authorDamien Miller <djm@mindrot.org>2001-03-27 16:13:46 +1000
committerDamien Miller <djm@mindrot.org>2001-03-27 16:13:46 +1000
commit3bdb3461313b2c8e185f7f886f58bc3d63b19da6 (patch)
tree8a8a4139a041643ab0dc41eccc3832450ff4065e
parent09573fcc7ca8a516a8ed404f00889469e0264309 (diff)
- (djm) Reestablish PAM credentials (which can be supplemental group
memberships) after initgroups() blows them away. Report and suggested fix from Nalin Dahyabhai <nalin@redhat.com>
-rw-r--r--ChangeLog7
-rw-r--r--auth-pam.c7
-rw-r--r--auth-pam.h4
-rw-r--r--session.c13
4 files changed, 23 insertions, 8 deletions
diff --git a/ChangeLog b/ChangeLog
index 6961c625..68dac569 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20010327
+ - (djm) Reestablish PAM credentials (which can be supplemental group
+ memberships) after initgroups() blows them away. Report and suggested
+ fix from Nalin Dahyabhai <nalin@redhat.com>
+
20010324
- Fixed permissions ssh-keyscan. Thanks to Christopher Linn <celinn@mtu.edu>.
- OpenBSD CVS Sync
@@ -4673,4 +4678,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
-$Id: ChangeLog,v 1.991.2.10 2001/03/24 04:53:32 mouring Exp $
+$Id: ChangeLog,v 1.991.2.11 2001/03/27 06:13:46 djm Exp $
diff --git a/auth-pam.c b/auth-pam.c
index d283f24a..e73b1868 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -33,7 +33,7 @@
#include "canohost.h"
#include "readpass.h"
-RCSID("$Id: auth-pam.c,v 1.31.2.1 2001/03/21 02:12:13 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.31.2.2 2001/03/27 06:13:47 djm Exp $");
#define NEW_AUTHTOK_MSG \
"Warning: Your password has expired, please change it now"
@@ -287,14 +287,15 @@ void do_pam_session(char *username, const char *ttyname)
}
/* Set PAM credentials */
-void do_pam_setcred(void)
+void do_pam_setcred(int init)
{
int pam_retval;
do_pam_set_conv(&conv);
debug("PAM establishing creds");
- pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED);
+ pam_retval = pam_setcred(__pamh,
+ init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
if (pam_retval != PAM_SUCCESS) {
if (was_authenticated)
fatal("PAM setcred failed[%d]: %.200s",
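Review bot: `debug("PAM establishing creds");` is now emitted for both modes, so the PAM_REINITIALIZE_CRED call made from the forked child logs as if credentials were being established for the first time; make the message follow the flag, `debug("PAM %s creds", init ? "establishing" : "reinitializing");`. The new `init` parameter is a bare int switch with no documentation, and the existing header comment does not explain it; it could read `/* Set PAM credentials: init != 0 establishes them (PAM_ESTABLISH_CRED), 0 reinitializes ones already established (PAM_REINITIALIZE_CRED), used after initgroups() has replaced the group list */`, and the same one-liner belongs on the prototype in the auth-pam.h hunk. do_pam_setcred's body continues past the hunk, so the non-fatal branch after the `was_authenticated` test is not visible here.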
diff --git a/auth-pam.h b/auth-pam.h
index 1cf85c0f..1faee019 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.10 2001/02/15 00:51:32 djm Exp $ */
+/* $Id: auth-pam.h,v 1.10.6.1 2001/03/27 06:13:48 djm Exp $ */
#include "includes.h"
#ifdef USE_PAM
@@ -12,7 +12,7 @@ char **fetch_pam_environment(void);
int do_pam_authenticate(int flags);
int do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, const char *ttyname);
-void do_pam_setcred(void);
+void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
void do_pam_chauthtok(void);
diff --git a/session.c b/session.c
index a794f3b2..2eb7d083 100644
--- a/session.c
+++ b/session.c
@@ -481,7 +481,7 @@ do_exec_no_pty(Session *s, const char *command, struct passwd * pw)
session_proctitle(s);
#if defined(USE_PAM)
- do_pam_setcred();
+ do_pam_setcred(1);
#endif /* USE_PAM */
/* Fork the child. */
@@ -598,7 +598,7 @@ do_exec_pty(Session *s, const char *command, struct passwd * pw)
#if defined(USE_PAM)
do_pam_session(pw->pw_name, s->tty);
- do_pam_setcred();
+ do_pam_setcred(1);
#endif
/* Fork the child. */
@@ -1095,6 +1095,15 @@ do_child(Session *s, const char *command)
exit(1);
}
endgrent();
+# ifdef USE_PAM
+ /*
+ * PAM credentials may take the form of
+ * supplementary groups. These will have been
+ * wiped by the above initgroups() call.
+ * Reestablish them here.
+ */
+ do_pam_setcred(0);
+# endif /* USE_PAM */
# ifdef WITH_IRIX_JOBS
jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive");
if (jid == -1) {
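Review bot: The new `do_pam_setcred(0)` call is placed after initgroups(), but the hunk does not show where the child drops its uid, and reinitialising group-based credentials only works while the process is still privileged enough to call setgroups(); the new comment should record that ordering constraint, e.g. add `* This must stay before the uid is dropped further down.` to the comment block, with the drop presumably following later in do_child. On failure do_pam_setcred() calls fatal() when was_authenticated is set (visible in the auth-pam.c hunk), so a PAM module that cannot reinitialise now terminates the child instead of letting the session start with a reduced group list; that is the safer outcome but deserves a sentence in the comment so nobody later "fixes" it into a warning. do_child starts before and continues past this hunk, so the initgroups() call the comment refers to is not visible here.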