Message-ID: <65783ea3fbfc44547885aa314e993718@gunge.quuxotic.net>
To: 9fans@9fans.net
From: "Steven Stallion"
Date: Thu, 8 Dec 2022 18:06:21 -0600
List-Id: "9fans" <9fans.9fans.net>
Reply-To: 9fans <9fans@9fans.net>
Subject: [9fans] Re: Fun with sshsession

> I found another interesting wrinkle. It appears this issue seems to
> only affect diskless CPU servers. I'm able to SSH successfully to my
> auth and file servers.

Mystery solved! It turns out this was the same issue Cinap fixed in
auth/as last year. sshsession was inheriting the host owner factotum
after capuse, which was leading to breakage on hosts other than the
file server.

I've attached (and submitted to 9legacy) a patch to address the issue
in the Labs implementation. To wit, I was able to duplicate this issue
on every implementation of SSH v2 that's available.

Cheers,
Steve

Permalink: https://9fans.topicbox.com/groups/9fans/Ta343100f1654631e-M32b0c9ee1d3d680c6ba88ca5

Content-Disposition: attachment; filename=ssh2-factotum.diff

This patch corrects non-host owner filesystem permissions in sshsession. Prior to these changes, SSH sessions would inherit the host owner factotum, which led to incorrect permissions on hosts other than the file server.

These changes are similar to those submitted by Cinap Lenrek to address a related issue in auth/as:
https://git.9front.org/plan9front/plan9front/55a0abdd439964793a5ebceb23776d162a0436d2/patch

--- /n/sources/plan9/sys/src/cmd/ssh2/sshsession.c Sun May 6 14:55:41 2012 +++ /sys/src/cmd/ssh2/sshsession.c Thu Dec 8 17:14:10 2022 @@ -89,6 +89,27 @@ } /* + * mount factotum after auth + */ +static void +mountfactotum(int ctlfd) +{ + int fd; + + fd = open("/srv/factotum", ORDWR); + if (fd < 0) { + syslog(0, "ssh", "can't open /srv/factotum: %r"); + hangup(ctlfd); + exits("open"); + } + if (mount(fd, -1, "/mnt", MREPL, "") < 0) { + syslog(0, "ssh", "can't mount /srv/factotum in /mnt: %r"); + hangup(ctlfd); + exits("can't mount"); + } +} + +/* * mount tunnel if there isn't one visible. */ static void @@ -135,6 +156,7 @@ return 0; auth(buf, n, ctlfd); + mountfactotum(ctlfd); p = strchr(buf, '@'); if (p == nil)
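
Review bot: mountfactotum() in the first hunk (@@ -89,6 +89,27 @@) never closes fd. After mount() succeeds, the descriptor opened on /srv/factotum stays open, and nothing in the hunk releases it before the session continues; add close(fd); after the successful mount. It is also worth confirming that MREPL is the intended flag, since it replaces whatever is already mounted at /mnt rather than adding to it. The block comment says when the mount happens but not why; a line stating that it drops the inherited host owner factotum would make the intent clear. The two exits() strings ("open" and "can't mount") could be made consistent.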
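
Review bot: the call added in the second hunk (@@ -135,6 +156,7 @@) carries no comment about its ordering dependence on the auth(buf, n, ctlfd) line just above it. The fix relies on mountfactotum(ctlfd) running after authentication, and a later reorder of these two lines would silently bring back the inherited host owner factotum, so a one-line comment at the call site would help. The call is also unconditional and fatal: on a host where /srv/factotum cannot be opened, the session is hung up with only a syslog entry, which deserves a mention in the patch description.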