
Use pam_modutil_drop_priv if it is available.

Utility functions for what was done in drop_priv.c appeared
in PAM 1.1.3. Use them when available.
This commit is contained in:
Fredrik Thulin 2011-11-23 13:27:37 +01:00
parent b92902fd8f
commit fcde64a93e
5 changed files with 58 additions and 13 deletions


@ -32,9 +32,9 @@ libdir = $(PAMDIR)
lib_LTLIBRARIES = pam_yubico.la
include_HEADERS = util.h
include_HEADERS = util.h drop_privs.h
pam_yubico_la_SOURCES = pam_yubico.c util.c
pam_yubico_la_SOURCES = pam_yubico.c util.c drop_privs.c
# XXX add -Wl,-x too? PAM documentation suggests it.
pam_yubico_la_LIBADD = @LTLIBYKCLIENT@ @LIBLDAP@ @YKPERS_LIBS@ @LTLIBYUBIKEY@ -lpam
pam_yubico_la_LDFLAGS = -module -avoid-version


@ -37,9 +37,11 @@ AC_PROG_LIBTOOL
AC_CHECK_HEADERS([security/pam_appl.h], [],
[AC_MSG_ERROR([[PAM header files not found, install libpam-dev.]])])
AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h], [], [],
AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h security/pam_modutil.h], [], [],
[#include <security/pam_appl.h>])
AC_CHECK_LIB([pam], [pam_start])
AC_ARG_WITH([ldap],
[AS_HELP_STRING([--without-ldap],
[disable support for ldap])],
@ -83,6 +85,8 @@ if test -n "$YKPERS_LIBS"; then
fi
AM_CONDITIONAL([YKPERS], [test -n "$YKPERS_LIBS"])
AC_CHECK_FUNCS([pam_modutil_drop_priv])
AC_SUBST(PAMDIR, "\$(exec_prefix)/lib/security")
AC_ARG_WITH(pam-dir,
AC_HELP_STRING([--with-pam-dir=DIR],


@ -1,5 +1,8 @@
/* Written by Ricky Zhou <ricky@fedoraproject.org>
* Fredrik Thulin <fredrik@yubico.com> implemented pam_modutil_drop_priv
*
* Copyright (c) 2011 Ricky Zhou <ricky@fedoraproject.org>
* Copyright (c) 2011 Yubico AB
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@ -35,13 +38,34 @@
#include "util.h"
#ifdef HAVE_SECURITY_PAM_APPL_H
#include <security/pam_appl.h>
#endif
#ifdef HAVE_SECURITY_PAM_MODULES_H
#include <security/pam_modules.h>
#endif
#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
#ifdef HAVE_SECURITY_PAM_MODUTIL_H
#include <security/pam_modutil.h>
#endif /* HAVE_SECURITY_PAM_MODUTIL_H */
static struct pam_modutil_privs *pam_privs;
#else
static uid_t saved_euid;
static gid_t saved_egid;
static gid_t *saved_groups;
static int saved_groups_length;
#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
int drop_privileges(struct passwd *pw) {
int drop_privileges(struct passwd *pw, pam_handle_t *pamh) {
#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
int res;
res = pam_modutil_drop_priv(pamh, pam_privs, pw);
if (res)
D (("pam_modutil_drop_priv: %i", res));
return res;
#else
saved_euid = geteuid();
saved_egid = getegid();
@ -80,9 +104,17 @@ int drop_privileges(struct passwd *pw) {
}
return 0;
#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
}
int restore_privileges(void) {
int restore_privileges(pam_handle_t *pamh) {
#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
int res;
res = pam_modutil_regain_priv(pamh, pam_privs);
if (res)
D (("pam_modutil_drop_priv: %i", res));
return res;
#else
if (seteuid(saved_euid) < 0) {
D (("seteuid: %s", strerror(errno)));
return -1;
@ -101,4 +133,5 @@ int restore_privileges(void) {
free(saved_groups);
return 0;
#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
}
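Review bot: `pam_privs` is a static pointer that nothing ever assigns, so `res = pam_modutil_drop_priv(pamh, pam_privs, pw);` hands the library a NULL struct; `pam_modutil_drop_priv` stores the saved ids and the supplementary group list into the struct it is given, so the new code path dereferences NULL on first use instead of dropping privileges. `security/pam_modutil.h` provides `PAM_MODUTIL_DEF_PRIVS(name)` to declare the struct together with its group buffer; it has to live at file scope here because `restore_privileges` must see the same object, so replace `static struct pam_modutil_privs *pam_privs;` with a file-scope `PAM_MODUTIL_DEF_PRIVS(privs);` and call `pam_modutil_drop_priv(pamh, &privs, pw)` / `pam_modutil_regain_priv(pamh, &privs)`. Separately, both new branches `return res;`, a PAM status code, while the legacy branch returns `-1` and the callers in pam_yubico.c test `drop_privileges(p, pamh) < 0` and `restore_privileges(pamh) < 0`; PAM status codes are non-negative, so a failed drop or regain would be treated as success and the user file would be opened with the module's privileges — normalize with `return res == PAM_SUCCESS ? 0 : -1;` in both functions. The debug message in `restore_privileges` still says `pam_modutil_drop_priv`; it should read `D (("pam_modutil_regain_priv: %i", res));`. The bodies of both `drop_privileges` and `restore_privileges` continue outside the hunks shown.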


@ -3,7 +3,14 @@
#include <pwd.h>
int drop_privileges(struct passwd *);
int restore_privileges(void);
#ifdef HAVE_SECURITY_PAM_APPL_H
#include <security/pam_appl.h>
#endif
#ifdef HAVE_SECURITY_PAM_MODULES_H
#include <security/pam_modules.h>
#endif
int drop_privileges(struct passwd *, pam_handle_t *);
int restore_privileges(pam_handle_t *);
#endif
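Review bot: The prototypes `int drop_privileges(struct passwd *, pam_handle_t *);` and `int restore_privileges(pam_handle_t *);` now depend on `pam_handle_t`, but its declaration is pulled in only under `HAVE_SECURITY_PAM_APPL_H` / `HAVE_SECURITY_PAM_MODULES_H`, macros that come from config.h; whether this header includes config.h itself is outside the hunk, so any translation unit that includes drop_privs.h before config.h would see an undeclared type and fail to compile. Either include config.h at the top of drop_privs.h or state the ordering requirement in a comment such as `/* config.h must be included before this header (HAVE_SECURITY_PAM_* select the PAM headers). */`.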


@ -197,7 +197,8 @@ check_user_token (struct cfg *cfg,
static int
authorize_user_token (struct cfg *cfg,
const char *username,
const char *otp_id)
const char *otp_id,
pam_handle_t *pamh)
{
int retval;
struct passwd *p;
@ -208,7 +209,7 @@ authorize_user_token (struct cfg *cfg,
return 0;
}
if (drop_privileges(p) < 0) {
if (drop_privileges(p, pamh) < 0) {
D (("could not drop privileges"));
return 0;
}
@ -235,7 +236,7 @@ authorize_user_token (struct cfg *cfg,
free (userfile);
}
if (restore_privileges() < 0)
if (restore_privileges(pamh) < 0)
{
DBG (("could not restore privileges"));
return 0;
@ -479,7 +480,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
}
/* Drop privileges before opening user file. */
if (drop_privileges(p) < 0) {
if (drop_privileges(p, pamh) < 0) {
D (("could not drop privileges"));
goto out;
}
@ -495,7 +496,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
goto out;
}
if (restore_privileges() < 0) {
if (restore_privileges(pamh) < 0) {
DBG (("could not restore privileges"));
goto out;
}
@ -898,7 +899,7 @@ pam_sm_authenticate (pam_handle_t * pamh,
if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
valid_token = authorize_user_token_ldap (cfg, user, otp_id);
else
valid_token = authorize_user_token (cfg, user, otp_id);
valid_token = authorize_user_token (cfg, user, otp_id, pamh);
if (valid_token == 0)
{