Created attachment 2661
patch to limit setproject(3PROJECT) calls to non-PAM configurations
The OpenSSH bug:
1824 Added project(4) support for Solaris 10
https://bugzilla.mindrot.org/show_bug.cgi?id=1824
added code to call setproject(3PROJECT) on Solaris when USE_SOLARIS_PROJECTS is defined. The USE_SOLARIS_PROJECTS #define is set when --with-solaris-projects is supplied to the configure script.
Ever since the introduction of projects in Solaris 9, a user's project membership has been set by PAM. As of Solaris 10, released in January 2005, the updating of a user's project information happens via pam_unix_cred(5). This PAM module must be present in all authentication PAM transactions and is part of all PAM stacks shipped with Solaris, and thus when PAM is configured for OpenSSH (--with-pam) it is not necessary to separately call setproject(3PROJECT).
In short, I'm suggesting adding '&& !defined(USE_PAM)' to the lines containing 'USE_SOLARIS_PROJECTS' in the portable OpenSSH source.
Comment on attachment 2661 [details] patch to limit setproject(3PROJECT) calls to non-PAM configurations >-#ifdef USE_SOLARIS_PROJECTS >+#ifdef USE_SOLARIS_PROJECTS && !defined(USE_PAM) This part isn't correct: USE_PAM is a compile time flag but PAM can be enabled and disabled at runtime. > /* if solaris projects were detected, set the default now */ > if (getuid() == 0 || geteuid() == 0) > solaris_set_default_project(pw); I think that should be something like if ((getuid() == 0 || geteuid() == 0) && !options.use_pam) solaris_set_default_project(pw);
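Review bot: in the changed line `#ifdef USE_SOLARIS_PROJECTS && !defined(USE_PAM)`, `#ifdef` takes a single macro name, so the trailing `&& !defined(USE_PAM)` is not evaluated as part of the condition; compilers typically warn about extra tokens after the directive and test only USE_SOLARIS_PROJECTS. A combined compile-time test would have to be written as `#if defined(USE_SOLARIS_PROJECTS) && !defined(USE_PAM)`. As submitted, the guarded call to solaris_set_default_project(pw) in the context lines would still be compiled in on a --with-pam build, so the patch would not change behaviour in the way its description intends.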
Created attachment 2742
Check PAM at runtime before setting Solaris project
Could you please confirm that this diff works as expected? Thanks.
We haven't received confirmation that this works, so pushing to next release.
> Could you please confirm that this diff works as expected? Thanks.
Yes, I've confirmed the patch works as expected. Thanks!
Thanks, applied.
Bulk mark issues CLOSED in 7.3 release