
[PATCH] Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly.
From: Brian Feldman <green@FreeBSD.org>

From FreeBSD 885a59f2e067 by Brian Feldman <green@FreeBSD.org>.

Details in FreeBSD PR 37416 https://bugs.freebsd.org/37416 - summary:

> sshd uses the "default" login class for users with uid=0 instead of
> the "root" login class when setting up the user's session.
> ...
> How-To-Repeat:
> I added a :umask=002: entry to the default login class and a :umask=022:
> entry to the root login class in </etc/login.conf>. After this, if root
> logs in via a getty on a virtual console or via telnet, the umask is
> 022 as expected, but if root logs in via ssh the umask is 002. However,
> if root's password entry is changed to mention the root login class
> explicitly, the umask is set to 022 when root logs in via ssh.

Posted for discussion; if accepted I will see about adding autoconf goop,
if necessary (i.e. if some systems have login_getclass but not
login_getpwclass).
---
auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth.c b/auth.c
index 9a5498b66..c8e1ed074 100644
--- a/auth.c
+++ b/auth.c
@@ -600,7 +600,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
if (!allowed_user(ssh, pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ if ((lc = login_getpwclass(pw)) == NULL) {
debug("unable to get login class: %s", user);
return (NULL);
}
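Review bot: the new call is guarded only by HAVE_LOGIN_CAP, so a platform that has login.conf support but no login_getpwclass() (exactly the case the cover text anticipates) would fail to build at this line; an AC_CHECK_FUNCS entry for login_getpwclass with a fallback to login_getclass(pw->pw_class) should go in with this change rather than be deferred. The unchanged debug() on the following line still reports only the user name; logging pw->pw_class (or that it was empty) as well would make the root-vs-default misclassification described in the PR visible in the debug output.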
--
2.30.0

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: [PATCH] Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly.
On Mon, 15 Feb 2021, Ed Maste wrote:

> From: Brian Feldman <green@FreeBSD.org>
>
> From FreeBSD 885a59f2e067 by Brian Feldman <green@FreeBSD.org>.
>
> Details in FreeBSD PR 37416 https://bugs.freebsd.org/37416 - summary:
>
> > sshd uses the "default" login class for users with uid=0 instead of
> > the "root" login class when setting up the user's session.
> > ...
> > How-To-Repeat:
> > I added a :umask=002: entry to the default login class and a :umask=022:
> > entry to the root login class in </etc/login.conf>. After this, if root
> > logs in via a getty on a virtual console or via telnet, the umask is
> > 022 as expected, but if root logs in via ssh the umask is 002. However,
> > if root's password entry is changed to mention the root login class
> > explicitly, the umask is set to 022 when root logs in via ssh.
>
> Posted for discussion; if accepted I will see about adding autoconf goop,
> if necessary (i.e. if some systems have login_getclass but not
> login_getpwclass).

I think we could do something like this:

diff --git a/auth.c b/auth.c
index 2b77abca..a0e3cd6f 100644
--- a/auth.c
+++ b/auth.c
@@ -604,7 +604,7 @@ getpwnamallow(struct ssh *ssh, const char *user)
if (!allowed_user(ssh, pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
+ if ((lc = login_getpwclass(pw)) == NULL) {
debug("unable to get login class: %s", user);
return (NULL);
}
diff --git a/configure.ac b/configure.ac
index 63c239e0..6b75cf97 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1841,6 +1841,7 @@ AC_CHECK_FUNCS([ \
llabs \
localtime_r \
login_getcapbool \
+ login_getpwclass \
md5_crypt \
memmem \
memmove \
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 50bac587..542ae58d 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -48,6 +48,10 @@
#include "blf.h"
#include "fnmatch.h"

+#if defined(HAVE_LOGIN_CAP) && !defined(HAVE_LOGIN_GETPWCLASS)
+# define login_getpwclass(pw) login_getclass(pw->pw_class)
+#endif
+
#ifndef HAVE_BASENAME
char *basename(const char *path);
#endif
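Review bot: the fallback macro's argument is not parenthesized; write `# define login_getpwclass(pw) login_getclass((pw)->pw_class)` so that an expression argument expands correctly, as the other compat wrappers do. A short comment above the #if would also help: on platforms that take this branch the pre-patch behaviour is preserved, so a uid 0 account with an empty pw_class still resolves to the "default" class rather than "root", which is the case the PR describes, and the fix only takes effect where HAVE_LOGIN_GETPWCLASS is detected.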
Re: [PATCH] Use login_getpwclass() instead of login_getclass() so that the root vs. default login class distinction is made correctly.
On Wed, 17 Feb 2021 at 19:10, Damien Miller <djm@mindrot.org> wrote:
>
> On Mon, 15 Feb 2021, Ed Maste wrote:
>
> > From: Brian Feldman <green@FreeBSD.org>
> >
> > From FreeBSD 885a59f2e067 by Brian Feldman <green@FreeBSD.org>.
> >
> > Details in FreeBSD PR 37416 https://bugs.freebsd.org/37416 - summary:
> >
> > > sshd uses the "default" login class for users with uid=0 instead of
> > > the "root" login class when setting up the user's session.
> > > ...
> diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
> index 50bac587..542ae58d 100644
> --- a/openbsd-compat/openbsd-compat.h
> +++ b/openbsd-compat/openbsd-compat.h
> @@ -48,6 +48,10 @@
> #include "blf.h"
> #include "fnmatch.h"
>
> +#if defined(HAVE_LOGIN_CAP) && !defined(HAVE_LOGIN_GETPWCLASS)
> +# define login_getpwclass(pw) login_getclass(pw->pw_class)
> +#endif
> +
> #ifndef HAVE_BASENAME
> char *basename(const char *path);
> #endif

LGTM

Not sure if you want to move the openbsd-compat.h hunk to follow
HAVE_GETCWD, keeping them in alphabeticalish order?