Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)

2002-11-07 Thread Damien Miller
Dag-Erling Smorgrav wrote:
> Markus Friedl writes:
> > but shouldn't it do something like
> > seteuid(getuid());
> > setuid(getuid());
> > executing ssh-agent?
>
> It should.  It currently uses popen(3), which doesn't.  It needs
> popen(3)-like functionality because it reads ssh-agent's output in
> order to set $SSH_AGENT_PID and $SSH_AUTH_SOCK.  Rewriting it to use
> pipe(2) + fork(2) + execve(2) so it can frob the UID after forking but
> before exec'ing is possible and desirable but not trivial.  I'll see
> what I can do later this week.


There is code in sftp.c::connect_to_server() which does something close 
to this (pipe+fork+exec w/ args), adding uid frobbage should be easy. 
Though it doesn't do all the signal handling of popen()...

-d


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-current in the body of the message


Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)

2002-11-07 Thread Terry Lambert
Damien Miller wrote:
> Dag-Erling Smorgrav wrote:
> > Markus Friedl writes:
> > > but shouldn't it do something like
> > > seteuid(getuid());
> > > setuid(getuid());
> > > executing ssh-agent?
> >
> > It should.  It currently uses popen(3), which doesn't.  It needs
> > popen(3)-like functionality because it reads ssh-agent's output in
> > order to set $SSH_AGENT_PID and $SSH_AUTH_SOCK.  Rewriting it to use
> > pipe(2) + fork(2) + execve(2) so it can frob the UID after forking but
> > before exec'ing is possible and desirable but not trivial.  I'll see
> > what I can do later this week.
>
> There is code in sftp.c::connect_to_server() which does something close
> to this (pipe+fork+exec w/ args), adding uid frobbage should be easy.
> Though it doesn't do all the signal handling of popen()...

This is such a common case, it seems to me that it should use
common code.  See attached patch, which adds a supopen(3) to
libc.

The man page addition to popen(3) is left as an exercise for someone who
cares...

-- Terry
Index: lib/libc/gen/popen.c
===
RCS file: /cvs/src/lib/libc/gen/popen.c,v
retrieving revision 1.16
diff -c -r1.16 popen.c
*** lib/libc/gen/popen.c1 Feb 2002 01:08:48 -   1.16
--- lib/libc/gen/popen.c7 Nov 2002 19:03:34 -
***
*** 65,70 
--- 65,81 
  popen(command, type)
const char *command, *type;
  {
+   return( supopen( command, type, 0, 0, 0);
+ }
+ 
+ 
+ FILE *
+ supopen(command, type, set, uid, gid)
+   const char *command, *type;
+   int set;
+   uid_t uid;
+   gid_t uid;
+ {
struct pid *cur;
FILE *iop;
int pdes[2], pid, twoway;
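Review bot: this hunk does not compile as posted. The new body of popen() is missing a closing parenthesis (`return( supopen( command, type, 0, 0, 0));`), and the last parameter of supopen() is declared `gid_t uid;`, which duplicates the `uid` name two lines above; it should read `gid_t gid;` to match the `gid` that the child code uses and the `(int, uid_t, gid_t)` prototype added to stdio.h.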
***
*** 105,110 
--- 116,127 
return (NULL);
/* NOTREACHED */
case 0: /* Child. */
+   if (set) {
+   setegid( gid);
+   setgid( gid);
+   seteuid( uid);
+   setuid( uid);
+   }
if (*type == 'r') {
/*
 * The _dup2() to STDIN_FILENO is repeated to avoid
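Review bot: the four set*id() calls in the `if (set)` block discard their return values, so if any of them fails the child carries on and execs the command with the privileges it was supposed to drop. Each call should be checked and the child should `_exit(127)` on failure, e.g. `if (setgid(gid) == -1 || setuid(uid) == -1) _exit(127);`. Two smaller points: the seteuid() before setuid() buys nothing when the caller is root, since setuid(2) in a privileged process sets the real, effective and saved ids together, and calling it first only makes the following setuid() run unprivileged; and setgid() does not touch the supplementary group list, so a caller dropping from root still leaves the child with root's groups unless setgroups() is called here as well.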
Index: include/stdio.h
===
RCS file: /cvs/src/include/stdio.h,v
retrieving revision 1.50
diff -c -r1.50 stdio.h
*** include/stdio.h 14 Oct 2002 11:18:21 -  1.50
--- include/stdio.h 7 Nov 2002 18:55:49 -
***
*** 286,291 
--- 286,294 
  #if __POSIX_VISIBLE = 199209
  intpclose(FILE *);
  FILE  *popen(const char *, const char *);
+ #if !defined(_ANSI_SOURCE)  !defined(_POSIX_SOURCE)
+ FILE  *supopen(const char *, const char *, int, uid_t, gid_t);
+ #endif
  #endif
  
  #if __POSIX_VISIBLE = 199506
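Review bot: the guard around the new prototype is inconsistent with the rest of this header. As shown, the condition has no operator between `!defined(_ANSI_SOURCE)` and `!defined(_POSIX_SOURCE)`, and this header already expresses visibility with the `__POSIX_VISIBLE` macros, so a BSD-only extension like supopen() belongs under the `__BSD_VISIBLE` guard used elsewhere in it rather than the older _ANSI_SOURCE/_POSIX_SOURCE test. The function is also being exported with no manual page; popen(3) needs an entry documenting supopen(), in particular the `set` flag and which ids the `uid` and `gid` arguments replace.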



Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)

2002-11-05 Thread Dag-Erling Smorgrav
Markus Friedl [EMAIL PROTECTED] writes:
> yes, geteuid() could work, too, but why is ssh-agent running
> with a privileged user id?  shouldn't both the real and
> effective user id be the uid of the user?

ssh-agent is started by pam_ssh which is run under xdm's uid (i.e. 0).
It switches to the user's egid and euid before starting ssh-agent.
FreeBSD's execve() does not change the real user id (I don't think
POSIX allows it) so ssh-agent has real user-id 0.  It should do
setuid(geteuid()) early on to guard against this.  Alternatively,
pam_ssh could use a home-grown privilege-dropping popen() instead of
libc's popen() to start ssh-agent.

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]




Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)

2002-11-05 Thread Markus Friedl
On Tue, Nov 05, 2002 at 03:01:02PM +0100, Dag-Erling Smorgrav wrote:
> Markus Friedl [EMAIL PROTECTED] writes:
> > yes, geteuid() could work, too, but why is ssh-agent running
> > with a privileged user id?  shouldn't both the real and
> > effective user id be the uid of the user?
>
> ssh-agent is started by pam_ssh which is run under xdm's uid (i.e. 0).
> It switches to the user's egid and euid before starting ssh-agent.

but shouldn't it do something like
seteuid(getuid());
setuid(getuid());
executing ssh-agent?

> FreeBSD's execve() does not change the real user id (I don't think
> POSIX allows it) so ssh-agent has real user-id 0.  It should do
> setuid(geteuid()) early on to guard against this.  Alternatively,
> pam_ssh could use a home-grown privilege-dropping popen() instead of
> libc's popen() to start ssh-agent.
>
> DES
> --
> Dag-Erling Smorgrav - [EMAIL PROTECTED]




Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)

2002-11-05 Thread Dag-Erling Smorgrav
Markus Friedl [EMAIL PROTECTED] writes:
> but shouldn't it do something like
> seteuid(getuid());
> setuid(getuid());
> executing ssh-agent?

It should.  It currently uses popen(3), which doesn't.  It needs
popen(3)-like functionality because it reads ssh-agent's output in
order to set $SSH_AGENT_PID and $SSH_AUTH_SOCK.  Rewriting it to use
pipe(2) + fork(2) + execve(2) so it can frob the UID after forking but
before exec'ing is possible and desirable but not trivial.  I'll see
what I can do later this week.

In any case, this doesn't seem to be an OpenSSH bug.

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]

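The pipe(2) + fork(2) + exec approach DES describes above (and which Markus's seteuid()/setuid() suggestion is aimed at), written out as an added example; this is not code from pam_ssh, sftp.c or the FreeBSD tree, and the names priv_popen and child_ids_match_ours are mine. The child changes ids between fork() and exec(), group first, and refuses to exec if the kernel declined any of it; the demo runs /bin/sh with id(1) as the caller's own ids and checks that the child's real and effective uid both match, which is exactly the comparison ssh-agent's after_select() makes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* popen(3)-like "r" stream over argv run as (uid, gid): ids are dropped in
 * the child between fork() and exec(), group first; on any failure the child
 * never execs, so a botched drop cannot leave the program with real uid 0. */
FILE *priv_popen(char *const argv[], uid_t uid, gid_t gid, pid_t *pidp)
{
    int pdes[2]; pid_t pid;
    if (pipe(pdes) == -1) return NULL;
    switch (pid = fork()) {
    case -1:
        close(pdes[0]); close(pdes[1]);
        return NULL;
    case 0:                         /* child: stdout -> pipe, then drop ids */
        close(pdes[0]);
        if (pdes[1] != STDOUT_FILENO) {
            dup2(pdes[1], STDOUT_FILENO); close(pdes[1]);
        }
        if (setgid(gid) == -1 || setuid(uid) == -1 ||
            getuid() != uid || geteuid() != uid || getgid() != gid)
            _exit(127);             /* refuse to run with the wrong ids */
        execv(argv[0], argv);
        _exit(127);
    }
    close(pdes[1]);                 /* parent keeps the read end only */
    *pidp = pid;
    return fdopen(pdes[0], "r");
}

/* Run the shell as our own ids and check that the child reports our uid as
 * both its real and effective uid (hypothetical demo, not library code). */
int child_ids_match_ours(void)
{
    char *const argv[] = { "/bin/sh", "-c", "id -ru; id -u", NULL };
    char line[32]; long ids[2] = { -1, -1 };
    int status; pid_t pid;
    FILE *fp = priv_popen(argv, getuid(), getgid(), &pid);
    if (fp == NULL) return 0;
    for (int i = 0; i < 2 && fgets(line, sizeof line, fp) != NULL; i++)
        ids[i] = strtol(line, NULL, 10);
    fclose(fp);                     /* the pclose(3) half: reap the child */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return 0;
    return WEXITSTATUS(status) == 0 &&
        ids[0] == (long)getuid() && ids[1] == (long)getuid();
}
```

Like sftp.c's connect_to_server(), this skips popen(3)'s SIGINT/SIGQUIT bookkeeping; a caller that needs it must add that itself.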



Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)

2002-11-04 Thread Markus Friedl
yes, geteuid() could work, too, but why is ssh-agent running
with a privileged user id?  shouldn't both the real and
effective user id be the uid of the user?

On Sun, Nov 03, 2002 at 08:49:02PM +0100, Alexander Leidinger wrote:
> Hi,
>
> [Markus: this is on FreeBSD-current with
> $OpenBSD: ssh-agent.c,v 1.105 2002/10/01 20:34:12 markus Exp $]
>
> I use pam_ssh in pam.d/xdm and after an update to today's -current, it
> doesn't add my key anymore. In /var/log/messages I see the following if
> I try an ssh-add -l:
> ---snip---
> ssh-agent[6438]: error: uid mismatch: peer euid 1000 != uid 0
> ---snip---
>
> ssh-agent.c:after_select() contains:
> ---snip---
> if ((euid != 0) && (getuid() != euid)) {
>         error("uid mismatch: "
>             "peer euid %u != uid %u",
>             (u_int) euid, (u_int) getuid());
>         close(sock);
>         break;
> }
> ---snip---
>
> As ssh-agent gets started from pam_ssh in xdm (which runs as root -
> getuid() = 0, geteuid() = 1000), it is obvious why it doesn't work.
>
> At the moment I have this piece of code commented out, but I think this
> should get changed to use geteuid() instead of getuid(). Or did I
> misunderstand the idea behind the above code?
>
> Bye,
> Alexander.
>
> --
>    Loose bits sink chips.
>
> http://www.Leidinger.net   Alexander @ Leidinger.net
>   GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7




Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)

2002-11-04 Thread Dag-Erling Smorgrav
Markus Friedl [EMAIL PROTECTED] writes:
> yes, geteuid() could work, too, but why is ssh-agent running
> with a privileged user id?  shouldn't both the real and
> effective user id be the uid of the user?

There seems to be a bug in our pam_ssh(8).  It switches to user
privileges when reading the user's keys, but switches back before
starting the agent, instead of after.

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]




Re: ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)

2002-11-04 Thread Alexander Leidinger
On Mon, 04 Nov 2002 12:11:40 +0100
Dag-Erling Smorgrav [EMAIL PROTECTED] wrote:

> Dag-Erling Smorgrav [EMAIL PROTECTED] writes:
> > There seems to be a bug in our pam_ssh(8).  It switches to user
> > privileges when reading the user's keys, but switches back before
> > starting the agent, instead of after.
>
> Umm, wait, that was too easy.  It doesn't.  I got the start_agent and
> !start_agent cases mixed up.  Alexander, could you check what UID
> ssh-agent runs as (ps auxw | grep agent)?  What version of XFree86 do

It runs with my UID:
---snip---
(5) netchild@ttyp2 % ps auxww |grep \[s\]sh-agent
netchild   757  0.0  0.2  1976 1188  ??  Is9:00am   0:00.01 ssh-agent
---snip---

> you run, and did you compile it yourself or did you install binaries?

Myself.

> How long ago did you install it?  What does 'ldd /usr/X11R6/bin/xdm'

Oct 25.

> say?  If it's pretty old, it might still be using Linux-PAM and an old

No, it uses our PAM:
---snip---
libpam.so.2 => /usr/lib/libpam.so.2 (0x281eb000)

(6) netchild@ttyp0 % ll /usr/lib/libpam.*
-r--r--r--  1 root  wheel127K  3 Nov 20:04 /usr/lib/libpam.a
lrwxr-xr-x  1 root  wheel 11B  3 Nov 20:04 /usr/lib/libpam.so@ -> libpam.so.2
-r--r--r--  1 root  wheel 25K  3 Nov 20:04 /usr/lib/libpam.so.2
---snip---

> non-credential-dropping pam_ssh(8).

Bye,
Alexander.

-- 
   Press every key to continue.

http://www.Leidinger.net   Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7




ssh-agent broken with pam_ssh for xdm (+ fix for ssh-agent.c)

2002-11-03 Thread Alexander Leidinger
Hi,

[Markus: this is on FreeBSD-current with
$OpenBSD: ssh-agent.c,v 1.105 2002/10/01 20:34:12 markus Exp $]

I use pam_ssh in pam.d/xdm and after an update to today's -current, it
doesn't add my key anymore. In /var/log/messages I see the following if
I try an ssh-add -l:
---snip---
ssh-agent[6438]: error: uid mismatch: peer euid 1000 != uid 0
---snip---

ssh-agent.c:after_select() contains:
---snip---
if ((euid != 0) && (getuid() != euid)) {
        error("uid mismatch: "
            "peer euid %u != uid %u",
            (u_int) euid, (u_int) getuid());
        close(sock);
        break;
}
---snip---

As ssh-agent gets started from pam_ssh in xdm (which runs as root -
getuid() = 0, geteuid() = 1000), it is obvious why it doesn't work.

At the moment I have this piece of code commented out, but I think this
should get changed to use geteuid() instead of getuid(). Or did I
misunderstand the idea behind the above code?

Bye,
Alexander.

-- 
  Loose bits sink chips.

http://www.Leidinger.net   Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7
