summaryrefslogtreecommitdiff
path: root/debian/patches/selinux-role.patch
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2016-12-20 00:22:53 +0000
committerColin Watson <cjwatson@debian.org>2016-12-23 19:08:35 +0000
commitee52365e713e546dbd878d73d9590dbaccd760ba (patch)
tree841d0d9ae73e83070bcc3b46218ebdd18142dda3 /debian/patches/selinux-role.patch
parent8a4a5c22e363ad6a110ad9b787170297f5da8f04 (diff)
parent2103d3e5566c54e08a59be750579a249e46747d7 (diff)
New upstream release (7.4p1).
Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r--debian/patches/selinux-role.patch151
1 files changed, 60 insertions, 91 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index bcb61480d..9ab9394b3 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 7a7851c903e5dbb58a85014deb2c88cb718068c9 Mon Sep 17 00:00:00 2001 1From 5e4ebd6472d995738a2c67d618c4bd1ee2c00968 Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -14,7 +14,6 @@ Last-Update: 2015-08-19
14Patch-Name: selinux-role.patch 14Patch-Name: selinux-role.patch
15--- 15---
16 auth.h | 1 + 16 auth.h | 1 +
17 auth1.c | 8 +++++++-
18 auth2.c | 10 ++++++++-- 17 auth2.c | 10 ++++++++--
19 monitor.c | 32 +++++++++++++++++++++++++++++--- 18 monitor.c | 32 +++++++++++++++++++++++++++++---
20 monitor.h | 2 ++ 19 monitor.h | 2 ++
@@ -29,10 +28,10 @@ Patch-Name: selinux-role.patch
29 sshd.c | 2 +- 28 sshd.c | 2 +-
30 sshpty.c | 4 ++-- 29 sshpty.c | 4 ++--
31 sshpty.h | 2 +- 30 sshpty.h | 2 +-
32 16 files changed, 104 insertions(+), 31 deletions(-) 31 15 files changed, 97 insertions(+), 30 deletions(-)
33 32
34diff --git a/auth.h b/auth.h 33diff --git a/auth.h b/auth.h
35index 55170af..50baeaa 100644 34index 338a62da..8c658d16 100644
36--- a/auth.h 35--- a/auth.h
37+++ b/auth.h 36+++ b/auth.h
38@@ -62,6 +62,7 @@ struct Authctxt { 37@@ -62,6 +62,7 @@ struct Authctxt {
@@ -43,39 +42,8 @@ index 55170af..50baeaa 100644
43 void *kbdintctxt; 42 void *kbdintctxt;
44 char *info; /* Extra info for next auth_log */ 43 char *info; /* Extra info for next auth_log */
45 #ifdef BSD_AUTH 44 #ifdef BSD_AUTH
46diff --git a/auth1.c b/auth1.c
47index 5073c49..dd00648 100644
48--- a/auth1.c
49+++ b/auth1.c
50@@ -383,7 +383,7 @@ void
51 do_authentication(Authctxt *authctxt)
52 {
53 u_int ulen;
54- char *user, *style = NULL;
55+ char *user, *style = NULL, *role = NULL;
56
57 /* Get the name of the user that we wish to log in as. */
58 packet_read_expect(SSH_CMSG_USER);
59@@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt)
60 user = packet_get_cstring(&ulen);
61 packet_check_eom();
62
63+ if ((role = strchr(user, '/')) != NULL)
64+ *role++ = '\0';
65+
66 if ((style = strchr(user, ':')) != NULL)
67 *style++ = '\0';
68+ else if (role && (style = strchr(role, ':')) != NULL)
69+ *style++ = '\0';
70
71 authctxt->user = user;
72 authctxt->style = style;
73+ authctxt->role = role;
74
75 /* Verify that the user is a valid user. */
76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
77diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
78index ce0d376..461311b 100644 46index ce0d3760..461311bd 100644
79--- a/auth2.c 47--- a/auth2.c
80+++ b/auth2.c 48+++ b/auth2.c
81@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 49@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
@@ -113,10 +81,10 @@ index ce0d376..461311b 100644
113 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
114 packet_disconnect("no authentication methods enabled"); 82 packet_disconnect("no authentication methods enabled");
115diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
116index 05bb48a..e91054e 100644 84index 76d9e346..64286a12 100644
117--- a/monitor.c 85--- a/monitor.c
118+++ b/monitor.c 86+++ b/monitor.c
119@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *); 87@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
120 int mm_answer_pwnamallow(int, Buffer *); 88 int mm_answer_pwnamallow(int, Buffer *);
121 int mm_answer_auth2_read_banner(int, Buffer *); 89 int mm_answer_auth2_read_banner(int, Buffer *);
122 int mm_answer_authserv(int, Buffer *); 90 int mm_answer_authserv(int, Buffer *);
@@ -124,7 +92,7 @@ index 05bb48a..e91054e 100644
124 int mm_answer_authpassword(int, Buffer *); 92 int mm_answer_authpassword(int, Buffer *);
125 int mm_answer_bsdauthquery(int, Buffer *); 93 int mm_answer_bsdauthquery(int, Buffer *);
