Bug 2426 - OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux platforms
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support
Version: 6.9p1
Hardware: SPARC Solaris
Importance: P5 minor
Assignee: Assigned to nobody
Reported: 2015-07-07 20:09 AEST by brent.paulson
Modified: 2015-07-17 12:20 AEST

Description brent.paulson 2015-07-07 20:09:27 AEST
There is a second call to do_pam_setcred() in
platform.c:platform_setusercontext_post_groups() which was made via the
following changeset which doesn't mention a bugID:

https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96

The comment mentions initgroups(3C) wiping out supplementary groups
which only applies in the Linux world if the LinuxPAM pam_group(8)
module has been installed and configured which allows one to assign
additional secondary groups to a user using /etc/security/group.conf in
addition to /etc/group.  Note that there is an OpenPAM PAM module of the
same name, pam_group(8), which has different functionality: it performs
access control based on group membership.

There is an earlier call to do_pam_setcred() in main() so this
additional call to do_pam_setcred() doesn't need to be called on
non-Linux platforms.  I don't see any config.h #defines for Linux PAM so
this code could be ifdef'ed out for Solaris by including a check for
PAM_SUN_CODEBASE.
Comment 1 Damien Miller 2015-07-17 12:20:07 AEST
Does the additional call hurt?