mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-20 21:54:16 +01:00

in the challenge-response case only drop privileges for user dir

This allows the module to work in a case where the directory is only
writable to root.

fixes #77
Klas Lindfors 2015-09-11 13:56:14 +02:00
parent 6f6a7b20fc
commit 1036873b95


@ -475,10 +475,12 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
DBG(("Loading challenge from file %s", userfile));
/* Drop privileges before opening user file. */
if (pam_modutil_drop_priv(pamh, &privs, p)) {
/* Drop privileges before opening user file (if we're not using system-wide dir). */
if (!cfg->chalresp_path) {
if (pam_modutil_drop_priv(pamh, &privs, p)) {
DBG (("could not drop privileges"));
goto out;
}
}
fd = open(userfile, O_RDONLY, 0);
@ -515,9 +517,11 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
}
f = NULL;
if (pam_modutil_regain_priv(pamh, &privs)) {
if (!cfg->chalresp_path) {
if (pam_modutil_regain_priv(pamh, &privs)) {
DBG (("could not restore privileges"));
goto out;
}
}
if (! challenge_response(yk, state.slot, state.challenge, state.challenge_len,
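Review bot: When `cfg->chalresp_path` is set, the `open(userfile, O_RDONLY, 0)` at the end of the first hunk now runs with the caller's privileges (typically root) rather than the target user's, and nothing visible here checks what `userfile` resolves to. That is only safe while the system-wide directory is writable by root alone, as the commit message assumes; if it is ever group- or world-writable, a symlink placed there would be followed with full privileges. I would add `O_NOFOLLOW` to that call, `fd = open(userfile, O_RDONLY | O_NOFOLLOW, 0);`, and confirm the descriptor refers to a regular file before parsing it, unless code outside the hunk already does so. The drop in the first hunk and the regain in the second each re-test `cfg->chalresp_path`, so it is also worth checking that every `goto out` between them leaves the process with the privileges it started with; `do_challenge_response` begins and ends outside both hunks, so that cannot be verified from here.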