126 int mm_answer_bsdauthrespond(int, Buffer *); 94 int mm_answer_bsdauthrespond(int, Buffer *);
127@@ -209,6 +210,7 @@ struct mon_table mon_dispatch_proto20[] = { 95@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] = {
128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,15 +100,15 @@ index 05bb48a..e91054e 100644
132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
134 #ifdef USE_PAM 102 #ifdef USE_PAM
135@@ -880,6 +882,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 103@@ -786,6 +788,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
136 else { 104
137 /* Allow service/style information on the auth context */ 105 /* Allow service/style information on the auth context */
138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
139+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); 107+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
141 } 109
142 #ifdef USE_PAM 110 #ifdef USE_PAM
143@@ -910,14 +913,37 @@ mm_answer_authserv(int sock, Buffer *m) 111@@ -816,14 +819,37 @@ mm_answer_authserv(int sock, Buffer *m)
144 112
145 authctxt->service = buffer_get_string(m, NULL); 113 authctxt->service = buffer_get_string(m, NULL);
146 authctxt->style = buffer_get_string(m, NULL); 114 authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +148,7 @@ index 05bb48a..e91054e 100644
180 return (0); 148 return (0);
181 } 149 }
182 150
183@@ -1553,7 +1579,7 @@ mm_answer_pty(int sock, Buffer *m) 151@@ -1458,7 +1484,7 @@ mm_answer_pty(int sock, Buffer *m)
184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 152 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
185 if (res == 0) 153 if (res == 0)
186 goto error; 154 goto error;
@@ -190,7 +158,7 @@ index 05bb48a..e91054e 100644
190 buffer_put_int(m, 1); 158 buffer_put_int(m, 1);
191 buffer_put_cstring(m, s->tty); 159 buffer_put_cstring(m, s->tty);
192diff --git a/monitor.h b/monitor.h 160diff --git a/monitor.h b/monitor.h
193index bc50ade..2d82b8b 100644 161index ec41404c..4c7955d7 100644
194--- a/monitor.h 162--- a/monitor.h
195+++ b/monitor.h 163+++ b/monitor.h
196@@ -68,6 +68,8 @@ enum monitor_reqtype { 164@@ -68,6 +68,8 @@ enum monitor_reqtype {
@@ -201,12 +169,12 @@ index bc50ade..2d82b8b 100644
201+ 169+
202 }; 170 };
203 171
204 struct mm_master; 172 struct monitor {
205diff --git a/monitor_wrap.c b/monitor_wrap.c 173diff --git a/monitor_wrap.c b/monitor_wrap.c
206index 5a9f1b5..11e3a69 100644 174index d5cb640a..2ff8064a 100644
207--- a/monitor_wrap.c 175--- a/monitor_wrap.c
208+++ b/monitor_wrap.c 176+++ b/monitor_wrap.c
209@@ -328,10 +328,10 @@ mm_auth2_read_banner(void) 177@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
210 return (banner); 178 return (banner);
211 } 179 }
212 180
@@ -219,7 +187,7 @@ index 5a9f1b5..11e3a69 100644
219 { 187 {
220 Buffer m; 188 Buffer m;
221 189
222@@ -340,12 +340,30 @@ mm_inform_authserv(char *service, char *style) 190@@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style)
223 buffer_init(&m); 191 buffer_init(&m);
224 buffer_put_cstring(&m, service); 192 buffer_put_cstring(&m, service);
225 buffer_put_cstring(&m, style ? style : ""); 193 buffer_put_cstring(&m, style ? style : "");
@@ -251,7 +219,7 @@ index 5a9f1b5..11e3a69 100644
251 int 219 int
252 mm_auth_password(Authctxt *authctxt, char *password) 220 mm_auth_password(Authctxt *authctxt, char *password)
253diff --git a/monitor_wrap.h b/monitor_wrap.h 221diff --git a/monitor_wrap.h b/monitor_wrap.h
254index b5414c2..d5b3334 100644 222index 8f9dd896..3e75867c 100644
255--- a/monitor_wrap.h 223--- a/monitor_wrap.h
256+++ b/monitor_wrap.h 224+++ b/monitor_wrap.h
257@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); 225@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
@@ -265,10 +233,10 @@ index b5414c2..d5b3334 100644
265 char *mm_auth2_read_banner(void); 233 char *mm_auth2_read_banner(void);
266 int mm_auth_password(struct Authctxt *, char *); 234 int mm_auth_password(struct Authctxt *, char *);
267diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c 235diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
268index f36999d..f9cdc15 100644 236index e4c5d1b7..e26faf08 100644
269--- a/openbsd-compat/port-linux.c 237--- a/openbsd-compat/port-linux.c
