From 4183d8ddbfd1399a1c7255f6de31298bea18655b Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Thu, 2 Sep 2021 11:44:51 +0100
Subject: [PATCH] Moved initgroups call to before auth_start_session()
This is required for PAM systems that depend on group membership being
available during PAM processing. This is used by pam_group on FreeBSD
and pam_group on Linux-PAM, although the functionality of both is
different.
---
common/os_calls.c | 10 ++++++++--
common/os_calls.h | 2 +-
sesman/env.c | 8 +++-----
sesman/session.c | 10 ++++++++++
4 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/common/os_calls.c b/common/os_calls.c
index 2fdbea4a..e3561ebb 100644
--- a/common/os_calls.c
+++ b/common/os_calls.c
@@ -2875,12 +2875,18 @@ g_setgid(int pid)
/* returns error, zero is success, non zero is error */
/* does not work in win32 */
int
-g_initgroups(const char *user, int gid)
+g_initgroups(const char *username)
{
#if defined(_WIN32)
return 0;
#else
- return initgroups(user, gid);
+ int gid;
+ int error = g_getuser_info(username, &gid, NULL, NULL, NULL, NULL);
+ if (error == 0)
+ {
+ error = initgroups(username, gid);
+ }
+ return error;
#endif
}
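Review bot: When g_getuser_info() fails the non-zero value is returned as-is, and the new caller in sesman/session.c formats that failure with g_get_strerror(); unless g_getuser_info() sets errno on a lookup failure (not visible here), the logged reason will be whatever errno an earlier call left behind. It would help to say so at the return, e.g. `/* non-zero from g_getuser_info() is a lookup failure; errno may not describe it */`, or to log the two failure modes separately in the caller. The same user is looked up again in env_set_user() to obtain pw_gid, so the primary group is resolved twice per session; that is harmless but worth a comment if it is intentional. The header comment above still reads "returns error, zero is success, non zero is error", which remains accurate.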
diff --git a/common/os_calls.h b/common/os_calls.h
index 3511d7cc..3550b68d 100644
--- a/common/os_calls.h
+++ b/common/os_calls.h
@@ -159,7 +159,7 @@ void g_signal_pipe(void (*func)(int));
void g_signal_usr1(void (*func)(int));
int g_fork(void);
int g_setgid(int pid);
-int g_initgroups(const char* user, int gid);
+int g_initgroups(const char *user);
int g_getuid(void);
int g_getgid(void);
int g_setuid(int pid);
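Review bot: The prototype keeps the parameter name `user` while the definition in common/os_calls.c now uses `username`; keeping them identical makes it obvious which function this declares, so `int g_initgroups(const char *username);`. Since the gid argument has been dropped, a one-line comment here stating that the primary group is now looked up from the user database internally, and that a non-zero return covers both the lookup and initgroups() failing, would spare readers a trip to the .c file.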
diff --git a/sesman/env.c b/sesman/env.c
index f3b3dc63..34a6a97f 100644
--- a/sesman/env.c
+++ b/sesman/env.c
@@ -112,13 +112,11 @@ env_set_user(const char *username, char **passwd_file, int display,
if (error == 0)
{
g_rm_temp_dir();
+ /*
+ * Set the primary group. Note that secondary groups should already
+ * have been set */
error = g_setgid(pw_gid);
- if (error == 0)
- {
- error = g_initgroups(username, pw_gid);
- }
-
if (error == 0)
{
uid = pw_uid;
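Review bot: The removed g_initgroups() call turns "secondary groups already set" into a precondition of env_set_user() that only a caller can satisfy, and the new comment does not say who is expected to do it. If env_set_user() is reached on any path that does not pass through session_start()'s new g_initgroups() call, the process would change uid while keeping the parent's supplementary groups; I cannot see the other callers from this hunk, so this is worth confirming. I would name the caller in the comment and close it in the usual multi-line form, `/* Set the primary group. Secondary groups must already have been` / ` * set by the caller (see session_start()) */`, and record the precondition in env_set_user()'s header comment, which lies outside the hunk.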
diff --git a/sesman/session.c b/sesman/session.c
index 0eae928e..00594d1d 100644
--- a/sesman/session.c
+++ b/sesman/session.c
@@ -525,6 +525,16 @@ session_start(long data,
{
log_message(LOG_LEVEL_INFO, "calling auth_start_session from pid %d",
g_getpid());
+ /* Set the secondary groups before starting the session to prevent
+ * problems on PAM-based systems (see pam_setcred(3)) */
+ if (g_initgroups(s->username) != 0)
+ {
+ log_message(LOG_LEVEL_ERROR,
+ "Failed to initialise secondary groups for %s: %s",
+ s->username, g_get_strerror());
+ g_exit(1);
+ }
+
auth_start_session(data, display);
g_delete_wait_obj(g_term_event);
g_tcp_close(g_sck);
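Review bot: The new comment explains the PAM motivation but not the ordering constraint the call actually depends on: initgroups(3) needs the privilege to set supplementary groups, so this has to run while the process is still privileged and before env_set_user() switches to the user's uid. Making that explicit guards against someone later moving the call, e.g. `/* Set the secondary groups before starting the session to prevent` / ` * problems on PAM-based systems (see pam_setcred(3)). This must run while` / ` * still privileged, before env_set_user() drops to the user's uid */`. Failing closed with g_exit(1) is the right choice; the rest of session_start() continues outside the hunk, so I could not check what the parent sees for that exit status.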
--
2.26.2