Moved initgroups call to before auth_start_session()

This is required on PAM systems whose modules depend on the supplementary
group membership already being in place during PAM processing (see
pam_setcred(3)). Examples are pam_group on FreeBSD and pam_group on
Linux-PAM, although the two modules behave differently.
This commit is contained in:
matt335672 2021-09-02 11:44:51 +01:00
parent cd1af4772c
commit 4183d8ddbf
4 changed files with 22 additions and 8 deletions


@ -2875,12 +2875,18 @@ g_setgid(int pid)
/* returns error, zero is success, non zero is error */
/* does not work in win32 */
int
g_initgroups(const char *user, int gid)
g_initgroups(const char *username)
{
#if defined(_WIN32)
return 0;
#else
return initgroups(user, gid);
int gid;
int error = g_getuser_info(username, &gid, NULL, NULL, NULL, NULL);
if (error == 0)
{
error = initgroups(username, gid);
}
return error;
#endif
}
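Review bot: The header comment above g_initgroups (`/* returns error, zero is success, non zero is error */`) no longer describes the function: the body now resolves `username` through g_getuser_info() and passes the returned primary gid to initgroups(3), so a non-zero return can mean either an unknown user or an initgroups() failure, and callers can no longer supply the gid themselves. I would replace the comment with `/* Set the supplementary group list for username using its passwd entry. Returns 0 on success, non-zero if the user lookup or initgroups(3) fails. Needs the privilege initgroups(3) requires, so call it before dropping privileges. */`. Note also that `gid` is an `int` handed to a `gid_t` parameter; that matches the file's existing `g_setgid(int pid)` convention, but it is worth stating that g_getuser_info() reports the gid as an int, which I am inferring from the call since its prototype is not in this hunk.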


@ -159,7 +159,7 @@ void g_signal_pipe(void (*func)(int));
void g_signal_usr1(void (*func)(int));
int g_fork(void);
int g_setgid(int pid);
int g_initgroups(const char *user, int gid);
int g_initgroups(const char *user);
int g_getuid(void);
int g_getgid(void);
int g_setuid(int pid);
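Review bot: The new prototype names the parameter `user` while the definition in os_calls.c names it `username`; readers who only see the header get a different name than the implementation, so I would make them agree: `int g_initgroups(const char *username);`. Since the header is what callers read, a one-line comment describing the new contract would also help, e.g. `/* Set supplementary groups for username from its passwd entry; 0 on success, non-zero on lookup or initgroups(3) failure */`.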


@ -112,13 +112,11 @@ env_set_user(const char *username, char **passwd_file, int display,
if (error == 0)
{
g_rm_temp_dir();
/*
* Set the primary group. Note that secondary groups should already
* have been set */
error = g_setgid(pw_gid);
if (error == 0)
{
error = g_initgroups(username, pw_gid);
}
if (error == 0)
{
uid = pw_uid;
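Review bot: The new comment says secondary groups "should already have been set", but env_set_user() has no check for this, so any caller that reaches the g_setgid()/setuid sequence without first running g_initgroups() leaves the new uid holding the parent process's supplementary groups — the privilege retention the removed initgroups call used to prevent. The comment should at least name the precondition and who satisfies it, e.g. `/* Set the primary group. Secondary groups must already have been set by the caller via g_initgroups() (session_start() does this before auth_start_session()) */`. Whether env_set_user() has callers outside that path I cannot tell from this hunk; env_set_user() starts and ends outside it.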


@ -525,6 +525,16 @@ session_start(long data,
g_delete_wait_obj(g_sigchld_event);
g_delete_wait_obj(g_term_event);
/* Set the secondary groups before starting the session to prevent
* problems on PAM-based systems (see pam_setcred(3)) */
if (g_initgroups(s->username) != 0)
{
LOG(LOG_LEVEL_ERROR,
"Failed to initialise secondary groups for %s: %s",
s->username, g_get_strerror());
g_exit(1);
}
auth_start_session(data, display);
sesman_close_all();
g_sprintf(geometry, "%dx%d", s->width, s->height);
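Review bot: The LOG call formats g_get_strerror(), but when g_initgroups() fails because g_getuser_info() finds no passwd entry for `s->username`, getpwnam(3) normally leaves errno untouched, so the log would read "Success" or a stale error from an earlier call. Setting `errno = 0;` immediately before the g_initgroups() call and reporting a lookup-specific message when errno is still 0 (e.g. `errno == 0 ? "unknown user" : g_get_strerror()`) would make the failure diagnosable. I am inferring g_getuser_info()'s errno behaviour from the usual getpwnam() contract, as its body is not in this diff. session_start() begins and ends outside the hunk.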