[colug-432] Okay, I've got to be doing something stupid... any thoughts on what?

R P Herrold herrold at owlriver.com
Mon Jul 13 12:03:56 EDT 2015


On Sat, 11 Jul 2015, William Yang wrote:

> There was nothing in the audit log except a bunch of success reports from
> 'login'... but that got me to thinking about login processes.  OpenSSH does
> not invoke login unless you explicitly tell it to, and by default invokes
> shells itself.  So, maybe that was why ssh logins worked, but login didn't....
> 
> When I set sshd to 'UseLogin yes' and tried to log in....

on the client side, there is also the -t option to ssh


> 1. Write a C wrapper that pretty much just exec's perl with the script.
> Not ridiculous, but requires another object (making it as kludgy as the
> restricted shell solution, though probably a more secure approach) and
> still requires secondary development, debug, and maintenance.

This has been done 'forever' as scripts generally do not 
permit SUID / SGID permissions, so a 'helper' C program to 
carry the permissions, and then EXEC out to the shell script 
in the desired UID/GID
 
==============

'forcing' allocation of a shell and setting UID with 'su' also 
comes to mind.  I see this in my archive as to CHROOT work

chroot $COPY su -m -s /bin/sh - builder -c '/bin/mkdir \
	/home/builder/rpmbuild/RPMS/i386'

which at the time needed to run under (keyed) SSH as well on a 
'builder' for CAOS, early on -- no end user accounts were 
permitted on builders as a policy matter

-- Russ herrold
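The C 'helper' pattern Russ describes above, written out as an added example (this is not code from the thread or from CAOS): a small setuid binary that drops to a fixed target account, replaces the environment, and then execs the interpreter on a fixed script. The account name "builder" follows the post; the interpreter and script paths are assumptions. Unlike `su -m`, which keeps the caller's environment, the helper passes nothing through, so PATH, PERL5LIB or LD_PRELOAD from the caller cannot steer the privileged script, and the user's own command-line arguments are deliberately not forwarded.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed target account (from the post) and assumed paths for this example. */
#define TARGET_USER   "builder"
#define TARGET_INTERP "/usr/bin/perl"
#define TARGET_SCRIPT "/usr/local/libexec/builder-task.pl"

/* Switch to the target uid/gid in the order that actually works:
 * supplementary groups first (only possible as root), then gid, then uid.
 * Every return value is checked; a silently failed setuid() is the classic
 * wrapper bug.  Returns 0 on success, -1 on any failure or if the drop
 * turns out to be reversible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clear inherited supplementary groups; requires root. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* If we started as root and the drop were incomplete (saved uid still
     * 0), setuid(0) would succeed here.  It must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Build a minimal fixed environment for the exec'd script.  Nothing is
 * inherited from the caller; HOME is set from the target user's passwd
 * entry.  Returns a NULL-terminated array suitable for execve(). */
char **build_clean_env(const char *home)
{
    static char home_entry[1024];
    static char *env[] = {
        "PATH=/usr/bin:/bin",
        home_entry,
        NULL,
    };
    snprintf(home_entry, sizeof home_entry, "HOME=%s", home);
    return env;
}

int main(int argc, char **argv)
{
    (void)argc;
    (void)argv; /* caller-supplied arguments are intentionally ignored */

    struct passwd *pw = getpwnam(TARGET_USER);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", TARGET_USER);
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }

    /* -T turns on perl's taint checks; the script path is fixed, not
     * taken from the user. */
    char *const args[] = { "perl", "-T", TARGET_SCRIPT, NULL };
    execve(TARGET_INTERP, args, build_clean_env(pw->pw_dir));
    perror("execve");
    return 1;
}
```

Install the compiled helper owned by root with mode 4750 and a group restricted to the users who may run it; the script it execs should be owned by root and not writable by the target account, otherwise anyone who can edit the script gets the carried privileges.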
