- (djm) Reestablish PAM credentials (which can be supplemental group

   memberships) after initgroups() blows them away. Report and suggested
   fix from Nalin Dahyabhai <[email protected]>

ChangeLog

@@ -1,10 +1,3 @@
-20010328
- - OpenBSD CVS Sync
-   - [email protected] 2001/03/26 08:07:09
-     [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c 
-      sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
-     simpler key load/save interface, see authfile.h
-
 20010327
  - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID)
  - Fix pointer issues in waitpid() and wait() replaces.  Patch by Lutz 
@@ -17,6 +10,13 @@
      [servconf.c servconf.h session.c sshd.8 sshd_config]
      PrintLastLog option; from [email protected] with some minor
      changes by me.  ok markus@
+   - [email protected] 2001/03/26 08:07:09
+     [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c 
+      sshconnect.h sshconnect1.c sshconnect2.c sshd.c]
+     simpler key load/save interface, see authfile.h
+ - (djm) Reestablish PAM credentials (which can be supplemental group 
+   memberships) after initgroups() blows them away. Report and suggested
+   fix from Nalin Dahyabhai <[email protected]>
 
 20010324
  - Fixed permissions ssh-keyscan.  Thanks to Christopher Linn <[email protected]>.
@@ -4725,4 +4725,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1020 2001/03/26 13:44:06 mouring Exp $
+$Id: ChangeLog,v 1.1021 2001/03/27 06:12:24 djm Exp $

auth-pam.c

@@ -33,7 +33,7 @@
 #include "canohost.h"
 #include "readpass.h"
 
-RCSID("$Id: auth-pam.c,v 1.33 2001/03/21 02:01:35 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.34 2001/03/27 06:12:24 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now"
@@ -287,14 +287,15 @@ void do_pam_session(char *username, const char *ttyname)
 }
 
 /* Set PAM credentials */
-void do_pam_setcred(void)
+void do_pam_setcred(int init)
 {
 	int pam_retval;
 
 	do_pam_set_conv(&conv);
 
 	debug("PAM establishing creds");
-	pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED);
+	pam_retval = pam_setcred(__pamh, 
+	    init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
 	if (pam_retval != PAM_SUCCESS) {
 		if (was_authenticated)
 			fatal("PAM setcred failed[%d]: %.200s",

auth-pam.h

@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.10 2001/02/15 00:51:32 djm Exp $ */
+/* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */
 
 #include "includes.h"
 #ifdef USE_PAM
@@ -12,7 +12,7 @@ char **fetch_pam_environment(void);
 int do_pam_authenticate(int flags);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
-void do_pam_setcred(void);
+void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);

session.c

@@ -488,7 +488,7 @@ do_exec_no_pty(Session *s, const char *command)
 	session_proctitle(s);
 
 #if defined(USE_PAM)
-	do_pam_setcred();
+	do_pam_setcred(1);
 #endif /* USE_PAM */
 
 	/* Fork the child. */
@@ -603,7 +603,7 @@ do_exec_pty(Session *s, const char *command)
 
 #if defined(USE_PAM)
 	do_pam_session(s->pw->pw_name, s->tty);
-	do_pam_setcred();
+	do_pam_setcred(1);
 #endif
 
 	/* Fork the child. */
@@ -1100,6 +1100,15 @@ do_child(Session *s, const char *command)
 				exit(1);
 			}
 			endgrent();
+#  ifdef USE_PAM
+			/*
+			 * PAM credentials may take the form of 
+			 * supplementary groups. These will have been 
+			 * wiped by the above initgroups() call.
+			 * Reestablish them here.
+			 */
+			do_pam_setcred(0);
+#  endif /* USE_PAM */
 #  ifdef WITH_IRIX_JOBS
 			jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive");
 			if (jid == -1) {