diff options
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | openbsd-compat/port-aix.h | 7 | ||||
-rw-r--r-- | session.c | 9 |
3 files changed, 14 insertions, 6 deletions
@@ -2,6 +2,10 @@ | |||
2 | - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not | 2 | - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not |
3 | using it since the type conflicts can cause problems on FreeBSD. Patch | 3 | using it since the type conflicts can cause problems on FreeBSD. Patch |
4 | from Jonathan Chen. | 4 | from Jonathan Chen. |
5 | - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move | ||
6 | the setpcred call on AIX to immediately before the permanently_set_uid(). | ||
7 | Ensures that we still have privileges when we call chroot and | ||
8 | pam_open_sesson. Based on a patch from David Leonard. | ||
5 | 9 | ||
6 | 20090817 | 10 | 20090817 |
7 | - (dtucker) [configure.ac] Check for headers before libraries for openssl an | 11 | - (dtucker) [configure.ac] Check for headers before libraries for openssl an |
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 967bc7235..3ac76ae15 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: port-aix.h,v 1.30 2009/08/16 23:40:00 dtucker Exp $ */ | 1 | /* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * | 4 | * |
@@ -71,6 +71,11 @@ int passwdexpired(char *, char **); | |||
71 | # include <sys/timers.h> | 71 | # include <sys/timers.h> |
72 | #endif | 72 | #endif |
73 | 73 | ||
74 | /* for setpcred and friends */ | ||
75 | #ifdef HAVE_USERSEC_H | ||
76 | # include <usersec.h> | ||
77 | #endif | ||
78 | |||
74 | /* | 79 | /* |
75 | * According to the setauthdb man page, AIX password registries must be 15 | 80 | * According to the setauthdb man page, AIX password registries must be 15 |
76 | * chars or less plus terminating NUL. | 81 | * chars or less plus terminating NUL. |
@@ -1466,11 +1466,6 @@ do_setusercontext(struct passwd *pw) | |||
1466 | if (getuid() == 0 || geteuid() == 0) | 1466 | if (getuid() == 0 || geteuid() == 0) |
1467 | #endif /* HAVE_CYGWIN */ | 1467 | #endif /* HAVE_CYGWIN */ |
1468 | { | 1468 | { |
1469 | |||
1470 | #ifdef HAVE_SETPCRED | ||
1471 | if (setpcred(pw->pw_name, (char **)NULL) == -1) | ||
1472 | fatal("Failed to set process credentials"); | ||
1473 | #endif /* HAVE_SETPCRED */ | ||
1474 | #ifdef HAVE_LOGIN_CAP | 1469 | #ifdef HAVE_LOGIN_CAP |
1475 | # ifdef __bsdi__ | 1470 | # ifdef __bsdi__ |
1476 | setpgid(0, 0); | 1471 | setpgid(0, 0); |
@@ -1538,6 +1533,10 @@ do_setusercontext(struct passwd *pw) | |||
1538 | free(chroot_path); | 1533 | free(chroot_path); |
1539 | } | 1534 | } |
1540 | 1535 | ||
1536 | #ifdef HAVE_SETPCRED | ||
1537 | if (setpcred(pw->pw_name, (char **)NULL) == -1) | ||
1538 | fatal("Failed to set process credentials"); | ||
1539 | #endif /* HAVE_SETPCRED */ | ||
1541 | #ifdef HAVE_LOGIN_CAP | 1540 | #ifdef HAVE_LOGIN_CAP |
1542 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { | 1541 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { |
1543 | perror("unable to set user context (setuser)"); | 1542 | perror("unable to set user context (setuser)"); |