
Bug #6475

/hipster sshd[15422]: missing privilege "proc_setid"

Added by Predrag Zečević over 5 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Category:
OI-Userland
Target version:
-
Start date:
2015-11-24
Due date:
% Done:
0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

Hi,

tried to install openssh:

$ pfexec pkg install -v pkg:/network/openssh
           Packages to install:         1
            Packages to change:         1
           Mediators to change:         1
            Services to change:         1
     Estimated space available:  82.20 GB
Estimated space to be consumed: 300.32 MB
       Create boot environment:        No
Create backup boot environment:       Yes
          Rebuild boot archive:        No

Changed mediators:
  mediator ssh:
    implementation: sunssh (system default) -> openssh (vendor default)

Changed packages:
openindiana.org
  network/openssh
    None -> 7.1.0.1-2015.0.2.0
  network/ssh
    0.5.11-2015.0.2.15407

Services:
  restart_fmri:
    svc:/network/ssh:default

Planning linked: 0/1 done; 1 working: zone:hipster
Linked image 'zone:hipster' output:
|      Estimated space available:  82.20 GB
| Estimated space to be consumed: 285.03 MB
|           Rebuild boot archive:        No
`
Planning linked: 1/1 done
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                2/2         28/28      2.2/2.2  3.8M/s

Downloading linked: 0/1 done; 1 working: zone:hipster
Downloading linked: 1/1 done
PHASE                                          ITEMS
Removing old actions                             5/5
Installing new actions                          1/80Action install failed for 'sshd' (pkg://openindiana.org/network/openssh):
  ActionExecutionError: Requested operation failed for package pkg://openindiana.org/network/openssh@7.1.0.1,5.11-2015.0.2.0:20151119T114206Z:
sshd is an unknown or invalid group

The Boot Environment oi151_hipster2015_1124 failed to be updated. A snapshot was taken before the failed attempt and is mounted here /export/tmp/tmpy05huJ. Use 'beadm unmount oi151_hipster2015_1124-1' and then 'beadm activate oi151_hipster2015_1124-1' if you wish to boot to this BE.

pkg: Requested operation failed for package pkg://openindiana.org/network/openssh@7.1.0.1,5.11-2015.0.2.0:20151119T114206Z:
sshd is an unknown or invalid group

Looks like it expected user group sshd, which is there:

$ ls -al /etc/group
-rw-r--r-- 1 root bin 702 Nov 24 08:49 /etc/group

$ grep sshd /etc/group
sshd::22:

Not sure why it has failed...


Files

hipster-openssh-re_install.txt (8.99 KB), Predrag Zečević, 2015-11-27 11:13 AM
#1

Updated by Predrag Zečević over 5 years ago

Hi,

Actually, it has failed because user sshd was there and had the wrong GID:

$ grep ssh /etc/passwd /etc/group 
/etc/passwd:sshd:x:640:640:OpenSSH privsep pseudo-user:/var/empty:/usr/bin/false
/etc/group:sshd::22:

which is probably leftover from an earlier /dev openssh installation.

$ pfexec usermod -g 22 -u 22 sshd
UX: usermod: WARNING: uid 22 is reserved.

$ grep ssh /etc/passwd /etc/group 
/etc/passwd:sshd:x:22:22:OpenSSH privsep pseudo-user:/var/empty:/usr/bin/false
/etc/group:sshd::22:

Repeated the installation and it has managed to finish.
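
The failure in the description and the fix in comment #1 come down to one inconsistency: the leftover sshd user had uid/gid 640 while the sshd group was gid 22. The following is an added example (not part of this issue or of oi-userland) that checks the privilege-separation account before running pkg install: it reads only the passwd and group files it is given, verifies that the user's primary GID is the sshd group's GID, and that the pseudo-user has no login shell. The passwd/group contents below are constructed to mirror the before and after state from comment #1.

```shell
#!/bin/sh
# Added example (not from the issue or oi-userland): consistency check for the
# OpenSSH privsep account. The sample files created further down are
# constructed, not copies of any real system's /etc/passwd or /etc/group.

check_privsep_account() {
    # $1 passwd file, $2 group file, $3 account name (defaults to sshd)
    passwd_file=$1
    group_file=$2
    name=${3:-sshd}
    status=0

    user_line=$(grep "^${name}:" "$passwd_file") || { echo "FAIL: no user ${name} in ${passwd_file}"; return 1; }
    group_line=$(grep "^${name}:" "$group_file") || { echo "FAIL: no group ${name} in ${group_file}"; return 1; }

    user_uid=$(printf '%s\n' "$user_line" | cut -d: -f3)
    user_gid=$(printf '%s\n' "$user_line" | cut -d: -f4)
    user_shell=$(printf '%s\n' "$user_line" | cut -d: -f7)
    group_gid=$(printf '%s\n' "$group_line" | cut -d: -f3)

    # The package's user action expects the user's primary GID to be the sshd group.
    if [ "$user_gid" != "$group_gid" ]; then
        echo "FAIL: user ${name} has gid ${user_gid} but group ${name} is gid ${group_gid}"
        status=1
    fi
    # A privsep pseudo-user must not be able to log in.
    case "$user_shell" in
        */false|*/nologin) ;;
        *) echo "FAIL: ${name} has a login shell (${user_shell})"; status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "OK: ${name} uid=${user_uid} gid=${user_gid}"
    return "$status"
}

# Constructed sample files (not real system files).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/passwd.before" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
sshd:x:640:640:OpenSSH privsep pseudo-user:/var/empty:/usr/bin/false
EOF
cat > "$TMP/passwd.after" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
sshd:x:22:22:OpenSSH privsep pseudo-user:/var/empty:/usr/bin/false
EOF
cat > "$TMP/group" <<'EOF'
root::0:
sshd::22:
EOF

# Leftover account from an earlier install (uid/gid 640) against group sshd (gid 22):
check_privsep_account "$TMP/passwd.before" "$TMP/group" || true
# State after "usermod -g 22 -u 22 sshd":
check_privsep_account "$TMP/passwd.after" "$TMP/group" || true
# On a live system: check_privsep_account /etc/passwd /etc/group
```

Running it against the "before" files reports the gid mismatch that made the pkg user action fail; against the "after" files it prints `OK: sshd uid=22 gid=22`. The function returns non-zero on any finding, so it can gate an install in a script.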

#2

Updated by Predrag Zečević over 5 years ago

Well, also /etc/ssh/sshd_config (and maybe /etc/ssh/ssh_config) needs an update from SunSSH to OpenSSH - somehow it has to be merged, because there is a lot of new stuff in openssh, for example

PubkeyAcceptedKeyTypes +ssh-dss

to enable use of old keys.
Regards.

P.S: Thanks for this update, it is great improvement

#3

Updated by Predrag Zečević over 5 years ago

Another thing:

I cannot use it... Server starts, but when trying to connect I am getting:

Connection to solarix closed by remote host.

and /var/log/auth.log shows:
[2015-11-25 08:39:07] solarix sshd[12558]: [ID 800047 auth.crit] fatal: permanently_set_uid: was able to restore old [e]uid

error, which also appears in /var/adm/messages:
[2015-11-25 08:39:07] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[12557]: missing privilege "proc_setid" (euid = 22, syscall = 46) needed at secpolicy_allow_setid+0x39#012
[2015-11-25 08:39:07] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[12557]: missing privilege "proc_setid" (euid = 22, syscall = 136) needed at secpolicy_allow_setid+0x39#012
[2015-11-25 08:39:07] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[12557]: missing privilege "ALL" (euid = 22, syscall = 23) needed at secpolicy_allow_setid+0x39#012
[2015-11-25 08:39:07] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[12557]: missing privilege "ALL" (euid = 22, syscall = 141) needed at secpolicy_allow_setid+0x39#012
[2015-11-25 08:39:07] solarix sshd[12558]: [ID 800047 auth.crit] fatal: permanently_set_uid: was able to restore old [e]uid
I did some google-ing, but what I have found is very old or related to other OS-es.

The /etc/ssh/sshd_config I took from the self-compiled OpenSSH 7.1p1 version, which works (using another port, of course!).

Any idea?

Best regards.

#4

Updated by Predrag Zečević over 5 years ago

Hi,

I see in https://github.com/OpenIndiana/oi-userland/commit/114481fbb83ab2ba79adeb6a91c43102d09f7bf2 that this is passed to the configure script:

+CONFIGURE_OPTIONS += --with-audit=solaris
+CONFIGURE_OPTIONS += --with-libedit
+CONFIGURE_OPTIONS += --with-kerberos5
+CONFIGURE_OPTIONS += --with-pam
+CONFIGURE_OPTIONS += --with-sandbox=no
+CONFIGURE_OPTIONS += --with-solaris-contracts
+CONFIGURE_OPTIONS += --with-tcp-wrappers
+CONFIGURE_OPTIONS += --with-4in6
+CONFIGURE_OPTIONS += --with-xauth=/usr/bin/xauth
+CONFIGURE_OPTIONS += --enable-strip=no
+CONFIGURE_OPTIONS += --without-rpath
+CONFIGURE_OPTIONS += --libexecdir=/usr/lib/ssh
+CONFIGURE_OPTIONS += --sbindir=/usr/lib/ssh
+CONFIGURE_OPTIONS += --sysconfdir=/etc/ssh
+CONFIGURE_OPTIONS += --bindir=/usr/bin
+CONFIGURE_OPTIONS += --disable-lastlog

Why is the sandbox excluded?

Regards.

P.S: I have replaced "UsePrivilegeSeparation sandbox" with "UsePrivilegeSeparation yes" - but no change, the same error appears...

#5

Updated by Alexander Pyhalov over 5 years ago

Sandbox is excluded, because OpenSSH doesn't support any sandbox method on illumos. What about running it with default config?

#6

Updated by Predrag Zečević over 5 years ago

I have tried again (see the attached file hipster-openssh-re_install.txt) but it fails with the same error!

Regards.

#7

Updated by Alexander Pyhalov over 5 years ago

What does ps -ef |grep ssh say? Does it run as root?

#8

Updated by Predrag Zečević over 5 years ago

Hi,

yes:

$ ps -ef| grep ssh[d]
  global     root   944     1   0   Nov 30 ?           0:00 /usr/lib/ssh/sshd
  global     root   905     1   0   Nov 30 ?           0:00 /opt/SFW/sbin/sshd
  global     root 15424   905   0 20:52:12 ?           0:00 /opt/SFW/sbin/sshd -R
  global predrag* 15426 15424   0 20:52:12 ?           0:00 /opt/SFW/sbin/sshd -R

and the SFW one runs in a sandbox :-)

What I find funny are the privileges; for the /hipster openssh:

[2015-12-01 20:51:41] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[15422]: missing privilege "proc_setid" (euid = 22, syscall = 46) needed at secpolicy_allow_setid+0x39#012
[2015-12-01 20:51:41] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[15422]: missing privilege "proc_setid" (euid = 22, syscall = 136) needed at secpolicy_allow_setid+0x39#012
[2015-12-01 20:51:41] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[15422]: missing privilege "ALL" (euid = 22, syscall = 23) needed at secpolicy_allow_setid+0x39#012
[2015-12-01 20:51:41] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[15422]: missing privilege "ALL" (euid = 22, syscall = 141) needed at secpolicy_allow_setid+0x39#012
[2015-12-01 20:51:42] solarix sshd[15423]: [ID 800047 auth.crit] fatal: permanently_set_uid: was able to restore old [e]uid

and for the SFW one:
[2015-12-01 20:52:12] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[15426]: missing privilege "ALL" (euid = 1961, syscall = 23) needed at secpolicy_allow_setid+0x39#012
[2015-12-01 20:52:12] solarix genunix: [ID 864859 kern.notice] NOTICE: sshd[15426]: missing privilege "ALL" (euid = 1961, syscall = 141) needed at secpolicy_allow_setid+0x39#012

I have tried to set it:

$ pfexec svccfg -s ssh setprop start/privileges = astring: proc_setid,ALL
$ pfexec svcadm refresh ssh
$ pfexec svcadm restart ssh

Regards.

#9

Updated by Alexander Pyhalov over 5 years ago

Have you tried to run it with default sshd_config ?

$ telnet localhost 22
Trying ::1...
Connected to openindiana.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.1

$ grep -v '^$' /etc/ssh/sshd_config |grep -v '^#'
Protocol 2
Port 22
ListenAddress ::
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries 6
MaxAuthTriesLog 3
PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin no
Subsystem sftp internal-sftp
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes

#10

Updated by Predrag Zečević over 5 years ago

Hi,

yes, I have re-installed it (and fixed it, see the attachment in comment https://www.illumos.org/issues/6475#note-6)...

Telnet works:

$ telnet solarix 22
Trying ::1...
Connected to solarix.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.1
^]^D
telnet> Connection to solarix closed.

and this is the setup:
$ grep -v '^$' /etc/ssh/sshd_config  |grep -v '^#'
Protocol 2
Port 22
ListenAddress ::
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 600
MaxAuthTries    6
MaxAuthTriesLog 3
PermitEmptyPasswords no
PasswordAuthentication yes
PermitRootLogin no
Subsystem       sftp    internal-sftp
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes

which is identical to yours... But still the connection does not work:
$ ssh predrag_zecevic@solarix
Connection to solarix closed by remote host.
Connection to solarix closed.

with this error (grep "2015-12-02 08:" /var/log/auth.log - just tried this morning - telnet, then ssh):
[2015-12-02 08:14:40] solarix sshd[18570]: [ID 800047 auth.info] rexec line 103: Deprecated option MaxAuthTriesLog
[2015-12-02 08:14:40] solarix sshd[18570]: [ID 800047 auth.info] rexec line 132: Deprecated option RhostsAuthentication
[2015-12-02 08:14:43] solarix sshd[18570]: [ID 800047 auth.info] Did not receive identification string from ::1
[2015-12-02 08:16:33] solarix sshd[18572]: [ID 800047 auth.info] rexec line 103: Deprecated option MaxAuthTriesLog
[2015-12-02 08:16:33] solarix sshd[18572]: [ID 800047 auth.info] rexec line 132: Deprecated option RhostsAuthentication
[2015-12-02 08:16:33] solarix gnome-keyring-daemon[1706]: [ID 702911 auth.notice] couldn't open store file: /export/home/predrag/.gnome2/keyrings/user.keystore: Resource temporarily unavailable
[2015-12-02 08:16:33] solarix sshd[18572]: [ID 800047 auth.info] Accepted publickey for predrag_zecevic from 192.168.222.169 port 43603 ssh2: DSA SHA256:ZIWzK/MAWTDayPmIXwNaifXC5hxsGb2pC3sjRiyRsBc
[2015-12-02 08:16:33] solarix sshd[18574]: [ID 800047 auth.crit] fatal: permanently_set_uid: was able to restore old [e]uid

Regards.

#11

Updated by Alexander Pyhalov over 5 years ago

  • Subject changed from /hipster openssh installation fails to /hipster sshd[15422]: missing privilege "proc_setid"

#13

Updated by Predrag Zečević over 5 years ago

Hi Alexander,

yes, it works now:

$ ps -ef| grep ssh[d]
  global predrag*  2104  2102   0 08:28:45 ?           0:00 /usr/lib/ssh/sshd -R
  global     root   894     1   0 08:17:27 ?           0:00 /opt/SFW/sbin/sshd
  global     root  1062     1   0 08:17:30 ?           0:00 /usr/lib/ssh/sshd
  global     root  2102  1062   0 08:28:44 ?           0:00 /usr/lib/ssh/sshd -R

and /var/log/auth.log:
[2015-12-03 08:28:44] solarix sshd[2102]: [ID 800047 auth.info] rexec line 103: Deprecated option MaxAuthTriesLog
[2015-12-03 08:28:44] solarix sshd[2102]: [ID 800047 auth.info] rexec line 132: Deprecated option RhostsAuthentication
[2015-12-03 08:28:44] solarix gnome-keyring-daemon[1824]: [ID 702911 auth.notice] couldn't open store file: /export/home/predrag/.gnome2/keyrings/user.keystore: Resource temporarily unavailable
[2015-12-03 08:28:45] solarix sshd[2102]: [ID 800047 auth.info] Accepted publickey for predrag_zecevic from 192.168.222.169 port 46001 ssh2: DSA SHA256:ZIWzK/MAWTDayPmIXwNaifXC5hxsGb2pC3sjRiyRsBc
[2015-12-03 08:29:56] solarix sshd[2104]: [ID 800047 auth.info] Received disconnect from 192.168.222.169: 11: disconnected by user
[2015-12-03 08:29:56] solarix sshd[2104]: [ID 800047 auth.info] Disconnected from 192.168.222.169

no errors in /var/adm/messages ....

Best regards.

P.S. Maybe handle unsupported options as well?

#14

Updated by Alexander Pyhalov over 5 years ago

These options are not unsupported, they are deprecated. It means sshd will not fail to start when they are present, but will ignore them and warn the user. It's the intended behavior.

#15

Updated by Alexander Pyhalov over 5 years ago

  • Category deleted (PKG (Image Packaging System))
  • Status changed from New to Resolved
  • Assignee changed from OI PKG to Alexander Pyhalov

#16

Updated by Alexander Pyhalov over 5 years ago

  • Category set to OI-Userland