From 52358d6df32d9ae923572c43a58159d84b673631 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Tue, 11 Mar 2008 22:58:25 +1100
Subject: - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move pam_open_session and pam_close_session into the privsep monitor, which will ensure that pam_session_close is called as root. Patch from Tomas Mraz.
---
 auth-pam.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'auth-pam.c')
diff --git a/auth-pam.c b/auth-pam.c
index a07f1fe7..ccdb9937 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL };
 void
 sshpam_cleanup(void)
 {
- debug("PAM: cleanup");
- if (sshpam_handle == NULL)
+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
 return;
+ debug("PAM: cleanup");
 pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
 if (sshpam_cred_established) {
+ debug("PAM: deleting credentials");
 pam_setcred(sshpam_handle, PAM_DELETE_CRED);
 sshpam_cred_established = 0;
 }
 if (sshpam_session_open) {
+ debug("PAM: closing session");
 pam_close_session(sshpam_handle, PAM_SILENT);
 sshpam_session_open = 0;
 }
--
cgit v1.2.3
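Review bot: The added `debug("PAM: closing session")` and `debug("PAM: deleting credentials")` lines in sshpam_cleanup record that each call is attempted, but the results of `pam_close_session()` and `pam_setcred()` are still discarded, so a session module that fails in the monitor leaves no trace even though closing the session as root is the stated purpose of the change. Consider logging the outcome, e.g. `if (pam_close_session(sshpam_handle, PAM_SILENT) != PAM_SUCCESS) debug("PAM: pam_close_session failed");`, and the same for `pam_setcred`. The new guard `(use_privsep && !mm_is_monitor())` returns silently and would benefit from a short comment such as `/* with privsep only the monitor owns the PAM session; the unprivileged child must not tear it down */`. The function body continues past the end of the hunk, so whatever follows is also skipped in the non-monitor process; it is worth confirming that this is intended.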