From 1814aec611a5f9e03eceee81237ad3a3f51c954a Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Wed, 26 Oct 2011 23:56:54 +0000 Subject: Fix whitespace issues Cleanup trailing whitespaces, indentation that uses spaces before tabs, and blank lines at EOF. Make the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD --- modules/pam_sepermit/pam_sepermit.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'modules/pam_sepermit/pam_sepermit.c') diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 4879b685..f7998457 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -85,11 +85,11 @@ match_process_uid(pid_t pid, uid_t uid) uid_t puid; FILE *f; int re = 0; - + snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid); if (!(f = fopen (buf, "r"))) return 0; - + while (fgets(buf, sizeof buf, f)) { if (sscanf (buf, "Uid:\t%d", &puid)) { re = uid == puid; @@ -246,9 +246,9 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, int matched = 0; int exclusive = 0; int ignore = 0; - + f = fopen(cfgfile, "r"); - + if (!f) { pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile); return PAM_SERVICE_ERR; @@ -276,7 +276,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, start = strtok_r(start, OPT_DELIM, &sptr); switch (start[0]) { - case '@': + case '@': ++start; if (debug) pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start); @@ -411,9 +411,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, } #ifdef PAM_STATIC - + /* static module data */ - + struct pam_module _pam_sepermit_modstruct = { "pam_sepermit", pam_sm_authenticate, @@ -424,4 +424,3 @@ struct pam_module _pam_sepermit_modstruct = { NULL }; #endif - -- cgit v1.2.3 From 8fe9004f9fed0eb18b51a7bba4c3e3355076041e Mon Sep 17 00:00:00 2001 
From: Tomas Mraz
Date: Fri, 23 Aug 2013 14:43:36 +0200
Subject: Apply the exclusive check in pam_sepermit only when loginuid not set. * modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from /proc (sepermit_match): Apply the exclusive check only when loginuid not set.
---
 modules/pam_sepermit/pam_sepermit.c | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-) (limited to 'modules/pam_sepermit/pam_sepermit.c')
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
index f7998457..8af1266a 100644
--- a/modules/pam_sepermit/pam_sepermit.c
+++ b/modules/pam_sepermit/pam_sepermit.c
@@ -162,6 +162,40 @@ check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug)
 return running;
 }
 
+/*
+ * This function reads the loginuid from the /proc system. It returns
+ * (uid_t)-1 on failure.
+ */
+static uid_t get_loginuid(pam_handle_t *pamh)
+{
+ int fd, count;
+ char loginuid[24];
+ char *eptr;
+ uid_t rv = (uid_t)-1;
+
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
+ if (fd < 0) {
+ if (errno != ENOENT) {
+ pam_syslog(pamh, LOG_ERR,
+ "Cannot open /proc/self/loginuid: %m");
+ }
+ return rv;
+ }
+ if ((count = pam_modutil_read(fd, loginuid, sizeof(loginuid)-1)) < 1) {
+ close(fd);
+ return rv;
+ }
+ loginuid[count] = '\0';
+ close(fd);
+
+ errno = 0;
+ rv = strtoul(loginuid, &eptr, 10);
+ if (errno != 0 || eptr == loginuid)
+ rv = (uid_t) -1;
+
+ return rv;
+}
+
 static void
 sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED)
 {
@@ -319,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 if (*sense == PAM_SUCCESS) {
 if (ignore)
 *sense = PAM_IGNORE;
- if (geteuid() == 0 && exclusive)
+ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
 if (sepermit_lock(pamh, user, debug) < 0)
 *sense = PAM_AUTH_ERR;
 }
--
cgit v1.2.3
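Review bot: In get_loginuid the `strtoul` result is stored straight into `uid_t rv`, so where `unsigned long` is wider than `uid_t` an out-of-range value is silently truncated instead of being rejected. The file is kernel-generated, so this is hardening rather than a known failure, but the parsed value decides whether the exclusive check runs; parsing into `unsigned long val = strtoul(loginuid, &eptr, 10);` and extending the test to `if (errno != 0 || eptr == loginuid || (uid_t)val != val)` before assigning `rv = (uid_t)val;` closes the gap. The header comment should also state that open and read errors return the same `(uid_t)-1` as an unset loginuid, which makes the caller apply the exclusive check in those cases.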
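Review bot: The new condition `get_loginuid(pamh) == -1` compares a `uid_t` with a plain `int`; it matches only because `uid_t` is an unsigned type at least as wide as `int`, and it is inconsistent with the `(uid_t)-1` sentinel the helper documents and returns. Write it as `if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)`. Because the exclusive lock is now skipped whenever the calling process already carries a loginuid, a login service started from an administrator's session presumably inherits one and would skip the check without leaving a trace; a `debug`-guarded `pam_syslog` on that path would make the skip visible. The body of sepermit_match starts and ends outside the hunk.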