[pam_ssh/f15] Drop root group privileges properly before executing ssh-agent (#711170)

Dmitry Butskoy buc at fedoraproject.org
Tue Jun 7 12:46:50 UTC 2011


commit 213cd835defaaf437616e9fb37494f374508841b
Author: Dmitry Butskoy <Dmitry at Butskoy.name>
Date:   Tue Jun 7 16:46:24 2011 +0400

    Drop root group privileges properly before executing ssh-agent (#711170)

 pam_ssh-1.97-setgid.patch |   13 +++++++++++++
 pam_ssh.spec              |    9 +++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
---
diff --git a/pam_ssh-1.97-setgid.patch b/pam_ssh-1.97-setgid.patch
new file mode 100644
index 0000000..71566f6
--- /dev/null
+++ b/pam_ssh-1.97-setgid.patch
@@ -0,0 +1,13 @@
+diff -Nrbu pam_ssh-1.97/pam_ssh.c pam_ssh-1.97-OK/pam_ssh.c
+--- pam_ssh-1.97/pam_ssh.c	2011-06-07 16:34:48.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.c	2011-06-07 16:36:07.000000000 +0400
+@@ -688,7 +688,8 @@
+ 				_exit(EX_OSERR);
+ 				/* NOTREACHED */
+ 			case PAM_SUCCESS:
+-				if (setuid(pwent->pw_uid) == -1) {
++				if (initgroups(pwent->pw_name, pwent->pw_gid) == -1 ||
++				setgid(pwent->pw_gid) == -1 || setuid(pwent->pw_uid) == -1) {
+ 					pam_ssh_log(LOG_ERR,
+ 					    "can't drop privileges: %m",
+ 					    pwent->pw_uid);
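Review bot: The order of the three calls in the new condition is what makes the privilege drop effective, but nothing in the patch documents it: initgroups() and setgid() must run while the process still has root's uid, because once setuid() succeeds it can no longer change its groups. A comment above the `if`, such as `/* groups first: after setuid() we can no longer change them */`, would keep a later edit from reordering the calls. Folding all three calls into one test also means the single `"can't drop privileges: %m"` message cannot say which step failed. The trailing `pwent->pw_uid` argument on the unchanged context line has no matching conversion in that format string. The enclosing switch starts and ends outside the hunk.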
diff --git a/pam_ssh.spec b/pam_ssh.spec
index 4e7ee33..811e215 100644
--- a/pam_ssh.spec
+++ b/pam_ssh.spec
@@ -1,16 +1,17 @@
 Summary: PAM module for use with SSH keys and ssh-agent
 Name: pam_ssh
 Version: 1.97
-Release: 6%{?dist}
+Release: 7%{?dist}
 Group: System Environment/Base
 License: BSD
 URL: http://sourceforge.net/projects/pam-ssh/
 Source0: http://downloads.sourceforge.net/pam-ssh/pam_ssh-%{version}.tar.bz2
-Patch0: pam_ssh-1.97-var_run.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: pam-devel, openssh-clients, openssl-devel, libtool
 Requires: openssh-clients
 Conflicts: selinux-policy-targeted < 3.0.8-55
+Patch0: pam_ssh-1.97-var_run.patch
+Patch1: pam_ssh-1.97-setgid.patch
 
 
 %description
@@ -25,6 +26,7 @@ are set in the session phase.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 # re-run autoconf utils to libtoolize properly
 autoreconf -f -si
@@ -69,6 +71,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Tue Jun  7 2011 Dmitry Butskoy <Dmitry at Butskoy.name> - 1.97-7
+- Drop root group privileges properly before executing ssh-agent (#711170)
+
 * Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.97-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
 

