authorTomas Mraz <tm@t8m.info>2005-10-20 17:01:06 +0000
committerTomas Mraz <tm@t8m.info>2005-10-20 17:01:06 +0000
commitd9b712775c5f1962d3490b43465537c3e28a8c49 (patch)
treec9cf9e640727cd38b13f30b5b612d6da9357952a /modules
parent593ea15559fedf71fdb6e6fdc23a8f2532f7d571 (diff)
Relevant BUGIDs: Red Hat bz 171164
Purpose of commit: new feature Commit summary: --------------- 2005-10-20 Tomas Mraz <t8m@centrum.cz> * configure.in: Added check for xauth binary and --with-xauth option. * config.h.in: Added configurable PAM_PATH_XAUTH. * modules/pam_xauth/README, modules/pam_xauth/pam_xauth.8: Document where xauth is looked for. * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Implement searching xauth binary on multiple places. (run_coprocess): Don't use execvp as it can be a security risk.
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_xauth/README3
-rw-r--r--modules/pam_xauth/pam_xauth.89
-rw-r--r--modules/pam_xauth/pam_xauth.c29
3 files changed, 32 insertions, 9 deletions
diff --git a/modules/pam_xauth/README b/modules/pam_xauth/README
index dd65292f..97916b8f 100644
--- a/modules/pam_xauth/README
+++ b/modules/pam_xauth/README
@@ -23,7 +23,8 @@ pam_xauth:
RECOGNIZED ARGUMENTS:
debug write debugging messages to syslog
xauthpath= the path to the xauth program, by default
- /usr/X11R6/bin/xauth
+ /usr/X11R6/bin/xauth, /usr/bin/xauth and
+ /usr/bin/X11/xauth
systemuser= highest user id assigned to system users, defaults
to 499 (pam_xauth will refuse to forward creds to
target users with id equal to or below this number,
diff --git a/modules/pam_xauth/pam_xauth.8 b/modules/pam_xauth/pam_xauth.8
index 9acb7249..897b43fa 100644
--- a/modules/pam_xauth/pam_xauth.8
+++ b/modules/pam_xauth/pam_xauth.8
@@ -1,11 +1,11 @@
.\" Copyright 2001,2003 Red Hat, Inc.
.\" Written by Nalin Dahyabhai <nalin@redhat.com>, based on the original
.\" version by Michael K. Johnson
-.TH pam_xauth 8 2003/7/24 "Red Hat Linux" "System Administrator's Manual"
+.TH pam_xauth 8 2005/10/20 "Red Hat Linux" "System Administrator's Manual"
.SH NAME
pam_xauth \- forward xauth keys between users
.SH SYNOPSIS
-.B session optional /lib/security/pam_xauth.so \fIarguments\fP
+.B session optional pam_xauth.so \fIarguments\fP
.SH DESCRIPTION
pam_xauth.so is designed to forward xauth keys (sometimes referred
to as "cookies") between users.
@@ -45,8 +45,9 @@ the import and export files can be empty, signifying that no users are allowed.
.SH ARGUMENTS
.IP debug
Turns on debugging messages sent to syslog.
-.IP xauthpath=\fI/usr/X11R6/bin/xauth\fP
-Specify the path the xauth program (the default is /usr/X11R6/bin/xauth).
+.IP xauthpath=\fI/path/to/xauth\fP
+Specify the path the xauth program (it is expected in \fB/usr/X11R6/bin/xauth,\fP
+or \fB/usr/bin/xauth\fP, or \fB/usr/bin/X11/xauth\fP by default).
.IP systemuser=\fInumber\fP
Specify the highest UID which will be assumed to belong to a "system" user.
pam_xauth will refuse to forward credentials to users with UID less than or
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index a830010d..886b2f88 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -58,12 +58,21 @@
#include <security/pam_ext.h>
#define DATANAME "pam_xauth_cookie_file"
-#define XAUTHBIN "/usr/X11R6/bin/xauth"
#define XAUTHENV "XAUTHORITY"
#define HOMEENV "HOME"
#define XAUTHDEF ".Xauthority"
#define XAUTHTMP ".xauthXXXXXX"
+/* Possible paths to xauth executable */
+static const char * const xauthpaths[] = {
+#ifdef PAM_PATH_XAUTH
+ PAM_PATH_XAUTH,
+#endif
+ "/usr/X11R6/bin/xauth",
+ "/usr/bin/xauth",
+ "/usr/bin/X11/xauth"
+};
+
/* Run a given command (with a NULL-terminated argument list), feeding it the
* given input on stdin, and storing any output it generates. */
static int
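Review bot: The comment above the new `xauthpaths` array does not say that its entries are tried in order, which matters because the configure-detected `PAM_PATH_XAUTH` is placed first and therefore takes precedence over the three hard-coded fallbacks. A maintainer adding an entry later needs that to be explicit; `/* Candidate xauth executables, probed in this order; the configure-time PAM_PATH_XAUTH, when defined, wins */` would do. The run_coprocess definition whose header ends this hunk continues outside it.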
@@ -131,7 +140,7 @@ run_coprocess(const char *input, char **output,
args[j] = strdup(tmp);
}
/* Run the command. */
- execvp(command, args);
+ execv(command, args);
/* Never reached. */
exit(1);
}
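Review bot: Switching to execv() stops the PATH search, but a non-absolute `command` is then resolved against the caller's current working directory rather than being refused, and nothing in this hunk rejects such a value. The candidates in `xauthpaths` are all absolute, so the only way a relative path can reach this call appears to be the `xauthpath=` option, whose parsing is outside these hunks; requiring it to be absolute there, or guarding here with `if (command[0] != '/') { exit(1); }` before `execv(command, args);`, would close that gap. run_coprocess starts before and continues after this hunk.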
@@ -276,10 +285,9 @@ int
pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
- char xauthpath[] = XAUTHBIN;
char *cookiefile = NULL, *xauthority = NULL,
*cookie = NULL, *display = NULL, *tmp = NULL;
- const char *user, *xauth = xauthpath;
+ const char *user, *xauth = NULL;
struct passwd *tpwd, *rpwd;
int fd, i, debug = 0;
int retval = PAM_SUCCESS;
@@ -321,6 +329,19 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
pam_syslog(pamh, LOG_WARNING, "unrecognized option `%s'",
argv[i]);
}
+
+ if (xauth == NULL) {
+ for (i = 0; i < sizeof(xauthpaths)/sizeof(xauthpaths[0]); i++) {
+ if (access(xauthpaths[i], X_OK) == 0) {
+ xauth = xauthpaths[i];
+ break;
+ }
+ }
+ if (xauth == NULL) {
+ /* xauth executable not found - nothing to do */
+ return PAM_SUCCESS;
+ }
+ }
/* If DISPLAY isn't set, we don't really care, now do we? */
if ((display = getenv("DISPLAY")) == NULL) {
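Review bot: The probe loop compares the `int` counter `i` (declared as `int fd, i, debug` in the previous hunk) against the `size_t` result of `sizeof(xauthpaths)/sizeof(xauthpaths[0])`, which trips -Wsign-compare; keeping the comparison signed with `for (i = 0; i < (int)(sizeof(xauthpaths)/sizeof(xauthpaths[0])); i++)` avoids the warning without changing the result. The not-found branch also returns PAM_SUCCESS without a trace, so an operator cannot tell a missing xauth binary from a successful forward; since the module already carries a `debug` flag, `if (debug) pam_syslog(pamh, LOG_DEBUG, "xauth executable not found");` before the return would make that visible. Note that `access(X_OK)` only reports the state at probe time; the later exec in run_coprocess can still fail, and presumably that path reports its own error. pam_sm_open_session continues beyond this hunk.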