1 $NetBSD: patch-av,v 1.9 2010/06/11 20:41:42 martti Exp $
3 --- sshd.c.orig 2011-02-16 01:25:58.000000000 +0000
5 @@ -239,7 +239,11 @@ int *startup_pipes = NULL;
6 int startup_pipe; /* in child */
8 /* variables used for privilege separation */
14 struct monitor *pmonitor = NULL;
16 /* global authentication context */
17 @@ -618,10 +622,15 @@ privsep_preauth_child(void)
18 /* XXX not ready, too heavy after chroot */
19 do_setusercontext(privsep_pw);
22 + if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
23 + fatal("setuser: %.100s", strerror(errno));
25 gidset[0] = privsep_pw->pw_gid;
26 if (setgroups(1, gidset) < 0)
27 fatal("setgroups: %.100s", strerror(errno));
28 permanently_set_uid(privsep_pw);
29 +#endif /* HAVE_INTERIX */
33 @@ -661,7 +670,7 @@ privsep_preauth(Authctxt *authctxt)
34 close(pmonitor->m_sendfd);
36 /* Demote the child */
37 - if (getuid() == 0 || geteuid() == 0)
38 + if (getuid() == ROOTUID || geteuid() == ROOTUID)
39 privsep_preauth_child();
40 setproctitle("%s", "[net]");
42 @@ -676,7 +685,7 @@ privsep_postauth(Authctxt *authctxt)
43 #ifdef DISABLE_FD_PASSING
46 - if (authctxt->pw->pw_uid == 0 || options.use_login) {
47 + if (authctxt->pw->pw_uid == ROOTUID || options.use_login) {
49 /* File descriptor passing is broken or root login */
51 @@ -1335,8 +1344,10 @@ main(int ac, char **av)
55 - if (geteuid() == 0 && setgroups(0, NULL) == -1)
57 + if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
58 debug("setgroups(): %.200s", strerror(errno));
61 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
63 @@ -1690,7 +1701,7 @@ main(int ac, char **av)
64 (st.st_uid != getuid () ||
65 (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
67 - if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
68 + if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
70 fatal("%s must be owned by root and not group or "
71 "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
72 @@ -1714,8 +1725,10 @@ main(int ac, char **av)
73 * to create a file, and we can't control the code in every
74 * module which might be used).
77 if (setgroups(0, NULL) < 0)
78 debug("setgroups() failed: %.200s", strerror(errno));
82 rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));