summaryrefslogtreecommitdiff
path: root/modules/pam_sepermit/pam_sepermit.c
diff options
context:
space:
mode:
authorSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 21:22:21 -0800
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 21:22:45 -0800
commit795badba7f95e737f979917859cd32c9bd47bcad (patch)
tree212a6a00baa11e9d0ca7bc27b12420d1dce6f07c /modules/pam_sepermit/pam_sepermit.c
parentc55c14c5c6762139ec6695d84ea0e2e917da5264 (diff)
parentba315ae8effdcad591608c99452dad05c4cf20ab (diff)
New upstream version 1.1.8
Diffstat (limited to 'modules/pam_sepermit/pam_sepermit.c')
-rw-r--r--modules/pam_sepermit/pam_sepermit.c51
1 files changed, 42 insertions, 9 deletions
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
index 4879b685..8af1266a 100644
--- a/modules/pam_sepermit/pam_sepermit.c
+++ b/modules/pam_sepermit/pam_sepermit.c
@@ -85,11 +85,11 @@ match_process_uid(pid_t pid, uid_t uid)
uid_t puid;
FILE *f;
int re = 0;
-
+
snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid);
if (!(f = fopen (buf, "r")))
return 0;
-
+
while (fgets(buf, sizeof buf, f)) {
if (sscanf (buf, "Uid:\t%d", &puid)) {
re = uid == puid;
@@ -162,6 +162,40 @@ check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug)
return running;
}
+/*
+ * This function reads the loginuid from the /proc system. It returns
+ * (uid_t)-1 on failure.
+ */
+static uid_t get_loginuid(pam_handle_t *pamh)
+{
+ int fd, count;
+ char loginuid[24];
+ char *eptr;
+ uid_t rv = (uid_t)-1;
+
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
+ if (fd < 0) {
+ if (errno != ENOENT) {
+ pam_syslog(pamh, LOG_ERR,
+ "Cannot open /proc/self/loginuid: %m");
+ }
+ return rv;
+ }
+ if ((count = pam_modutil_read(fd, loginuid, sizeof(loginuid)-1)) < 1) {
+ close(fd);
+ return rv;
+ }
+ loginuid[count] = '\0';
+ close(fd);
+
+ errno = 0;
+ rv = strtoul(loginuid, &eptr, 10);
+ if (errno != 0 || eptr == loginuid)
+ rv = (uid_t) -1;
+
+ return rv;
+}
+
static void
sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED)
{
@@ -246,9 +280,9 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
int matched = 0;
int exclusive = 0;
int ignore = 0;
-
+
f = fopen(cfgfile, "r");
-
+
if (!f) {
pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile);
return PAM_SERVICE_ERR;
@@ -276,7 +310,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
start = strtok_r(start, OPT_DELIM, &sptr);
switch (start[0]) {
- case '@':
+ case '@':
++start;
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start);
@@ -319,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
if (*sense == PAM_SUCCESS) {
if (ignore)
*sense = PAM_IGNORE;
- if (geteuid() == 0 && exclusive)
+ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
if (sepermit_lock(pamh, user, debug) < 0)
*sense = PAM_AUTH_ERR;
}
@@ -411,9 +445,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
}
#ifdef PAM_STATIC
-
+
/* static module data */
-
+
struct pam_module _pam_sepermit_modstruct = {
"pam_sepermit",
pam_sm_authenticate,
@@ -424,4 +458,3 @@ struct pam_module _pam_sepermit_modstruct = {
NULL
};
#endif
-