1 files changed, 11 insertions, 3 deletions

diff --git a/session.c b/session.c
index 1bffa6b06..cff14cd5a 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */
+/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -274,7 +274,10 @@ do_authenticated(Authctxt *authctxt)
         setproctitle("%s", authctxt->pw->pw_name);
 
         /* setup the channel layer */
-        if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+        if (no_port_forwarding_flag ||
+            (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+                channel_disable_adm_local_opens();
+        else
                 channel_permit_all_opens();
 
         auth_debug_send();
@@ -384,7 +387,7 @@ do_authenticated1(Authctxt *authctxt)
                                 debug("Port forwarding not permitted for this authentication.");
                                 break;
                         }
-                        if (!options.allow_tcp_forwarding) {
+                        if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) {
                                 debug("Port forwarding not permitted.");
                                 break;
                         }
@@ -1526,6 +1529,11 @@ do_setusercontext(struct passwd *pw, const char *role)
                         perror("unable to set user context (setuser)");
                         exit(1);
                 }
+                /* 
+                 * FreeBSD's setusercontext() will not apply the user's
+                 * own umask setting unless running with the user's UID.
+                 */
+                (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);
 #else
                 /* Permanently switch to the desired uid. */
                 permanently_set_uid(pw);