From 8fe9004f9fed0eb18b51a7bba4c3e3355076041e Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 23 Aug 2013 14:43:36 +0200
Subject: Apply the exclusive check in pam_sepermit only when loginuid not set.

* modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from /proc (sepermit_match): Apply the exclusive check only when loginuid not set.
---
 modules/pam_sepermit/pam_sepermit.c | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
(limited to 'modules')

diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
index f7998457..8af1266a 100644
--- a/modules/pam_sepermit/pam_sepermit.c
+++ b/modules/pam_sepermit/pam_sepermit.c
@@ -162,6 +162,40 @@ check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug)
 return running;
 }
+/*
+ * This function reads the loginuid from the /proc system. It returns
+ * (uid_t)-1 on failure.
+ */
+static uid_t get_loginuid(pam_handle_t *pamh)
+{
+ int fd, count;
+ char loginuid[24];
+ char *eptr;
+ uid_t rv = (uid_t)-1;
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
+ if (fd < 0) {
+ if (errno != ENOENT) {
+ pam_syslog(pamh, LOG_ERR,
+ "Cannot open /proc/self/loginuid: %m");
+ }
+ return rv;
+ }
+ if ((count = pam_modutil_read(fd, loginuid, sizeof(loginuid)-1)) < 1) {
+ close(fd);
+ return rv;
+ }
+ loginuid[count] = '\0';
+ close(fd);
+ errno = 0;
+ rv = strtoul(loginuid, &eptr, 10);
+ if (errno != 0 || eptr == loginuid)
+ rv = (uid_t) -1;
+ return rv;
+}
+
 static void
 sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED)
 {
@@ -319,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 if (*sense == PAM_SUCCESS) {
 if (ignore)
 *sense = PAM_IGNORE;
- if (geteuid() == 0 && exclusive)
+ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
 if (sepermit_lock(pamh, user, debug) < 0)
 *sense = PAM_AUTH_ERR;
 }
-- 
cgit v1.2.3
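Review bot: In get_loginuid the parse after `strtoul` only rejects `errno != 0` and `eptr == loginuid`, so a value followed by non-numeric bytes is accepted with the suffix silently ignored instead of being treated as a malformed file like the other failure paths are. Tightening it to `if (errno != 0 || eptr == loginuid || (*eptr != '\0' && *eptr != '\n'))` keeps a trailing newline tolerated (in case the kernel ever emits one; I have not confirmed it does not) while making any other garbage report "not set". The narrowing assignment `rv = strtoul(...)` into uid_t also means an out-of-range value is truncated rather than reported, which is acceptable only because the caller treats (uid_t)-1 as "not set" and then applies the stricter exclusive check, i.e. every failure here fails closed; that property is worth stating in the header comment, e.g. `* Any failure (missing file, short read, malformed value) is reported as "not set".`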
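Review bot: The new condition compares the uid_t result of get_loginuid against the signed literal `-1`; it is correct only through implicit conversion of -1 to the all-ones unsigned value and draws a -Wsign-compare warning, so it should be written the way the function's own comment spells the sentinel: `if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)`. The change also makes a policy decision without saying so at the call site: the exclusive lock is now skipped for every process whose loginuid is already set, and the commit message describes what but not why. A one-line comment such as `/* loginuid already set: not the initial login, so the exclusive check does not apply */` would keep the intent next to the code; presumably that is the rationale, but confirm it against the change's motivation before wording it as fact. sepermit_match begins and ends outside the hunk.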