Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
Damien Miller wrote: > Dag-Erling Smorgrav wrote: > > Markus Friedl writes: > > >but shouldn't it do something like > > >seteuid(getuid()); > > >setuid(getuid()); > > >executing ssh-agent? > > > > It should. It currently uses popen(3), which doesn't. It needs > > popen(3)-like functionality because it reads ssh-agent's output in > > order to set $SSH_AGENT_PID and $SSH_AUTH_SOCK. Rewriting it to use > > pipe(2) + fork(2) + execve(2) so it can frob the UID after forking but > > before exec'ing is possible and desirable but not trivial. I'll see > > what I can do later this week. > > There is code in sftp.c::connect_to_server() which does something close > to this (pipe+fork+exec w/ args), adding uid frobbage should be easy. > Though it doesn't do all the signal handling of popen()... This is such a common case, it seems to me that it should use common code. See attached patch, which adds an "supopen(3)" to libc. The man page addition to popen(3) is left as an exercise for someone who cares... -- Terry Index: lib/libc/gen/popen.c === RCS file: /cvs/src/lib/libc/gen/popen.c,v retrieving revision 1.16 diff -c -r1.16 popen.c *** lib/libc/gen/popen.c1 Feb 2002 01:08:48 - 1.16 --- lib/libc/gen/popen.c7 Nov 2002 19:03:34 - *** *** 65,70 --- 65,81 popen(command, type) const char *command, *type; { + return( supopen( command, type, 0, 0, 0); + } + + + FILE * + supopen(command, type, set, uid, gid) + const char *command, *type; + int set; + uid_t uid; + gid_t uid; + { struct pid *cur; FILE *iop; int pdes[2], pid, twoway; *** *** 105,110 --- 116,127 return (NULL); /* NOTREACHED */ case 0: /* Child. 
*/ + if (set) { + setegid( gid); + setgid( gid); + seteuid( uid); + setuid( uid); + } if (*type == 'r') { /* * The _dup2() to STDIN_FILENO is repeated to avoid Index: include/stdio.h === RCS file: /cvs/src/include/stdio.h,v retrieving revision 1.50 diff -c -r1.50 stdio.h *** include/stdio.h 14 Oct 2002 11:18:21 - 1.50 --- include/stdio.h 7 Nov 2002 18:55:49 - *** *** 286,291 --- 286,294 #if __POSIX_VISIBLE >= 199209 intpclose(FILE *); FILE *popen(const char *, const char *); + #if !defined(_ANSI_SOURCE) && !defined(_POSIX_SOURCE) + FILE *supopen(const char *, const char *, int, uid_t, gid_t); + #endif #endif #if __POSIX_VISIBLE >= 199506
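Review bot: the first popen.c hunk does not compile as posted. In the K&R parameter list of supopen() the last declaration reads `gid_t uid;`, so `gid` is never declared and `uid` is declared twice; it should be `gid_t gid;`. The wrapper body `return( supopen( command, type, 0, 0, 0);` is also missing its closing parenthesis; `return (supopen(command, type, 0, 0, 0));` matches the style of the rest of the file. Please build the patch before resubmitting.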
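Review bot: in the child branch of the second popen.c hunk, the return values of setegid(), setgid(), seteuid() and setuid() are ignored, so if any of them fails the command is exec'd with the caller's privileges intact, which is exactly the failure this helper exists to prevent; check each call and `_exit(127)` on error. The order is fragile too: calling seteuid(uid) first gives up the effective root that the following setuid(uid) needs to change the real and saved ids as well. FreeBSD accepts it because the target matches the effective uid, but on Linux, for instance, the later setuid(uid) fails with EPERM and the real uid stays 0, which is the very problem this thread is about. Dropping the group with setgid(gid) and then calling setuid(uid) once, while still euid 0, sets all three ids portably. Supplementary groups are also left untouched; setgroups(2) belongs in the same block.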
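Review bot: the stdio.h hunk guards the new prototype with `!defined(_ANSI_SOURCE) && !defined(_POSIX_SOURCE)`, while the surrounding block already uses the `__POSIX_VISIBLE` feature-test macros (the context lines show `#if __POSIX_VISIBLE >= 199209` and `>= 199506`); a BSD extension should sit under `#if __BSD_VISIBLE`. The prototype also uses `uid_t` and `gid_t`, which stdio.h does not declare, so the header needs the same `sys/_types.h` typedef treatment it gives its other types. And since this adds a public libc symbol, the popen(3) manpage update is part of the patch, not an exercise for later.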
Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
Dag-Erling Smorgrav wrote:
> Markus Friedl writes:
> > but shouldn't it do something like
> > seteuid(getuid());
> > setuid(getuid());
> > executing ssh-agent?
>
> It should. It currently uses popen(3), which doesn't. It needs
> popen(3)-like functionality because it reads ssh-agent's output in
> order to set $SSH_AGENT_PID and $SSH_AUTH_SOCK. Rewriting it to use
> pipe(2) + fork(2) + execve(2) so it can frob the UID after forking but
> before exec'ing is possible and desirable but not trivial. I'll see
> what I can do later this week.

There is code in sftp.c::connect_to_server() which does something close
to this (pipe+fork+exec w/ args), adding uid frobbage should be easy.
Though it doesn't do all the signal handling of popen()...

-d

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
Markus Friedl <[EMAIL PROTECTED]> writes:
> but shouldn't it do something like
> seteuid(getuid());
> setuid(getuid());
> executing ssh-agent?

It should. It currently uses popen(3), which doesn't. It needs
popen(3)-like functionality because it reads ssh-agent's output in
order to set $SSH_AGENT_PID and $SSH_AUTH_SOCK. Rewriting it to use
pipe(2) + fork(2) + execve(2) so it can frob the UID after forking but
before exec'ing is possible and desirable but not trivial. I'll see
what I can do later this week.

In any case, this doesn't seem to be an OpenSSH bug.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
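The pipe(2) + fork(2) + exec sequence Dag-Erling describes, with the UID changed in the child before exec, is the "home-grown privilege-dropping popen()" he suggests for pam_ssh later in the thread. The following is an added example, not code from this thread, from pam_ssh or from OpenSSH: the child drops the group, then all three user ids with a single setuid(2) call, checks every return, and only then execs; the parent reads the agent's output and a second function parses the sh-style SSH_AUTH_SOCK/SSH_AGENT_PID lines pam_ssh needs. The function names, the struct and the /bin/sh command that stands in for ssh-agent are my own constructions.

```c
/* Added example (not code from this thread, pam_ssh or OpenSSH): a popen(3)-style
 * helper that changes gid and uid in the child *before* exec and collects the
 * child's stdout, plus a parser for the sh-style lines ssh-agent prints. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct agent_env { char sock[256]; pid_t pid; };

/* Run argv[0] with stdout collected into buf (NUL-terminated; output beyond
 * buflen-1 bytes is drained and discarded). The child drops the group first,
 * then real, effective and saved uid with one setuid(2) call while it is still
 * privileged, and refuses to exec if any id is left wrong.
 * Returns the child's exit status (0..255), or -1 with errno set. */
int priv_popen_read(char *const argv[], uid_t uid, gid_t gid,
                    char *buf, size_t buflen)
{
    int pdes[2], status;
    pid_t pid;
    size_t used = 0;

    if (buflen == 0) { errno = EINVAL; return -1; }
    if (pipe(pdes) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        int saved = errno;
        close(pdes[0]); close(pdes[1]);
        errno = saved;
        return -1;
    }
    if (pid == 0) {                                 /* child */
        close(pdes[0]);
        if (pdes[1] != STDOUT_FILENO) {
            if (dup2(pdes[1], STDOUT_FILENO) == -1) _exit(127);
            close(pdes[1]);
        }
        /* Checked, unlike bare calls in a popen() wrapper: a failed drop
         * must never fall through to exec with the caller's privileges. */
        if (setgid(gid) == -1 || setuid(uid) == -1) _exit(127);
        if (getuid() != uid || geteuid() != uid || getgid() != gid) _exit(127);
        execv(argv[0], argv);
        _exit(127);
    }
    close(pdes[1]);                                 /* parent */
    for (;;) {
        char scratch[256];
        int room = used < buflen - 1;
        ssize_t n = read(pdes[0], room ? buf + used : scratch,
                         room ? buflen - 1 - used : sizeof scratch);
        if (n == -1) { if (errno == EINTR) continue; break; }
        if (n == 0) break;
        if (room) used += (size_t)n;
    }
    buf[used] = '\0';
    close(pdes[0]);
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Pull SSH_AUTH_SOCK and SSH_AGENT_PID out of ssh-agent's Bourne-shell output
 * ("SSH_AUTH_SOCK=/path; export SSH_AUTH_SOCK;" etc.), the two values pam_ssh
 * needs to put into the session environment. Returns 1 if both were found. */
int parse_agent_output(const char *text, struct agent_env *env)
{
    int have_sock = 0, have_pid = 0;
    long pid;
    for (const char *p = text; *p != '\0'; ) {
        const char *eol = strchr(p, '\n');
        if (sscanf(p, "SSH_AUTH_SOCK=%255[^;\n];", env->sock) == 1)
            have_sock = 1;
        else if (sscanf(p, "SSH_AGENT_PID=%ld;", &pid) == 1 && pid > 0) {
            env->pid = (pid_t)pid;
            have_pid = 1;
        }
        if (eol == NULL) break;
        p = eol + 1;
    }
    return have_sock && have_pid;
}

/* Constructed stand-in for ssh-agent: a shell that prints two lines in its
 * output format. Run unprivileged, the ids passed are the caller's own, so
 * the drop is a no-op that must nevertheless succeed. Returns 0 on success. */
int demo_start_agent(struct agent_env *env)
{
    char out[512];
    char *const argv[] = { "/bin/sh", "-c",
        "echo 'SSH_AUTH_SOCK=/tmp/ssh-demo/agent.4242; export SSH_AUTH_SOCK;'; "
        "echo 'SSH_AGENT_PID=4243; export SSH_AGENT_PID;'", NULL };
    if (priv_popen_read(argv, getuid(), getgid(), out, sizeof out) != 0)
        return -1;
    return parse_agent_output(out, env) ? 0 : -1;
}
```

Calling demo_start_agent() from a main() and printing env.sock and env.pid shows the two values the parser recovers. Two deliberate differences from the libc popen() this thread discusses: the ids are changed with setgid()/setuid() while the child is still root, so the real and saved uid go with the effective one, and every call is checked so that a failed drop ends in _exit(127) rather than an exec. Supplementary groups are not touched here; a real pam_ssh helper would add setgroups(2) or initgroups(3) in the same block.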
Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
On Tue, Nov 05, 2002 at 03:01:02PM +0100, Dag-Erling Smorgrav wrote:
> Markus Friedl <[EMAIL PROTECTED]> writes:
> > yes, geteuid() could work, too, but why is ssh-agent running
> > with a privileged user id? shouldn't both the real and
> > effective user id be the uid of the user?
>
> ssh-agent is started by pam_ssh which is run under xdm's uid (i.e. 0).
> It switches to the user's egid and euid before starting ssh-agent.

but shouldn't it do something like
seteuid(getuid());
setuid(getuid());
executing ssh-agent?

> FreeBSD's execve() does not change the real user id (I don't think
> POSIX allows it) so ssh-agent has real user-id 0. It should do
> setuid(geteuid()) early on to guard against this. Alternatively,
> pam_ssh could use a home-grown privilege-dropping popen() instead of
> libc's popen() to start ssh-agent.
>
> DES
> --
> Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
Markus Friedl <[EMAIL PROTECTED]> writes:
> yes, geteuid() could work, too, but why is ssh-agent running
> with a privileged user id? shouldn't both the real and
> effective user id be the uid of the user?

ssh-agent is started by pam_ssh which is run under xdm's uid (i.e. 0).
It switches to the user's egid and euid before starting ssh-agent.

FreeBSD's execve() does not change the real user id (I don't think
POSIX allows it) so ssh-agent has real user-id 0. It should do
setuid(geteuid()) early on to guard against this. Alternatively,
pam_ssh could use a home-grown privilege-dropping popen() instead of
libc's popen() to start ssh-agent.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
On Mon, 04 Nov 2002 12:11:40 +0100
Dag-Erling Smorgrav <[EMAIL PROTECTED]> wrote:

> Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes:
> > There seems to be a bug in our pam_ssh(8). It switches to user
> > privileges when reading the user's keys, but switches back before
> > starting the agent, instead of after.
>
> Umm, wait, that was too easy. It doesn't. I got the start_agent and
> !start_agent cases mixed up. Alexander, could you check what UID
> ssh-agent runs as (ps auxw | grep agent)? What version of XFree86 do

It runs with my UID:
---snip---
(5) netchild@ttyp2 % ps auxww |grep \[s\]sh-agent
netchild 757 0.0 0.2 1976 1188 ?? Is 9:00am 0:00.01 ssh-agent
---snip---

> you run, and did you compile it yourself or did you install binaries?

Myself.

> How long ago did you install it? What does 'ldd /usr/X11R6/bin/xdm'

Oct 25.

> say? If it's pretty old, it might still be using Linux-PAM and an old

No, it uses our PAM:
---snip---
libpam.so.2 => /usr/lib/libpam.so.2 (0x281eb000)
(6) netchild@ttyp0 % ll /usr/lib/libpam.*
-r--r--r-- 1 root wheel 127K 3 Nov 20:04 /usr/lib/libpam.a
lrwxr-xr-x 1 root wheel  11B 3 Nov 20:04 /usr/lib/libpam.so@ -> libpam.so.2
-r--r--r-- 1 root wheel  25K 3 Nov 20:04 /usr/lib/libpam.so.2
---snip---

> non-credential-dropping pam_ssh(8).

Bye,
Alexander.

--
Press every key to continue.

http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes:
> There seems to be a bug in our pam_ssh(8). It switches to user
> privileges when reading the user's keys, but switches back before
> starting the agent, instead of after.

Umm, wait, that was too easy. It doesn't. I got the start_agent and
!start_agent cases mixed up. Alexander, could you check what UID
ssh-agent runs as (ps auxw | grep agent)? What version of XFree86 do
you run, and did you compile it yourself or did you install binaries?
How long ago did you install it? What does 'ldd /usr/X11R6/bin/xdm'
say? If it's pretty old, it might still be using Linux-PAM and an old
non-credential-dropping pam_ssh(8).

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
Markus Friedl <[EMAIL PROTECTED]> writes:
> yes, geteuid() could work, too, but why is ssh-agent running
> with a privileged user id? shouldn't both the real and
> effective user id be the uid of the user?

There seems to be a bug in our pam_ssh(8). It switches to user
privileges when reading the user's keys, but switches back before
starting the agent, instead of after.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
yes, geteuid() could work, too, but why is ssh-agent running
with a privileged user id? shouldn't both the real and
effective user id be the uid of the user?

On Sun, Nov 03, 2002 at 08:49:02PM +0100, Alexander Leidinger wrote:
> Hi,
>
> [Markus: this is on FreeBSD-current with
> $OpenBSD: ssh-agent.c,v 1.105 2002/10/01 20:34:12 markus Exp $]
>
> I use pam_ssh in pam.d/xdm and after an update to today's -current, it
> doesn't add my key anymore. In /var/log/messages I see the following if
> I try a "ssh-add -l":
> ---snip---
> ssh-agent[6438]: error: uid mismatch: peer euid 1000 != uid 0
> ---snip---
>
> ssh-agent.c:after_select() contains:
> ---snip---
> if ((euid != 0) && (getuid() != euid)) {
>         error("uid mismatch: "
>             "peer euid %u != uid %u",
>             (u_int) euid, (u_int) getuid());
>         close(sock);
>         break;
> }
> ---snip---
>
> As ssh-agent gets started from pam_ssh in xdm (which runs as root ->
> getuid() = 0, geteuid() = 1000), it is obvious why it doesn't work.
>
> At the moment I have this piece of code commented out, but I think this
> should get changed to use geteuid() instead of getuid(). Or did I
> misunderstand the idea behind the above code?
>
> Bye,
> Alexander.
>
> --
> Loose bits sink chips.
>
> http://www.Leidinger.net Alexander @ Leidinger.net
> GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)
Hi,

[Markus: this is on FreeBSD-current with
$OpenBSD: ssh-agent.c,v 1.105 2002/10/01 20:34:12 markus Exp $]

I use pam_ssh in pam.d/xdm and after an update to today's -current, it
doesn't add my key anymore. In /var/log/messages I see the following if
I try a "ssh-add -l":
---snip---
ssh-agent[6438]: error: uid mismatch: peer euid 1000 != uid 0
---snip---

ssh-agent.c:after_select() contains:
---snip---
if ((euid != 0) && (getuid() != euid)) {
        error("uid mismatch: "
            "peer euid %u != uid %u",
            (u_int) euid, (u_int) getuid());
        close(sock);
        break;
}
---snip---

As ssh-agent gets started from pam_ssh in xdm (which runs as root ->
getuid() = 0, geteuid() = 1000), it is obvious why it doesn't work.

At the moment I have this piece of code commented out, but I think this
should get changed to use geteuid() instead of getuid(). Or did I
misunderstand the idea behind the above code?

Bye,
Alexander.

--
Loose bits sink chips.

http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7