authorTomas Mraz <tm@t8m.info>2008-11-20 14:10:17 +0000
committerTomas Mraz <tm@t8m.info>2008-11-20 14:10:17 +0000
commitbc32e648b76cb6eef5a3dd4720a7384d918ca6fb (patch)
treeaa9a564e2b457cac8cb3fa609ea63eed873455ee
parentd356c2696c3044d4b81690830558a3ecd0f3427c (diff)
Relevant BUGIDs:
Purpose of commit: bugfix Commit summary: --------------- 2008-11-20 Tomas Mraz <t8m@centrum.cz> * modules/pam_sepermit/pam_sepermit.c (sepermit_match): Do not call sepermit_lock() if sense is deny. Do not crash on NULL seuser match. (pam_sm_authenticate): Try to call getseuserbyname() even if SELinux is disabled.
-rw-r--r--ChangeLog8
-rw-r--r--modules/pam_sepermit/pam_sepermit.c24
2 files changed, 23 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index 683f3b6c..f8757df7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2008-11-20 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_sepermit/pam_sepermit.c (sepermit_match): Do not
+ call sepermit_lock() if sense is deny. Do not crash on NULL seuser
+ match.
+ (pam_sm_authenticate): Try to call getseuserbyname() even if
+ SELinux is disabled.
+
2008-11-19 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session):
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
index 15cdc3e1..0fd95619 100644
--- a/modules/pam_sepermit/pam_sepermit.c
+++ b/modules/pam_sepermit/pam_sepermit.c
@@ -231,7 +231,7 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
/* return 0 when matched, -1 when unmatched, pam error otherwise */
static int
sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
- const char *seuser, int debug)
+ const char *seuser, int debug, int sense)
{
FILE *f;
char *line = NULL;
@@ -278,6 +278,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
}
break;
case '%':
+ if (seuser == NULL)
+ break;
++start;
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start);
@@ -304,8 +306,12 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
free(line);
fclose(f);
- if (matched)
- return (geteuid() == 0 && exclusive) ? sepermit_lock(pamh, user, debug) : 0;
+ if (matched) {
+ if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive)
+ return sepermit_lock(pamh, user, debug);
+ else
+ return 0;
+ }
else
return -1;
}
@@ -348,18 +354,18 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
pam_syslog(pamh, LOG_NOTICE, "Enforcing mode, access will be allowed on match");
sense = PAM_SUCCESS;
}
+ }
- if (getseuserbyname(user, &seuser, &level) != 0) {
- seuser = NULL;
- level = NULL;
- pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m");
- }
+ if (getseuserbyname(user, &seuser, &level) != 0) {
+ seuser = NULL;
+ level = NULL;
+ pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m");
}
if (debug && sense != PAM_SUCCESS)
pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
- rv = sepermit_match(pamh, cfgfile, user, seuser, debug);
+ rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense);
if (debug)
pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);
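Review bot: The new `if (seuser == NULL) break;` in the `'%'` case of sepermit_match makes every seuser entry silently non-matching whenever getseuserbyname() has failed, so with the deny sense (`sense != PAM_SUCCESS`) an entry meant to block a user no longer fires; if, as the code outside the hunk suggests, an unmatched user yields an ignore rather than a denial, that is a fail-open path, and the last hunk makes it reachable even when SELinux is disabled. The skip should at least be visible under debug so an operator can see why a `%` entry did not match, e.g. `if (seuser == NULL) { if (debug) pam_syslog(pamh, LOG_NOTICE, "No seuser for %s, skipping seuser match", user); break; }`, and the header comment on sepermit_match should state that seuser may be NULL. In the third hunk the `else` after `return sepermit_lock(...)` and the unbraced outer `else` are redundant; `if (!matched) return -1; if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive) return sepermit_lock(pamh, user, debug); return 0;` reads more plainly and keeps every body braced or single-line. The callers that interpret the -1 / 0 result lie outside these hunks, so the ignore-versus-deny consequence above is inferred, not verified here.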