diff options
| author | Tomas Mraz <tm@t8m.info> | 2006-08-09 19:04:59 +0000 |
|---|---|---|
| committer | Tomas Mraz <tm@t8m.info> | 2006-08-09 19:04:59 +0000 |
| commit | b242762dbe2f3acc1d60a6c1f1363af4d471ad84 (patch) | |
| tree | 71c7e3d5bbda8707be6ec247c9ffced598503952 | |
| parent | 9fe629581bf126af81233706e71bec60decee79c (diff) | |
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2006-08-09 David Howells <dhowells@redhat.com>
* modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Set real uid
to user's before revoking.
(pam_sm_open_session): Remember the uid.
| -rw-r--r-- | ChangeLog | 8 | ||||
| -rw-r--r-- | modules/pam_keyinit/pam_keyinit.c | 30 |
2 files changed, 35 insertions, 3 deletions
@@ -1,3 +1,9 @@ +2006-08-09 David Howells <dhowells@redhat.com> + + * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Set real uid + to user's before revoking. + (pam_sm_open_session): Remember the uid. + 2006-08-06 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_umask/pam_umask.c (setup_limits_from_gecos): @@ -63,7 +69,7 @@ * libpam/Makefile.am: Bump patchlevel of libpam. * libpam/pam_dispatch.c (_pam_dispatch_aux): If [return=die] or [return=bad] is used, don't return PAM_IGNORE. Based on - patch by Tomas Mraz <t8m@centrum.cz>, [BRC#196859]. + patch by Tomas Mraz <t8m@centrum.cz>, [BRC#196859]. 2006-07-28 Thorsten Kukuk <kukuk@thkukuk.de> diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c index 5a43c12a..452b0005 100644 --- a/modules/pam_keyinit/pam_keyinit.c +++ b/modules/pam_keyinit/pam_keyinit.c @@ -33,6 +33,8 @@ static int my_session_keyring; static int session_counter; static int do_revoke; +static int revoke_as_uid; +static int revoke_as_gid; static int xdebug = 0; static void debug(pam_handle_t *pamh, const char *fmt, ...) @@ -124,14 +126,38 @@ static int init_keyrings(pam_handle_t *pamh, int force) */ static void kill_keyrings(pam_handle_t *pamh) { + int old_uid, old_gid; + /* revoke the session keyring we created earlier */ if (my_session_keyring > 0) { debug(pamh, "REVOKE %d", my_session_keyring); + old_uid = getuid(); + old_gid = getgid(); + debug(pamh, "UID:%d [%d] GID:%d [%d]", + revoke_as_uid, old_uid, revoke_as_gid, old_gid); + + /* switch to the real UID and GID so that we have permission to + * revoke the key */ + if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0) + error(pamh, "Unable to change UID to %d temporarily\n", + revoke_as_uid); + + if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0) + error(pamh, "Unable to change GID to %d temporarily\n", + revoke_as_gid); + syscall(__NR_keyctl, KEYCTL_REVOKE, my_session_keyring); + /* return to the orignal UID and GID (probably root) */ + if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0) + error(pamh, "Unable to change UID back to %d\n", old_uid); + + if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0) + error(pamh, "Unable to change GID back to %d\n", old_gid); + my_session_keyring = 0; } } @@ -177,9 +203,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, return PAM_USER_UNKNOWN; } - uid = pw->pw_uid; + revoke_as_uid = uid = pw->pw_uid; old_uid = getuid(); - gid = pw->pw_gid; + revoke_as_gid = gid = pw->pw_gid; old_gid = getgid(); debug(pamh, "UID:%d [%d] GID:%d [%d]", uid, old_uid, gid, old_gid); |