Use pam_modutil_drop_priv if it is available.

Utility functions for what was done in drop_priv.c appeared in PAM 1.1.3. Use them when available.
2025-03-15 18:29:16 +01:00 · 2011-11-23 13:27:37 +01:00 · 2011-11-23 13:27:37 +01:00 · fcde64a93e
commit fcde64a93e
parent b92902fd8f
5 changed files with 58 additions and 13 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -32,9 +32,9 @@ libdir = $(PAMDIR)

 lib_LTLIBRARIES = pam_yubico.la

-include_HEADERS = util.h
+include_HEADERS = util.h drop_privs.h

-pam_yubico_la_SOURCES = pam_yubico.c util.c
+pam_yubico_la_SOURCES = pam_yubico.c util.c drop_privs.c
 # XXX add -Wl,-x too?  PAM documentation suggests it.
 pam_yubico_la_LIBADD = @LTLIBYKCLIENT@ @LIBLDAP@ @YKPERS_LIBS@ @LTLIBYUBIKEY@ -lpam
 pam_yubico_la_LDFLAGS = -module -avoid-version
--- a/configure.ac
+++ b/configure.ac
@ -37,9 +37,11 @@ AC_PROG_LIBTOOL

 AC_CHECK_HEADERS([security/pam_appl.h], [],
  [AC_MSG_ERROR([[PAM header files not found, install libpam-dev.]])])
-AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h], [], [],
+AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h security/pam_modutil.h], [], [],
  [#include <security/pam_appl.h>])

+AC_CHECK_LIB([pam], [pam_start])
+
 AC_ARG_WITH([ldap],
            [AS_HELP_STRING([--without-ldap],
              [disable support for ldap])],
@ -83,6 +85,8 @@ if test -n "$YKPERS_LIBS"; then
 fi
 AM_CONDITIONAL([YKPERS], [test -n "$YKPERS_LIBS"])

+AC_CHECK_FUNCS([pam_modutil_drop_priv])
+
 AC_SUBST(PAMDIR, "\$(exec_prefix)/lib/security")
 AC_ARG_WITH(pam-dir,
  AC_HELP_STRING([--with-pam-dir=DIR],
--- a/drop_privs.c
+++ b/drop_privs.c
@ -1,5 +1,8 @@
 /* Written by Ricky Zhou <ricky@fedoraproject.org>
+ * Fredrik Thulin <fredrik@yubico.com> implemented pam_modutil_drop_priv
+ *
 * Copyright (c) 2011 Ricky Zhou <ricky@fedoraproject.org>
+ * Copyright (c) 2011 Yubico AB
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -35,13 +38,34 @@

 #include "util.h"

+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+#ifdef HAVE_SECURITY_PAM_MODULES_H
+#include <security/pam_modules.h>
+#endif
+
+#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
+#ifdef HAVE_SECURITY_PAM_MODUTIL_H
+#include <security/pam_modutil.h>
+#endif /* HAVE_SECURITY_PAM_MODUTIL_H */
+static struct pam_modutil_privs *pam_privs;
+#else
 static uid_t saved_euid;
 static gid_t saved_egid;

 static gid_t *saved_groups;
 static int saved_groups_length;
+#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */

-int drop_privileges(struct passwd *pw) {
+int drop_privileges(struct passwd *pw, pam_handle_t *pamh) {
+#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
+  int res;
+  res = pam_modutil_drop_priv(pamh, pam_privs, pw);
+  if (res)
+    D (("pam_modutil_drop_priv: %i", res));
+  return res;
+#else
    saved_euid = geteuid();
    saved_egid = getegid();

@ -80,9 +104,17 @@ int drop_privileges(struct passwd *pw) {
    }

    return 0;
+#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
 }

-int restore_privileges(void) {
+int restore_privileges(pam_handle_t *pamh) {
+#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
+  int res;
+  res = pam_modutil_regain_priv(pamh, pam_privs);
+  if (res)
+    D (("pam_modutil_drop_priv: %i", res));
+  return res;
+#else
    if (seteuid(saved_euid) < 0) {
        D (("seteuid: %s", strerror(errno)));
        return -1;
@ -101,4 +133,5 @@ int restore_privileges(void) {
    free(saved_groups);

    return 0;
+#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
 }
--- a/drop_privs.h
+++ b/drop_privs.h
@ -3,7 +3,14 @@

 #include <pwd.h>

-int drop_privileges(struct passwd *);
-int restore_privileges(void);
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+#ifdef HAVE_SECURITY_PAM_MODULES_H
+#include <security/pam_modules.h>
+#endif
+
+int drop_privileges(struct passwd *, pam_handle_t *);
+int restore_privileges(pam_handle_t *);

 #endif
--- a/pam_yubico.c
+++ b/pam_yubico.c
@ -197,7 +197,8 @@ check_user_token (struct cfg *cfg,
 static int
 authorize_user_token (struct cfg *cfg,
 		      const char *username,
-		      const char *otp_id)
+		      const char *otp_id,
+		      pam_handle_t *pamh)
 {
  int retval;
  struct passwd *p;
@ -208,7 +209,7 @@ authorize_user_token (struct cfg *cfg,
      return 0;
  }

-  if (drop_privileges(p) < 0) {
+  if (drop_privileges(p, pamh) < 0) {
    D (("could not drop privileges"));
    return 0;
  }
@ -235,7 +236,7 @@ authorize_user_token (struct cfg *cfg,
      free (userfile);
    }

-  if (restore_privileges() < 0)
+  if (restore_privileges(pamh) < 0)
    {
      DBG (("could not restore privileges"));
      return 0;
@ -479,7 +480,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
  }

  /* Drop privileges before opening user file. */
-  if (drop_privileges(p) < 0) {
+  if (drop_privileges(p, pamh) < 0) {
      D (("could not drop privileges"));
      goto out;
  }
@ -495,7 +496,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
    goto out;
  }

-  if (restore_privileges() < 0) {
+  if (restore_privileges(pamh) < 0) {
      DBG (("could not restore privileges"));
      goto out;
  }
@ -898,7 +899,7 @@ pam_sm_authenticate (pam_handle_t * pamh,
  if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
    valid_token = authorize_user_token_ldap (cfg, user, otp_id);
  else
-    valid_token = authorize_user_token (cfg, user, otp_id);
+    valid_token = authorize_user_token (cfg, user, otp_id, pamh);

  if (valid_token == 0)
    {