BSD/OS with privsep

Markus Friedl markus at openbsd.org
Tue Jun 25 20:40:24 EST 2002


I need this for BSD/OS 4.2 + privsep

perhaps we should not call do_setusercontext() after
chroot().

--- sshd.c.orig	Fri Jun 21 03:09:47 2002
+++ sshd.c	Tue Jun 25 13:11:03 2002
@@ -548,21 +548,35 @@
 	/* Change our root directory*/
 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
 		    strerror(errno));
 	if (chdir("/") == -1)
 		fatal("chdir(\"/\"): %s", strerror(errno));
 
 	/* Drop our privileges */
 	debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
 	    (u_int)pw->pw_gid);
+#if 0
+	/* XXX not ready, to heavy after chroot */
 	do_setusercontext(pw);
+#else
+	{
+		gid_t gidset[2];
+
+		gidset[0] = pw->pw_gid;
+		if (setgid(pw->pw_gid) < 0)
+			fatal("setgid failed for %u", pw->pw_gid );
+		if (setgroups(1, gidset) < 0)
+			fatal("setgroups: %.100s", strerror(errno));
+		permanently_set_uid(pw);
+	}
+#endif
 }
 
 static Authctxt*
 privsep_preauth(void)
 {
 	Authctxt *authctxt = NULL;
 	int status;
 	pid_t pid;
 
 	/* Set up unprivileged child process to deal with network data */
--- session.c.orig	Tue Jun 25 13:28:07 2002
+++ session.c	Tue Jun 25 13:33:16 2002
@@ -1154,22 +1154,26 @@
 {
 #ifdef HAVE_CYGWIN
 	if (is_winnt) {
 #else /* HAVE_CYGWIN */
 	if (getuid() == 0 || geteuid() == 0) {
 #endif /* HAVE_CYGWIN */
 #ifdef HAVE_SETPCRED
 		setpcred(pw->pw_name);
 #endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
-		if (setusercontext(lc, pw, pw->pw_uid,
-		    (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
+		int flags = LOGIN_SETALL & ~LOGIN_SETPATH;
+#ifdef __bsdi__
+		if (getpid() != getpgrp())
+			flags &= ~LOGIN_SETLOGIN;
+#endif
+		if (setusercontext(lc, pw, pw->pw_uid, flags) < 0) {
 			perror("unable to set user context");
 			exit(1);
 		}
 #else
 # if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
 		/* Sets login uid for accounting */
 		if (getluid() == -1 && setluid(pw->pw_uid) == -1)
 			error("setluid: %s", strerror(errno));
 # endif /* defined(HAVE_GETLUID) && defined(HAVE_SETLUID) */
 



More information about the openssh-unix-dev mailing list