Mailing List Archive

[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926


dtucker@zip.com.au changed:

What                        |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis    |1155                        |




------- Comment #22 from dtucker@zip.com.au 2006-08-20 15:58 -------
(In reply to comment #21)
> The patch causes a regression with pam_krb5 module.
> See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201341

Thanks for giving it a spin in Fedora. Does this particular problem
also occur with PrivSep=no?

> As I said above I think that the only correct solution which would
> solve all cases (privsep yes/no, root/regular user) would be to add
> another fork before the setuid calls and shell process exec.

Would there be any downside to setting KRB5CCNAME in the parent too?

(since it causes a regression, I'm taking this bug out of the list for
4.4 pending further work.)




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926





------- Comment #21 from t8m@centrum.cz 2006-08-05 01:18 -------
The patch causes a regression with pam_krb5 module.

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201341

As I said above I think that the only correct solution which would
solve all cases (privsep yes/no, root/regular user) would be to add
another fork before the setuid calls and shell process exec.

login does this:
1. call pam_open_session
2. fork
3. parent waits for child, child impersonates user, execs shell
4. when child exits, parent calls pam_close_session




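The four-step login sequence listed in comment #21, as an added C example (not code from OpenSSH, login, or anyone in this thread). `run_session` and `struct session_log` are hypothetical names, and `open_hook`/`close_hook` are constructed stand-ins for pam_open_session/pam_close_session that only record the effective uid each call ran as.

```c
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins for pam_open_session()/pam_close_session():
 * they only record the effective uid each call ran as. */
struct session_log { uid_t open_euid, close_euid; int closed; };
static int open_hook(struct session_log *s) { s->open_euid = geteuid(); return 0; }
static int close_hook(struct session_log *s) { s->close_euid = geteuid(); s->closed++; return 0; }

/* Hypothetical helper following steps 1-4. Returns the child's exit status
 * (128 + signal number if it was killed), or -1 on error. */
int run_session(struct session_log *s, uid_t uid, gid_t gid, char *const argv[])
{
    int status = 0;
    pid_t pid, w = -1;

    if (open_hook(s) != 0)                    /* 1. open the session */
        return -1;
    pid = fork();                             /* 2. fork */
    if (pid == 0) {
        /* 3. child: supplementary groups, then gid, then uid. Only root
         * may call setgroups(), so skip it when already unprivileged. */
        if (geteuid() == 0 && setgroups(1, &gid) != 0)
            _exit(126);
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        if (uid != 0 && setuid(0) == 0)       /* root must be unrecoverable */
            _exit(126);
        execv(argv[0], argv);
        _exit(127);                           /* exec failed */
    }
    /* 3. parent: wait for the child, retrying if a signal interrupts. */
    while (pid > 0 && (w = waitpid(pid, &status, 0)) == -1 && errno == EINTR)
        ;
    /* 4. the parent never changed identity, so the close runs as the same
     * user as the open; it also runs when fork or wait failed. */
    if (close_hook(s) != 0 || pid < 0 || w != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

int main(void)
{
    struct session_log s = {0};
    char *argv[] = { "/bin/sh", "-c", "exit 7", NULL };   /* constructed command */
    return run_session(&s, getuid(), getgid(), argv) == 7 ? 0 : 1;
}
```
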
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926





------- Comment #23 from t8m@centrum.cz 2006-08-23 22:03 -------
(In reply to comment #22)
> (In reply to comment #21)
> > The patch causes a regression with pam_krb5 module.
> > See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201341
>
> Thanks for giving it a spin in Fedora. Does this particular problem
> also occur with PrivSep=no?

I don't think that this occurs with privsep disabled.

> > As I said above I think that the only correct solution which would
> > solve all cases (privsep yes/no, root/regular user) would be to add
> > another fork before the setuid calls and shell process exec.
>
> Would there be any downside to setting KRB5CCNAME in the parent too?

I don't know of any; however, note that with privsep disabled or when
called as root the pam_session_close still won't be called correctly.



