summaryrefslogtreecommitdiff
path: root/modules/pam_xauth/pam_xauth.c
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_xauth/pam_xauth.c')
-rw-r--r--modules/pam_xauth/pam_xauth.c45
1 files changed, 27 insertions, 18 deletions
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index a64ae89f..88624b1c 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -459,24 +459,33 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
goto cleanup;
}
- /* Check that both users are amenable to this. By default, this
- * boils down to this policy:
- * export(ruser=root): only if <user> is listed in .xauth/export
- * export(ruser=*) if <user> is listed in .xauth/export, or
- * if .xauth/export does not exist
- * import(user=*): if <ruser> is listed in .xauth/import, or
- * if .xauth/import does not exist */
- i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
- i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
- if (i != PAM_SUCCESS) {
- retval = PAM_SESSION_ERR;
- goto cleanup;
- }
- i = PAM_SUCCESS;
- i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
- if (i != PAM_SUCCESS) {
- retval = PAM_SESSION_ERR;
- goto cleanup;
+
+ /* If current user and the target user are the same, don't
+ check the ACL list, but forward X11 */
+ if (strcmp (rpwd->pw_name, tpwd->pw_name) != 0) {
+
+ /* Check that both users are amenable to this. By default, this
+ * boils down to this policy:
+ * export(ruser=root): only if <user> is listed in .xauth/export
+ * export(ruser=*) if <user> is listed in .xauth/export, or
+ * if .xauth/export does not exist
+ * import(user=*): if <ruser> is listed in .xauth/import, or
+ * if .xauth/import does not exist */
+ i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
+ i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
+ if (i != PAM_SUCCESS) {
+ retval = PAM_SESSION_ERR;
+ goto cleanup;
+ }
+ i = PAM_SUCCESS;
+ i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
+ if (i != PAM_SUCCESS) {
+ retval = PAM_SESSION_ERR;
+ goto cleanup;
+ }
+ } else {
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "current and target user are the same, forward X11");
}
/* Figure out where the source user's .Xauthority file is. */
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-26 05:28:37 +0000