mirror of
https://github.com/Yubico/yubico-pam.git
synced 2025-02-20 21:54:16 +01:00
in the challenge-response case only drop privileges for user dir
This allows the module to work when the directory is writable only by root. Fixes #77
parent
6f6a7b20fc
commit
1036873b95
10
pam_yubico.c
10
pam_yubico.c
@ -475,10 +475,12 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
|
||||
|
||||
DBG(("Loading challenge from file %s", userfile));
|
||||
|
||||
/* Drop privileges before opening user file. */
|
||||
if (pam_modutil_drop_priv(pamh, &privs, p)) {
|
||||
/* Drop privileges before opening user file (if we're not using system-wide dir). */
|
||||
if (!cfg->chalresp_path) {
|
||||
if (pam_modutil_drop_priv(pamh, &privs, p)) {
|
||||
DBG (("could not drop privileges"));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
fd = open(userfile, O_RDONLY, 0);
|
||||
@ -515,9 +517,11 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
|
||||
}
|
||||
f = NULL;
|
||||
|
||||
if (pam_modutil_regain_priv(pamh, &privs)) {
|
||||
if (!cfg->chalresp_path) {
|
||||
if (pam_modutil_regain_priv(pamh, &privs)) {
|
||||
DBG (("could not restore privileges"));
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
if (! challenge_response(yk, state.slot, state.challenge, state.challenge_len,
|
||||
|
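Review bot: With `chalresp_path` set, the `open(userfile, O_RDONLY, 0)` that follows the first hunk now runs with the module's full privileges, and nothing visible here verifies that the configured directory really is writable only by root. If the directory is misconfigured so that other users can write to it, a symlink or special file under the user's name would be opened with those privileges; `fd = open(userfile, O_RDONLY | O_NOFOLLOW | O_CLOEXEC, 0);` followed by an `fstat` check that the result is a regular file with the expected owner would keep the privileged path narrow. The guard `!cfg->chalresp_path` is also evaluated twice, once for the drop and once for the regain in the second hunk; recording the decision in a local flag, for example `int dropped = !cfg->chalresp_path;`, would tie the regain to the drop that actually happened and let the `out` path consult it. The rest of do_challenge_response and the `out` label lie outside both hunks, so whether the `goto out` paths between drop and regain restore privileges, and under which privileges any later state-file write runs, cannot be confirmed from this page.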