fixup openpam drop_privs implementation to support debug_file

2024-11-28 15:24:13 +01:00 · 2016-06-16 10:07:38 +02:00 · 2016-06-16 10:07:38 +02:00 · cb4e1df68e
commit cb4e1df68e
parent fc9a4255f0
2 changed files with 14 additions and 12 deletions
--- a/drop_privs.c
+++ b/drop_privs.c
@ -55,40 +55,40 @@ int pam_modutil_drop_priv(pam_handle_t *pamh, struct _ykpam_privs *privs, struct
    privs->saved_egid = getegid();

    if ((privs->saved_euid == pw->pw_uid) && (privs->saved_egid == pw->pw_gid)) {
-        D (("Privilges already dropped, pretend it is all right"));
+        D (privs->debug_file, "Privilges already dropped, pretend it is all right");
        return 0;
    }

    privs->saved_groups_length = getgroups(0, NULL);
    if (privs->saved_groups_length < 0) {
-        D (("getgroups: %s", strerror(errno)));
+        D (privs->debug_file, "getgroups: %s", strerror(errno));
        return -1;
    }

    if (privs->saved_groups_length > SAVED_GROUPS_MAX_LEN) {
-        D (("to many groups, limiting."));
+        D (privs->debug_file, "to many groups, limiting.");
        privs->saved_groups_length = SAVED_GROUPS_MAX_LEN;
    }

    if (privs->saved_groups_length > 0) {
        if (getgroups(privs->saved_groups_length, privs->saved_groups) < 0) {
-            D (("getgroups: %s", strerror(errno)));
+            D (privs->debug_file, "getgroups: %s", strerror(errno));
            goto free_out;
        }
    }

    if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
-        D (("initgroups: %s", strerror(errno)));
+        D (privs->debug_file, "initgroups: %s", strerror(errno));
        goto free_out;
    }

    if (setegid(pw->pw_gid) < 0) {
-        D (("setegid: %s", strerror(errno)));
+        D (privs->debug_file, "setegid: %s", strerror(errno));
        goto free_out;
    }

    if (seteuid(pw->pw_uid) < 0) {
-        D (("seteuid: %s", strerror(errno)));
+        D (privs->debug_file, "seteuid: %s", strerror(errno));
        goto free_out;
    }

@ -99,22 +99,22 @@ free_out:

 int pam_modutil_regain_priv(pam_handle_t *pamh, struct _ykpam_privs *privs) {
    if ((privs->saved_euid == geteuid()) && (privs->saved_egid == getegid())) {
-        D (("Privilges already as requested, pretend it is all right"));
+        D (privs->debug_file, "Privilges already as requested, pretend it is all right");
        return 0;
    }

    if (seteuid(privs->saved_euid) < 0) {
-        D (("seteuid: %s", strerror(errno)));
+        D (privs->debug_file, "seteuid: %s", strerror(errno));
        return -1;
    }

    if (setegid(privs->saved_egid) < 0) {
-        D (("setegid: %s", strerror(errno)));
+        D (privs->debug_file, "setegid: %s", strerror(errno));
        return -1;
    }

    if (setgroups(privs->saved_groups_length, privs->saved_groups) < 0) {
-        D (("setgroups: %s", strerror(errno)));
+        D (privs->debug_file, "setgroups: %s", strerror(errno));
        return -1;
    }

--- a/drop_privs.h
+++ b/drop_privs.h
@ -34,6 +34,7 @@
 #else

 #include <pwd.h>
+#include <stdio.h>

 #ifdef HAVE_SECURITY_PAM_APPL_H
 #include <security/pam_appl.h>
@ -49,11 +50,12 @@ struct _ykpam_privs {
  gid_t saved_egid;
  gid_t *saved_groups;
  int saved_groups_length;
+  FILE *debug_file;
 };

 #define PAM_MODUTIL_DEF_PRIVS(n) \
  gid_t n##_saved_groups[SAVED_GROUPS_MAX_LEN]; \
-  struct _ykpam_privs n = {-1, -1, n##_saved_groups, SAVED_GROUPS_MAX_LEN}
+  struct _ykpam_privs n = {-1, -1, n##_saved_groups, SAVED_GROUPS_MAX_LEN, cfg->debug_file}

 int pam_modutil_drop_priv(pam_handle_t *, struct _ykpam_privs *, struct passwd *);
 int pam_modutil_regain_priv(pam_handle_t *, struct _ykpam_privs *);