diff options
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | session.c | 22 |
2 files changed, 21 insertions, 4 deletions
| @@ -2,6 +2,9 @@ | |||
| 2 | - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that | 2 | - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that |
| 3 | it gets the passwd struct from the LAM that knows about the user which is | 3 | it gets the passwd struct from the LAM that knows about the user which is |
| 4 | not necessarily the default. Patch from Alexandre Letourneau. | 4 | not necessarily the default. Patch from Alexandre Letourneau. |
| 5 | - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and | ||
| 6 | do not set real uid, since that's needed for the chroot, and will be set | ||
| 7 | by permanently_set_uid. | ||
| 5 | 8 | ||
| 6 | 20100305 | 9 | 20100305 |
| 7 | - OpenBSD CVS Sync | 10 | - OpenBSD CVS Sync |
| @@ -1530,6 +1530,24 @@ do_setusercontext(struct passwd *pw) | |||
| 1530 | } | 1530 | } |
| 1531 | # endif /* USE_LIBIAF */ | 1531 | # endif /* USE_LIBIAF */ |
| 1532 | #endif | 1532 | #endif |
| 1533 | #ifdef HAVE_SETPCRED | ||
| 1534 | /* | ||
| 1535 | * If we have a chroot directory, we set all creds except real | ||
| 1536 | * uid which we will need for chroot. If we don't have a | ||
| 1537 | * chroot directory, we don't override anything. | ||
| 1538 | */ | ||
| 1539 | { | ||
| 1540 | char **creds, *chroot_creds[] = | ||
| 1541 | { "REAL_USER=root", NULL }; | ||
| 1542 | |||
| 1543 | if (options.chroot_directory != NULL && | ||
| 1544 | strcasecmp(options.chroot_directory, "none") != 0) | ||
| 1545 | creds = chroot_creds; | ||
| 1546 | |||
| 1547 | if (setpcred(pw->pw_name, creds) == -1) | ||
| 1548 | fatal("Failed to set process credentials"); | ||
| 1549 | } | ||
| 1550 | #endif /* HAVE_SETPCRED */ | ||
| 1533 | 1551 | ||
| 1534 | if (options.chroot_directory != NULL && | 1552 | if (options.chroot_directory != NULL && |
| 1535 | strcasecmp(options.chroot_directory, "none") != 0) { | 1553 | strcasecmp(options.chroot_directory, "none") != 0) { |
| @@ -1542,10 +1560,6 @@ do_setusercontext(struct passwd *pw) | |||
| 1542 | free(chroot_path); | 1560 | free(chroot_path); |
| 1543 | } | 1561 | } |
| 1544 | 1562 | ||
| 1545 | #ifdef HAVE_SETPCRED | ||
| 1546 | if (setpcred(pw->pw_name, (char **)NULL) == -1) | ||
| 1547 | fatal("Failed to set process credentials"); | ||
| 1548 | #endif /* HAVE_SETPCRED */ | ||
| 1549 | #ifdef HAVE_LOGIN_CAP | 1563 | #ifdef HAVE_LOGIN_CAP |
| 1550 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { | 1564 | if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { |
| 1551 | perror("unable to set user context (setuser)"); | 1565 | perror("unable to set user context (setuser)"); |