author | Brent Paulson <Brent.Paulson@Oracle.COM> |
Fri, 10 Jul 2015 05:57:54 -0700 | |
changeset 4649 | b795d11564a3 |
permissions | -rw-r--r-- |
4649
b795d11564a3
19775805 OpenSSH contains a redundant call to do_pam_setcred()
Brent Paulson <Brent.Paulson@Oracle.COM>
# This issue has been raised with the upstream OpenSSH community:
#
# 2426 OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux
# platforms
# https://bugzilla.mindrot.org/show_bug.cgi?id=2426
#
# The OpenSSH maintainers added a call to do_pam_setcred() in
# platform_setusercontext_post_groups() with no corresponding bugID along with
# a befuddling comment that initgroups(3C) wipes out supplementary groups:
#
#https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96
#
# This only applies in the Linux world if the LinuxPAM pam_group(8) module
# has been installed and configured which allows one to assign additional
# secondary groups to a user using /etc/security/group.conf in addition to
# /etc/group. To confuse things a bit more, there is an OpenPAM PAM module
# of the same name, pam_group(8), which has different functionality, it
# performs access control based on group membership.
#
# In short, this additional call to do_pam_setcred() is Linux-specific and
# shouldn't be called on Solaris.
#
diff -pur old/platform.c new/platform.c |
--- old/platform.c 2015-07-02 04:21:38.155790601 -0700 |
+++ new/platform.c 2015-07-02 05:11:06.302125686 -0700 |
@@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *p |
void |
platform_setusercontext_post_groups(struct passwd *pw) |
{ |
-#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) |
+#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) && !defined(PAM_SUN_CODEBASE) |
/* |
* PAM credentials may take the form of supplementary groups. |
* These will have been wiped by the above initgroups() call. |
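Review bot: The added `!defined(PAM_SUN_CODEBASE)` term on the `#if` line is narrower than the rationale in the patch header, which says the second do_pam_setcred() call matters only where the LinuxPAM pam_group(8) module is in use: as written, every non-Sun PAM build without HAVE_LOGIN_CAP still compiles the call in. If the intent is "Linux only", say so in the condition or in the header; if the intent is "not on Solaris", the header wording should match. The block comment that follows ("PAM credentials may take the form of supplementary groups. These will have been wiped by the above initgroups() call.") is left unchanged and now reads as if it applied to every platform, so a line noting that Sun PAM does not hand out supplementary groups through pam_setcred at this point, with a pointer to bug 2426, would keep a later reader from treating the exclusion as a dropped group-restoration step when auditing the privilege-drop path.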