[pam_ssh] Drop root group privileges properly before executing ssh-agent

Dmitry Butskoy buc at fedoraproject.org
Tue Jun 7 12:44:30 UTC 2011


commit a28e77b1b619114fa1a956cfcb72bbae5b74b3e4
Author: Dmitry Butskoy <Dmitry at Butskoy.name>
Date:   Tue Jun 7 16:43:13 2011 +0400

    Drop root group privileges properly before executing ssh-agent

 pam_ssh-1.97-setgid.patch |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)
---
diff --git a/pam_ssh-1.97-setgid.patch b/pam_ssh-1.97-setgid.patch
new file mode 100644
index 0000000..71566f6
--- /dev/null
+++ b/pam_ssh-1.97-setgid.patch
@@ -0,0 +1,13 @@
+diff -Nrbu pam_ssh-1.97/pam_ssh.c pam_ssh-1.97-OK/pam_ssh.c
+--- pam_ssh-1.97/pam_ssh.c	2011-06-07 16:34:48.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.c	2011-06-07 16:36:07.000000000 +0400
+@@ -688,7 +688,8 @@
+ 				_exit(EX_OSERR);
+ 				/* NOTREACHED */
+ 			case PAM_SUCCESS:
+-				if (setuid(pwent->pw_uid) == -1) {
++				if (initgroups(pwent->pw_name, pwent->pw_gid) == -1 ||
++				setgid(pwent->pw_gid) == -1 || setuid(pwent->pw_uid) == -1) {
+ 					pam_ssh_log(LOG_ERR,
+ 					    "can't drop privileges: %m",
+ 					    pwent->pw_uid);
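Review bot: The error path under the new three-call condition still logs one generic message, so a failure of initgroups(), setgid() or setuid() cannot be told apart in the log. The call also passes `pwent->pw_uid` although the format string `"can't drop privileges: %m"` has no conversion for it. Assuming pam_ssh_log is printf-style, I would log the account explicitly, e.g. `"can't drop privileges for %s (uid %lu): %m", pwent->pw_name, (unsigned long)pwent->pw_uid`. The call order is load-bearing, so a comment above the condition would protect it from later reordering: `/* drop supplementary groups and gid while still root; setuid() must come last */`. The rest of this branch lies outside the hunk, so it is worth confirming that the child exits on failure rather than going on to exec ssh-agent with root's groups.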

