- markus@cvs.openbsd.org 2002/05/13 20:44:58

[openssh.git] / sshd.c

diff --git a/sshd.c b/sshd.c
index 8b1ebb46294f0000962edd38c1dbb9f94d10a2b1..589a1160d36182ba87480bde5690cdc77511cbf2 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -48,6 +48,10 @@ RCSID("$OpenBSD: sshd.c,v 1.240 2002/04/23 22:16:29 djm Exp $");
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 #include <openssl/rand.h>
+#ifdef HAVE_SECUREWARE
+#include <sys/security.h>
+#include <prot.h>
+#endif
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -786,6 +790,9 @@ main(int ac, char **av)
        Key *key;
        int ret, key_used = 0;
 
+#ifdef HAVE_SECUREWARE
+       (void)set_auth_parameters(ac, av);
+#endif
        __progname = get_progname(av[0]);
        init_rng();
 
@@ -998,9 +1005,15 @@ main(int ac, char **av)
        if (test_flag)
                exit(0);
 
-#ifdef HAVE_SCO_PROTECTED_PW
-       (void) set_auth_parameters(ac, av);
-#endif
+       /*
+        * Clear out any supplemental groups we may have inherited.  This
+        * prevents inadvertent creation of files with bad modes (in the
+        * portable version at least, it's certainly possible for PAM 
+        * to create a file, and we can't control the code in every 
+        * module which might be used).
+        */
+       if (setgroups(0, NULL) < 0)
+               debug("setgroups() failed: %.200s", strerror(errno));
 
        /* Initialize the log (it is reinitialized below in case we forked). */
        if (debug_flag && !inetd_flag)