From ebf989e601a137d2c2dd489a614c7ba54b6fc910 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Sat, 15 Sep 2001 21:12:49 +1000
Subject: - (djm) Clear supplemental groups at sshd start to prevent them from being propogated to random PAM modules. Based on patch from Redhat via Pekka Savola
---
 ChangeLog | 5 ++++-
 sshd.c | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 0162669ca..e818d5ef6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@ Redhat
 - (djm) Redhat initscript config sanity checking from Pekka Savola
+ - (djm) Clear supplemental groups at sshd start to prevent them from
+ being propogated to random PAM modules. Based on patch from Redhat via
+ Pekka Savola
 20010914
 - (bal) OpenBSD CVS Sync
@@ -6436,4 +6439,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1518 2001/09/15 11:03:10 djm Exp $
+$Id: ChangeLog,v 1.1519 2001/09/15 11:12:49 djm Exp $
diff --git a/sshd.c b/sshd.c
index aa822df17..ce13dcaf0 100644
--- a/sshd.c
+++ b/sshd.c
@@ -782,6 +782,10 @@ main(int ac, char **av)
 log_stderr = 1;
 log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ /* Make supp. groups don't get propogated to PAM modules */
+ if (setgroups(0, NULL) < 0)
+ fatal("setgroups() failed: %.200s", strerror(errno));
+
 /*
 * If not in debugging mode, and not started from inetd, disconnect
 * from the controlling terminal, and fork. The original process
--
cgit v1.2.3
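Review bot: The new `setgroups(0, NULL)` call in the sshd.c hunk is fatal on any failure, and nothing visible in the hunk limits it to a privileged start. Because setgroups() normally requires root, an sshd launched by an unprivileged user (for example a test instance on a high port) would presumably exit here with EPERM. Failing closed is the right behaviour when running as root, so consider keeping the fatal only for that case, e.g. `if (getuid() == 0 && setgroups(0, NULL) < 0)`. The comment would also read better as `/* Make sure supplementary groups are not propagated to PAM modules */`. main() begins and ends outside this hunk, so an earlier uid check or a platform guard may already exist and should be confirmed.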