1 files changed, 142 insertions, 0 deletions

diff --git a/modules/pam_unix/lckpwdf.-c b/modules/pam_unix/lckpwdf.-c
new file mode 100644
index 00000000..7145617e
--- /dev/null
+++ b/modules/pam_unix/lckpwdf.-c
@@ -0,0 +1,142 @@
+/*
+ * This is a hack, but until libc and glibc both include this function
+ * by default (libc only includes it if nys is not being used, at the
+ * moment, and glibc doesn't appear to have it at all) we need to have
+ * it here, too.  :-(
+ *
+ * This should not become an official part of PAM.
+ *
+ * BEGIN_HACK
+ */
+
+/*
+ * lckpwdf.c -- prevent simultaneous updates of password files
+ *
+ * Before modifying any of the password files, call lckpwdf().  It may block
+ * for up to 15 seconds trying to get the lock.  Return value is 0 on success
+ * or -1 on failure.  When you are done, call ulckpwdf() to release the lock.
+ * The lock is also released automatically when the process exits.  Only one
+ * process at a time may hold the lock.
+ *
+ * These functions are supposed to be conformant with AT&T SVID Issue 3.
+ *
+ * Written by Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>,
+ * public domain.
+ */
+
+#include <fcntl.h>
+#include <signal.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
+
+#define LOCKFILE "/etc/.pwd.lock"
+#define TIMEOUT 15
+
+static int lockfd = -1;
+
+static int set_close_on_exec(int fd)
+{
+	int flags = fcntl(fd, F_GETFD, 0);
+	if (flags == -1)
+		return -1;
+	flags |= FD_CLOEXEC;
+	return fcntl(fd, F_SETFD, flags);
+}
+
+static int do_lock(int fd)
+{
+	struct flock fl;
+
+	memset(&fl, 0, sizeof fl);
+	fl.l_type = F_WRLCK;
+	fl.l_whence = SEEK_SET;
+	return fcntl(fd, F_SETLKW, &fl);
+}
+
+static void alarm_catch(int sig)
+{
+/* does nothing, but fcntl F_SETLKW will fail with EINTR */
+}
+
+static int lckpwdf(void)
+{
+	struct sigaction act, oldact;
+	sigset_t set, oldset;
+
+	if (lockfd != -1)
+		return -1;
+
+#ifdef WITH_SELINUX
+	if(is_selinux_enabled()>0)
+	{
+		lockfd = open(LOCKFILE, O_WRONLY);
+		if(lockfd == -1 && errno == ENOENT)
+		{
+			security_context_t create_context;
+			int rc;
+
+			if(getfilecon("/etc/passwd", &create_context))
+				return -1;
+			rc = setfscreatecon(create_context);
+			freecon(create_context);
+			if(rc)
+				return -1;
+			lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
+			if(setfscreatecon(NULL))
+				return -1;
+		}
+	}
+	else
+#endif
+	lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
+	if (lockfd == -1)
+		return -1;
+	if (set_close_on_exec(lockfd) == -1)
+		goto cleanup_fd;
+
+	memset(&act, 0, sizeof act);
+	act.sa_handler = alarm_catch;
+	act.sa_flags = 0;
+	sigfillset(&act.sa_mask);
+	if (sigaction(SIGALRM, &act, &oldact) == -1)
+		goto cleanup_fd;
+
+	sigemptyset(&set);
+	sigaddset(&set, SIGALRM);
+	if (sigprocmask(SIG_UNBLOCK, &set, &oldset) == -1)
+		goto cleanup_sig;
+
+	alarm(TIMEOUT);
+	if (do_lock(lockfd) == -1)
+		goto cleanup_alarm;
+	alarm(0);
+	sigprocmask(SIG_SETMASK, &oldset, NULL);
+	sigaction(SIGALRM, &oldact, NULL);
+	return 0;
+
+      cleanup_alarm:
+	alarm(0);
+	sigprocmask(SIG_SETMASK, &oldset, NULL);
+      cleanup_sig:
+	sigaction(SIGALRM, &oldact, NULL);
+      cleanup_fd:
+	close(lockfd);
+	lockfd = -1;
+	return -1;
+}
+
+static int ulckpwdf(void)
+{
+	unlink(LOCKFILE);
+	if (lockfd == -1)
+		return -1;
+
+	if (close(lockfd) == -1) {
+		lockfd = -1;
+		return -1;
+	}
+	lockfd = -1;
+	return 0;
+}
+/* END_HACK */