1 files changed, 9 insertions, 71 deletions
diff --git a/session.c b/session.c
index 71e4fbe7c..fff31b02e 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.256 2010/06/25 07:20:04 djm Exp $ */
+/* $OpenBSD: session.c,v 1.258 2010/11/25 04:10:09 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -585,7 +585,8 @@ do_exec_no_pty(Session *s, const char *command)
        s->pid = pid;
        /* Set interactive/non-interactive mode. */
-        packet_set_interactive(s->display != NULL);
+        packet_set_interactive(s->display != NULL,
+            options.ip_qos_interactive, options.ip_qos_bulk);
        /*
         * Clear loginmsg, since it's the child's responsibility to display
@@ -739,7 +740,8 @@ do_exec_pty(Session *s, const char *command)
        /* Enter interactive session. */
        s->ptymaster = ptymaster;
-        packet_set_interactive(1);
+        packet_set_interactive(1, 
+            options.ip_qos_interactive, options.ip_qos_bulk);
        if (compat20) {
                session_set_fds(s, ptyfd, fdout, -1, 1, 1);
        } else {
@@ -1469,36 +1471,16 @@ do_setusercontext(struct passwd *pw)
 {
        char *chroot_path, *tmp;
-#ifdef WITH_SELINUX
+        platform_setusercontext(pw);
-        /* Cache selinux status for later use */
-        (void)ssh_selinux_enabled();
-#endif
-#ifndef HAVE_CYGWIN
+        if (platform_privileged_uidswap()) {
-        if (getuid() == 0 || geteuid() == 0)
-#endif /* HAVE_CYGWIN */
-        {
 #ifdef HAVE_LOGIN_CAP
-# ifdef __bsdi__
-                setpgid(0, 0);
-# endif
-# ifdef USE_PAM
-                if (options.use_pam) {
-                        do_pam_setcred(use_privsep);
-                }
-# endif /* USE_PAM */
                if (setusercontext(lc, pw, pw->pw_uid,
                    (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
                        perror("unable to set user context");
                        exit(1);
                }
 #else
-# if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
-                /* Sets login uid for accounting */
-                if (getluid() == -1 && setluid(pw->pw_uid) == -1)
-                        error("setluid: %s", strerror(errno));
-# endif /* defined(HAVE_GETLUID) && defined(HAVE_SETLUID) */
                if (setlogin(pw->pw_name) < 0)
                        error("setlogin failed: %s", strerror(errno));
                if (setgid(pw->pw_gid) < 0) {
@@ -1511,50 +1493,9 @@ do_setusercontext(struct passwd *pw)
                        exit(1);
                }
                endgrent();
-# ifdef USE_PAM
-                /*
-                 * PAM credentials may take the form of supplementary groups.
-                 * These will have been wiped by the above initgroups() call.
-                 * Reestablish them here.
-                 */
-                if (options.use_pam) {
-                        do_pam_setcred(use_privsep);
-                }
-# endif /* USE_PAM */
-# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
-                irix_setusercontext(pw);
-# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
-# ifdef _AIX
-                aix_usrinfo(pw);
-# endif /* _AIX */
-# ifdef USE_LIBIAF
-                if (set_id(pw->pw_name) != 0) {
-                        exit(1);
-                }
-# endif /* USE_LIBIAF */
 #endif
-#ifdef HAVE_SETPCRED
-                /*
-                 * If we have a chroot directory, we set all creds except real
-                 * uid which we will need for chroot.  If we don't have a
-                 * chroot directory, we don't override anything.
