Index: src/auth.c =================================================================== --- src/auth.c.orig +++ src/auth.c @@ -435,9 +435,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f return pam_sm_open_session(pamh, flags, argc, argv); } if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { - if (_pam_krb5_sly_looks_unsafe() == 0) { + int unsave = _pam_krb5_sly_looks_unsafe(); + + /* unsave == 2 or 3 can be fixed inside of + _pam_krb5_sly_maybe_refresh */ + if (unsave == 0 || unsave == 2 || unsave == 3) { return _pam_krb5_sly_maybe_refresh(pamh, flags, - argc, argv); + argc, argv); } else { return PAM_IGNORE; } Index: src/sly.c =================================================================== --- src/sly.c.orig +++ src/sly.c @@ -148,6 +148,21 @@ _pam_krb5_sly_looks_unsafe(void) return 0; } +/* restore dropped privileges */ +int +_restore_privs(uid_t save_euid, gid_t save_egid) +{ + int retuid = 0, retgid = 0; + + retuid = setresuid(getuid(), save_euid, getuid()); + retgid = setresgid(getgid(), save_egid, getgid()); + + debug("restore privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); + debug("restore privileges: GID = %u, EGID = %u\n", getgid(), getegid()); + + return (retuid == -1 || retgid == -1)?-1:0; +} + int _pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags, int argc, PAM_KRB5_MAYBE_CONST char **argv) @@ -161,6 +176,20 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t int i, retval, stored; char *v5ccname, *v5filename, *v4tktfile; + uid_t save_euid = geteuid(); + gid_t save_egid = getegid(); + + + if(_pam_krb5_sly_looks_unsafe() == 2 || _pam_krb5_sly_looks_unsafe() == 3) + { + /* drop privileges temporarily; restore them on every return from this function */ + setresuid(getuid(), getuid(), geteuid()); + setresgid(getgid(), getgid(), getegid()); + + debug("drop privileges temporarily: UID = %u, EUID = %u\n", getuid(), geteuid()); + debug("drop privileges temporarily: GID = %u, EGID = %u\n", getgid(), getegid()); + } + /* Inexpensive checks. */ switch (_pam_krb5_sly_looks_unsafe()) { case 0: @@ -168,18 +197,22 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t break; case 1: warn("won't refresh credentials while running under sudo"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; break; case 2: warn("won't refresh credentials while running setuid"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; break; case 3: warn("won't refresh credentials while running setgid"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; break; default: warn("not safe to refresh credentials"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; break; } @@ -187,6 +220,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t /* Initialize Kerberos. */ if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) { warn("error initializing Kerberos"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; } @@ -195,6 +229,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t if (i != PAM_SUCCESS) { warn("could not identify user name"); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return i; } @@ -203,6 +238,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t if (options == NULL) { warn("error parsing options (shouldn't happen)"); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; } if (options->debug) { @@ -224,6 +260,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t } _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return retval; } @@ -235,6 +272,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t _pam_krb5_user_info_free(ctx, userinfo); _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return PAM_IGNORE; } @@ -246,6 +284,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t _pam_krb5_user_info_free(ctx, userinfo); _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; } @@ -354,5 +393,6 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return retval; }