privsep patch, Please test (take 3)
Kevin Steves
kevin at atomicgears.com
Sat Jun 8 03:58:02 EST 2002
On Thu, Jun 06, 2002 at 05:49:13PM -0700, Tim Rice wrote:
> > > --- openssh/session.c.old Sun May 12 20:25:02 2002
> > > +++ openssh/session.c Wed May 29 07:39:22 2002
> > > @@ -1089,10 +1089,11 @@
> > > exit(1);
> > > }
> > > /* Initialize the group list. */
> > > - if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> > > - perror("initgroups");
> > > - exit(1);
> > > - }
> > > + if (strcmp(pw->pw_name, SSH_PRIVSEP_USER))
> > > + if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> > > + perror("initgroups");
> > > + exit(1);
> > > + }
> >
> > why are we doing this?
>
> On some platforms initgroups() fails in the chroot child. As initgroups
> is unnecessary for the sshd user, this fixes that problem. I'm open
> to any better ways.
i think if we don't call initgroups (or setgroups) the unprivileged
process will retain root's supplementary groups.
More information about the openssh-unix-dev
mailing list