diff options
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | openbsd-compat/port-aix.h | 7 | ||||
| -rw-r--r-- | session.c | 9 |
3 files changed, 14 insertions, 6 deletions
| @@ -2,6 +2,10 @@ | |||
| 2 | - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not | 2 | - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not |
| 3 | using it since the type conflicts can cause problems on FreeBSD. Patch | 3 | using it since the type conflicts can cause problems on FreeBSD. Patch |
| 4 | from Jonathan Chen. | 4 | from Jonathan Chen. |
| 5 | - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move | ||
| 6 | the setpcred call on AIX to immediately before the permanently_set_uid(). | ||
| 7 | Ensures that we still have privileges when we call chroot and | ||
| 8 | pam_open_sesson. Based on a patch from David Leonard. | ||
| 5 | 9 | ||
| 6 | 20090817 | 10 | 20090817 |
| 7 | - (dtucker) [configure.ac] Check for headers before libraries for openssl an | 11 | - (dtucker) [configure.ac] Check for headers before libraries for openssl an |
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 967bc7235..3ac76ae15 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $Id: port-aix.h,v 1.30 2009/08/16 23:40:00 dtucker Exp $ */ | 1 | /* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * | 4 | * |
| @@ -71,6 +71,11 @@ int passwdexpired(char *, char **); | |||
| 71 | # include <sys/timers.h> | 71 | # include <sys/timers.h> |
| 72 | #endif | 72 | #endif |
| 73 | 73 | ||
| 74 | /* for setpcred and friends */ | ||
| 75 | #ifdef HAVE_USERSEC_H | ||
| 76 | # include <usersec.h> | ||
| 77 | #endif | ||
| 78 | |||
| 74 | /* | 79 | /* |
| 75 | * According to the setauthdb man page, AIX password registries must be 15 | 80 | * According to the setauthdb man page, AIX password registries must be 15 |
| 76 | * chars or less plus terminating NUL. | 81 | * chars or less plus terminating NUL. |
| @@ -1466,11 +1466,6 @@ do_setusercontext(struct passwd *pw) | |||
| 1466 | if (getuid() == 0 || geteuid() == 0) | 1466 | if (getuid() == 0 || geteuid() == 0) |
| 1467 | #endif /* HAVE_CYGWIN */ | 1467 | #endif /* HAVE_CYGWIN */ |
| 1468 | { | 1468 | { |
| 1469 | |||
| 1470 | #ifdef HAVE_SETPCRED | ||
| 1471 | if (setpcred(pw->pw_name, (char **)NULL) == -1) | ||
| 1472 | fatal("Failed to set process credentials"); | ||
| 1473 | #endif /* HAVE_SETPCRED */ | ||
| 1474 | #ifdef HAVE_LOGIN_CAP | 1469 | #ifdef HAVE_LOGIN_CAP |
| 1475 | # ifdef __bsdi__ | 1470 | # ifdef __bsdi__ |
| 1476 | setpgid(0, 0); | 1471 | setpgid(0, 0); |
| @@ -1538,6 +1533,10 @@ do_setusercontext(struct passwd *pw) | |||
| 1538 | free(chroot_path); | 1533 | free(chroot_path); |
| 1539 | } | 1534 | } |
| 1540 | 1535 | ||
| 1536 | #ifdef HAVE_SETPCRED | ||
| 1537 | if (setpcred(pw->pw_name, (char **)NULL) == -1) | ||
| 1538 | fatal("Failed to set process credentials"); | ||
| 1539 | #endif /* HAVE_SETPCRED */ | ||
| 1541 | #ifdef HAVE_LOGIN_CAP | 1540 | #ifdef HAVE_LOGIN_CAP |
| 1542 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { | 1541 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { |
| 1543 | perror("unable to set user context (setuser)"); | 1542 | perror("unable to set user context (setuser)"); |