19775805 OpenSSH contains a redundant call to do_pam_setcred()
author Brent Paulson <Brent.Paulson@Oracle.COM>
Fri, 10 Jul 2015 05:57:54 -0700
changeset 4649 b795d11564a3
parent 4639 b98581a0bf2f
child 4651 28673cba9fe1
19775805 OpenSSH contains a redundant call to do_pam_setcred()
21379157 OpenSSH shouldn't call setproject(3PROJECT) when configured to use PAM
components/openssh/Makefile
components/openssh/patches/029-disable-redundant-pam_setcred.patch
--- a/components/openssh/Makefile	Mon Jul 13 23:01:27 2015 -0700
+++ b/components/openssh/Makefile	Fri Jul 10 05:57:54 2015 -0700
@@ -79,7 +79,6 @@
 CONFIGURE_OPTIONS += --with-pam
 CONFIGURE_OPTIONS += --with-sandbox=no
 CONFIGURE_OPTIONS += --with-solaris-contracts
-CONFIGURE_OPTIONS += --with-solaris-projects
 CONFIGURE_OPTIONS += --with-tcp-wrappers
 CONFIGURE_OPTIONS += --with-4in6
 CONFIGURE_OPTIONS += --enable-strip=no
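Review bot: the removal of `--with-solaris-projects` leaves nothing in the Makefile to say why the option is gone, even though the same block still sets `--with-pam`. A short comment next to `CONFIGURE_OPTIONS += --with-pam` would help, stating that the projects option is omitted on purpose because sshd should not call setproject(3PROJECT) itself when configured to use PAM (21379157). That would keep a later component update from re-adding it. It would also be worth recording how the project of a logged-in session was checked with the option dropped.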
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/029-disable-redundant-pam_setcred.patch	Fri Jul 10 05:57:54 2015 -0700
@@ -0,0 +1,34 @@
+# This issue has been raised with the upstream OpenSSH community:
+#
+# 2426 OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux
+#      platforms
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2426
+#
+# The OpenSSH maintainers added a call to do_pam_setcred() in
+# platform_setusercontext_post_groups() with no corresponding bugID along with
+# a befuddling comment that initgroups(3C) wipes out supplementary groups:
+#
+#https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96
+#
+# This only applies in the Linux world if the LinuxPAM pam_group(8) module
+# has been installed and configured which allows one to assign additional
+# secondary groups to a user using /etc/security/group.conf in addition to
+# /etc/group.  To confuse things a bit more, there is an OpenPAM PAM module
+# of the same name, pam_group(8), which has different functionality, it
+# performs access control based on group membership.
+#
+# In short, this additional call to do_pam_setcred() is Linux-specific and
+# shouldn't be called on Solaris.
+#
+diff -pur old/platform.c new/platform.c
+--- old/platform.c	2015-07-02 04:21:38.155790601 -0700
++++ new/platform.c	2015-07-02 05:11:06.302125686 -0700
+@@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *p
+ void
+ platform_setusercontext_post_groups(struct passwd *pw)
+ {
+-#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
++#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) && !defined(PAM_SUN_CODEBASE)
+ 	/*
+ 	 * PAM credentials may take the form of supplementary groups.
+ 	 * These will have been wiped by the above initgroups() call.
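Review bot: the condition added on the `#if` line of platform_setusercontext_post_groups() excludes only `PAM_SUN_CODEBASE`, while the header comment and the title of bug 2426 argue that the second call is unneeded on non-Linux platforms in general. The header should say that the narrower condition is deliberate for this Solaris patch, so its relation to bug 2426 is clear. Since this code path decides which supplementary groups a session ends up with, the header should also state how the redundancy was confirmed, for example that the group list of a logged-in session is the same with and without the second do_pam_setcred() call. Minor style point: the `#https://anongit.mindrot.org/...` line lacks the space after `#` that the other header lines use.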