author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 21:22:21 -0800 |
---|---|---|
committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 21:22:45 -0800 |
commit | 795badba7f95e737f979917859cd32c9bd47bcad (patch) | |
tree | 212a6a00baa11e9d0ca7bc27b12420d1dce6f07c /modules/pam_sepermit/pam_sepermit.c | |
parent | c55c14c5c6762139ec6695d84ea0e2e917da5264 (diff) | |
parent | ba315ae8effdcad591608c99452dad05c4cf20ab (diff) |
New upstream version 1.1.8
Diffstat (limited to 'modules/pam_sepermit/pam_sepermit.c')
-rw-r--r-- | modules/pam_sepermit/pam_sepermit.c | 51 |
1 files changed, 42 insertions, 9 deletions
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
index 4879b685..8af1266a 100644
--- a/modules/pam_sepermit/pam_sepermit.c
+++ b/modules/pam_sepermit/pam_sepermit.c
@@ -85,11 +85,11 @@ match_process_uid(pid_t pid, uid_t uid)
 uid_t puid;
 FILE *f;
 int re = 0;
-
+
 snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid);
 if (!(f = fopen (buf, "r")))
 return 0;
-
+
 while (fgets(buf, sizeof buf, f)) {
 if (sscanf (buf, "Uid:\t%d", &puid)) {
 re = uid == puid;
@@ -162,6 +162,40 @@ check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug)
 return running;
 }
 
+/*
+ * This function reads the loginuid from the /proc system. It returns
+ * (uid_t)-1 on failure.
+ */
+static uid_t get_loginuid(pam_handle_t *pamh)
+{
+ int fd, count;
+ char loginuid[24];
+ char *eptr;
+ uid_t rv = (uid_t)-1;
+
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
+ if (fd < 0) {
+ if (errno != ENOENT) {
+ pam_syslog(pamh, LOG_ERR,
+ "Cannot open /proc/self/loginuid: %m");
+ }
+ return rv;
+ }
+ if ((count = pam_modutil_read(fd, loginuid, sizeof(loginuid)-1)) < 1) {
+ close(fd);
+ return rv;
+ }
+ loginuid[count] = '\0';
+ close(fd);
+
+ errno = 0;
+ rv = strtoul(loginuid, &eptr, 10);
+ if (errno != 0 || eptr == loginuid)
+ rv = (uid_t) -1;
+
+ return rv;
+}
+
 static void
 sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED)
 {
@@ -246,9 +280,9 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 int matched = 0;
 int exclusive = 0;
 int ignore = 0;
-
+
 f = fopen(cfgfile, "r");
-
+
 if (!f) {
 pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile);
 return PAM_SERVICE_ERR;
@@ -276,7 +310,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 start = strtok_r(start, OPT_DELIM, &sptr);
 
 switch (start[0]) {
- case '@':
+ case '@':
 ++start;
 if (debug)
 pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start);
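Review bot: The header comment on get_loginuid says (uid_t)-1 means "failure", but the same value is what an unset loginuid parses to — on audit-enabled kernels an unset loginuid reads back as 4294967295, if I remember the kernel behaviour correctly, and strtoul of that string lands in rv as (uid_t)-1 — so the sentinel also covers the normal "no login session recorded" case, which is exactly what the caller in the later hunk relies on. Suggest saying so in the comment: ` * Returns (uid_t)-1 when the file is missing or unreadable AND when the loginuid is simply unset (4294967295); callers cannot tell the two apart.` The parse on the `rv = strtoul(loginuid, &eptr, 10);` line also tolerates trailing characters after the number; the proc file carries no newline so this is harmless today, but `if (errno != 0 || eptr == loginuid || *eptr != '\0')` states the intent and costs nothing. The silent ENOENT path is sensible for kernels without audit; any other open or read error logs (or not) and still yields the unset value, which for the caller is the fail-closed direction and is worth a sentence in the same comment.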
@@ -319,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 if (*sense == PAM_SUCCESS) {
 if (ignore)
 *sense = PAM_IGNORE;
- if (geteuid() == 0 && exclusive)
+ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
 if (sepermit_lock(pamh, user, debug) < 0)
 *sense = PAM_AUTH_ERR;
 }
@@ -411,9 +445,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
 }
 
 #ifdef PAM_STATIC
-
+
 /* static module data */
-
+
 struct pam_module _pam_sepermit_modstruct = {
 "pam_sepermit",
 pam_sm_authenticate,
@@ -424,4 +458,3 @@ struct pam_module _pam_sepermit_modstruct = {
 NULL
 };
 #endif
-
|
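Review bot: `get_loginuid(pamh) == -1` on the changed line compares an unsigned uid_t against a signed int; it only works because -1 converts to UINT_MAX under the usual arithmetic conversions, and -Wsign-compare flags it, so spell the sentinel the way get_loginuid itself does: `if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)`. The new condition also changes security-relevant behaviour without a why-comment — the exclusive lock is now skipped whenever the calling process already carries a loginuid, presumably because such a process is already inside an audited login session and only fresh logins need serialising; a comment such as `/* only serialise fresh logins: a set loginuid means we are already inside an audited session */` would keep that intent from being lost. It is worth adding to the same comment that an unreadable or unset loginuid both yield (uid_t)-1 and therefore still take the lock, i.e. errors fail closed. The enclosing sepermit_match body begins and ends outside this hunk.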