diff options
author | Darren Tucker <dtucker@zip.com.au> | 2010-03-07 13:21:12 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2010-03-07 13:21:12 +1100 |
commit | c738e6c646aa0b588f50e953b4d3931c29e9ab28 (patch) | |
tree | 8b4ec045539c608e14ccd8d43af5024e6ca683fa | |
parent | b3d20a3ff0f822e2b39c3f6d31bfdea89f577465 (diff) |
- (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
do not set real uid, since that's needed for the chroot, and will be set
by permanently_set_uid.
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | session.c | 22 |
2 files changed, 21 insertions, 4 deletions
@@ -2,6 +2,9 @@ - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that it gets the passwd struct from the LAM that knows about the user which is not necessarily the default. Patch from Alexandre Letourneau. + - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and + do not set real uid, since that's needed for the chroot, and will be set + by permanently_set_uid. 20100305 - OpenBSD CVS Sync @@ -1530,6 +1530,24 @@ do_setusercontext(struct passwd *pw) } # endif /* USE_LIBIAF */ #endif +#ifdef HAVE_SETPCRED + /* + * If we have a chroot directory, we set all creds except real + * uid which we will need for chroot. If we don't have a + * chroot directory, we don't override anything. + */ + { + char **creds, *chroot_creds[] = + { "REAL_USER=root", NULL }; + + if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) + creds = chroot_creds; + + if (setpcred(pw->pw_name, creds) == -1) + fatal("Failed to set process credentials"); + } +#endif /* HAVE_SETPCRED */ if (options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0) { @@ -1542,10 +1560,6 @@ do_setusercontext(struct passwd *pw) free(chroot_path); } -#ifdef HAVE_SETPCRED - if (setpcred(pw->pw_name, (char **)NULL) == -1) - fatal("Failed to set process credentials"); -#endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { perror("unable to set user context (setuser)"); |