author | Damien Miller <djm@mindrot.org> | 2001-03-27 16:12:24 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2001-03-27 16:12:24 +1000 |
commit | f9e93009478075ec04f0ee407e8f83ab2558a892 (patch) | |
tree | 48327e0001087c3d25a13a4a53111519c5b0145c | |
parent | 771bbac73327304cbac69ca37e33b5771e01fc17 (diff) |
- (djm) Reestablish PAM credentials (which can be supplemental group
memberships) after initgroups() blows them away. Report and suggested
fix from Nalin Dahyabhai <nalin@redhat.com>
-rw-r--r-- | ChangeLog | 16 | ||||
-rw-r--r-- | auth-pam.c | 7 | ||||
-rw-r--r-- | auth-pam.h | 4 | ||||
-rw-r--r-- | session.c | 13 |
4 files changed, 25 insertions, 15 deletions
@@ -1,10 +1,3 @@ | |||
1 | 20010328 | ||
2 | - OpenBSD CVS Sync | ||
3 | - markus@cvs.openbsd.org 2001/03/26 08:07:09 | ||
4 | [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c | ||
5 | sshconnect.h sshconnect1.c sshconnect2.c sshd.c] | ||
6 | simpler key load/save interface, see authfile.h | ||
7 | |||
8 | 20010327 | 1 | 20010327 |
9 | - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID) | 2 | - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID) |
10 | - Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz | 3 | - Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz |
@@ -17,6 +10,13 @@ | |||
17 | [servconf.c servconf.h session.c sshd.8 sshd_config] | 10 | [servconf.c servconf.h session.c sshd.8 sshd_config] |
18 | PrintLastLog option; from chip@valinux.com with some minor | 11 | PrintLastLog option; from chip@valinux.com with some minor |
19 | changes by me. ok markus@ | 12 | changes by me. ok markus@ |
13 | - markus@cvs.openbsd.org 2001/03/26 08:07:09 | ||
14 | [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c | ||
15 | sshconnect.h sshconnect1.c sshconnect2.c sshd.c] | ||
16 | simpler key load/save interface, see authfile.h | ||
17 | - (djm) Reestablish PAM credentials (which can be supplemental group | ||
18 | memberships) after initgroups() blows them away. Report and suggested | ||
19 | fix from Nalin Dahyabhai <nalin@redhat.com> | ||
20 | 20 | ||
21 | 20010324 | 21 | 20010324 |
22 | - Fixed permissions ssh-keyscan. Thanks to Christopher Linn <celinn@mtu.edu>. | 22 | - Fixed permissions ssh-keyscan. Thanks to Christopher Linn <celinn@mtu.edu>. |
@@ -4725,4 +4725,4 @@ | |||
4725 | - Wrote replacements for strlcpy and mkdtemp | 4725 | - Wrote replacements for strlcpy and mkdtemp |
4726 | - Released 1.0pre1 | 4726 | - Released 1.0pre1 |
4727 | 4727 | ||
4728 | $Id: ChangeLog,v 1.1020 2001/03/26 13:44:06 mouring Exp $ | 4728 | $Id: ChangeLog,v 1.1021 2001/03/27 06:12:24 djm Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index 2ea29964d..d8eefdfd7 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -33,7 +33,7 @@ | |||
33 | #include "canohost.h" | 33 | #include "canohost.h" |
34 | #include "readpass.h" | 34 | #include "readpass.h" |
35 | 35 | ||
36 | RCSID("$Id: auth-pam.c,v 1.33 2001/03/21 02:01:35 djm Exp $"); | 36 | RCSID("$Id: auth-pam.c,v 1.34 2001/03/27 06:12:24 djm Exp $"); |
37 | 37 | ||
38 | #define NEW_AUTHTOK_MSG \ | 38 | #define NEW_AUTHTOK_MSG \ |
39 | "Warning: Your password has expired, please change it now" | 39 | "Warning: Your password has expired, please change it now" |
@@ -287,14 +287,15 @@ void do_pam_session(char *username, const char *ttyname) | |||
287 | } | 287 | } |
288 | 288 | ||
289 | /* Set PAM credentials */ | 289 | /* Set PAM credentials */ |
290 | void do_pam_setcred(void) | 290 | void do_pam_setcred(int init) |
291 | { | 291 | { |
292 | int pam_retval; | 292 | int pam_retval; |
293 | 293 | ||
294 | do_pam_set_conv(&conv); | 294 | do_pam_set_conv(&conv); |
295 | 295 | ||
296 | debug("PAM establishing creds"); | 296 | debug("PAM establishing creds"); |
297 | pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED); | 297 | pam_retval = pam_setcred(__pamh, |
298 | init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); | ||
298 | if (pam_retval != PAM_SUCCESS) { | 299 | if (pam_retval != PAM_SUCCESS) { |
299 | if (was_authenticated) | 300 | if (was_authenticated) |
300 | fatal("PAM setcred failed[%d]: %.200s", | 301 | fatal("PAM setcred failed[%d]: %.200s", |
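Review bot: The new `init` flag is documented neither at the definition on line 290 nor at the prototype in auth-pam.h (line 15), and the message on line 296 still says "establishing" although the function is now also used to reinitialize credentials. I would extend the header comment to `/* Set PAM credentials: init != 0 establishes them (PAM_ESTABLISH_CRED); 0 re-establishes them after initgroups() has reset the supplementary groups (PAM_REINITIALIZE_CRED) */` and change the log line to `debug("PAM %s creds", init ? "establishing" : "reinitializing");` so the two call sites can be told apart in the log. do_pam_setcred's body, including the rest of its failure handling, continues outside the hunk.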
diff --git a/auth-pam.h b/auth-pam.h index 1cf85c0f1..c249b5396 100644 --- a/auth-pam.h +++ b/auth-pam.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: auth-pam.h,v 1.10 2001/02/15 00:51:32 djm Exp $ */ | 1 | /* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */ |
2 | 2 | ||
3 | #include "includes.h" | 3 | #include "includes.h" |
4 | #ifdef USE_PAM | 4 | #ifdef USE_PAM |
@@ -12,7 +12,7 @@ char **fetch_pam_environment(void); | |||
12 | int do_pam_authenticate(int flags); | 12 | int do_pam_authenticate(int flags); |
13 | int do_pam_account(char *username, char *remote_user); | 13 | int do_pam_account(char *username, char *remote_user); |
14 | void do_pam_session(char *username, const char *ttyname); | 14 | void do_pam_session(char *username, const char *ttyname); |
15 | void do_pam_setcred(void); | 15 | void do_pam_setcred(int init); |
16 | void print_pam_messages(void); | 16 | void print_pam_messages(void); |
17 | int is_pam_password_change_required(void); | 17 | int is_pam_password_change_required(void); |
18 | void do_pam_chauthtok(void); | 18 | void do_pam_chauthtok(void); |
@@ -488,7 +488,7 @@ do_exec_no_pty(Session *s, const char *command) | |||
488 | session_proctitle(s); | 488 | session_proctitle(s); |
489 | 489 | ||
490 | #if defined(USE_PAM) | 490 | #if defined(USE_PAM) |
491 | do_pam_setcred(); | 491 | do_pam_setcred(1); |
492 | #endif /* USE_PAM */ | 492 | #endif /* USE_PAM */ |
493 | 493 | ||
494 | /* Fork the child. */ | 494 | /* Fork the child. */ |
@@ -603,7 +603,7 @@ do_exec_pty(Session *s, const char *command) | |||
603 | 603 | ||
604 | #if defined(USE_PAM) | 604 | #if defined(USE_PAM) |
605 | do_pam_session(s->pw->pw_name, s->tty); | 605 | do_pam_session(s->pw->pw_name, s->tty); |
606 | do_pam_setcred(); | 606 | do_pam_setcred(1); |
607 | #endif | 607 | #endif |
608 | 608 | ||
609 | /* Fork the child. */ | 609 | /* Fork the child. */ |
@@ -1100,6 +1100,15 @@ do_child(Session *s, const char *command) | |||
1100 | exit(1); | 1100 | exit(1); |
1101 | } | 1101 | } |
1102 | endgrent(); | 1102 | endgrent(); |
1103 | # ifdef USE_PAM | ||
1104 | /* | ||
1105 | * PAM credentials may take the form of | ||
1106 | * supplementary groups. These will have been | ||
1107 | * wiped by the above initgroups() call. | ||
1108 | * Reestablish them here. | ||
1109 | */ | ||
1110 | do_pam_setcred(0); | ||
1111 | # endif /* USE_PAM */ | ||
1103 | # ifdef WITH_IRIX_JOBS | 1112 | # ifdef WITH_IRIX_JOBS |
1104 | jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); | 1113 | jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); |
1105 | if (jid == -1) { | 1114 | if (jid == -1) { |
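Review bot: `do_pam_setcred(0)` on the new line 1110 runs in the forked child after `initgroups()`, so the failure path visible in the auth-pam.c hunk (`fatal(...)` when `was_authenticated`) now terminates the child session rather than the pre-fork callers in do_exec_no_pty and do_exec_pty; that is fail-closed and seems right, but it is worth stating in the new comment, e.g. append `* A failure here is fatal for the child (see do_pam_setcred).`. Whether the call still runs with the privileges PAM needs depends on where do_child changes uid later, which is outside this hunk — confirm it precedes the uid drop. The enclosing block (the `# ifdef` nesting suggests it sits inside another conditional) starts before the hunk and do_child continues after it.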