-                 */
-                {
-                        char **creds = NULL, *chroot_creds[] =
-                            { "REAL_USER=root", NULL };
-                        if (options.chroot_directory != NULL &&
-                            strcasecmp(options.chroot_directory, "none") != 0)
-                                creds = chroot_creds;
-                        if (setpcred(pw->pw_name, creds) == -1)
-                                fatal("Failed to set process credentials");
-                }
-#endif /* HAVE_SETPCRED */
-#ifdef WITH_SELINUX
+                platform_setusercontext_post_groups(pw);
-                ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
                if (options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1628,8 +1569,6 @@ launch_login(struct passwd *pw, const char *hostname)
 static void
 child_close_fds(void)
 {
-        int i;
        if (packet_get_connection_in() == packet_get_connection_out())
                close(packet_get_connection_in());
        else {
@@ -1655,8 +1594,7 @@ child_close_fds(void)
         * initgroups, because at least on Solaris 2.3 it leaves file
         * descriptors open.
         */
-        for (i = 3; i < 64; i++)
+        closefrom(STDERR_FILENO + 1);
-                close(i);
 }
 /*

diff --git a/session.c b/session.c index 71e4fbe7c..fff31b02e 100644 --- a/session.c +++ b/session.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: session.c,v 1.256 2010/06/25 07:20:04 djm Exp $ */	1	/* $OpenBSD: session.c,v 1.258 2010/11/25 04:10:09 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4	* All rights reserved	4	* All rights reserved
@@ -585,7 +585,8 @@ do_exec_no_pty(Session s, const char command)
585		585
586	s->pid = pid;	586	s->pid = pid;
587	/* Set interactive/non-interactive mode. */	587	/* Set interactive/non-interactive mode. */
588	packet_set_interactive(s->display != NULL);	588	packet_set_interactive(s->display != NULL,
		589	options.ip_qos_interactive, options.ip_qos_bulk);
589		590
590	/*	591	/*
591	* Clear loginmsg, since it's the child's responsibility to display	592	* Clear loginmsg, since it's the child's responsibility to display
@@ -739,7 +740,8 @@ do_exec_pty(Session s, const char command)
739		740
740	/* Enter interactive session. */	741	/* Enter interactive session. */
741	s->ptymaster = ptymaster;	742	s->ptymaster = ptymaster;
742	packet_set_interactive(1);	743	packet_set_interactive(1,
		744	options.ip_qos_interactive, options.ip_qos_bulk);
743	if (compat20) {	745	if (compat20) {
744	session_set_fds(s, ptyfd, fdout, -1, 1, 1);	746	session_set_fds(s, ptyfd, fdout, -1, 1, 1);
745	} else {	747	} else {
@@ -1469,36 +1471,16 @@ do_setusercontext(struct passwd *pw)
1469	{	1471	{
1470	char chroot_path, tmp;	1472	char chroot_path, tmp;
1471		1473
1472	#ifdef WITH_SELINUX	1474	platform_setusercontext(pw);
1473	/* Cache selinux status for later use */
1474	(void)ssh_selinux_enabled();
1475	#endif
1476		1475
1477	#ifndef HAVE_CYGWIN	1476	if (platform_privileged_uidswap()) {
1478	if (getuid() == 0 \|\| geteuid() == 0)
1479	#endif /* HAVE_CYGWIN */
1480	{
1481	#ifdef HAVE_LOGIN_CAP	1477	#ifdef HAVE_LOGIN_CAP
1482	# ifdef __bsdi__
1483	setpgid(0, 0);
1484	# endif
1485	# ifdef USE_PAM
1486	if (options.use_pam) {
1487	do_pam_setcred(use_privsep);
1488	}
1489	# endif /* USE_PAM */
1490	if (setusercontext(lc, pw, pw->pw_uid,	1478	if (setusercontext(lc, pw, pw->pw_uid,
1491	(LOGIN_SETALL & ~(LOGIN_SETPATH\|LOGIN_SETUSER))) < 0) {	1479	(LOGIN_SETALL & ~(LOGIN_SETPATH\|LOGIN_SETUSER))) < 0) {
1492	perror("unable to set user context");	1480	perror("unable to set user context");
1493	exit(1);	1481	exit(1);
1494	}	1482	}
1495	#else	1483	#else
1496	# if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
1497	/* Sets login uid for accounting */
1498	if (getluid() == -1 && setluid(pw->pw_uid) == -1)
1499	error("setluid: %s", strerror(errno));
1500	# endif /* defined(HAVE_GETLUID) && defined(HAVE_SETLUID) */
1501
1502	if (setlogin(pw->pw_name) < 0)	1484	if (setlogin(pw->pw_name) < 0)
1503	error("setlogin failed: %s", strerror(errno));	1485	error("setlogin failed: %s", strerror(errno));
1504	if (setgid(pw->pw_gid) < 0) {	1486	if (setgid(pw->pw_gid) < 0) {
@@ -1511,50 +1493,9 @@ do_setusercontext(struct passwd *pw)
1511	exit(1);	1493	exit(1);
1512	}	1494	}
1513	endgrent();	1495	endgrent();
1514	# ifdef USE_PAM
1515	/*
1516	* PAM credentials may take the form of supplementary groups.
