Description of problem:
sshd with "UsePrivilegeSeparation no" configured isn't able to drop privileges if it tries to execute a command.

In do_setusercontext(struct passwd *pw):

    pw->pw_uid = 5000;
    platform_privileged_uidswap() returns 1 (we are root)
    is_child is 1

This means

    if (platform_privileged_uidswap() && !is_child)

is false and we directly jump to the end:

    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
        fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);

and we die here.

Version-Release number of selected component (if applicable):
openssh-7.1p2-3.fc23.x86_64
Related to the bug #1269072, which modified behaviour WITH PrivilegeSeparation according to SELinux. Little focus was given to the behaviour without PrivilegeSeparation. If PrivilegeSeparation is on, the privileges are dropped earlier in the child and this branch does not really make any sense.

I built a scratch build. Can you give it a try to see if it solves your problem: http://koji.fedoraproject.org/koji/taskinfo?taskID=12800487

The proposed patch is getting ugly by adding one more check to run this branch without privsep:

diff --git a/openssh-6.6p1-privsep-selinux.patch b/openssh-6.6p1-privsep-selinux.patch index 87f53df..d7817e5 100644 --- a/openssh-6.6p1-privsep-selinux.patch +++ b/openssh-6.6p1-privsep-selinux.patch @@ -141,7 +141,7 @@ index 684f867..09048bc 100644 platform_setusercontext(pw); - if (platform_privileged_uidswap()) { -+ if (platform_privileged_uidswap() && !is_child) { ++ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
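Review bot: The new condition `platform_privileged_uidswap() && (!is_child || !use_privsep)` carries no comment saying why a child must take this branch when privilege separation is off, and the hunk shows no declaration of `use_privsep` in this file. Suggest a short comment above the `if` noting that without privsep the child is still root at this point and would otherwise fail the uid check at the end of do_setusercontext(), and confirm that `use_privsep` is declared (for example via an extern) before it is used here.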
The following tests passed:
    torture_request_env

100% tests passed, 0 tests failed out of 1

Looks good :)
openssh-7.1p2-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-25e3f1c255
openssh-7.1p2-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-25e3f1c255
openssh-7.1p2-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
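To tell whether a host uses the setting that triggers this bug ("UsePrivilegeSeparation no"), the effective value can be read from the sshd configuration file. The following is an added example, not part of the bug report or of OpenSSH; the function name privsep_setting and the sample config are constructed here, and it reads a single file using the sshd_config rule that the first value found for a keyword wins.

```shell
#!/bin/sh
# Added example: report the effective UsePrivilegeSeparation value in an
# sshd_config file. privsep_setting is a hypothetical helper name.
#
# sshd_config rules applied: keywords are case-insensitive, '#' lines and
# blank lines are ignored, keyword and value are separated by whitespace
# or a single '=', and the first value found for a keyword wins.
privsep_setting() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)         # drop leading indentation
            # separator: whitespace with an optional "=", or a bare "="
            if (!match(line, /[ \t]+=?[ \t]*|=[ \t]*/)) next
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", val)          # drop trailing whitespace
            gsub(/"/, "", val)               # values may be quoted
            if (key == "useprivilegeseparation") {
                print tolower(val)           # yes, no or sandbox
                found = 1
                exit
            }
        }
        END { if (!found) print "unset" }    # compiled-in default applies
    ' "$1"
}

# Constructed sample config: the commented-out line is ignored and the
# later "yes" loses to the earlier "no".
sample=$(mktemp)
printf '%s\n' \
    '#UsePrivilegeSeparation sandbox' \
    'Port 22' \
    'useprivilegeseparation = no' \
    'UsePrivilegeSeparation yes' > "$sample"
echo "UsePrivilegeSeparation: $(privsep_setting "$sample")"
rm -f "$sample"
```

A result of "no" together with openssh-7.1p2-3.fc23 is the combination described in this report; the fix is in openssh-7.1p2-4.fc23.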