Re: pam_sm_close_session doesn't run without privilege seperation

From: Darren Tucker (dtucker_at_zip.com.au)
Date: 09/04/04

  • Next message: Nick Payne-Roberts: "~user on sftp-server having entire shell access..."
    Date: Sat, 04 Sep 2004 14:21:52 +1000
    To: Chris Jensen <cjensen@gmail.com>
    
    

    Chris Jensen wrote:
    > I've got pam_mount set up mostly with openssh. Except for one catch,
    > it'll mount fine, the pam_sm_open_session function gets called (as
    > root) at session start and it mounts the directory I want.
    >
    > But when I exit the session, pam_sm_close_session gets called, but it
    > only runs as the user that was logged in, so it doesn't have
    > permission to unmount the directory.

    Someone mentioned that (again, apparently, I missed the first message) a
    couple of days ago. I have opened a bug (with patch):
    http://bugzilla.mindrot.org/show_bug.cgi?id=926

    Could you please try the patch and let me know if it resolves the
    problem? (Privately or to the bug, please, unless there's additional
    info that might be of interest to secureshell@ readers).

    I need to think a bit more about the !privsep case, though.

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
         Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
    

  • Next message: Nick Payne-Roberts: "~user on sftp-server having entire shell access..."

    Relevant Pages

    • Re: OpenSSH 4.0p1 on AIX 5.3
      ... Unfortunately there's a bug in the handling of AIX password ... The bug report is here: ... If the patch doesn't resolve your problem then please open a new bug at ... Good judgement comes with experience. ...
      (comp.unix.aix)
    • Weekly Python Patch/Bug Summary
      ... Patch / Bug Summary ... http://python.org/sf/606098 closed by rhettinger ... http://python.org/sf/1088716 closed by loewis ...
      (comp.lang.python)
    • [Full-Disclosure] RE: [kinda-but-not-really-Full-Disclosure-so-we-feel-warm-and-fuzzy] Re: <to va
      ... Because it must be realised that as soon as a patch and or advisory is ... there are global teams of people working to discover and exploit said bug. ... quiet and MS just released patches for 'undisclosed' problems... ... > engineer a ms patch to find the changed code and produce a working ...
      (Full-Disclosure)
    • Re: Getting rid of atomic_load_acq_int(&fdp->fd_nfiles)) from fget_unlocked
      ... looked at the patch 1. ... A cast of a value to a qualified type has no effect; ... using volatile semantics, the technique is to cast the address of the ... just the first bug in it. ...
      (freebsd-arch)
    • Re: Cant take skilled talent?
      ... least playing an easier version of the game than everyone else has. ... mind changing or removing the patch if TB emailed me about it. ... -fixing skilled bug is good ... The patch simply stops the monsters from growing too powerful compared to the ...
      (rec.games.roguelike.adom)