1517	* These will have been wiped by the above initgroups() call.
1518	* Reestablish them here.
1519	*/
1520	if (options.use_pam) {
1521	do_pam_setcred(use_privsep);
1522	}
1523	# endif /* USE_PAM */
1524	# if defined(WITH_IRIX_PROJECT) \|\| defined(WITH_IRIX_JOBS) \|\| defined(WITH_IRIX_ARRAY)
1525	irix_setusercontext(pw);
1526	# endif /* defined(WITH_IRIX_PROJECT) \|\| defined(WITH_IRIX_JOBS) \|\| defined(WITH_IRIX_ARRAY) */
1527	# ifdef _AIX
1528	aix_usrinfo(pw);
1529	# endif /* _AIX */
1530	# ifdef USE_LIBIAF
1531	if (set_id(pw->pw_name) != 0) {
1532	exit(1);
1533	}
1534	# endif /* USE_LIBIAF */
1535	#endif	1496	#endif
1536	#ifdef HAVE_SETPCRED
1537	/*
1538	* If we have a chroot directory, we set all creds except real
1539	* uid which we will need for chroot. If we don't have a
1540	* chroot directory, we don't override anything.
1541	*/
1542	{
1543	char *creds = NULL, chroot_creds[] =
1544	{ "REAL_USER=root", NULL };
1545
1546	if (options.chroot_directory != NULL &&
1547	strcasecmp(options.chroot_directory, "none") != 0)
1548	creds = chroot_creds;
1549
1550	if (setpcred(pw->pw_name, creds) == -1)
1551	fatal("Failed to set process credentials");
1552	}
1553	#endif /* HAVE_SETPCRED */
1554		1497
1555	#ifdef WITH_SELINUX	1498	platform_setusercontext_post_groups(pw);
1556	ssh_selinux_setup_exec_context(pw->pw_name);
1557	#endif
1558		1499
1559	if (options.chroot_directory != NULL &&	1500	if (options.chroot_directory != NULL &&
1560	strcasecmp(options.chroot_directory, "none") != 0) {	1501	strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1628,8 +1569,6 @@ launch_login(struct passwd pw, const char hostname)
1628	static void	1569	static void
1629	child_close_fds(void)	1570	child_close_fds(void)
1630	{	1571	{
1631	int i;
1632
1633	if (packet_get_connection_in() == packet_get_connection_out())	1572	if (packet_get_connection_in() == packet_get_connection_out())
1634	close(packet_get_connection_in());	1573	close(packet_get_connection_in());
1635	else {	1574	else {
@@ -1655,8 +1594,7 @@ child_close_fds(void)
1655	* initgroups, because at least on Solaris 2.3 it leaves file	1594	* initgroups, because at least on Solaris 2.3 it leaves file
1656	* descriptors open.	1595	* descriptors open.
1657	*/	1596	*/
1658	for (i = 3; i < 64; i++)	1597	closefrom(STDERR_FILENO + 1);
1659	close(i);
1660	}	1598	}
1661		1599
1662	/*	1600	/*