# HG changeset patch # User Brent Paulson # Date 1436533074 25200 # Node ID b795d11564a35d74a3aa8010e4792d2a7af475df # Parent b98581a0bf2f911015784e3be0e93deb87cdc622 19775805 OpenSSH contains a redundant call to do_pam_setcred() 21379157 OpenSSH shouldn't call setproject(3PROJECT) when configured to use PAM
diff -r b98581a0bf2f -r b795d11564a3 components/openssh/Makefile
--- a/components/openssh/Makefile Mon Jul 13 23:01:27 2015 -0700
+++ b/components/openssh/Makefile Fri Jul 10 05:57:54 2015 -0700
@@ -79,7 +79,6 @@
 CONFIGURE_OPTIONS += --with-pam
 CONFIGURE_OPTIONS += --with-sandbox=no
 CONFIGURE_OPTIONS += --with-solaris-contracts
-CONFIGURE_OPTIONS += --with-solaris-projects
 CONFIGURE_OPTIONS += --with-tcp-wrappers
 CONFIGURE_OPTIONS += --with-4in6
 CONFIGURE_OPTIONS += --enable-strip=no
diff -r b98581a0bf2f -r b795d11564a3 components/openssh/patches/029-disable-redundant-pam_setcred.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/029-disable-redundant-pam_setcred.patch Fri Jul 10 05:57:54 2015 -0700
@@ -0,0 +1,34 @@
+# This issue has been raised with the upstream OpenSSH community:
+#
+# 2426 OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux
+# platforms
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2426
+#
+# The OpenSSH maintainers added a call to do_pam_setcred() in
+# platform_setusercontext_post_groups() with no corresponding bugID along with
+# a befuddling comment that initgroups(3C) wipes out supplementary groups:
+#
+#https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96
+#
+# This only applies in the Linux world if the LinuxPAM pam_group(8) module
+# has been installed and configured which allows one to assign additional
+# secondary groups to a user using /etc/security/group.conf in addition to
+# /etc/group. To confuse things a bit more, there is an OpenPAM PAM module
+# of the same name, pam_group(8), which has different functionality, it
+# performs access control based on group membership.
+#
+# In short, this additional call to do_pam_setcred() is Linux-specific and
+# shouldn't be called on Solaris.
+#
+diff -pur old/platform.c new/platform.c
+--- old/platform.c 2015-07-02 04:21:38.155790601 -0700
++++ new/platform.c 2015-07-02 05:11:06.302125686 -0700
+@@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *p
+ void
+ platform_setusercontext_post_groups(struct passwd *pw)
+ {
+-#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
++#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) && !defined(PAM_SUN_CODEBASE)
+ /*
+ * PAM credentials may take the form of supplementary groups.
+ * These will have been wiped by the above initgroups() call.
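Review bot: The added `!defined(PAM_SUN_CODEBASE)` condition in the embedded platform.c hunk drops the post-initgroups() do_pam_setcred() call at compile time for every build that defines that macro, independent of which modules the PAM stack actually loads. The header comment's rationale covers LinuxPAM pam_group(8) only; if a site stacks a module whose pam_sm_setcred() assigns supplementary groups, those groups would presumably be reset by initgroups() and no longer restored. Because the same changeset also removes `--with-solaris-projects`, the earlier do_pam_setcred() call (outside this hunk) appears to become the only point where project and credential state is established, so a post-login check of the session's groups and project would be worth adding to the component's tests. I would record the assumption in the patch header, e.g. `# Assumes no pam_sm_setcred() module in the Solaris PAM stack assigns supplementary groups; any such groups are not restored after initgroups().` The body of platform_setusercontext_post_groups() continues past the end of the hunk.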