openssh bugs - Jul 2015 - [Bug 2426] New: OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux platforms

https://bugzilla.mindrot.org/show_bug.cgi?id=2426

            Bug ID: 2426
           Summary: OpenSSH doesn't need the second call to
                    do_pam_setcred() on non-Linux platforms
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: minor
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: brent.paulson at gmail.com

There is a second call to do_pam_setcred() in
platform.c:platform_setusercontext_post_groups() which was made via the
following changeset which doesn't mention a bugID:

https://anongit.mindrot.org/openssh.git/commit/platform.c?id=cc12418e18242ce1f61d7035da4956274ba13a96

The comment mentions initgroups(3C) wiping out supplementary groups
which only applies in the Linux world if the LinuxPAM pam_group(8)
module has been installed and configured which allows one to assign
additional secondary groups to a user using /etc/security/group.conf in
addition to /etc/group.  Note that there is an OpenPAM PAM module of
the
same name, pam_group(8), which has different functionality, it performs
access control based on group membership.

There is an earlier call to do_pam_setcred() in main() so this
additional call to do_pam_setcred() doesn't need to be called on
non-Linux platforms.  I don't see any config.h #defines for Linux PAM
so
this code could be ifdef'ed out for Solaris by including a check for
PAM_SUN_CODEBASE.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2426

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Does the additional call hurt?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2426

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
no response; closing

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.