From d9b712775c5f1962d3490b43465537c3e28a8c49 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 20 Oct 2005 17:01:06 +0000 Subject: Relevant BUGIDs: Red Hat bz 171164 Purpose of commit: new feature Commit summary: --------------- 2005-10-20 Tomas Mraz * configure.in: Added check for xauth binary and --with-xauth option. * config.h.in: Added configurable PAM_PATH_XAUTH. * modules/pam_xauth/README, modules/pam_xauth/pam_xauth.8: Document where xauth is looked for. * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Implement searching xauth binary on multiple places. (run_coprocess): Don't use execvp as it can be a security risk. --- ChangeLog | 10 ++++++++++ NEWS | 2 ++ config.h.in | 3 +++ configure.in | 21 +++++++++++++++++++-- modules/pam_xauth/README | 3 ++- modules/pam_xauth/pam_xauth.8 | 9 +++++---- modules/pam_xauth/pam_xauth.c | 29 +++++++++++++++++++++++++---- 7 files changed, 66 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 96175ccf..27289235 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2005-10-20 Tomas Mraz + + * configure.in: Added check for xauth binary and --with-xauth option. + * config.h.in: Added configurable PAM_PATH_XAUTH. + * modules/pam_xauth/README, + modules/pam_xauth/pam_xauth.8: Document where xauth is looked for. + * modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Implement + searching xauth binary on multiple places. + (run_coprocess): Don't use execvp as it can be a security risk. + 2005-10-04 Steve Langasek * libpam/include/security/pam_malloc.h, diff --git a/NEWS b/NEWS index d7d72edc..2b829e3c 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,7 @@ Linux-PAM NEWS -- history of user-visible changes. +* pam_xauth: Look for xauth executable in multiple places + Release 0.99.1.0 * Use autoconf/automake/libtool diff --git a/config.h.in b/config.h.in index a42faad6..edb637ff 100644 --- a/config.h.in +++ b/config.h.in 
@@ -218,6 +218,9 @@
 /* Path where mails are stored */
 #undef PAM_PATH_MAILDIR
 
+/* Additional path of xauth executable */
+#undef PAM_PATH_XAUTH
+
 /* read both /etc/pam.d and /etc/pam.conf files */
 #undef PAM_READ_BOTH_CONFS
 
diff --git a/configure.in b/configure.in
index c24a8985..f6610f08 100644
--- a/configure.in
+++ b/configure.in
@@ -223,8 +223,8 @@ fi
 
 AC_CHECK_HEADERS(paths.h)
 AC_ARG_WITH(mailspool,
-[ --with-mailspool path to mail spool directory
- [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]],
+[ --with-mailspool path to mail spool directory
+ [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]],
 with_mailspool=${withval})
 if test x$with_mailspool != x ; then
 pam_mail_spool="\"$with_mailspool\""
@@ -244,6 +244,23 @@ fi
 AC_DEFINE_UNQUOTED(PAM_PATH_MAILDIR, $pam_mail_spool,
 [Path where mails are stored])
 
+AC_ARG_WITH(xauth,
+[ --with-xauth additional path to check for xauth when it is called from pam_xauth
+ [added to the default of /usr/X11R6/bin/xauth, /usr/bin/xauth, /usr/bin/X11/xauth]],
+pam_xauth_path=${withval})
+if test x$with_xauth == x ; then
+ AC_PATH_PROG(pam_xauth_path, xauth)
+dnl There is no sense in adding the first default path
+ if test x$pam_xauth_path == x/usr/X11R6/bin/xauth ; then
+ unset pam_xauth_path
+ fi
+fi
+
+if test x$pam_xauth_path != x ; then
+ AC_DEFINE_UNQUOTED(PAM_PATH_XAUTH, "$pam_xauth_path",
+ [Additional path of xauth executable])
+fi
+
 dnl Checks for the existence of libdl - on BSD and Tru64 its part of libc
 AC_CHECK_LIB([dl], [dlopen], LIBDL="-ldl", LIBDL="")
 AC_SUBST(LIBDL)
diff --git a/modules/pam_xauth/README b/modules/pam_xauth/README
index dd65292f..97916b8f 100644
--- a/modules/pam_xauth/README
+++ b/modules/pam_xauth/README
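Review bot: The two new `test` conditions in the xauth block use `==`, which is a bash extension rather than POSIX `test`; on a /bin/sh whose test does not accept it (dash, for one) `if test x$with_xauth == x` errors out and is treated as false, so `AC_PATH_PROG` never runs and PAM_PATH_XAUTH is silently left undefined. Both lines should read `if test "x$with_xauth" = x ; then` and `if test "x$pam_xauth_path" = x/usr/X11R6/bin/xauth ; then`. A second gap: `--without-xauth` makes autoconf pass withval as `no`, so `pam_xauth_path=no` is non-empty and `PAM_PATH_XAUTH` gets defined as the relative path "no", which pam_xauth would then probe and exec relative to its working directory; guard the define with `if test "x$pam_xauth_path" != x -a "x$pam_xauth_path" != xno ; then`. The `dnl` comment inside the if body would also be clearer as a shell `#` comment, since it is stripped before the shell ever sees it.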
@@ -23,7 +23,8 @@ pam_xauth: RECOGNIZED ARGUMENTS: debug write debugging messages to syslog xauthpath= the path to the xauth program, by default - /usr/X11R6/bin/xauth + /usr/X11R6/bin/xauth, /usr/bin/xauth and + /usr/bin/X11/xauth systemuser= highest user id assigned to system users, defaults to 499 (pam_xauth will refuse to forward creds to target users with id equal to or below this number, diff --git a/modules/pam_xauth/pam_xauth.8 b/modules/pam_xauth/pam_xauth.8 index 9acb7249..897b43fa 100644 --- a/modules/pam_xauth/pam_xauth.8 +++ b/modules/pam_xauth/pam_xauth.8 @@ -1,11 +1,11 @@ .\" Copyright 2001,2003 Red Hat, Inc. .\" Written by Nalin Dahyabhai , based on the original .\" version by Michael K. Johnson -.TH pam_xauth 8 2003/7/24 "Red Hat Linux" "System Administrator's Manual" +.TH pam_xauth 8 2005/10/20 "Red Hat Linux" "System Administrator's Manual" .SH NAME pam_xauth \- forward xauth keys between users .SH SYNOPSIS -.B session optional /lib/security/pam_xauth.so \fIarguments\fP +.B session optional pam_xauth.so \fIarguments\fP .SH DESCRIPTION pam_xauth.so is designed to forward xauth keys (sometimes referred to as "cookies") between users. @@ -45,8 +45,9 @@ the import and export files can be empty, signifying that no users are allowed. .SH ARGUMENTS .IP debug Turns on debugging messages sent to syslog. -.IP xauthpath=\fI/usr/X11R6/bin/xauth\fP -Specify the path the xauth program (the default is /usr/X11R6/bin/xauth). +.IP xauthpath=\fI/path/to/xauth\fP +Specify the path the xauth program (it is expected in \fB/usr/X11R6/bin/xauth,\fP +or \fB/usr/bin/xauth\fP, or \fB/usr/bin/X11/xauth\fP by default). .IP systemuser=\fInumber\fP Specify the highest UID which will be assumed to belong to a "system" user. pam_xauth will refuse to forward credentials to users with UID less than or diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c index a830010d..886b2f88 100644 --- a/modules/pam_xauth/pam_xauth.c +++ b/modules/pam_xauth/pam_xauth.c 
@@ -58,12 +58,21 @@
 #include
 
 #define DATANAME "pam_xauth_cookie_file"
-#define XAUTHBIN "/usr/X11R6/bin/xauth"
 #define XAUTHENV "XAUTHORITY"
 #define HOMEENV "HOME"
 #define XAUTHDEF ".Xauthority"
 #define XAUTHTMP ".xauthXXXXXX"
 
+/* Possible paths to xauth executable */
+static const char * const xauthpaths[] = {
+#ifdef PAM_PATH_XAUTH
+ PAM_PATH_XAUTH,
+#endif
+ "/usr/X11R6/bin/xauth",
+ "/usr/bin/xauth",
+ "/usr/bin/X11/xauth"
+};
+
 /* Run a given command (with a NULL-terminated argument list), feeding it the
  * given input on stdin, and storing any output it generates. */
 static int
@@ -131,7 +140,7 @@ run_coprocess(const char *input, char **output,
 args[j] = strdup(tmp);
 }
 /* Run the command. */
- execvp(command, args);
+ execv(command, args);
 /* Never reached. */
 exit(1);
 }
@@ -276,10 +285,9 @@ int
 pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 int argc, const char **argv)
 {
- char xauthpath[] = XAUTHBIN;
 char *cookiefile = NULL, *xauthority = NULL,
 *cookie = NULL, *display = NULL, *tmp = NULL;
- const char *user, *xauth = xauthpath;
+ const char *user, *xauth = NULL;
 struct passwd *tpwd, *rpwd;
 int fd, i, debug = 0;
 int retval = PAM_SUCCESS;
@@ -321,6 +329,19 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 pam_syslog(pamh, LOG_WARNING,
 "unrecognized option `%s'", argv[i]);
 }
+
+ if (xauth == NULL) {
+ for (i = 0; i < sizeof(xauthpaths)/sizeof(xauthpaths[0]); i++) {
+ if (access(xauthpaths[i], X_OK) == 0) {
+ xauth = xauthpaths[i];
+ break;
+ }
+ }
+ if (xauth == NULL) {
+ /* xauth executable not found - nothing to do */
+ return PAM_SUCCESS;
+ }
+ }
 
 /* If DISPLAY isn't set, we don't really care, now do we? */
 if ((display = getenv("DISPLAY")) == NULL) {
-- cgit v1.2.3
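Review bot: The comment over `xauthpaths` should say how the table is consumed, since that is what a packager adjusting it needs to know: the later search in pam_sm_open_session tries the entries in array order, only when `xauth` is still NULL (presumably meaning no `xauthpath=` option was parsed), and stops at the first one that passes `access(X_OK)`, so the `PAM_PATH_XAUTH` slot from `--with-xauth` deliberately outranks the built-in locations. Suggested wording: `/* Candidate locations of the xauth binary, in priority order; pam_sm_open_session() takes the first one access(X_OK) accepts when no xauthpath= option is given. */`. It is also worth a sentence that a `--with-xauth` value equal to one of the built-ins simply produces a harmless duplicate entry.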
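Review bot: With `execv()` the `command` argument is taken as a literal path, so a relative `xauthpath=` value from the PAM configuration (or a relative `--with-xauth` path) is now resolved against the current working directory of the process opening the session instead of being looked up in PATH, and nothing in this hunk rejects such a value; the option parser, which lies outside the hunk, should refuse a path that does not start with `/`, and the man page's `xauthpath=` entry should state that it must be absolute. Separately, the failed-exec path still calls `exit(1)`; if this branch is the forked child of run_coprocess, as the "Never reached" comment suggests, `_exit(1)` is the safer call because `exit()` would flush the stdio buffers and run the atexit handlers the child inherited from the PAM-using application. run_coprocess begins before this hunk and continues after it.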
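Review bot: When no candidate passes `access()` the function returns PAM_SUCCESS with no diagnostic, so a host whose xauth lives somewhere else silently stops forwarding cookies and not even `debug` reveals why; add `if (debug) pam_syslog(pamh, LOG_DEBUG, "no xauth executable found, skipping cookie forwarding");` ahead of that `return PAM_SUCCESS;`. The loop also reuses the `int i` from the option parser against a `sizeof` bound, a signed/unsigned comparison that -Wsign-compare will flag; a `size_t` index declared at the top of the `if (xauth == NULL)` block avoids it. Note too that `access()` answers for the real uid and gid, so inside a setuid caller it can reject a binary the effective identity could execute; a corner case, but worth a comment at the `access()` call. pam_sm_open_session starts before this hunk and continues past it.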