diff options
| author | Damien Miller <djm@mindrot.org> | 2001-03-27 16:12:24 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2001-03-27 16:12:24 +1000 |
| commit | f9e93009478075ec04f0ee407e8f83ab2558a892 (patch) | |
| tree | 48327e0001087c3d25a13a4a53111519c5b0145c | |
| parent | 771bbac73327304cbac69ca37e33b5771e01fc17 (diff) | |
- (djm) Reestablish PAM credentials (which can be supplemental group
memberships) after initgroups() blows them away. Report and suggested
fix from Nalin Dahyabhai <nalin@redhat.com>
| -rw-r--r-- | ChangeLog | 16 | ||||
| -rw-r--r-- | auth-pam.c | 7 | ||||
| -rw-r--r-- | auth-pam.h | 4 | ||||
| -rw-r--r-- | session.c | 13 |
4 files changed, 25 insertions, 15 deletions
@@ -1,10 +1,3 @@ -20010328 - - OpenBSD CVS Sync - - markus@cvs.openbsd.org 2001/03/26 08:07:09 - [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c - sshconnect.h sshconnect1.c sshconnect2.c sshd.c] - simpler key load/save interface, see authfile.h - 20010327 - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID) - Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz @@ -17,6 +10,13 @@ [servconf.c servconf.h session.c sshd.8 sshd_config] PrintLastLog option; from chip@valinux.com with some minor changes by me. ok markus@ + - markus@cvs.openbsd.org 2001/03/26 08:07:09 + [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c + sshconnect.h sshconnect1.c sshconnect2.c sshd.c] + simpler key load/save interface, see authfile.h + - (djm) Reestablish PAM credentials (which can be supplemental group + memberships) after initgroups() blows them away. Report and suggested + fix from Nalin Dahyabhai <nalin@redhat.com> 20010324 - Fixed permissions ssh-keyscan. Thanks to Christopher Linn <celinn@mtu.edu>. @@ -4725,4 +4725,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.1020 2001/03/26 13:44:06 mouring Exp $ +$Id: ChangeLog,v 1.1021 2001/03/27 06:12:24 djm Exp $ @@ -33,7 +33,7 @@ #include "canohost.h" #include "readpass.h" -RCSID("$Id: auth-pam.c,v 1.33 2001/03/21 02:01:35 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.34 2001/03/27 06:12:24 djm Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now" @@ -287,14 +287,15 @@ void do_pam_session(char *username, const char *ttyname) } /* Set PAM credentials */ -void do_pam_setcred(void) +void do_pam_setcred(int init) { int pam_retval; do_pam_set_conv(&conv); debug("PAM establishing creds"); - pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED); + pam_retval = pam_setcred(__pamh, + init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.10 2001/02/15 00:51:32 djm Exp $ */ +/* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */ #include "includes.h" #ifdef USE_PAM @@ -12,7 +12,7 @@ char **fetch_pam_environment(void); int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); -void do_pam_setcred(void); +void do_pam_setcred(int init); void print_pam_messages(void); int is_pam_password_change_required(void); void do_pam_chauthtok(void); @@ -488,7 +488,7 @@ do_exec_no_pty(Session *s, const char *command) session_proctitle(s); #if defined(USE_PAM) - do_pam_setcred(); + do_pam_setcred(1); #endif /* USE_PAM */ /* Fork the child. */ @@ -603,7 +603,7 @@ do_exec_pty(Session *s, const char *command) #if defined(USE_PAM) do_pam_session(s->pw->pw_name, s->tty); - do_pam_setcred(); + do_pam_setcred(1); #endif /* Fork the child. */ @@ -1100,6 +1100,15 @@ do_child(Session *s, const char *command) exit(1); } endgrent(); +# ifdef USE_PAM + /* + * PAM credentials may take the form of + * supplementary groups. These will have been + * wiped by the above initgroups() call. + * Reestablish them here. + */ + do_pam_setcred(0); +# endif /* USE_PAM */ # ifdef WITH_IRIX_JOBS jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); if (jid == -1) { |