From 82edf23fffc4accf7686da08367e9fd5b5baa487 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 20 Aug 2009 16:20:50 +1000 Subject: - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move the setpcred call on AIX to immediately before the permanently_set_uid(). Ensures that we still have privileges when we call chroot and pam_open_sesson. Based on a patch from David Leonard. --- ChangeLog | 4 ++++ openbsd-compat/port-aix.h | 7 ++++++- session.c | 9 ++++----- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 056240f3..58cb1645 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not using it since the type conflicts can cause problems on FreeBSD. Patch from Jonathan Chen. + - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move + the setpcred call on AIX to immediately before the permanently_set_uid(). + Ensures that we still have privileges when we call chroot and + pam_open_sesson. Based on a patch from David Leonard. 20090817 - (dtucker) [configure.ac] Check for headers before libraries for openssl an diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 967bc723..3ac76ae1 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.30 2009/08/16 23:40:00 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */ /* * @@ -71,6 +71,11 @@ int passwdexpired(char *, char **); # include #endif +/* for setpcred and friends */ +#ifdef HAVE_USERSEC_H +# include +#endif + /* * According to the setauthdb man page, AIX password registries must be 15 * chars or less plus terminating NUL. diff --git a/session.c b/session.c index cdbf88ab..f4a36354 100644 --- a/session.c +++ b/session.c @@ -1466,11 +1466,6 @@ do_setusercontext(struct passwd *pw) if (getuid() == 0 || geteuid() == 0) #endif /* HAVE_CYGWIN */ { - -#ifdef HAVE_SETPCRED - if (setpcred(pw->pw_name, (char **)NULL) == -1) - fatal("Failed to set process credentials"); -#endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP # ifdef __bsdi__ setpgid(0, 0); @@ -1538,6 +1533,10 @@ do_setusercontext(struct passwd *pw) free(chroot_path); } +#ifdef HAVE_SETPCRED + if (setpcred(pw->pw_name, (char **)NULL) == -1) + fatal("Failed to set process credentials"); +#endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { perror("unable to set user context (setuser)"); -- cgit v1.2.3