privsep patch, Please test (take 3)
Kevin Steves
kevin at atomicgears.com
Sat Jun 8 05:18:45 EST 2002
On Fri, Jun 07, 2002 at 11:18:59AM -0700, Tim Rice wrote:
> > i think if we don't call initgroups (or setgroups) the unprivileged
> > process will retain root's supplementary groups.
> >
>
> We do call setgroups early on in main()
> /*
> * Clear out any supplemental groups we may have inherited. This
> * prevents inadvertent creation of files with bad modes (in the
> * portable version at least, it's certainly possible for PAM
> * to create a file, and we can't control the code in every
> * module which might be used).
> */
> if (setgroups(0, NULL) < 0)
> debug("setgroups() failed: %.200s", strerror(errno));
hmm, i was looking at openbsd, with the goal of syncing where
possible. that is in portable only. these diffs for key things are
becoming impossible to keep track of.
More information about the openssh-unix-dev
mailing list