diff options
| author | Thorsten Kukuk <kukuk@thkukuk.de> | 2010-06-15 14:27:13 +0000 |
|---|---|---|
| committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2010-06-15 14:27:13 +0000 |
| commit | 6a8a52582835d5ffd1e65d3e3cd4c47d4a57c884 (patch) | |
| tree | 0e631b479730566be58d7e556f0162e379a32b85 /modules/pam_xauth | |
| parent | ed3eeb1f9d6dd02f2ae3035f4504b97c4f80c338 (diff) | |
Relevant BUGIDs: 3010705
Purpose of commit: bugfix
Commit summary:
---------------
2010-06-15 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_xauth/pam_xauth.c (pam_sm_close_session): Call
setfsuid to be allowed to remove temporary files (#3010705).
(pam_sm_open_session): Call fchown with correct permissions.
Diffstat (limited to 'modules/pam_xauth')
| -rw-r--r-- | modules/pam_xauth/pam_xauth.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c index 0a94db4f..61bd5a91 100644 --- a/modules/pam_xauth/pam_xauth.c +++ b/modules/pam_xauth/pam_xauth.c @@ -555,7 +555,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, /* Generate a new file to hold the data. */ euid = geteuid(); setfsuid(tpwd->pw_uid); - + #ifdef WITH_SELINUX if (is_selinux_enabled() > 0) { struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); @@ -595,8 +595,10 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, } /* Set permissions on the new file and dispose of the * descriptor. */ + setfsuid(tpwd->pw_uid); if (fchown(fd, tpwd->pw_uid, tpwd->pw_gid) < 0) pam_syslog (pamh, LOG_ERR, "fchown: %m"); + setfsuid(euid); close(fd); /* Get a copy of the filename to save as a data item for @@ -693,6 +695,20 @@ pam_sm_close_session (pam_handle_t *pamh, int flags UNUSED, { void *cookiefile; int i, debug = 0; + const char* user; + struct passwd *tpwd; + uid_t unlinkuid, euid; + unlinkuid = euid = geteuid (); + + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) + pam_syslog(pamh, LOG_ERR, "error determining target user's name"); + else { + tpwd = pam_modutil_getpwnam(pamh, user); + if (!tpwd) + pam_syslog(pamh, LOG_ERR, "error determining target user's UID"); + else + unlinkuid = tpwd->pw_uid; + } /* Parse arguments. We don't understand many, so no sense in breaking * this into a separate function. */ @@ -723,7 +739,10 @@ pam_sm_close_session (pam_handle_t *pamh, int flags UNUSED, pam_syslog(pamh, LOG_DEBUG, "removing `%s'", (char*)cookiefile); } + /* NFS with root_squash requires non-root user */ + setfsuid (unlinkuid); unlink((char*)cookiefile); + setfsuid (euid); *((char*)cookiefile) = '\0'; } } |