-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | auth-pam.c | 6 | ||||
-rw-r--r-- | monitor.c | 5 | ||||
-rw-r--r-- | session.c | 29 | ||||
-rw-r--r-- | sshd.c | 14 |
5 files changed, 30 insertions, 32 deletions
@@ -1,3 +1,9 @@ | |||
1 | 20080312 | ||
2 | - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move | ||
3 | pam_open_session and pam_close_session into the privsep monitor, which | ||
4 | will ensure that pam_session_close is called as root. Patch from Tomas | ||
5 | Mraz. | ||
6 | |||
1 | 20080309 | 7 | 20080309 |
2 | - (dtucker) [configure.ac] It turns out gcc's -fstack-protector-all doesn't | 8 | - (dtucker) [configure.ac] It turns out gcc's -fstack-protector-all doesn't |
3 | always work for all platforms and versions, so test what we can and | 9 | always work for all platforms and versions, so test what we can and |
@@ -3712,4 +3718,4 @@ | |||
3712 | OpenServer 6 and add osr5bigcrypt support so when someone migrates | 3718 | OpenServer 6 and add osr5bigcrypt support so when someone migrates |
3713 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ | 3719 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ |
3714 | 3720 | ||
3715 | $Id: ChangeLog,v 1.4864 2008/03/09 11:50:50 dtucker Exp $ | 3721 | $Id: ChangeLog,v 1.4865 2008/03/11 11:58:25 dtucker Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index a07f1fe77..ccdb9937e 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL }; | |||
598 | void | 598 | void |
599 | sshpam_cleanup(void) | 599 | sshpam_cleanup(void) |
600 | { | 600 | { |
601 | debug("PAM: cleanup"); | 601 | if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor())) |
602 | if (sshpam_handle == NULL) | ||
603 | return; | 602 | return; |
603 | debug("PAM: cleanup"); | ||
604 | pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); | 604 | pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); |
605 | if (sshpam_cred_established) { | 605 | if (sshpam_cred_established) { |
606 | debug("PAM: deleting credentials"); | ||
606 | pam_setcred(sshpam_handle, PAM_DELETE_CRED); | 607 | pam_setcred(sshpam_handle, PAM_DELETE_CRED); |
607 | sshpam_cred_established = 0; | 608 | sshpam_cred_established = 0; |
608 | } | 609 | } |
609 | if (sshpam_session_open) { | 610 | if (sshpam_session_open) { |
611 | debug("PAM: closing session"); | ||
610 | pam_close_session(sshpam_handle, PAM_SILENT); | 612 | pam_close_session(sshpam_handle, PAM_SILENT); |
611 | sshpam_session_open = 0; | 613 | sshpam_session_open = 0; |
612 | } | 614 | } |
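Review bot: The new guard at the top of sshpam_cleanup (new line 601) silently turns the function into a no-op in the unprivileged privsep child, and nothing in the hunk records why; add a comment above it such as `/* Under privsep only the monitor runs as root, so only it may close the PAM session and delete credentials (Bug #926); the child leaves its inherited handle untouched. */`. The function body continues past the hunk, so whether the child still needs the later teardown (pam_end or similar) on its copy of the handle cannot be judged here. The ChangeLog entry in this commit names the function `pam_session_close`; the PAM call in this hunk is `pam_close_session`.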
@@ -1547,6 +1547,11 @@ mm_answer_term(int sock, Buffer *req) | |||
1547 | /* The child is terminating */ | 1547 | /* The child is terminating */ |
1548 | session_destroy_all(&mm_session_close); | 1548 | session_destroy_all(&mm_session_close); |
1549 | 1549 | ||
1550 | #ifdef USE_PAM | ||
1551 | if (options.use_pam) | ||
1552 | sshpam_cleanup(); | ||
1553 | #endif | ||
1554 | |||
1550 | while (waitpid(pmonitor->m_pid, &status, 0) == -1) | 1555 | while (waitpid(pmonitor->m_pid, &status, 0) == -1) |
1551 | if (errno != EINTR) | 1556 | if (errno != EINTR) |
1552 | exit(1); | 1557 | exit(1); |
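Review bot: The added `sshpam_cleanup()` call in mm_answer_term (new lines 1550-1553) runs only when the child sends a TERM request; if the child exits without one (killed by a signal, crash), pam_close_session is skipped unless the monitor's other exit path also reaches sshpam_cleanup, which is not visible in this diff and is worth confirming. A comment on why the call lives here would help the next reader: `/* Close the PAM session here, in the monitor, so it runs as root (Bug #926). */`. mm_answer_term's body starts outside the hunk.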
@@ -428,11 +428,6 @@ do_exec_no_pty(Session *s, const char *command) | |||
428 | 428 | ||
429 | session_proctitle(s); | 429 | session_proctitle(s); |
430 | 430 | ||
431 | #if defined(USE_PAM) | ||
432 | if (options.use_pam && !use_privsep) | ||
433 | do_pam_setcred(1); | ||
434 | #endif /* USE_PAM */ | ||
435 | |||
436 | /* Fork the child. */ | 431 | /* Fork the child. */ |
437 | if ((pid = fork()) == 0) { | 432 | if ((pid = fork()) == 0) { |
438 | is_child = 1; | 433 | is_child = 1; |
@@ -563,14 +558,6 @@ do_exec_pty(Session *s, const char *command) | |||
563 | ptyfd = s->ptyfd; | 558 | ptyfd = s->ptyfd; |
564 | ttyfd = s->ttyfd; | 559 | ttyfd = s->ttyfd; |
565 | 560 | ||
566 | #if defined(USE_PAM) | ||
567 | if (options.use_pam) { | ||
568 | do_pam_set_tty(s->tty); | ||
569 | if (!use_privsep) | ||
570 | do_pam_setcred(1); | ||
571 | } | ||
572 | #endif | ||
573 | |||
574 | /* Fork the child. */ | 561 | /* Fork the child. */ |
575 | if ((pid = fork()) == 0) { | 562 | if ((pid = fork()) == 0) { |
576 | is_child = 1; | 563 | is_child = 1; |
@@ -1373,16 +1360,8 @@ do_setusercontext(struct passwd *pw) | |||
1373 | # ifdef __bsdi__ | 1360 | # ifdef __bsdi__ |
1374 | setpgid(0, 0); | 1361 | setpgid(0, 0); |
1375 | # endif | 1362 | # endif |
1376 | #ifdef GSSAPI | ||
1377 | if (options.gss_authentication) { | ||
1378 | temporarily_use_uid(pw); | ||
1379 | ssh_gssapi_storecreds(); | ||
1380 | restore_uid(); | ||
1381 | } | ||
1382 | #endif | ||
1383 | # ifdef USE_PAM | 1363 | # ifdef USE_PAM |
1384 | if (options.use_pam) { | 1364 | if (options.use_pam) { |
1385 | do_pam_session(); | ||
1386 | do_pam_setcred(use_privsep); | 1365 | do_pam_setcred(use_privsep); |
1387 | } | 1366 | } |
1388 | # endif /* USE_PAM */ | 1367 | # endif /* USE_PAM */ |
@@ -1410,13 +1389,6 @@ do_setusercontext(struct passwd *pw) | |||
1410 | exit(1); | 1389 | exit(1); |
1411 | } | 1390 | } |
1412 | endgrent(); | 1391 | endgrent(); |
1413 | # ifdef GSSAPI | ||
1414 | if (options.gss_authentication) { | ||
1415 | temporarily_use_uid(pw); | ||
1416 | ssh_gssapi_storecreds(); | ||
1417 | restore_uid(); | ||
1418 | } | ||
1419 | # endif | ||
1420 | # ifdef USE_PAM | 1392 | # ifdef USE_PAM |
1421 | /* | 1393 | /* |
1422 | * PAM credentials may take the form of supplementary groups. | 1394 | * PAM credentials may take the form of supplementary groups. |
@@ -1424,7 +1396,6 @@ do_setusercontext(struct passwd *pw) | |||
1424 | * Reestablish them here. | 1396 | * Reestablish them here. |
1425 | */ | 1397 | */ |
1426 | if (options.use_pam) { | 1398 | if (options.use_pam) { |
1427 | do_pam_session(); | ||
1428 | do_pam_setcred(use_privsep); | 1399 | do_pam_setcred(use_privsep); |
1429 | } | 1400 | } |
1430 | # endif /* USE_PAM */ | 1401 | # endif /* USE_PAM */ |
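Review bot: `do_pam_set_tty(s->tty)` is removed from do_exec_pty (old lines 566-572) and nothing in this commit calls it elsewhere, so PAM_TTY is no longer set before the session modules run; with pam_open_session now issued from sshd.c main() before any pty is allocated, the tty cannot be passed to the session-open call at all, which matters to modules that key on PAM_TTY (confirm whether do_pam_set_tty is still reached from a path outside this diff). If the loss is intentional, say so where the block used to be: `/* PAM_TTY is not set here: the PAM session is opened in the monitor, before pty allocation (Bug #926). */`. The `do_pam_setcred(1)` removed from both do_exec_no_pty and do_exec_pty for the !use_privsep case now depends entirely on the new call in main(), so the two hunks stand or fall together. Both do_exec_* functions continue outside their hunks.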
@@ -1847,6 +1847,20 @@ main(int ac, char **av) | |||
1847 | audit_event(SSH_AUTH_SUCCESS); | 1847 | audit_event(SSH_AUTH_SUCCESS); |
1848 | #endif | 1848 | #endif |
1849 | 1849 | ||
1850 | #ifdef GSSAPI | ||
1851 | if (options.gss_authentication) { | ||
1852 | temporarily_use_uid(authctxt->pw); | ||
1853 | ssh_gssapi_storecreds(); | ||
1854 | restore_uid(); | ||
1855 | } | ||
1856 | #endif | ||
1857 | #ifdef USE_PAM | ||
1858 | if (options.use_pam) { | ||
1859 | do_pam_setcred(1); | ||
1860 | do_pam_session(); | ||
1861 | } | ||
1862 | #endif | ||
1863 | |||
1850 | /* | 1864 | /* |
1851 | * In privilege separation, we fork another child and prepare | 1865 | * In privilege separation, we fork another child and prepare |
1852 | * file descriptor passing. | 1866 | * file descriptor passing. |
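Review bot: The added block (new lines 1857-1862) calls `do_pam_setcred(1)` before `do_pam_session()`, reversing the order the removed session.c code used (do_pam_session then do_pam_setcred), and the ChangeLog does not mention the swap; Linux-PAM's pam_setcred(3) says credentials should be set after authentication and before pam_open_session, so the new order is the documented one, but a comment should record that it is deliberate: `/* Establish credentials before opening the session, as pam_setcred(3) recommends; both run here as root in the monitor (Bug #926). */`. Under privsep the child's do_setusercontext still calls `do_pam_setcred(use_privsep)` (visible in the session.c hunks), so credentials are set in both processes; presumably intended for the supplementary-group re-establishment noted there, but worth a word in the comment. main() continues outside the hunk.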