270+++ b/openbsd-compat/port-linux.c 238+++ b/openbsd-compat/port-linux.c
271@@ -29,6 +29,12 @@ 239@@ -27,6 +27,12 @@
272 #include <string.h> 240 #include <string.h>
273 #include <stdio.h> 241 #include <stdio.h>
274 242
@@ -281,7 +249,7 @@ index f36999d..f9cdc15 100644
281 #include "log.h" 249 #include "log.h"
282 #include "xmalloc.h" 250 #include "xmalloc.h"
283 #include "port-linux.h" 251 #include "port-linux.h"
284@@ -58,7 +64,7 @@ ssh_selinux_enabled(void) 252@@ -56,7 +62,7 @@ ssh_selinux_enabled(void)
285 253
286 /* Return the default security context for the given username */ 254 /* Return the default security context for the given username */
287 static security_context_t 255 static security_context_t
@@ -290,7 +258,7 @@ index f36999d..f9cdc15 100644
290 { 258 {
291 security_context_t sc = NULL; 259 security_context_t sc = NULL;
292 char *sename = NULL, *lvl = NULL; 260 char *sename = NULL, *lvl = NULL;
293@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname) 261@@ -71,9 +77,16 @@ ssh_selinux_getctxbyname(char *pwname)
294 #endif 262 #endif
295 263
296 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 264 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -309,7 +277,7 @@ index f36999d..f9cdc15 100644
309 #endif 277 #endif
310 278
311 if (r != 0) { 279 if (r != 0) {
312@@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname) 280@@ -103,7 +116,7 @@ ssh_selinux_getctxbyname(char *pwname)
313 281
314 /* Set the execution context to the default for the specified user */ 282 /* Set the execution context to the default for the specified user */
315 void 283 void
@@ -318,7 +286,7 @@ index f36999d..f9cdc15 100644
318 { 286 {
319 security_context_t user_ctx = NULL; 287 security_context_t user_ctx = NULL;
320 288
321@@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname) 289@@ -112,7 +125,7 @@ ssh_selinux_setup_exec_context(char *pwname)
322 290
323 debug3("%s: setting execution context", __func__); 291 debug3("%s: setting execution context", __func__);
324 292
@@ -327,7 +295,7 @@ index f36999d..f9cdc15 100644
327 if (setexeccon(user_ctx) != 0) { 295 if (setexeccon(user_ctx) != 0) {
328 switch (security_getenforce()) { 296 switch (security_getenforce()) {
329 case -1: 297 case -1:
330@@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname) 298@@ -134,7 +147,7 @@ ssh_selinux_setup_exec_context(char *pwname)
331 299
332 /* Set the TTY context for the specified user */ 300 /* Set the TTY context for the specified user */
333 void 301 void
@@ -336,7 +304,7 @@ index f36999d..f9cdc15 100644
336 { 304 {
337 security_context_t new_tty_ctx = NULL; 305 security_context_t new_tty_ctx = NULL;
338 security_context_t user_ctx = NULL; 306 security_context_t user_ctx = NULL;
339@@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) 307@@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
340 308
341 debug3("%s: setting TTY context on %s", __func__, tty); 309 debug3("%s: setting TTY context on %s", __func__, tty);
342 310
@@ -346,10 +314,10 @@ index f36999d..f9cdc15 100644
346 /* XXX: should these calls fatal() upon failure in enforcing mode? */ 314 /* XXX: should these calls fatal() upon failure in enforcing mode? */
347 315
348diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h 316diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
349index e3d1004..80ce13a 100644 317index 3c22a854..c8812942 100644
350--- a/openbsd-compat/port-linux.h 318--- a/openbsd-compat/port-linux.h
351+++ b/openbsd-compat/port-linux.h 319+++ b/openbsd-compat/port-linux.h
352@@ -21,8 +21,8 @@ 320@@ -19,8 +19,8 @@
353 321
354 #ifdef WITH_SELINUX 322 #ifdef WITH_SELINUX
355 int ssh_selinux_enabled(void); 323 int ssh_selinux_enabled(void);
@@ -361,10 +329,10 @@ index e3d1004..80ce13a 100644
361 void ssh_selinux_setfscreatecon(const char *); 329 void ssh_selinux_setfscreatecon(const char *);
362 #endif 330 #endif
363diff --git a/platform.c b/platform.c 331diff --git a/platform.c b/platform.c
364index acf8554..4831706 100644 332index 973a63e4..cd7bf566 100644
365--- a/platform.c 333--- a/platform.c
366+++ b/platform.c 334+++ b/platform.c
367@@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *pw) 335@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
368 * called if sshd is running as root. 336 * called if sshd is running as root.
