From: Darren Tucker Date: Fri, 5 Nov 2010 02:00:05 +0000 (+1100) Subject: - (dtucker) [platform.c session.c] Move the PAM credential establishment for X-Git-Tag: V_5_7_P1~105 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=728d8371a1dc1b615284ece94b0085897b4c0b51;p=thirdparty%2Fopenssh-portable.git - (dtucker) [platform.c session.c] Move the PAM credential establishment for the LOGIN_CAP case into platform.c. --- diff --git a/ChangeLog b/ChangeLog index 3f415d7dc..909b9fc59 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,8 @@ - (dtucker) [platform.c session.c] Move the BSDI setpgrp into platform.c. - (dtucker) [platform.c] Only call setpgrp on BSDI if running as root to retain previous behavior. + - (dtucker) [platform.c session.c] Move the PAM credential establishment for + the LOGIN_CAP case into platform.c. 20101025 - (tim) [openbsd-compat/glob.h] Remove sys/cdefs.h include that came with diff --git a/platform.c b/platform.c index 570f130ae..0335eaae6 100644 --- a/platform.c +++ b/platform.c @@ -1,4 +1,4 @@ -/* $Id: platform.c,v 1.8 2010/11/05 01:50:41 dtucker Exp $ */ +/* $Id: platform.c,v 1.9 2010/11/05 02:00:05 dtucker Exp $ */ /* * Copyright (c) 2006 Darren Tucker. All rights reserved. @@ -21,6 +21,8 @@ #include "openbsd-compat/openbsd-compat.h" +extern int use_privsep; + void platform_pre_listen(void) { @@ -79,6 +81,18 @@ platform_setusercontext(struct passwd *pw) if (getuid() == 0 || geteuid() == 0) setpgid(0, 0); # endif + +#if defined(HAVE_LOGIN_CAP) && defined(USE_PAM) + /* + * If we have both LOGIN_CAP and PAM, we want to establish creds + * before calling setusercontext (in session.c:do_setusercontext). + */ + if (getuid() == 0 || geteuid() == 0) { + if (options.use_pam) { + do_pam_setcred(use_privsep); + } + } +# endif /* USE_PAM */ } /* diff --git a/session.c b/session.c index 0775d78d2..a2d8bec8b 100644 --- a/session.c +++ b/session.c @@ -1476,11 +1476,6 @@ do_setusercontext(struct passwd *pw) #endif /* HAVE_CYGWIN */ { #ifdef HAVE_LOGIN_CAP -# ifdef USE_PAM - if (options.use_pam) { - do_pam_setcred(use_privsep); - } -# endif /* USE_PAM */ if (setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context");