components/openssh/patches/029-disable-redundant-pam_setcred.patch
branch s11u3-sru
changeset 5324 5683175b6e99
5322:e8cdd896f216 5324:5683175b6e99
       
     1 # This issue has been raised with the upstream OpenSSH community:
       
     2 #
       
     3 # 2426 OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux
       
     4 #      platforms
       
     5 # https://bugzilla.mindrot.org/show_bug.cgi?id=2426
       
     6 #
       
     7 # The OpenSSH maintainers added a call to do_pam_setcred() in
       
     8 # platform_setusercontext_post_groups() with no corresponding bugID along with
       
     9 # a befuddling comment that initgroups(3C) wipes out supplementary groups:
       
    10 #
       
    11 #https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96
       
    12 #
       
    13 # This only applies in the Linux world if the LinuxPAM pam_group(8) module
       
    14 # has been installed and configured which allows one to assign additional
       
    15 # secondary groups to a user using /etc/security/group.conf in addition to
       
    16 # /etc/group.  To confuse things a bit more, there is an OpenPAM PAM module
       
    17 # of the same name, pam_group(8), which has different functionality, it
       
    18 # performs access control based on group membership.
       
    19 #
       
    20 # In short, this additional call to do_pam_setcred() is Linux-specific and
       
    21 # shouldn't be called on Solaris.
       
    22 #
       
    23 diff -pur old/platform.c new/platform.c
       
    24 --- old/platform.c	2015-07-02 04:21:38.155790601 -0700
       
    25 +++ new/platform.c	2015-07-02 05:11:06.302125686 -0700
       
    26 @@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *p
       
    27  void
       
    28  platform_setusercontext_post_groups(struct passwd *pw)
       
    29  {
       
    30 -#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
       
    31 +#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) && !defined(PAM_SUN_CODEBASE)
       
    32  	/*
       
    33  	 * PAM credentials may take the form of supplementary groups.
       
    34  	 * These will have been wiped by the above initgroups() call.
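Review bot: the widened guard on the `+#if` line carries no in-code rationale, and the block comment directly under it still says unconditionally that PAM credentials "may take the form of supplementary groups" wiped by initgroups(). Someone reading platform.c without this patch header cannot tell why PAM_SUN_CODEBASE builds skip the call. Suggest a short comment next to the condition that summarises the header's reasoning (the second do_pam_setcred() only matters with the LinuxPAM pam_group(8) module and /etc/security/group.conf) and cites upstream bug 2426. Separately, the header says the call "shouldn't be called on Solaris", but the test is on PAM_SUN_CODEBASE rather than on a Solaris-specific macro. It is worth confirming that every build that defines PAM_SUN_CODEBASE really has no PAM module that assigns supplementary groups in setcred, since on those builds any such groups would now stay dropped after initgroups().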