- (djm) Reestablish PAM credentials (which can be supplemental group
authordjm <djm>
Tue, 27 Mar 2001 06:12:24 +0000 (06:12 +0000)
committerdjm <djm>
Tue, 27 Mar 2001 06:12:24 +0000 (06:12 +0000)
   memberships) after initgroups() blows them away. Report and suggested
   fix from Nalin Dahyabhai <nalin@redhat.com>

ChangeLog
auth-pam.c
auth-pam.h
session.c

index 4853070c2a96caef47380f59bc869f2d5c2bfda8..1c8a59a6c87cb541c1eea7cac7a44ef4c56ac6d1 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,3 @@
-20010328
- - OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2001/03/26 08:07:09
-     [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c 
-      sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
-     simpler key load/save interface, see authfile.h
-
 20010327
  - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID)
  - Fix pointer issues in waitpid() and wait() replaces.  Patch by Lutz 
      [servconf.c servconf.h session.c sshd.8 sshd_config]
      PrintLastLog option; from chip@valinux.com with some minor
      changes by me.  ok markus@
+   - markus@cvs.openbsd.org 2001/03/26 08:07:09
+     [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c 
+      sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
+     simpler key load/save interface, see authfile.h
+ - (djm) Reestablish PAM credentials (which can be supplemental group 
+   memberships) after initgroups() blows them away. Report and suggested
+   fix from Nalin Dahyabhai <nalin@redhat.com>
 
 20010324
  - Fixed permissions ssh-keyscan.  Thanks to Christopher Linn <celinn@mtu.edu>.
index 4781058b2291ba74105cd48001c645f6cb4a3cd5..a8362cb7fc8943b5e185a850b82e23b1eebf8835 100644 (file)
@@ -287,14 +287,15 @@ void do_pam_session(char *username, const char *ttyname)
 }
 
 /* Set PAM credentials */
-void do_pam_setcred(void)
+void do_pam_setcred(int init)
 {
        int pam_retval;
 
        do_pam_set_conv(&conv);
 
        debug("PAM establishing creds");
-       pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED);
+       pam_retval = pam_setcred(__pamh, 
+           init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
        if (pam_retval != PAM_SUCCESS) {
                if (was_authenticated)
                        fatal("PAM setcred failed[%d]: %.200s",
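Review bot: The new `init` argument is not documented, and the debug line still logs "PAM establishing creds" on the reinitialize path, so sshd debug output cannot tell the two calls apart when a setcred failure is being investigated. I would extend the header comment to `/* Set PAM credentials: init != 0 establishes them, init == 0 reinitializes them (e.g. after initgroups()) */` and log the mode with `debug("PAM %s creds", init ? "establishing" : "reinitializing");`. The bare `1` and `0` passed at the session.c call sites depend on that comment to be readable. The function body continues past this hunk, so what happens on failure when `was_authenticated` is false is not visible here and should be checked for the new call in the child.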
index 580c8d16aaf0e282ca21e807cbe2a648e2f717cd..30e4df51081077b7ae1a30827589a054981e8a7d 100644 (file)
@@ -12,7 +12,7 @@ char **fetch_pam_environment(void);
 int do_pam_authenticate(int flags);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
-void do_pam_setcred(void);
+void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);
index dfe1498ad7bcb6ea1d623886a7dace88b8c725d8..ac026e4fdb7e83b3c695c34260b5242dd378adb0 100644 (file)
--- a/session.c
+++ b/session.c
@@ -488,7 +488,7 @@ do_exec_no_pty(Session *s, const char *command)
        session_proctitle(s);
 
 #if defined(USE_PAM)
-       do_pam_setcred();
+       do_pam_setcred(1);
 #endif /* USE_PAM */
 
        /* Fork the child. */
@@ -603,7 +603,7 @@ do_exec_pty(Session *s, const char *command)
 
 #if defined(USE_PAM)
        do_pam_session(s->pw->pw_name, s->tty);
-       do_pam_setcred();
+       do_pam_setcred(1);
 #endif
 
        /* Fork the child. */
@@ -1100,6 +1100,15 @@ do_child(Session *s, const char *command)
                                exit(1);
                        }
                        endgrent();
+#  ifdef USE_PAM
+                       /*
+                        * PAM credentials may take the form of 
+                        * supplementary groups. These will have been 
+                        * wiped by the above initgroups() call.
+                        * Reestablish them here.
+                        */
+                       do_pam_setcred(0);
+#  endif /* USE_PAM */
 #  ifdef WITH_IRIX_JOBS
                        jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive");
                        if (jid == -1) {
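Review bot: The added comment on `do_pam_setcred(0)` explains why the call exists but not its ordering constraint. A PAM module that restores supplementary groups presumably needs the process to still be privileged, so the call has to stay between `initgroups()` and the uid change, which is outside this hunk. I would add a line to the comment such as `* Must run before the uid is dropped; the modules may need privilege to change the group list.` so a later reordering does not silently break it. Going by the auth-pam.c hunk, a failed setcred is fatal only when `was_authenticated` is set, so confirm that a failed reinitialize here cannot let the session continue with a group list different from the one PAM intended without at least a log entry. `do_child` starts and ends outside the hunk.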