privsep patch, Please test (take 3)
Ben Lindstrom
mouring at etoh.eviladmin.org
Sat Jun 8 05:28:13 EST 2002
On Fri, 7 Jun 2002, Kevin Steves wrote:
> On Fri, Jun 07, 2002 at 11:18:59AM -0700, Tim Rice wrote:
> > > i think if we don't call initgroups (or setgroups) the unprivileged
> > > process will retain root's supplementary groups.
> > >
> >
> > We do call setgroups early on in main()
> > 	/*
> > 	 * Clear out any supplemental groups we may have inherited. This
> > 	 * prevents inadvertent creation of files with bad modes (in the
> > 	 * portable version at least, it's certainly possible for PAM
> > 	 * to create a file, and we can't control the code in every
> > 	 * module which might be used).
> > 	 */
> > 	if (setgroups(0, NULL) < 0)
> > 		debug("setgroups() failed: %.200s", strerror(errno));
>
> hmm, i was looking at openbsd, with the goal of syncing where
> possible. that is in portable only. these diffs for key things are
> becoming impossible to keep track of.
Agreed.. portable tree is looking more like a fork than a branch. And I'm
not dead sure how to cope with some of it without somehow being able to
take a 10,000ft view which is.. ermm.. ugly.
- Ben
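
The concern raised in this thread, as an added example that is not OpenSSH code and not written by any of the posters: a root process that changes uid without calling setgroups() or initgroups() keeps root's supplementary groups. The code below drops groups before gid and uid and then checks the result with getgroups(); the function names are hypothetical, and it uses setgroups(1, &gid) and treats failure as fatal, unlike the setgroups(0, NULL) call quoted above.

```c
#define _DEFAULT_SOURCE  /* exposes setgroups() on glibc */
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Added example, not OpenSSH code; function names are hypothetical. */
/* Count entries of a getgroups()-style list that are not the allowed gid. */
int leftover_groups(const gid_t *groups, int n, gid_t allowed)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != allowed)
            extra++;
    return extra;
}

/* Audit the calling process: leftover count, or -1 on error. */
int audit_supplementary_groups(gid_t allowed)
{
    int n = getgroups(0, NULL);         /* size query */
    if (n <= 0)
        return n;                       /* 0 groups, or -1 on error */
    gid_t *list = calloc((size_t)n, sizeof(*list));
    if (list == NULL)
        return -1;
    n = getgroups(n, list);
    int extra = (n < 0) ? -1 : leftover_groups(list, n, allowed);
    free(list);
    return extra;
}

/* Drop from root to uid/gid: groups first, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) < 0)         /* replace root's inherited list */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)     /* regaining root must fail */
        return -1;
    return audit_supplementary_groups(gid) == 0 ? 0 : -1;
}

int main(void)
{
    printf("groups besides our gid: %d\n", audit_supplementary_groups(getgid()));
    return 0;
}
```

drop_privileges() only succeeds when started as root; run unprivileged, main() just reports how many supplementary groups the current process carries besides its primary gid.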