1 From 5d88117bbbf58eab0895f532202ff1c46016ec0f Mon Sep 17 00:00:00 2001
   2 From: oracle <solaris@oracle.com>
   3 Date: Mon, 3 Aug 2015 14:38:41 -0700
   4 Subject: [PATCH 19/36] Don't call do_pam_setcred twice
   5 
   6 # This issue has been raised with the upstream OpenSSH community:
   7 #
   8 # 2426 OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux
   9 #      platforms
  10 # https://bugzilla.mindrot.org/show_bug.cgi?id=2426
  11 #
  12 # The OpenSSH maintainers added a call to do_pam_setcred() in
  13 # platform_setusercontext_post_groups() with no corresponding bugID along with
  14 # a befuddling comment that initgroups(3C) wipes out supplementary groups:
  15 #
  16 #https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96
  17 #
  18 # This only applies in the Linux world if the LinuxPAM pam_group(8) module
  19 # has been installed and configured, which allows one to assign additional
  20 # secondary groups to a user using /etc/security/group.conf in addition to
  21 # /etc/group.  To confuse things a bit more, there is an OpenPAM PAM module
  22 # of the same name, pam_group(8), which has different functionality: it
  23 # performs access control based on group membership.
  24 #
  25 # In short, this additional call to do_pam_setcred() is Linux-specific and
  26 # shouldn't be called on Solaris.
  27 #
  28 ---
  29  platform.c | 2 +-
  30  1 file changed, 1 insertion(+), 1 deletion(-)
  31 
  32 diff --git a/platform.c b/platform.c
  33 index ee313da..8362a08 100644
  34 --- a/platform.c
  35 +++ b/platform.c
  36 @@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *pw)
  37  void
  38  platform_setusercontext_post_groups(struct passwd *pw)
  39  {
  40 -#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
  41 +#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) && !defined(PAM_SUN_CODEBASE)
  42         /*
  43          * PAM credentials may take the form of supplementary groups.
  44          * These will have been wiped by the above initgroups() call.
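Review bot: The widened `#if` in `platform_setusercontext_post_groups()` skips the second credential setup on every build that defines `PAM_SUN_CODEBASE`, which may cover more platforms than Solaris, and nothing next to the condition says why. The comment kept directly below it still states that PAM credentials can be supplementary groups wiped by the earlier initgroups() call, so on those builds a module that grants groups from pam_setcred() would silently lose them and the session's group-based access would differ from what PAM configured. I would record the reason beside the guard, e.g. `/* Skipped on Sun-derived PAM: pam_setcred() is not expected to add supplementary groups there, see bz#2426. */`, and confirm that assumption for each platform that sets the macro. The function body continues past the end of the hunk, so the call being disabled is not visible here.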
  45 -- 
  46 2.5.4 (Apple Git-61)
  47