#

# OpenSSH verifies, that changing [ug]id back to 0 fails, after it

# was set to the values of the user logging in.

# On Solaris, if that user was given PRIV_PROC_SETUID privilege,

# set[gu]id(0) succeeds. But in this case this is not an error in

# dropping privilege, such user is supposed to be able to do that.

#

# This fix removes this check entirely. Skipping the check only in

# case PRIV_PROC_SETUID is asserted in the effective set was considered

# but decided against. The check is redundant, because inability to

# restore uid=0 can be inferred from successful run of setreuid(uid, uid).

#

# The fix is implemented by replacing an OS-related HAVE_CYGWIN guard

# with a functional NO_UID_RESTORATION_TEST and by defining the new

# symbol in the component Makefile.

#

# This patch was submitted upstream:

#

# https://bugzilla.mindrot.org/show_bug.cgi?id=2299

#

# See the above URL for details on if/when it might be accepted.

#

diff -ur old/uidswap.c new/uidswap.c

--- old/uidswap.c	2014-01-18 01:43:50.000000000 -0800

+++ new/uidswap.c	2014-09-04 06:26:32.965065384 -0700

@@ -134,7 +134,7 @@

 void

 permanently_drop_suid(uid_t uid)

 {

-#ifndef HAVE_CYGWIN

+#ifndef NO_UID_RESTORATION_TEST

 	uid_t old_uid = getuid();

 #endif

@@ -142,7 +142,7 @@

 	if (setresuid(uid, uid, uid) < 0)

 		fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));

-#ifndef HAVE_CYGWIN

+#ifndef NO_UID_RESTORATION_TEST

 	/* Try restoration of UID if changed (test clearing of saved uid) */

 	if (old_uid != uid &&

 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))

@@ -199,7 +199,7 @@

 void

 permanently_set_uid(struct passwd *pw)

 {

-#ifndef HAVE_CYGWIN

+#ifndef NO_UID_RESTORATION_TEST

 	uid_t old_uid = getuid();

 	gid_t old_gid = getgid();

 #endif

@@ -227,7 +227,7 @@

 	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)

 		fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));

-#ifndef HAVE_CYGWIN

+#ifndef NO_UID_RESTORATION_TEST

 	/* Try restoration of GID if changed (test clearing of saved gid) */

 	if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&

 	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))

@@ -241,7 +241,7 @@

 		    (u_int)pw->pw_gid);

 	}

-#ifndef HAVE_CYGWIN

+#ifndef NO_UID_RESTORATION_TEST

 	/* Try restoration of UID if changed (test clearing of saved uid) */

 	if (old_uid != pw->pw_uid &&

 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))