summaryrefslogtreecommitdiff
path: root/modules/pam_exec/pam_exec.c
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_exec/pam_exec.c')
-rw-r--r--modules/pam_exec/pam_exec.c74
1 files changed, 28 insertions, 46 deletions
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
index b56e4b26..0ab65489 100644
--- a/modules/pam_exec/pam_exec.c
+++ b/modules/pam_exec/pam_exec.c
@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
}
pam_set_item (pamh, PAM_AUTHTOK, resp);
- authtok = strdupa (resp);
+ authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
_pam_drop (resp);
}
else
- authtok = void_pass;
+ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
if (pipe(fds) != 0)
{
@@ -302,6 +302,10 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
char **envlist, **tmp;
int envlen, nitems;
char *envstr;
+ enum pam_modutil_redirect_fd redirect_stdin =
+ expose_authtok ? PAM_MODUTIL_IGNORE_FD : PAM_MODUTIL_PIPE_FD;
+ enum pam_modutil_redirect_fd redirect_stdout =
+ (use_stdout || logfile) ? PAM_MODUTIL_IGNORE_FD : PAM_MODUTIL_NULL_FD;
/* First, move all the pipes off of stdin, stdout, and stderr, to ensure
* that calls to dup2 won't close them. */
@@ -330,18 +334,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
_exit (err);
}
}
- else
- {
- close (STDIN_FILENO);
-
- /* New stdin. */
- if ((i = open ("/dev/null", O_RDWR)) < 0)
- {
- int err = errno;
- pam_syslog (pamh, LOG_ERR, "open of /dev/null failed: %m");
- _exit (err);
- }
- }
/* Set up stdout. */
@@ -368,32 +360,34 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
logfile);
_exit (err);
}
- if (asprintf (&buffer, "*** %s", ctime (&tm)) > 0)
+ if (i != STDOUT_FILENO)
{
- pam_modutil_write (i, buffer, strlen (buffer));
- free (buffer);
+ if (dup2 (i, STDOUT_FILENO) == -1)
+ {
+ int err = errno;
+ pam_syslog (pamh, LOG_ERR, "dup2 failed: %m");
+ _exit (err);
+ }
+ close (i);
}
- }
- else
- {
- close (STDOUT_FILENO);
- if ((i = open ("/dev/null", O_RDWR)) < 0)
+ if (asprintf (&buffer, "*** %s", ctime (&tm)) > 0)
{
- int err = errno;
- pam_syslog (pamh, LOG_ERR, "open of /dev/null failed: %m");
- _exit (err);
+ pam_modutil_write (STDOUT_FILENO, buffer, strlen (buffer));
+ free (buffer);
}
}
- if (dup2 (STDOUT_FILENO, STDERR_FILENO) == -1)
+ if ((use_stdout || logfile) &&
+ dup2 (STDOUT_FILENO, STDERR_FILENO) == -1)
{
int err = errno;
pam_syslog (pamh, LOG_ERR, "dup2 failed: %m");
_exit (err);
}
- for (i = 3; i < sysconf (_SC_OPEN_MAX); i++)
- close (i);
+ if (pam_modutil_sanitize_helper_fds(pamh, redirect_stdin,
+ redirect_stdout, redirect_stdout) < 0)
+ _exit(1);
if (call_setuid)
if (setuid (geteuid ()) == -1)
@@ -473,14 +467,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
return PAM_SYSTEM_ERR; /* will never be reached. */
}
-PAM_EXTERN int
+int
pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
return call_exec ("auth", pamh, argc, argv);
}
-PAM_EXTERN int
+int
pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
int argc UNUSED, const char **argv UNUSED)
{
@@ -489,7 +483,7 @@ pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
/* password updating functions */
-PAM_EXTERN int
+int
pam_sm_chauthtok(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
@@ -498,35 +492,23 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
return call_exec ("password", pamh, argc, argv);
}
-PAM_EXTERN int
+int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
return call_exec ("account", pamh, argc, argv);
}
-PAM_EXTERN int
+int
pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
return call_exec ("open_session", pamh, argc, argv);
}
-PAM_EXTERN int
+int
pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
return call_exec ("close_session", pamh, argc, argv);
}
-
-#ifdef PAM_STATIC
-struct pam_module _pam_exec_modstruct = {
- "pam_exec",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok,
-};
-#endif