- (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move

the setpcred call on AIX to immediately before the permanently_set_uid(). Ensures that we still have privileges when we call chroot and pam_open_sesson. Based on a patch from David Leonard.
2024-12-22 01:50:16 +00:00 · 2009-08-20 16:20:50 +10:00 · 2009-08-20 16:20:50 +10:00 · 82edf23fff
commit 82edf23fff
parent 2a5588daeb
3 changed files with 14 additions and 6 deletions
--- a/4
+++ b/4
@ -2,6 +2,10 @@
 - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
   using it since the type conflicts can cause problems on FreeBSD.  Patch
   from Jonathan Chen.
+ - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
+   the setpcred call on AIX to immediately before the permanently_set_uid().
+   Ensures that we still have privileges when we call chroot and
+   pam_open_sesson.  Based on a patch from David Leonard.

 20090817
 - (dtucker) [configure.ac] Check for headers before libraries for openssl an
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@ -1,4 +1,4 @@
-/* $Id: port-aix.h,v 1.30 2009/08/16 23:40:00 dtucker Exp $ */
+/* $Id: port-aix.h,v 1.31 2009/08/20 06:20:50 dtucker Exp $ */

 /*
 *
@ -71,6 +71,11 @@ int passwdexpired(char *, char **);
 # include <sys/timers.h>
 #endif

+/* for setpcred and friends */
+#ifdef HAVE_USERSEC_H
+# include <usersec.h>
+#endif
+
 /*
 * According to the setauthdb man page, AIX password registries must be 15
 * chars or less plus terminating NUL.
--- a/session.c
+++ b/session.c
@ -1466,11 +1466,6 @@ do_setusercontext(struct passwd *pw)
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
 	{
-
-#ifdef HAVE_SETPCRED
-		if (setpcred(pw->pw_name, (char **)NULL) == -1)
-			fatal("Failed to set process credentials");
-#endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
 # ifdef __bsdi__
 		setpgid(0, 0);
@ -1538,6 +1533,10 @@ do_setusercontext(struct passwd *pw)
 			free(chroot_path);
 		}

+#ifdef HAVE_SETPCRED
+		if (setpcred(pw->pw_name, (char **)NULL) == -1)
+			fatal("Failed to set process credentials");
+#endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
 			perror("unable to set user context (setuser)");