- (djm) Reestablish PAM credentials (which can be supplemental group

[openssh.git] / session.c

diff --git a/session.c b/session.c
index dfe1498ad7bcb6ea1d623886a7dace88b8c725d8..ac026e4fdb7e83b3c695c34260b5242dd378adb0 100644 (file)
--- a/session.c
+++ b/session.c
@@ -488,7 +488,7 @@ do_exec_no_pty(Session *s, const char *command)
        session_proctitle(s);
 
 #if defined(USE_PAM)
-       do_pam_setcred();
+       do_pam_setcred(1);
 #endif /* USE_PAM */
 
        /* Fork the child. */
@@ -603,7 +603,7 @@ do_exec_pty(Session *s, const char *command)
 
 #if defined(USE_PAM)
        do_pam_session(s->pw->pw_name, s->tty);
-       do_pam_setcred();
+       do_pam_setcred(1);
 #endif
 
        /* Fork the child. */
@@ -1100,6 +1100,15 @@ do_child(Session *s, const char *command)
                                exit(1);
                        }
                        endgrent();
+#  ifdef USE_PAM
+                       /*
+                        * PAM credentials may take the form of 
+                        * supplementary groups. These will have been 
+                        * wiped by the above initgroups() call.
+                        * Reestablish them here.
+                        */
+                       do_pam_setcred(0);
+#  endif /* USE_PAM */
 #  ifdef WITH_IRIX_JOBS
                        jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive");
                        if (jid == -1) {