Use pam_modutil_drop_priv if it is available.
Utility functions for what was done in drop_priv.c appeared in PAM 1.1.3. Use them when available.
This commit is contained in:
parent
b92902fd8f
commit
fcde64a93e
@ -32,9 +32,9 @@ libdir = $(PAMDIR)
|
||||
|
||||
lib_LTLIBRARIES = pam_yubico.la
|
||||
|
||||
include_HEADERS = util.h
|
||||
include_HEADERS = util.h drop_privs.h
|
||||
|
||||
pam_yubico_la_SOURCES = pam_yubico.c util.c
|
||||
pam_yubico_la_SOURCES = pam_yubico.c util.c drop_privs.c
|
||||
# XXX add -Wl,-x too? PAM documentation suggests it.
|
||||
pam_yubico_la_LIBADD = @LTLIBYKCLIENT@ @LIBLDAP@ @YKPERS_LIBS@ @LTLIBYUBIKEY@ -lpam
|
||||
pam_yubico_la_LDFLAGS = -module -avoid-version
|
||||
|
@ -37,9 +37,11 @@ AC_PROG_LIBTOOL
|
||||
|
||||
AC_CHECK_HEADERS([security/pam_appl.h], [],
|
||||
[AC_MSG_ERROR([[PAM header files not found, install libpam-dev.]])])
|
||||
AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h], [], [],
|
||||
AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h security/pam_modutil.h], [], [],
|
||||
[#include <security/pam_appl.h>])
|
||||
|
||||
AC_CHECK_LIB([pam], [pam_start])
|
||||
|
||||
AC_ARG_WITH([ldap],
|
||||
[AS_HELP_STRING([--without-ldap],
|
||||
[disable support for ldap])],
|
||||
@ -83,6 +85,8 @@ if test -n "$YKPERS_LIBS"; then
|
||||
fi
|
||||
AM_CONDITIONAL([YKPERS], [test -n "$YKPERS_LIBS"])
|
||||
|
||||
AC_CHECK_FUNCS([pam_modutil_drop_priv])
|
||||
|
||||
AC_SUBST(PAMDIR, "\$(exec_prefix)/lib/security")
|
||||
AC_ARG_WITH(pam-dir,
|
||||
AC_HELP_STRING([--with-pam-dir=DIR],
|
||||
|
37
drop_privs.c
37
drop_privs.c
@ -1,5 +1,8 @@
|
||||
/* Written by Ricky Zhou <ricky@fedoraproject.org>
|
||||
* Fredrik Thulin <fredrik@yubico.com> implemented pam_modutil_drop_priv
|
||||
*
|
||||
* Copyright (c) 2011 Ricky Zhou <ricky@fedoraproject.org>
|
||||
* Copyright (c) 2011 Yubico AB
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
@ -35,13 +38,34 @@
|
||||
|
||||
#include "util.h"
|
||||
|
||||
#ifdef HAVE_SECURITY_PAM_APPL_H
|
||||
#include <security/pam_appl.h>
|
||||
#endif
|
||||
#ifdef HAVE_SECURITY_PAM_MODULES_H
|
||||
#include <security/pam_modules.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
|
||||
#ifdef HAVE_SECURITY_PAM_MODUTIL_H
|
||||
#include <security/pam_modutil.h>
|
||||
#endif /* HAVE_SECURITY_PAM_MODUTIL_H */
|
||||
static struct pam_modutil_privs *pam_privs;
|
||||
#else
|
||||
static uid_t saved_euid;
|
||||
static gid_t saved_egid;
|
||||
|
||||
static gid_t *saved_groups;
|
||||
static int saved_groups_length;
|
||||
#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
|
||||
|
||||
int drop_privileges(struct passwd *pw) {
|
||||
int drop_privileges(struct passwd *pw, pam_handle_t *pamh) {
|
||||
#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
|
||||
int res;
|
||||
res = pam_modutil_drop_priv(pamh, pam_privs, pw);
|
||||
if (res)
|
||||
D (("pam_modutil_drop_priv: %i", res));
|
||||
return res;
|
||||
#else
|
||||
saved_euid = geteuid();
|
||||
saved_egid = getegid();
|
||||
|
||||
@ -80,9 +104,17 @@ int drop_privileges(struct passwd *pw) {
|
||||
}
|
||||
|
||||
return 0;
|
||||
#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
|
||||
}
|
||||
|
||||
int restore_privileges(void) {
|
||||
int restore_privileges(pam_handle_t *pamh) {
|
||||
#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
|
||||
int res;
|
||||
res = pam_modutil_regain_priv(pamh, pam_privs);
|
||||
if (res)
|
||||
D (("pam_modutil_drop_priv: %i", res));
|
||||
return res;
|
||||
#else
|
||||
if (seteuid(saved_euid) < 0) {
|
||||
D (("seteuid: %s", strerror(errno)));
|
||||
return -1;
|
||||
@ -101,4 +133,5 @@ int restore_privileges(void) {
|
||||
free(saved_groups);
|
||||
|
||||
return 0;
|
||||
#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
|
||||
}
|
||||
|
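Review bot: In the HAVE_PAM_MODUTIL_DROP_PRIV build, `pam_privs` (declared in the `@ -35,13` hunk as `static struct pam_modutil_privs *pam_privs;`) is a file-scope pointer that nothing in the shown hunks ever points at storage, so both `pam_modutil_drop_priv(pamh, pam_privs, pw)` and `pam_modutil_regain_priv(pamh, pam_privs)` receive a null pointer; unless it is assigned somewhere outside these hunks, the library would presumably dereference it and the module would crash in the authentication path instead of dropping privileges. The struct needs real storage, including the group buffer the library saves into, e.g. replace the declaration with `PAM_MODUTIL_DEF_PRIVS(pam_privs);` (the helper macro pam_modutil.h provides for exactly this) and pass `&pam_privs` in both calls. Separately, the debug line in restore_privileges (the `@ -80,9` hunk) names the wrong function; it should read `D (("pam_modutil_regain_priv: %i", res));`. Both drop_privileges and restore_privileges extend beyond the hunks shown.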
11
drop_privs.h
11
drop_privs.h
@ -3,7 +3,14 @@
|
||||
|
||||
#include <pwd.h>
|
||||
|
||||
int drop_privileges(struct passwd *);
|
||||
int restore_privileges(void);
|
||||
#ifdef HAVE_SECURITY_PAM_APPL_H
|
||||
#include <security/pam_appl.h>
|
||||
#endif
|
||||
#ifdef HAVE_SECURITY_PAM_MODULES_H
|
||||
#include <security/pam_modules.h>
|
||||
#endif
|
||||
|
||||
int drop_privileges(struct passwd *, pam_handle_t *);
|
||||
int restore_privileges(pam_handle_t *);
|
||||
|
||||
#endif
|
||||
|
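Review bot: The new prototypes at the end of the hunk use `pam_handle_t`, but the includes that declare it are wrapped in `HAVE_SECURITY_PAM_APPL_H` / `HAVE_SECURITY_PAM_MODULES_H`, which are only defined for translation units that pulled in config.h; the Makefile.am hunk lists drop_privs.h under `include_HEADERS`, so an external consumer of the installed header would see an undeclared `pam_handle_t`. Either include `<security/pam_appl.h>` unconditionally here (the configure.ac hunk shows configure already errors out when that header is missing) or stop installing a module-internal header. A short contract comment on the pair would also help, e.g. `/* Switch effective ids to those of pw; must be paired with restore_privileges() before returning to PAM. Returns 0 on success, -1 (or the pam_modutil status) on failure. */` — the 0/-1 returns are what drop_privs.c shows on its non-modutil path.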
13
pam_yubico.c
13
pam_yubico.c
@ -197,7 +197,8 @@ check_user_token (struct cfg *cfg,
|
||||
static int
|
||||
authorize_user_token (struct cfg *cfg,
|
||||
const char *username,
|
||||
const char *otp_id)
|
||||
const char *otp_id,
|
||||
pam_handle_t *pamh)
|
||||
{
|
||||
int retval;
|
||||
struct passwd *p;
|
||||
@ -208,7 +209,7 @@ authorize_user_token (struct cfg *cfg,
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (drop_privileges(p) < 0) {
|
||||
if (drop_privileges(p, pamh) < 0) {
|
||||
D (("could not drop privileges"));
|
||||
return 0;
|
||||
}
|
||||
@ -235,7 +236,7 @@ authorize_user_token (struct cfg *cfg,
|
||||
free (userfile);
|
||||
}
|
||||
|
||||
if (restore_privileges() < 0)
|
||||
if (restore_privileges(pamh) < 0)
|
||||
{
|
||||
DBG (("could not restore privileges"));
|
||||
return 0;
|
||||
@ -479,7 +480,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
|
||||
}
|
||||
|
||||
/* Drop privileges before opening user file. */
|
||||
if (drop_privileges(p) < 0) {
|
||||
if (drop_privileges(p, pamh) < 0) {
|
||||
D (("could not drop privileges"));
|
||||
goto out;
|
||||
}
|
||||
@ -495,7 +496,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (restore_privileges() < 0) {
|
||||
if (restore_privileges(pamh) < 0) {
|
||||
DBG (("could not restore privileges"));
|
||||
goto out;
|
||||
}
|
||||
@ -898,7 +899,7 @@ pam_sm_authenticate (pam_handle_t * pamh,
|
||||
if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
|
||||
valid_token = authorize_user_token_ldap (cfg, user, otp_id);
|
||||
else
|
||||
valid_token = authorize_user_token (cfg, user, otp_id);
|
||||
valid_token = authorize_user_token (cfg, user, otp_id, pamh);
|
||||
|
||||
if (valid_token == 0)
|
||||
{
|
||||
|
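Review bot: In do_challenge_response, the `goto out;` at the top of the `@ -495,7` hunk sits after `drop_privileges(p, pamh)` has succeeded and before `restore_privileges(pamh)`, so that error path leaves the region with the module still running under the dropped effective ids; unless the `out:` label (outside the hunk) regains privileges, the rest of the PAM stack continues that way. The same applies to any other early exit between the two calls that the hunks do not show. Consider making `out` the single restore point, or restoring on every exit in that region, e.g. `restore_privileges(pamh); goto out;`. A style note as well: pamh is appended as the last parameter of authorize_user_token while do_challenge_response takes it first, which is worth aligning while the signature is being changed anyway. Both functions extend beyond the hunks shown.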