|
1 # This issue has been raised with the upstream OpenSSH community: |
|
2 # |
|
3 # 2426 OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux |
|
4 # platforms |
|
5 # https://bugzilla.mindrot.org/show_bug.cgi?id=2426 |
|
6 # |
|
7 # The OpenSSH maintainers added a call to do_pam_setcred() in |
|
8 # platform_setusercontext_post_groups() with no corresponding bugID along with |
|
9 # a befuddling comment that initgroups(3C) wipes out supplementary groups: |
|
10 # |
|
11 #https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96 |
|
12 # |
|
13 # This only applies in the Linux world if the LinuxPAM pam_group(8) module |
|
14 # has been installed and configured which allows one to assign additional |
|
15 # secondary groups to a user using /etc/security/group.conf in addition to |
|
16 # /etc/group. To confuse things a bit more, there is an OpenPAM PAM module |
|
17 # of the same name, pam_group(8), which has different functionality: it |
|
18 # performs access control based on group membership. |
|
19 # |
|
20 # In short, this additional call to do_pam_setcred() is Linux-specific and |
|
21 # shouldn't be called on Solaris. |
|
22 # |
|
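--- a/platform.c
+++ b/platform.c
@@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *p
 void
 platform_setusercontext_post_groups(struct passwd *pw)
 {
-#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
+#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) && !defined(PAM_SUN_CODEBASE)
 /*
  * PAM credentials may take the form of supplementary groups.
  * These will have been wiped by the above initgroups() call.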
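Review bot: The comment after the changed `#if` still explains only why the second do_pam_setcred() call exists, so nothing in platform.c records why PAM_SUN_CODEBASE builds now skip it; I would add a line above the guard such as `/* Skipped on PAM_SUN_CODEBASE: the re-run of pam_setcred() is only needed for LinuxPAM pam_group, see bz#2426 */`. The guard is also broader than the description's "shouldn't be called on Solaris": as far as I know, upstream's configure defines PAM_SUN_CODEBASE for HP-UX 11 as well, which matters if the change is offered upstream unchanged. With the call skipped, any supplementary group a PAM module adds in pam_setcred() would be dropped by the earlier initgroups() on these builds, so it is worth confirming that no deployed module relies on that for group-based access decisions. The body of platform_setusercontext_post_groups() continues outside the hunk.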