Upgrade to OpenSSH 5.8p2.

1 files changed, 130 insertions, 2 deletions

diff --git a/crypto/openssh/platform.c b/crypto/openssh/platform.c
index e3a428a..a455472 100644
--- a/crypto/openssh/platform.c
+++ b/crypto/openssh/platform.c
@@ -1,4 +1,4 @@
-/* $Id: platform.c,v 1.3 2009/12/20 23:49:22 dtucker Exp $ */
+/* $Id: platform.c,v 1.18 2011/01/11 06:02:25 djm Exp $ */
 
 /*
  * Copyright (c) 2006 Darren Tucker.  All rights reserved.
@@ -16,11 +16,27 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include "config.h"
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <unistd.h>
+
+#include "log.h"
+#include "buffer.h"
+#include "servconf.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "auth-pam.h"
 #include "platform.h"
 
 #include "openbsd-compat/openbsd-compat.h"
 
+extern int use_privsep;
+extern ServerOptions options;
+
 void
 platform_pre_listen(void)
 {
@@ -57,6 +73,118 @@ platform_post_fork_child(void)
 #endif
 }
 
+/* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
+int
+platform_privileged_uidswap(void)
+{
+#ifdef HAVE_CYGWIN
+	/* uid 0 is not special on Cygwin so always try */
+	return 1;
+#else
+	return (getuid() == 0 || geteuid() == 0);
+#endif
+}
+
+/*
+ * This gets called before switching UIDs, and is called even when sshd is
+ * not running as root.
+ */
+void
+platform_setusercontext(struct passwd *pw)
+{
+#ifdef WITH_SELINUX
+	/* Cache selinux status for later use */
+	(void)ssh_selinux_enabled();
+#endif
+
+#ifdef USE_SOLARIS_PROJECTS
+	/* if solaris projects were detected, set the default now */
+	if (getuid() == 0 || geteuid() == 0)
+		solaris_set_default_project(pw);
+#endif
+
+#if defined(HAVE_LOGIN_CAP) && defined (__bsdi__)
+	if (getuid() == 0 || geteuid() == 0)
+		setpgid(0, 0);
+# endif
+
+#if defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
+	/*
+	 * If we have both LOGIN_CAP and PAM, we want to establish creds
+	 * before calling setusercontext (in session.c:do_setusercontext).
+	 */
+	if (getuid() == 0 || geteuid() == 0) {
+		if (options.use_pam) {
+			do_pam_setcred(use_privsep);
+		}
+	}
+# endif /* USE_PAM */
+
+#if !defined(HAVE_LOGIN_CAP) && defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
+	if (getuid() == 0 || geteuid() == 0) {
+		/* Sets login uid for accounting */
+		if (getluid() == -1 && setluid(pw->pw_uid) == -1)
+			error("setluid: %s", strerror(errno));
+	}
+#endif
+}
+
+/*
+ * This gets called after we've established the user's groups, and is only
+ * called if sshd is running as root.
+ */
+void
+platform_setusercontext_post_groups(struct passwd *pw)
+{
+#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
+	/*
+	 * PAM credentials may take the form of supplementary groups.
+	 * These will have been wiped by the above initgroups() call.
+	 * Reestablish them here.
+	 */
+	if (options.use_pam) {
+		do_pam_setcred(use_privsep);
+	}
+#endif /* USE_PAM */
+
+#if !defined(HAVE_LOGIN_CAP) && (defined(WITH_IRIX_PROJECT) || \
+    defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY))
+	irix_setusercontext(pw);
+#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
+
+#ifdef _AIX
+	aix_usrinfo(pw);
+#endif /* _AIX */
+
+#if !defined(HAVE_LOGIN_CAP) && defined(USE_LIBIAF)
+	if (set_id(pw->pw_name) != 0) {
+		exit(1);
+	}
+# endif /* USE_LIBIAF */
+
+#ifdef HAVE_SETPCRED
+	/*
+	 * If we have a chroot directory, we set all creds except real
+	 * uid which we will need for chroot.  If we don't have a
+	 * chroot directory, we don't override anything.
+	 */
+	{
+		char **creds = NULL, *chroot_creds[] =
+		    { "REAL_USER=root", NULL };
+
+		if (options.chroot_directory != NULL &&
+		    strcasecmp(options.chroot_directory, "none") != 0)
+			creds = chroot_creds;
+
+		if (setpcred(pw->pw_name, creds) == -1)
+			fatal("Failed to set process credentials");
+	}
+#endif /* HAVE_SETPCRED */
+#ifdef WITH_SELINUX
+	ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
+}
+
 char *
 platform_krb5_get_principal_name(const char *pw_name)
 {