# # This patch is the ProFTPD part of CR 28398194. The mod_solaris_priv.c # makes the FTP session process privilege aware. As soon as # solaris_priv_post_pass() calls setreuid() to make a process privilege # aware, it sets 'session.disable_id_switching' to TRUE. Unfortunately # it's not enough, because mod_auth_pam.c overrides .disable_id_switching to # tell src/privs.c to operate as root. This is of course futile on Oracle # Solaris and makes src/privs.c complain loudly. All details were submitted # to upstream: # https://github.com/proftpd/proftpd/pull/732 # # The other part of the fix updates mod_solaris_priv.c to set # he priv_aware flag as soon as a session process is privilege aware. # # If the pull request is accepted, we can kill this patch # as soon as we get fixed proftpd from upstream. There is no ETA. # --- a/include/proftpd.h +++ b/include/proftpd.h @@ -100,6 +100,9 @@ typedef struct { */ int disable_id_switching; /* Disable UID/GID switching */ +#ifdef SOLARIS2 + int priv_aware; /* process posses all privs it needs */ +#endif /* SOLARIS2 */ uid_t uid, ouid; /* Current and original UIDs */ gid_t gid; /* Current GID */ --- a/src/privs.c +++ b/src/privs.c @@ -169,7 +169,11 @@ int pr_privs_root(const char *file, int lineno) { pr_signals_block(); +#ifdef SOLARIS2 + if (!session.disable_id_switching && !session.priv_aware) { +#else if (!session.disable_id_switching) { +#endif #if defined(HAVE_SETEUID) if (seteuid(PR_ROOT_UID) < 0) { @@ -219,7 +223,12 @@ int pr_privs_user(const char *file, int lineno) { pr_signals_block(); +#ifdef SOLARIS2 + if (!session.disable_id_switching && !session.priv_aware) { +#else if (!session.disable_id_switching) { +#endif + #if defined(HAVE_SETEUID) if (seteuid(PR_ROOT_UID) < 0) { privs_log_error("USER PRIVS: unable to seteuid(PR_ROOT_UID)", errno); @@ -294,7 +303,12 @@ int pr_privs_relinquish(const char *file, int lineno) { pr_signals_block(); +#ifdef SOLARIS2 + if (!session.disable_id_switching && !session.priv_aware) { +#else if (!session.disable_id_switching) { +#endif + #if defined(HAVE_SETEUID) if (geteuid() != PR_ROOT_UID) { if (seteuid(PR_ROOT_UID) < 0) {