privsep patch, Please test (take 3)

Kevin Steves kevin at atomicgears.com
Sat Jun 8 03:58:02 EST 2002


On Thu, Jun 06, 2002 at 05:49:13PM -0700, Tim Rice wrote:
> > > --- openssh/session.c.old	Sun May 12 20:25:02 2002
> > > +++ openssh/session.c	Wed May 29 07:39:22 2002
> > > @@ -1089,10 +1089,11 @@
> > >  			exit(1);
> > >  		}
> > >  		/* Initialize the group list. */
> > > -		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> > > -			perror("initgroups");
> > > -			exit(1);
> > > -		}
> > > +		if (strcmp(pw->pw_name, SSH_PRIVSEP_USER))
> > > +			if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> > > +				perror("initgroups");
> > > +				exit(1);
> > > +			}
> >
> > why are we doing this?
> 
> On some platforms initgroups() fails in the chroot child. As initgroups
> is unnecessary for the sshd user, this fixes that problem. I'm open
> to any better ways.

i think if we don't call initgroups (or setgroups) the unprivileged
process will retain root's supplementary groups.



More information about the openssh-unix-dev mailing list