[scponly] PATCH: support for multiple users with the same uid

Steve Kehlet stevek at webreachinc.com
Mon Jun 4 17:28:29 EDT 2007


The attached patch to scponly provides support for multiple users  
with the same unix user id.  Please let me know what you think.

Patch notes: instead of doing a getpwuid(getuid()) to retrieve passwd  
information (which will return incorrect home directory/jail  
information for all but the first user with the matching uid), this  
patch changes scponly to first check for the USER environment  
variable (which is set by sshd), and if found, looks up the passwd  
entry via getpwnam().  As a sanity check, the uid value found is  
verified against getuid().  If it doesn't find USER (for whatever  
reason) it falls back to the previous behavior.

It seems like no more than the usual concerns apply, in particular  
watch your AcceptEnv and PermitUserEnv, make sure the user can't  
write to his ~/.ssh directory, etc.  However even on a poorly set up  
system, where somehow the user was able to pass in an arbitrary USER  
value, 1. if the uid obtained from passwd doesn't match getuid(), the  
user is disconnected, or 2. if the uid is a match then the behavior  
is no worse than it is now where the user gets the home dir info from  
the first passwd entry with a matching uid, quite likely someone else.

I acknowledge sharing uids in general is not considered a best  
practice, but it's a nice solution for what I'm doing (I'll spare you  
the details).  As far as I can tell, the above change seems safe,  
provides arguably more correct/expected behavior, and may be useful  
for others too.  But, I submit it here for review, so please post if  
you see something I haven't or if you otherwise disagree :-).   
Hopefully you'll like the patch and merge it in.  Many thanks, I  
think scponly is a very handy package.

Steve



-------------- next part --------------
A non-text attachment was scrubbed...
Name: scponly-4.6-uid-overloading.patch
Type: application/octet-stream
Size: 1584 bytes
Desc: not available
Url : https://lists.ccs.neu.edu/pipermail/scponly/attachments/20070604/7d23854e/attachment.obj 
-------------- next part --------------
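
The lookup order described in the message above, as an added C example (it is not the scrubbed patch and not scponly's own code). The function name `resolve_identity` and the status enum are hypothetical, and refusing an unknown USER name instead of falling back is an assumption of this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

enum id_status { ID_BY_NAME, ID_BY_UID, ID_MISMATCH, ID_UNKNOWN };

/* Resolve the passwd entry for this session (hypothetical helper).
 * `user` is the untrusted USER value (may be NULL or empty), `uid` is the
 * real uid from getuid(). On success the home directory is copied into
 * `home` when a buffer is supplied. */
enum id_status resolve_identity(const char *user, uid_t uid,
                                char *home, size_t homelen)
{
    struct passwd *pw;
    enum id_status st;

    if (user != NULL && user[0] != '\0') {
        /* USER present: look up by name, then verify against the real uid. */
        pw = getpwnam(user);
        if (pw == NULL)
            return ID_UNKNOWN;   /* assumption: fail closed on unknown name */
        if (pw->pw_uid != uid)
            return ID_MISMATCH;  /* caller should disconnect the session */
        st = ID_BY_NAME;
    } else {
        /* No USER: previous behaviour, first passwd entry with this uid. */
        pw = getpwuid(uid);
        if (pw == NULL)
            return ID_UNKNOWN;
        st = ID_BY_UID;
    }
    /* Copy out of the static passwd buffer before any further lookups. */
    if (home != NULL && homelen > 0)
        snprintf(home, homelen, "%s", pw->pw_dir);
    return st;
}

int main(void)
{
    char home[4096];
    enum id_status st = resolve_identity(getenv("USER"), getuid(),
                                         home, sizeof home);
    if (st == ID_MISMATCH || st == ID_UNKNOWN) {
        fprintf(stderr, "identity check failed (%d)\n", (int)st);
        return 1;
    }
    printf("home=%s via %s\n", home, st == ID_BY_NAME ? "USER" : "uid");
    return 0;
}
```
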