369 */ 337 */
370 void 338 void
@@ -373,7 +341,7 @@ index acf8554..4831706 100644
373 { 341 {
374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 342 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
375 /* 343 /*
376@@ -186,7 +186,7 @@ platform_setusercontext_post_groups(struct passwd *pw) 344@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
377 } 345 }
378 #endif /* HAVE_SETPCRED */ 346 #endif /* HAVE_SETPCRED */
379 #ifdef WITH_SELINUX 347 #ifdef WITH_SELINUX
@@ -383,10 +351,10 @@ index acf8554..4831706 100644
383 } 351 }
384 352
385diff --git a/platform.h b/platform.h 353diff --git a/platform.h b/platform.h
386index e97ecd9..5b72304 100644 354index ea4f9c58..60d72ffe 100644
387--- a/platform.h 355--- a/platform.h
388+++ b/platform.h 356+++ b/platform.h
389@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid); 357@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
390 void platform_post_fork_child(void); 358 void platform_post_fork_child(void);
391 int platform_privileged_uidswap(void); 359 int platform_privileged_uidswap(void);
392 void platform_setusercontext(struct passwd *); 360 void platform_setusercontext(struct passwd *);
@@ -396,10 +364,10 @@ index e97ecd9..5b72304 100644
396 char *platform_krb5_get_principal_name(const char *); 364 char *platform_krb5_get_principal_name(const char *);
397 int platform_sys_dir_uid(uid_t); 365 int platform_sys_dir_uid(uid_t);
398diff --git a/session.c b/session.c 366diff --git a/session.c b/session.c
399index 2235f26..6dfcf84 100644 367index a08aa69d..ea3871eb 100644
400--- a/session.c 368--- a/session.c
401+++ b/session.c 369+++ b/session.c
402@@ -1517,7 +1517,7 @@ safely_chroot(const char *path, uid_t uid) 370@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid)
403 371
404 /* Set login name, uid, gid, and groups. */ 372 /* Set login name, uid, gid, and groups. */
405 void 373 void
@@ -408,7 +376,7 @@ index 2235f26..6dfcf84 100644
408 { 376 {
409 char *chroot_path, *tmp; 377 char *chroot_path, *tmp;
410 378
411@@ -1545,7 +1545,7 @@ do_setusercontext(struct passwd *pw) 379@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw)
412 endgrent(); 380 endgrent();
413 #endif 381 #endif
414 382
@@ -417,7 +385,7 @@ index 2235f26..6dfcf84 100644
417 385
418 if (!in_chroot && options.chroot_directory != NULL && 386 if (!in_chroot && options.chroot_directory != NULL &&
419 strcasecmp(options.chroot_directory, "none") != 0) { 387 strcasecmp(options.chroot_directory, "none") != 0) {
420@@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command) 388@@ -1489,7 +1489,7 @@ do_child(Session *s, const char *command)
421 389
422 /* Force a password change */ 390 /* Force a password change */
423 if (s->authctxt->force_pwchange) { 391 if (s->authctxt->force_pwchange) {
@@ -426,16 +394,16 @@ index 2235f26..6dfcf84 100644
426 child_close_fds(); 394 child_close_fds();
427 do_pwchange(s); 395 do_pwchange(s);
428 exit(1); 396 exit(1);
429@@ -1730,7 +1730,7 @@ do_child(Session *s, const char *command) 397@@ -1511,7 +1511,7 @@ do_child(Session *s, const char *command)
430 /* When PAM is enabled we rely on it to do the nologin check */ 398 /* When PAM is enabled we rely on it to do the nologin check */
431 if (!options.use_pam) 399 if (!options.use_pam)
432 do_nologin(pw); 400 do_nologin(pw);
433- do_setusercontext(pw); 401- do_setusercontext(pw);
434+ do_setusercontext(pw, s->authctxt->role); 402+ do_setusercontext(pw, s->authctxt->role);
435 /* 403 /*
