diff options
author | Darren Tucker <dtucker@zip.com.au> | 2010-03-07 13:21:12 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2010-03-07 13:21:12 +1100 |
commit | c738e6c646aa0b588f50e953b4d3931c29e9ab28 (patch) | |
tree | 8b4ec045539c608e14ccd8d43af5024e6ca683fa | |
parent | b3d20a3ff0f822e2b39c3f6d31bfdea89f577465 (diff) |
- (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
do not set real uid, since that's needed for the chroot, and will be set
by permanently_set_uid.
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | session.c | 22 |
2 files changed, 21 insertions, 4 deletions
@@ -2,6 +2,9 @@ | |||
2 | - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that | 2 | - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that |
3 | it gets the passwd struct from the LAM that knows about the user which is | 3 | it gets the passwd struct from the LAM that knows about the user which is |
4 | not necessarily the default. Patch from Alexandre Letourneau. | 4 | not necessarily the default. Patch from Alexandre Letourneau. |
5 | - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and | ||
6 | do not set real uid, since that's needed for the chroot, and will be set | ||
7 | by permanently_set_uid. | ||
5 | 8 | ||
6 | 20100305 | 9 | 20100305 |
7 | - OpenBSD CVS Sync | 10 | - OpenBSD CVS Sync |
@@ -1530,6 +1530,24 @@ do_setusercontext(struct passwd *pw) | |||
1530 | } | 1530 | } |
1531 | # endif /* USE_LIBIAF */ | 1531 | # endif /* USE_LIBIAF */ |
1532 | #endif | 1532 | #endif |
1533 | #ifdef HAVE_SETPCRED | ||
1534 | /* | ||
1535 | * If we have a chroot directory, we set all creds except real | ||
1536 | * uid which we will need for chroot. If we don't have a | ||
1537 | * chroot directory, we don't override anything. | ||
1538 | */ | ||
1539 | { | ||
1540 | char **creds, *chroot_creds[] = | ||
1541 | { "REAL_USER=root", NULL }; | ||
1542 | |||
1543 | if (options.chroot_directory != NULL && | ||
1544 | strcasecmp(options.chroot_directory, "none") != 0) | ||
1545 | creds = chroot_creds; | ||
1546 | |||
1547 | if (setpcred(pw->pw_name, creds) == -1) | ||
1548 | fatal("Failed to set process credentials"); | ||
1549 | } | ||
1550 | #endif /* HAVE_SETPCRED */ | ||
1533 | 1551 | ||
1534 | if (options.chroot_directory != NULL && | 1552 | if (options.chroot_directory != NULL && |
1535 | strcasecmp(options.chroot_directory, "none") != 0) { | 1553 | strcasecmp(options.chroot_directory, "none") != 0) { |
@@ -1542,10 +1560,6 @@ do_setusercontext(struct passwd *pw) | |||
1542 | free(chroot_path); | 1560 | free(chroot_path); |
1543 | } | 1561 | } |
1544 | 1562 | ||
1545 | #ifdef HAVE_SETPCRED | ||
1546 | if (setpcred(pw->pw_name, (char **)NULL) == -1) | ||
1547 | fatal("Failed to set process credentials"); | ||
1548 | #endif /* HAVE_SETPCRED */ | ||
1549 | #ifdef HAVE_LOGIN_CAP | 1563 | #ifdef HAVE_LOGIN_CAP |
1550 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { | 1564 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { |
1551 | perror("unable to set user context (setuser)"); | 1565 | perror("unable to set user context (setuser)"); |