[pam_ssh/f15] Drop root group privileges properly before executing ssh-agent (#711170)
Dmitry Butskoy
buc at fedoraproject.org
Tue Jun 7 12:46:50 UTC 2011
commit 213cd835defaaf437616e9fb37494f374508841b
Author: Dmitry Butskoy <Dmitry at Butskoy.name>
Date: Tue Jun 7 16:46:24 2011 +0400
Drop root group privileges properly before executing ssh-agent (#711170)
pam_ssh-1.97-setgid.patch | 13 +++++++++++++
pam_ssh.spec | 9 +++++++--
2 files changed, 20 insertions(+), 2 deletions(-)
---
diff --git a/pam_ssh-1.97-setgid.patch b/pam_ssh-1.97-setgid.patch
new file mode 100644
index 0000000..71566f6
--- /dev/null
+++ b/pam_ssh-1.97-setgid.patch
@@ -0,0 +1,13 @@
+diff -Nrbu pam_ssh-1.97/pam_ssh.c pam_ssh-1.97-OK/pam_ssh.c
+--- pam_ssh-1.97/pam_ssh.c 2011-06-07 16:34:48.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.c 2011-06-07 16:36:07.000000000 +0400
+@@ -688,7 +688,8 @@
+ _exit(EX_OSERR);
+ /* NOTREACHED */
+ case PAM_SUCCESS:
+- if (setuid(pwent->pw_uid) == -1) {
++ if (initgroups(pwent->pw_name, pwent->pw_gid) == -1 ||
++ setgid(pwent->pw_gid) == -1 || setuid(pwent->pw_uid) == -1) {
+ pam_ssh_log(LOG_ERR,
+ "can't drop privileges: %m",
+ pwent->pw_uid);
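Review bot: The combined condition under `case PAM_SUCCESS:` sends all three failures through one message, "can't drop privileges: %m", so the log cannot tell whether initgroups(), setgid() or setuid() failed. The trailing pwent->pw_uid argument also has no matching conversion in the format string as shown. Consider naming the failing call in the message or splitting the checks, and either add a conversion for the uid or drop the unused argument. The ordering (supplementary groups, then gid, then uid) is the correct one, because after setuid() succeeds the process can no longer change its groups. A one-line comment saying so would keep a later edit from reordering the calls.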
diff --git a/pam_ssh.spec b/pam_ssh.spec
index 4e7ee33..811e215 100644
--- a/pam_ssh.spec
+++ b/pam_ssh.spec
@@ -1,16 +1,17 @@
Summary: PAM module for use with SSH keys and ssh-agent
Name: pam_ssh
Version: 1.97
-Release: 6%{?dist}
+Release: 7%{?dist}
Group: System Environment/Base
License: BSD
URL: http://sourceforge.net/projects/pam-ssh/
Source0: http://downloads.sourceforge.net/pam-ssh/pam_ssh-%{version}.tar.bz2
-Patch0: pam_ssh-1.97-var_run.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: pam-devel, openssh-clients, openssl-devel, libtool
Requires: openssh-clients
Conflicts: selinux-policy-targeted < 3.0.8-55
+Patch0: pam_ssh-1.97-var_run.patch
+Patch1: pam_ssh-1.97-setgid.patch
%description
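Review bot: Moving `Patch0:` from below `Source0:` to below `Conflicts:` in this hunk is unrelated to the fix and adds noise to the diff. Leaving Patch0 where it was and adding `Patch1: pam_ssh-1.97-setgid.patch` directly after it would make this a one-line change. Neither Patch line carries a comment. A line above Patch1 stating what it fixes (#711170) and whether it has been sent upstream would help whoever rebases the package onto the next pam_ssh release.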
@@ -25,6 +26,7 @@ are set in the session phase.
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
# re-run autoconf utils to libtoolize properly
autoreconf -f -si
@@ -69,6 +71,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Tue Jun 7 2011 Dmitry Butskoy <Dmitry at Butskoy.name> - 1.97-7
+- Drop root group privileges properly before executing ssh-agent (#711170)
+
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.97-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild