authorDarren Tucker <dtucker@zip.com.au>2009-08-20 16:20:50 +1000
committerDarren Tucker <dtucker@zip.com.au>2009-08-20 16:20:50 +1000
commit82edf23fffc4accf7686da08367e9fd5b5baa487 (patch)
tree34ffab829333d3e6c583edb7e49956773fe9540b
parent2a5588daeb27c118a3a55a203a7be14978d96bf7 (diff)
- (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
the setpcred call on AIX to immediately before the permanently_set_uid(). Ensures that we still have privileges when we call chroot and pam_open_session. Based on a patch from David Leonard.
-rw-r--r--ChangeLog4
-rw-r--r--openbsd-compat/port-aix.h7
-rw-r--r--session.c9
3 files changed, 14 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index 056240f3..58cb1645 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,10 @@
- (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
using it since the type conflicts can cause problems on FreeBSD. Patch
from Jonathan Chen.
+ - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
+ the setpcred call on AIX to immediately before the permanently_set_uid().
+ Ensures that we still have privileges when we call chroot and
+ pam_open_sesson. Based on a patch from David Leonard.
20090817
- (dtucker) [configure.ac] Check for headers before libraries for openssl an
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 967bc723..3ac76ae1 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.30 2009/08/16 23:40:00 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */
/*
*
@@ -71,6 +71,11 @@ int passwdexpired(char *, char **);
# include <sys/timers.h>
#endif
+/* for setpcred and friends */
+#ifdef HAVE_USERSEC_H
+# include <usersec.h>
+#endif
+
/*
* According to the setauthdb man page, AIX password registries must be 15
* chars or less plus terminating NUL.
diff --git a/session.c b/session.c
index cdbf88ab..f4a36354 100644
--- a/session.c
+++ b/session.c
@@ -1466,11 +1466,6 @@ do_setusercontext(struct passwd *pw)
if (getuid() == 0 || geteuid() == 0)
#endif /* HAVE_CYGWIN */
{
-
-#ifdef HAVE_SETPCRED
- if (setpcred(pw->pw_name, (char **)NULL) == -1)
- fatal("Failed to set process credentials");
-#endif /* HAVE_SETPCRED */
#ifdef HAVE_LOGIN_CAP
# ifdef __bsdi__
setpgid(0, 0);
@@ -1538,6 +1533,10 @@ do_setusercontext(struct passwd *pw)
free(chroot_path);
}
+#ifdef HAVE_SETPCRED
+ if (setpcred(pw->pw_name, (char **)NULL) == -1)
+ fatal("Failed to set process credentials");
+#endif /* HAVE_SETPCRED */
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
perror("unable to set user context (setuser)");
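Review bot: The relocated `setpcred` block in this hunk has no comment saying why it must sit exactly here, and the ordering is the security point of the change: per the commit message it has to run after chroot and PAM session setup, which still need privileges, and before the final uid switch. I would add a comment above `#ifdef HAVE_SETPCRED` such as `/* AIX: setpcred() gives up privileges; keep it after chroot/pam_open_session and directly before the uid switch. */` so a later refactor does not move it back ahead of the privileged steps. The `fatal()` text could also name the account, e.g. `fatal("Failed to set process credentials for %.100s", pw->pw_name);`, so a failed credential change is easier to triage from logs. do_setusercontext starts and ends outside the hunk, so the `permanently_set_uid()` call the message refers to is not visible here, and only the `LOGIN_SETUSER` path can be checked against the new placement.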