- (djm) Clear supplemental groups at sshd start to prevent them from

being propogated to random PAM modules. Based on patch from Redhat via Pekka Savola <pekkas@netcore.fi>
author: Damien Miller <djm@mindrot.org> 2001-09-15 21:12:49 +1000
committer: Damien Miller <djm@mindrot.org> 2001-09-15 21:12:49 +1000
commit: ebf989e601a137d2c2dd489a614c7ba54b6fc910 (patch)
tree: 06093961121682e71af1bece0fda514bd8910053
parent: ba6f9f9e492705d85001426d535bd3ff5b8dc46c (diff)
2 files changed, 8 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 0162669ca..e818d5ef6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@
   Redhat
 - (djm) Redhat initscript config sanity checking from Pekka Savola 
   <pekkas@netcore.fi>
+ - (djm) Clear supplemental groups at sshd start to prevent them from 
+   being propogated to random PAM modules. Based on patch from Redhat via
+   Pekka Savola <pekkas@netcore.fi>
 20010914
 - (bal) OpenBSD CVS Sync
@@ -6436,4 +6439,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1518 2001/09/15 11:03:10 djm Exp $
+$Id: ChangeLog,v 1.1519 2001/09/15 11:12:49 djm Exp $
diff --git a/sshd.c b/sshd.c
index aa822df17..ce13dcaf0 100644
--- a/sshd.c
+++ b/sshd.c
@@ -782,6 +782,10 @@ main(int ac, char **av)
                log_stderr = 1;
        log_init(__progname, options.log_level, options.log_facility, log_stderr);
+        /* Make supp. groups don't get propogated to PAM modules */
+        if (setgroups(0, NULL) < 0)
+                fatal("setgroups() failed: %.200s", strerror(errno));
        /*
         * If not in debugging mode, and not started from inetd, disconnect
         * from the controlling terminal, and fork.  The original process
author	Damien Miller <djm@mindrot.org>	2001-09-15 21:12:49 +1000
committer	Damien Miller <djm@mindrot.org>	2001-09-15 21:12:49 +1000
commit	ebf989e601a137d2c2dd489a614c7ba54b6fc910 (patch)
tree	06093961121682e71af1bece0fda514bd8910053
parent	ba6f9f9e492705d85001426d535bd3ff5b8dc46c (diff)