summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2001-03-27 16:12:24 +1000
committerDamien Miller <djm@mindrot.org>2001-03-27 16:12:24 +1000
commitf9e93009478075ec04f0ee407e8f83ab2558a892 (patch)
tree48327e0001087c3d25a13a4a53111519c5b0145c
parent771bbac73327304cbac69ca37e33b5771e01fc17 (diff)
- (djm) Reestablish PAM credentials (which can be supplemental group
memberships) after initgroups() blows them away. Report and suggested fix from Nalin Dahyabhai <nalin@redhat.com>
-rw-r--r--ChangeLog16
-rw-r--r--auth-pam.c7
-rw-r--r--auth-pam.h4
-rw-r--r--session.c13
4 files changed, 25 insertions, 15 deletions
diff --git a/ChangeLog b/ChangeLog
index a849757a..f26478a1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,3 @@
-20010328
- - OpenBSD CVS Sync
- - markus@cvs.openbsd.org 2001/03/26 08:07:09
- [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c
- sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
- simpler key load/save interface, see authfile.h
-
20010327
- Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID)
- Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz
@@ -17,6 +10,13 @@
[servconf.c servconf.h session.c sshd.8 sshd_config]
PrintLastLog option; from chip@valinux.com with some minor
changes by me. ok markus@
+ - markus@cvs.openbsd.org 2001/03/26 08:07:09
+ [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c
+ sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
+ simpler key load/save interface, see authfile.h
+ - (djm) Reestablish PAM credentials (which can be supplemental group
+ memberships) after initgroups() blows them away. Report and suggested
+ fix from Nalin Dahyabhai <nalin@redhat.com>
20010324
- Fixed permissions ssh-keyscan. Thanks to Christopher Linn <celinn@mtu.edu>.
@@ -4725,4 +4725,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
-$Id: ChangeLog,v 1.1020 2001/03/26 13:44:06 mouring Exp $
+$Id: ChangeLog,v 1.1021 2001/03/27 06:12:24 djm Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 2ea29964..d8eefdfd 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -33,7 +33,7 @@
#include "canohost.h"
#include "readpass.h"
-RCSID("$Id: auth-pam.c,v 1.33 2001/03/21 02:01:35 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.34 2001/03/27 06:12:24 djm Exp $");
#define NEW_AUTHTOK_MSG \
"Warning: Your password has expired, please change it now"
@@ -287,14 +287,15 @@ void do_pam_session(char *username, const char *ttyname)
}
/* Set PAM credentials */
-void do_pam_setcred(void)
+void do_pam_setcred(int init)
{
int pam_retval;
do_pam_set_conv(&conv);
debug("PAM establishing creds");
- pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED);
+ pam_retval = pam_setcred(__pamh,
+ init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
if (pam_retval != PAM_SUCCESS) {
if (was_authenticated)
fatal("PAM setcred failed[%d]: %.200s",
diff --git a/auth-pam.h b/auth-pam.h
index 1cf85c0f..c249b539 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.10 2001/02/15 00:51:32 djm Exp $ */
+/* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */
#include "includes.h"
#ifdef USE_PAM
@@ -12,7 +12,7 @@ char **fetch_pam_environment(void);
int do_pam_authenticate(int flags);
int do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, const char *ttyname);
-void do_pam_setcred(void);
+void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
void do_pam_chauthtok(void);
diff --git a/session.c b/session.c
index dfe1498a..ac026e4f 100644
--- a/session.c
+++ b/session.c
@@ -488,7 +488,7 @@ do_exec_no_pty(Session *s, const char *command)
session_proctitle(s);
#if defined(USE_PAM)
- do_pam_setcred();
+ do_pam_setcred(1);
#endif /* USE_PAM */
/* Fork the child. */
@@ -603,7 +603,7 @@ do_exec_pty(Session *s, const char *command)
#if defined(USE_PAM)
do_pam_session(s->pw->pw_name, s->tty);
- do_pam_setcred();
+ do_pam_setcred(1);
#endif
/* Fork the child. */
@@ -1100,6 +1100,15 @@ do_child(Session *s, const char *command)
exit(1);
}
endgrent();
+# ifdef USE_PAM
+ /*
+ * PAM credentials may take the form of
+ * supplementary groups. These will have been
+ * wiped by the above initgroups() call.
+ * Reestablish them here.
+ */
+ do_pam_setcred(0);
+# endif /* USE_PAM */
# ifdef WITH_IRIX_JOBS
jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive");
if (jid == -1) {