pool/pam
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3146390b20
pam/pam_loginuid-part2.diff
Thorsten Kukuk 9e8981cb04 - Add pam_loginuid-part1.diff: Ignore missing /proc/self/loginuid 
- Add pam_loginuid-part2.diff: Workaround to run pam_loginuid inside lxc

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=132
2014-01-10 10:58:11 +00:00

75 lines
3.0 KiB
Diff
Raw Blame History

commit 24f3a88e7de52fbfcb7b8a1ebdae0cdbef420edf
Author: Stéphane Graber <stgraber@ubuntu.com>
Date: Tue Jan 7 16:12:03 2014 -0800
pam_loginuid: Ignore failure in user namespaces
When running pam_loginuid in a container using the user namespaces, even
uid 0 isn't allowed to set the loginuid property.
This change catches the EACCES from opening loginuid, checks if the user
is in the host namespace (by comparing the uid_map with the host's one)
and only if that's the case, sets rc to 1.
Should uid_map not exist or be unreadable for some reason, it'll be
assumed that the process is running on the host's namespace.
The initial reason behind this change was failure to ssh into an
unprivileged container (using a 3.13 kernel and current LXC) when using
a standard pam profile for sshd (which requires success from
pam_loginuid).
I believe this solution doesn't have any drawback and will allow people
to use unprivileged containers normally. An alternative would be to have
all distros set pam_loginuid as optional but that'd be bad for any of
the other potential failure case which people may care about.
There has also been some discussions to get some of the audit features
tied with the user namespaces but currently none of that has been merged
upstream and the currently proposed implementation doesn't cover
loginuid (nor is it clear how this should even work when loginuid is set
as immutable after initial write).
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
modules/pam_loginuid/pam_loginuid.c | 15 ++++++++++++++-
1 files changed, 14 insertions(+), 1 deletions(-)
---
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
index 96f8ffa..54ae6f0 100644
--- a/modules/pam_loginuid/pam_loginuid.c
+++ b/modules/pam_loginuid/pam_loginuid.c
@@ -55,13 +55,26 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
{
int fd, count, rc = PAM_SESSION_ERR;
char loginuid[24], buf[24];
+ static const char host_uid_map[] = " 0 0 4294967295\n";
+ char uid_map[sizeof(host_uid_map)];
count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
if (fd < 0) {
if (errno == ENOENT) {
rc = PAM_IGNORE;
- } else {
+ } else if (errno == EACCES) {
+ fd = open("/proc/self/uid_map", O_RDONLY);
+ if (fd >= 0) {
+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
+ if (strncmp(uid_map, host_uid_map, count) != 0)
+ rc = PAM_IGNORE;
+ close(fd);
+ }
+ if (rc != PAM_IGNORE)
+ errno = EACCES;
+ }
+ if (rc != PAM_IGNORE) {
pam_syslog(pamh, LOG_ERR,
"Cannot open /proc/self/loginuid: %m");
}
_______________________________________________
linux-pam-commits mailing list
linux-pam-commits@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits
Reference in New Issue View Git Blame Copy Permalink