436 * PAM session modules in do_setusercontext may have 404 * PAM session modules in do_setusercontext may have
437 * generated messages, so if this in an interactive 405 * generated messages, so if this in an interactive
438@@ -2141,7 +2141,7 @@ session_pty_req(Session *s) 406@@ -1903,7 +1903,7 @@ session_pty_req(Session *s)
439 tty_parse_modes(s->ttyfd, &n_bytes); 407 tty_parse_modes(s->ttyfd, &n_bytes);
440 408
441 if (!use_privsep) 409 if (!use_privsep)
@@ -445,10 +413,10 @@ index 2235f26..6dfcf84 100644
445 /* Set window size from the packet. */ 413 /* Set window size from the packet. */
446 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 414 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
447diff --git a/session.h b/session.h 415diff --git a/session.h b/session.h
448index f18eaf3..2b7d939 100644 416index 98e1dafe..0a31dce4 100644
449--- a/session.h 417--- a/session.h
450+++ b/session.h 418+++ b/session.h
451@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *); 419@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
452 Session *session_new(void); 420 Session *session_new(void);
453 Session *session_by_tty(char *); 421 Session *session_by_tty(char *);
454 void session_close(Session *); 422 void session_close(Session *);
@@ -458,11 +426,11 @@ index f18eaf3..2b7d939 100644
458 const char *value); 426 const char *value);
459 427
460diff --git a/sshd.c b/sshd.c 428diff --git a/sshd.c b/sshd.c
461index 982e545..76306da 100644 429index 4f791b92..5a3f796d 100644
462--- a/sshd.c 430--- a/sshd.c
463+++ b/sshd.c 431+++ b/sshd.c
464@@ -787,7 +787,7 @@ privsep_postauth(Authctxt *authctxt) 432@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
465 explicit_bzero(rnd, sizeof(rnd)); 433 reseed_prngs();
466 434
467 /* Drop privileges */ 435 /* Drop privileges */
468- do_setusercontext(authctxt->pw); 436- do_setusercontext(authctxt->pw);
@@ -471,7 +439,7 @@ index 982e545..76306da 100644
471 skip: 439 skip:
472 /* It is safe now to apply the key state */ 440 /* It is safe now to apply the key state */
473diff --git a/sshpty.c b/sshpty.c 441diff --git a/sshpty.c b/sshpty.c
474index 15da8c6..e89efb7 100644 442index fe2fb5aa..feb22b06 100644
475--- a/sshpty.c 443--- a/sshpty.c
476+++ b/sshpty.c 444+++ b/sshpty.c
477@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, 445@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
@@ -493,12 +461,13 @@ index 15da8c6..e89efb7 100644
493 461
494 if (st.st_uid != pw->pw_uid || st.st_gid != gid) { 462 if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
495diff --git a/sshpty.h b/sshpty.h 463diff --git a/sshpty.h b/sshpty.h
496index cfa3224..edf2436 100644 464index 9ec7e9a1..de7e000a 100644
497--- a/sshpty.h 465--- a/sshpty.h
498+++ b/sshpty.h 466+++ b/sshpty.h
499@@ -24,4 +24,4 @@ int pty_allocate(int *, int *, char *, size_t); 467@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t);
500 void pty_release(const char *); 468 void pty_release(const char *);
501 void pty_make_controlling_tty(int *, const char *); 469 void pty_make_controlling_tty(int *, const char *);
502 void pty_change_window_size(int, u_int, u_int, u_int, u_int); 470 void pty_change_window_size(int, u_int, u_int, u_int, u_int);
503-void pty_setowner(struct passwd *, const char *); 471-void pty_setowner(struct passwd *, const char *);
504+void pty_setowner(struct passwd *, const char *, const char *); 472+void pty_setowner(struct passwd *, const char *, const char *);
473 void disconnect_controlling_tty(void);