
			perror("setgid");
			exit(1);
		}
		/* Initialize the group list. */
		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
			perror("initgroups");
			exit(1);
		}
		endgrent();
# ifdef USE_PAM
		/*
		 * PAM credentials may take the form of supplementary groups.
		 * These will have been wiped by the above initgroups() call.
		 * Reestablish them here.
		 */
		if (options.use_pam) {
			do_pam_session();
			do_pam_setcred(0);
		}
# endif /* USE_PAM */
# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
		irix_setusercontext(pw);
# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
# ifdef _AIX
		aix_usrinfo(pw);
# endif /* _AIX */
		/* Permanently switch to the desired uid. */
		permanently_set_uid(pw);
#endif
	}
#ifdef HAVE_CYGWIN
	if (is_winnt)
#endif
	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
}
****** after running just the precompiler:

bash-2.05b$ gcc -E -g -O2 -Wall -Wpointer-arith -Wno-uninitialized \
    -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" \
    -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" \
    -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" \
    -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" \
    -D_PATH_SSH_PIDDIR=\"/var/run\" \
    -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" \
    -DSSH_RAND_HELPER=\"/usr/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -o \
    session.S -c session.c

******** the following is left (minus the empty lines):

do_setusercontext(struct passwd *pw)
{
	if (getuid() == 0 || geteuid() == 0)
	{
		if (setusercontext(lc, pw, pw->pw_uid,
		    (0x00ff & ~0x0004 )) < 0) {
			perror("unable to set user context");
			exit(1);
		}
# 1285 "session.c"
	}
	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
}
Obviously, on my configuration do_pam_session() does not get compiled
in. Hence, pam_mkhomedir or any other session module does not get
called.
I hope you find this helpful. The patch is a four-liner including the
do_pam_session() bit in the HAVE_LOGIN_CAP branch.
Ralf.
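Added example, not code from the post or from OpenSSH: a compilable stand-in that mirrors the #ifdef layout of the quoted do_setusercontext(), with constructed recorder stubs in place of setusercontext()/setlogin()/do_pam_session(), so the dropped PAM session hook under HAVE_LOGIN_CAP can be reproduced by running it and compared against a fixed layout. The exact four lines of Ralf's patch are not in the post, so placing a do_pam_session() call inside the HAVE_LOGIN_CAP branch is an assumption.

```c
/* Added example, not OpenSSH code: mirrors the #ifdef layout of the quoted
 * do_setusercontext() using constructed stand-ins for the system and PAM
 * calls. Both macros are defined to match the poster's FreeBSD build. */
#define HAVE_LOGIN_CAP 1
#define USE_PAM 1
/* Bits recorded by the stand-ins so a caller can see which steps ran. */
enum { RAN_SETUSERCONTEXT = 1, RAN_SETLOGIN = 2, RAN_PAM_SESSION = 4 };
static int ran;                       /* constructed call log */
static void stub_setusercontext(void) { ran |= RAN_SETUSERCONTEXT; }
static void stub_setlogin(void)       { ran |= RAN_SETLOGIN; }
static void stub_pam_session(void)    { ran |= RAN_PAM_SESSION; }
/* Layout as posted: the USE_PAM block lives only inside the #else, so with
 * HAVE_LOGIN_CAP defined the preprocessor drops it entirely. */
int setusercontext_as_posted(void)
{
	ran = 0;
#ifdef HAVE_LOGIN_CAP
	stub_setusercontext();
#else
	stub_setlogin();
# ifdef USE_PAM
	stub_pam_session();           /* never compiled in on this config */
# endif
#endif
	return ran;
}
/* Assumed shape of the fix the post describes: the PAM session hook is
 * also placed in the HAVE_LOGIN_CAP branch (exact patch not in the post). */
int setusercontext_fixed(void)
{
	ran = 0;
#ifdef HAVE_LOGIN_CAP
	stub_setusercontext();
# ifdef USE_PAM
	stub_pam_session();           /* assumed placement of the patch */
# endif
#else
	stub_setlogin();
# ifdef USE_PAM
	stub_pam_session();
# endif
#endif
	return ran;
}
int main(void)
{
	/* Exit status 0 only when the fixed layout actually runs the hook. */
	return (setusercontext_fixed() & RAN_PAM_SESSION) ? 0 : 1;
}
```

Rebuilding with -UHAVE_LOGIN_CAP on the as-posted layout brings the hook back, which is the same observation the gcc -E output above makes for session.c.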