From 263012f7254f6c127509b059c309e08c419a4af7 Mon Sep 17 00:00:00 2001 From: Fredrik Thulin Date: Tue, 13 Dec 2011 16:56:04 +0100 Subject: [PATCH] authorize_user_token: Don't drop privs for system-wide file. --- pam_yubico.c | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/pam_yubico.c b/pam_yubico.c index 802a5a1..20546fb 100644 --- a/pam_yubico.c +++ b/pam_yubico.c @@ -206,45 +206,50 @@ authorize_user_token (struct cfg *cfg, pam_handle_t *pamh) { int retval; - struct passwd *p; - - p = getpwnam (username); - if (p == NULL) { - DBG (("getpwnam: %s", strerror(errno))); - return 0; - } - - if (drop_privileges(p, pamh) < 0) { - D (("could not drop privileges")); - return 0; - } if (cfg->auth_file) { /* Administrator had configured the file and specified is name as an argument for this module. */ + DBG (("Using system-wide auth_file %s", cfg->auth_file)); retval = check_user_token (cfg, cfg->auth_file, username, otp_id); } else { char *userfile = NULL; + struct passwd *p; + + p = getpwnam (username); + if (p == NULL) { + DBG (("getpwnam: %s", strerror(errno))); + return 0; + } /* Getting file from user home directory ..... i.e. ~/.yubico/authorized_yubikeys */ - if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", username, &userfile)) + if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", username, &userfile)) { + D (("Failed figuring out per-user cfgfile")); return 0; + } + + DBG (("Dropping privileges")); + + if (drop_privileges(p, pamh) < 0) { + D (("could not drop privileges")); + return 0; + } retval = check_user_token (cfg, userfile, username, otp_id); - free (userfile); - } + if (restore_privileges(pamh) < 0) + { + DBG (("could not restore privileges")); + return 0; + } - if (restore_privileges(pamh) < 0) - { - DBG (("could not restore privileges")); - return 0; + free (userfile); } return retval;