[openssh-commits] [openssh] branch master updated: delay lookup of privsep user until config loaded

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Jun 13 11:34:47 AEST 2024


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

The following commit(s) were added to refs/heads/master by this push:
     new f66d4df5 delay lookup of privsep user until config loaded
f66d4df5 is described below

commit f66d4df5749551380a8c4ae642347675a0b6a2e9
Author: Damien Miller <djm at mindrot.org>
AuthorDate: Thu Jun 13 11:33:09 2024 +1000

    delay lookup of privsep user until config loaded
    
    sshd-session was attempting to use options.kerberos_authentication
    to decide whether it needed to look up the privsep user before the
    configuration was loaded. This caused it to get a placeholder value
    that made it always try to look up the privsep user, breaking at
    least one test environment.
---
 sshd-session.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/sshd-session.c b/sshd-session.c
index 02e469e0..dbc3074f 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -1036,19 +1036,6 @@ main(int ac, char **av)
 
 	debug("sshd version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION);
 
-	/* Store privilege separation user for later use if required. */
-	privsep_chroot = (getuid() == 0 || geteuid() == 0);
-	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
-		if (privsep_chroot || options.kerberos_authentication)
-			fatal("Privilege separation user %s does not exist",
-			    SSH_PRIVSEP_USER);
-	} else {
-		privsep_pw = pwcopy(privsep_pw);
-		freezero(privsep_pw->pw_passwd, strlen(privsep_pw->pw_passwd));
-		privsep_pw->pw_passwd = xstrdup("*");
-	}
-	endpwent();
-
 	/* Fetch our configuration */
 	if ((cfg = sshbuf_new()) == NULL)
 		fatal("sshbuf_new config buf failed");
@@ -1060,6 +1047,19 @@ main(int ac, char **av)
 	fill_default_server_options(&options);
 	options.timing_secret = timing_secret;
 
+	/* Store privilege separation user for later use if required. */
+	privsep_chroot = (getuid() == 0 || geteuid() == 0);
+	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+		if (privsep_chroot || options.kerberos_authentication)
+			fatal("Privilege separation user %s does not exist",
+			    SSH_PRIVSEP_USER);
+	} else {
+		privsep_pw = pwcopy(privsep_pw);
+		freezero(privsep_pw->pw_passwd, strlen(privsep_pw->pw_passwd));
+		privsep_pw->pw_passwd = xstrdup("*");
+	}
+	endpwent();
+
 	if (!debug_flag) {
 		startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
 		close(REEXEC_STARTUP_PIPE_FD);
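Review bot: The comment on the relocated block still reads only "Store privilege separation user for later use if required", so nothing at the new location records the ordering constraint this commit restores. The test `privsep_chroot || options.kerberos_authentication` decides whether a missing privsep account is fatal, and it is only meaningful once `fill_default_server_options(&options)` has run. I would extend the comment to something like `/* Store privilege separation user for later use if required. Must run after the config is loaded: the check below reads options.kerberos_authentication. */` so a later reshuffle of main() does not bring back the placeholder-value behaviour. Separately, on the non-root, non-Kerberos path `privsep_pw` stays NULL after this block, so later users of it (not visible here) presumably need to tolerate that. main() starts and ends outside the hunk.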
