From c738e6c646aa0b588f50e953b4d3931c29e9ab28 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 7 Mar 2010 13:21:12 +1100 Subject: - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and do not set real uid, since that's needed for the chroot, and will be set by permanently_set_uid. --- ChangeLog | 3 +++ session.c | 22 ++++++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 63beb948..e9cb557d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that it gets the passwd struct from the LAM that knows about the user which is not necessarily the default. Patch from Alexandre Letourneau. + - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and + do not set real uid, since that's needed for the chroot, and will be set + by permanently_set_uid. 20100305 - OpenBSD CVS Sync diff --git a/session.c b/session.c index fd7acbe0..8f978faa 100644 --- a/session.c +++ b/session.c @@ -1530,6 +1530,24 @@ do_setusercontext(struct passwd *pw) } # endif /* USE_LIBIAF */ #endif +#ifdef HAVE_SETPCRED + /* + * If we have a chroot directory, we set all creds except real + * uid which we will need for chroot. If we don't have a + * chroot directory, we don't override anything. + */ + { + char **creds, *chroot_creds[] = + { "REAL_USER=root", NULL }; + + if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) + creds = chroot_creds; + + if (setpcred(pw->pw_name, creds) == -1) + fatal("Failed to set process credentials"); + } +#endif /* HAVE_SETPCRED */ if (options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0) { @@ -1542,10 +1560,6 @@ do_setusercontext(struct passwd *pw) free(chroot_path); } -#ifdef HAVE_SETPCRED - if (setpcred(pw->pw_name, (char **)NULL) == -1) - fatal("Failed to set process credentials"); -#endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { perror("unable to set user context (setuser)"); -- cgit v1.2.3