summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--modules/pam_keyinit/pam_keyinit.c22
2 files changed, 17 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 043159bf..a1d3b113 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,11 @@
* modules/pam_unix/support.c (_unix_verify_password): Use strncmp
only for bigcrypt result.
+
+ * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Switch to new
+ egid first, euid next. Revert euid/egid to old euid/egid and not
+ ruid/rgid.
+ (pam_sm_open_session): Switch to new rgid first, ruid next.
2006-12-13 Thorsten Kukuk <kukuk@thkukuk.de>
diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c
index 452b0005..378a7723 100644
--- a/modules/pam_keyinit/pam_keyinit.c
+++ b/modules/pam_keyinit/pam_keyinit.c
@@ -132,21 +132,21 @@ static void kill_keyrings(pam_handle_t *pamh)
if (my_session_keyring > 0) {
debug(pamh, "REVOKE %d", my_session_keyring);
- old_uid = getuid();
- old_gid = getgid();
+ old_uid = geteuid();
+ old_gid = getegid();
debug(pamh, "UID:%d [%d] GID:%d [%d]",
revoke_as_uid, old_uid, revoke_as_gid, old_gid);
/* switch to the real UID and GID so that we have permission to
* revoke the key */
- if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
- error(pamh, "Unable to change UID to %d temporarily\n",
- revoke_as_uid);
-
if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
error(pamh, "Unable to change GID to %d temporarily\n",
revoke_as_gid);
+ if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
+ error(pamh, "Unable to change UID to %d temporarily\n",
+ revoke_as_uid);
+
syscall(__NR_keyctl,
KEYCTL_REVOKE,
my_session_keyring);
@@ -211,12 +211,14 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
/* switch to the real UID and GID so that the keyring ends up owned by
* the right user */
- if (uid != old_uid && setreuid(uid, -1) < 0)
- return error(pamh, "Unable to change UID to %d temporarily\n", uid);
-
if (gid != old_gid && setregid(gid, -1) < 0) {
error(pamh, "Unable to change GID to %d temporarily\n", gid);
- setreuid(old_uid, -1);
+ return PAM_SESSION_ERR;
+ }
+
+ if (uid != old_uid && setreuid(uid, -1) < 0) {
+ error(pamh, "Unable to change UID to %d temporarily\n", uid);
+ setregid(old_gid, -1);
return PAM_SESSION_ERR;
}