Moved initgroups call to before auth_start_session()

This is required for PAM systems that depend on group membership being
available during PAM processing. This is used by pam_group on FreeBSD
and pam_group on Linux-PAM, although the functionality of both is
different.
This commit is contained in:
matt335672 2021-09-02 11:44:51 +01:00
parent cd1af4772c
commit 4183d8ddbf
4 changed files with 22 additions and 8 deletions


@ -2875,12 +2875,18 @@ g_setgid(int pid)
/* returns error, zero is success, non zero is error */ /* returns error, zero is success, non zero is error */
/* does not work in win32 */ /* does not work in win32 */
int int
g_initgroups(const char *user, int gid) g_initgroups(const char *username)
{ {
#if defined(_WIN32) #if defined(_WIN32)
return 0; return 0;
#else #else
return initgroups(user, gid); int gid;
int error = g_getuser_info(username, &gid, NULL, NULL, NULL, NULL);
if (error == 0)
{
error = initgroups(username, gid);
}
return error;
#endif #endif
} }
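Review bot: The header comment above g_initgroups still reads only "returns error, zero is success, non zero is error" and "does not work in win32", although the function now performs a user lookup via g_getuser_info() before calling initgroups(), so a reader of the declaration cannot tell that a failure may come from either step; I would replace it with `/* Looks up the primary group of 'username' and sets the supplementary groups for it. Returns 0 on success, non-zero if the lookup or initgroups() fails. Does not work in win32 */`. Also, `gid` is declared `int` while initgroups() takes a `gid_t`; this mirrors the old `int gid` parameter, but it is an implicit conversion and is worth a short comment if g_getuser_info() hands back a wider type. What g_getuser_info() returns on a missing user is not visible in this hunk, so the "non-zero" wording should be checked against its implementation.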


@ -159,7 +159,7 @@ void g_signal_pipe(void (*func)(int));
void g_signal_usr1(void (*func)(int)); void g_signal_usr1(void (*func)(int));
int g_fork(void); int g_fork(void);
int g_setgid(int pid); int g_setgid(int pid);
int g_initgroups(const char *user, int gid); int g_initgroups(const char *user);
int g_getuid(void); int g_getuid(void);
int g_getgid(void); int g_getgid(void);
int g_setuid(int pid); int g_setuid(int pid);
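Review bot: The prototype names the parameter `user` while the definition in the first file section now names it `username`; since the second parameter has been dropped and the string is now used for a lookup, keeping the header in sync, `int g_initgroups(const char *username);`, avoids the two disagreeing about what is expected. As the header is the documented interface, a one-line comment here stating that the supplementary groups are derived from the named user's primary group would also help callers.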


@ -112,13 +112,11 @@ env_set_user(const char *username, char **passwd_file, int display,
if (error == 0) if (error == 0)
{ {
g_rm_temp_dir(); g_rm_temp_dir();
/*
* Set the primary group. Note that secondary groups should already
* have been set */
error = g_setgid(pw_gid); error = g_setgid(pw_gid);
if (error == 0)
{
error = g_initgroups(username, pw_gid);
}
if (error == 0) if (error == 0)
{ {
uid = pw_uid; uid = pw_uid;
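Review bot: After this change env_set_user only sets the primary group and depends on the caller having already called g_initgroups(), but that precondition is stated only in a comment inside the body; any other caller that reaches the switch to `pw_uid` without first calling g_initgroups() would keep the supplementary groups inherited from the parent process. I would state the precondition in env_set_user's header comment, e.g. `/* Caller must have set the supplementary groups (g_initgroups) before calling this function */`, so that new call sites do not silently miss it. Whether env_set_user has callers other than session_start is not visible here, and the function's start and end lie outside this hunk.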


@ -525,6 +525,16 @@ session_start(long data,
g_delete_wait_obj(g_sigchld_event); g_delete_wait_obj(g_sigchld_event);
g_delete_wait_obj(g_term_event); g_delete_wait_obj(g_term_event);
/* Set the secondary groups before starting the session to prevent
* problems on PAM-based systems (see pam_setcred(3)) */
if (g_initgroups(s->username) != 0)
{
LOG(LOG_LEVEL_ERROR,
"Failed to initialise secondary groups for %s: %s",
s->username, g_get_strerror());
g_exit(1);
}
auth_start_session(data, display); auth_start_session(data, display);
sesman_close_all(); sesman_close_all();
g_sprintf(geometry, "%dx%d", s->width, s->height); g_sprintf(geometry, "%dx%d", s->width, s->height);
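Review bot: The error path of the new check logs `g_get_strerror()`, but g_initgroups() now fails either in the user lookup or in initgroups(); if the lookup fails without setting errno, the logged text may describe an unrelated earlier error rather than the missing user. At minimum I would make the message say that both steps are covered, e.g. `"Failed to initialise secondary groups for %s (user lookup or initgroups): %s"`, or have g_initgroups() return distinguishable codes so the two cases can be logged separately. Whether g_getuser_info() sets errno on a missing user is not visible in this commit, and session_start begins before this hunk.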