From 9afbfcfa54d11bdfbafaba863108de8e6ecd309f Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 27 Mar 2001 06:12:24 +0000 Subject: [PATCH] - (djm) Reestablish PAM credentials (which can be supplemental group memberships) after initgroups() blows them away. Report and suggested fix from Nalin Dahyabhai --- ChangeLog | 14 +++++++------- auth-pam.c | 5 +++-- auth-pam.h | 2 +- session.c | 13 +++++++++++-- 4 files changed, 22 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4853070c..1c8a59a6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,10 +1,3 @@ -20010328 - - OpenBSD CVS Sync - - markus@cvs.openbsd.org 2001/03/26 08:07:09 - [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c - sshconnect.h sshconnect1.c sshconnect2.c sshd.c] - simpler key load/save interface, see authfile.h - 20010327 - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID) - Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz @@ -17,6 +10,13 @@ [servconf.c servconf.h session.c sshd.8 sshd_config] PrintLastLog option; from chip@valinux.com with some minor changes by me. ok markus@ + - markus@cvs.openbsd.org 2001/03/26 08:07:09 + [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c + sshconnect.h sshconnect1.c sshconnect2.c sshd.c] + simpler key load/save interface, see authfile.h + - (djm) Reestablish PAM credentials (which can be supplemental group + memberships) after initgroups() blows them away. Report and suggested + fix from Nalin Dahyabhai 20010324 - Fixed permissions ssh-keyscan. Thanks to Christopher Linn . diff --git a/auth-pam.c b/auth-pam.c index 4781058b..a8362cb7 100644 --- a/auth-pam.c +++ b/auth-pam.c 
@@ -287,14 +287,15 @@ void do_pam_session(char *username, const char *ttyname)
 }
 
 /* Set PAM credentials */
-void do_pam_setcred(void)
+void do_pam_setcred(int init)
 {
 	int pam_retval;
 
 	do_pam_set_conv(&conv);
 
 	debug("PAM establishing creds");
-	pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED);
+	pam_retval = pam_setcred(__pamh,
+	    init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
 	if (pam_retval != PAM_SUCCESS) {
 		if (was_authenticated)
 			fatal("PAM setcred failed[%d]: %.200s",
diff --git a/auth-pam.h b/auth-pam.h
index 580c8d16..30e4df51 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -12,7 +12,7 @@ char **fetch_pam_environment(void);
 int do_pam_authenticate(int flags);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
-void do_pam_setcred(void);
+void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);
diff --git a/session.c b/session.c
index dfe1498a..ac026e4f 100644
--- a/session.c
+++ b/session.c
@@ -488,7 +488,7 @@ do_exec_no_pty(Session *s, const char *command)
 	session_proctitle(s);
 
 #if defined(USE_PAM)
-	do_pam_setcred();
+	do_pam_setcred(1);
 #endif /* USE_PAM */
 
 	/* Fork the child. */
@@ -603,7 +603,7 @@ do_exec_pty(Session *s, const char *command)
 
 #if defined(USE_PAM)
 	do_pam_session(s->pw->pw_name, s->tty);
-	do_pam_setcred();
+	do_pam_setcred(1);
 #endif
 
 	/* Fork the child. */
@@ -1100,6 +1100,15 @@ do_child(Session *s, const char *command)
 			exit(1);
 		}
 		endgrent();
+# ifdef USE_PAM
+		/*
+		 * PAM credentials may take the form of
+		 * supplementary groups. These will have been
+		 * wiped by the above initgroups() call.
+		 * Reestablish them here.
+		 */
+		do_pam_setcred(0);
+# endif /* USE_PAM */
 # ifdef WITH_IRIX_JOBS
 		jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive");
 		if (jid == -1) {
-- 
2.45.2
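Review bot: The debug line `debug("PAM establishing creds");` is kept unchanged although the call below now selects `PAM_REINITIALIZE_CRED` when `init` is 0, so sshd's debug output misreports the reinitialize path taken from the session child; change it to `debug("PAM %s creds", init ? "establishing" : "reinitializing");` so the two calls can be told apart when tracing a group-membership problem. The new `int init` parameter is documented neither here nor in the auth-pam.h prototype hunk; a comment on the prototype such as `/* init != 0: PAM_ESTABLISH_CRED on first use; 0: PAM_REINITIALIZE_CRED after initgroups() has replaced the group list */` would tell callers which value to pass. Since `init` is used only as a flag, a name that reads as a boolean would make that clearer than a bare int. do_pam_setcred's error path continues past the end of the hunk.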
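Review bot: The new `do_pam_setcred(0)` call in do_child runs in the forked child, and the hunk does not check or record its outcome; from the auth-pam.c hunk a failure is handled inside do_pam_setcred (fatal() when `was_authenticated`, otherwise presumably logged), so a line such as `/* failure is handled inside do_pam_setcred(): fatal() or a log entry in this child */` would save the next reader a trip to auth-pam.c. The reinitialized credentials can only reinstate supplementary groups while the child still has root, so if the uid switch follows later in do_child, as the preceding initgroups() suggests, the comment should also state that this call must stay between initgroups() and the privilege drop. do_child starts and ends outside the hunk.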