22842240 per-session xauth file does not work when UsePrivilege is set to no
authorTomas Kuthan <tomas.kuthan@oracle.com>
Wed, 16 Mar 2016 02:37:16 -0700
changeset 5613 27ea636da8ce
parent 5612 ece68a956e2f
child 5614 12b0db03649b
22842240 per-session xauth file does not work when UsePrivilege is set to no
components/openssh/patches/031-per_session_xauthfile.patch
--- a/components/openssh/patches/031-per_session_xauthfile.patch	Wed Mar 16 02:37:08 2016 -0700
+++ b/components/openssh/patches/031-per_session_xauthfile.patch	Wed Mar 16 02:37:16 2016 -0700
@@ -7,8 +7,9 @@
 # In the future, if this fix is accepted by the upsteam in a later release, we
 # will remove this patch when we upgrade to that release.
 #
---- orig/session.c	Thu Jul 30 10:35:15 2015
-+++ new/session.c	Tue Aug  4 11:29:22 2015
+diff -pur old/session.c new/session.c
+--- old/session.c
++++ new/session.c
 @@ -62,6 +62,10 @@
  #include <unistd.h>
  #include <limits.h>
@@ -56,7 +57,7 @@
  	if (s->auth_proto != NULL || s->auth_data != NULL) {
  		error("session_x11_req: session %d: "
  		    "x11 forwarding already active", s->self);
[email protected]@ -2188,6 +2207,48 @@
[email protected]@ -2188,6 +2207,50 @@
  		s->auth_proto = NULL;
  		s->auth_data = NULL;
  	}
@@ -69,6 +70,7 @@
 +	 * means that we won't set XAUTHORITY variable in child's environment
 +	 * and xauth(1) will use the default location for the authority file.
 +	 */
++	temporarily_use_uid(s->pw);
 +	if (mkdtemp(xauthdir) != NULL) {
 +		s->auth_file = xmalloc(MAXPATHLEN);
 +		snprintf(s->auth_file, MAXPATHLEN, "%s/xauthfile",
@@ -101,11 +103,12 @@
 +		    "authority file: %.100s; will use the default xauth file",
 +		    strerror(errno));
 +	}
++	restore_uid();
 +#endif
  	return success;
  }
  
[email protected]@ -2378,6 +2439,50 @@
[email protected]@ -2378,6 +2441,50 @@
  	PRIVSEP(session_pty_cleanup2(s));
  }
  
@@ -156,7 +159,7 @@
  static char *
  sig2name(int sig)
  {
[email protected]@ -2512,6 +2617,9 @@
[email protected]@ -2512,6 +2619,9 @@
  	free(s->auth_display);
  	free(s->auth_data);
  	free(s->auth_proto);
@@ -166,7 +169,7 @@
  	free(s->subsys);
  	if (s->env != NULL) {
  		for (i = 0; i < s->num_env; i++) {
[email protected]@ -2763,6 +2871,10 @@
[email protected]@ -2763,6 +2873,10 @@
  	/* remove agent socket */
  	auth_sock_cleanup_proc(authctxt->pw);
  
@@ -177,8 +180,9 @@
  	/*
  	 * Cleanup ptys/utmp only if privsep is disabled,
  	 * or if running in monitor.
---- orig/session.h	Thu Jul 30 10:35:12 2015
-+++ new/session.h	Tue Aug  4 11:30:04 2015
+diff -pur old/session.h new/session.h
+--- old/session.h
++++ new/session.h
 @@ -49,6 +49,9 @@
  	char	*auth_display;
  	char	*auth_proto;