delay lookup of privsep user until config loaded

sshd-session attempting to use options.kerberos_authentication to decide whether it needed to lookup the privsep user before the configuration was loaded. This caused it to get a placeholder value that caused it always to try to lookup the privsep user, breaking at least one test environment.
openssh · Jun 13, 2024 · f66d4df · f66d4df
1 parent f1c4285
commit f66d4df
Showing 1 changed file with 11 additions and 11 deletions.
diff --git a/sshd-session.c b/sshd-session.c
@@ -1036,6 +1036,17 @@ main(int ac, char **av)
 
 	debug("sshd version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION);
 
+	/* Fetch our configuration */
+	if ((cfg = sshbuf_new()) == NULL)
+		fatal("sshbuf_new config buf failed");
+	setproctitle("%s", "[rexeced]");
+	recv_rexec_state(REEXEC_CONFIG_PASS_FD, cfg, &timing_secret);
+	close(REEXEC_CONFIG_PASS_FD);
+	parse_server_config(&options, "rexec", cfg, &includes, NULL, 1);
+	/* Fill in default values for those options not explicitly set. */
+	fill_default_server_options(&options);
+	options.timing_secret = timing_secret;
+
 	/* Store privilege separation user for later use if required. */
 	privsep_chroot = (getuid() == 0 || geteuid() == 0);
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
@@ -1049,17 +1060,6 @@ main(int ac, char **av)
 	}
 	endpwent();
 
-	/* Fetch our configuration */
-	if ((cfg = sshbuf_new()) == NULL)
-		fatal("sshbuf_new config buf failed");
-	setproctitle("%s", "[rexeced]");
-	recv_rexec_state(REEXEC_CONFIG_PASS_FD, cfg, &timing_secret);
-	close(REEXEC_CONFIG_PASS_FD);
-	parse_server_config(&options, "rexec", cfg, &includes, NULL, 1);
-	/* Fill in default values for those options not explicitly set. */
-	fill_default_server_options(&options);
-	options.timing_secret = timing_secret;
-
 	if (!debug_flag) {
 		startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
 		close(REEXEC_STARTUP_PIPE_FD);