Index: pam_krb5-2.3.1-1/src/auth.c
===================================================================
--- pam_krb5-2.3.1-1.orig/src/auth.c
+++ pam_krb5-2.3.1-1/src/auth.c
@@ -62,6 +62,7 @@
 #include "items.h"
 #include "kuserok.h"
 #include "log.h"
+#include "perms.h"
 #include "options.h"
 #include "prompter.h"
 #include "sly.h"
@@ -477,6 +478,7 @@ int
 pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, PAM_KRB5_MAYBE_CONST char **argv)
 {
+ struct _pam_krb5_perms *saved_perms;
 notice("pam_setcred (%s) called",
 (flags & PAM_ESTABLISH_CRED)?"establish credential":
 (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
@@ -486,10 +488,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 return pam_sm_open_session(pamh, flags, argc, argv);
 }
 if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
+ saved_perms = _pam_krb5_switch_perms_r2e();
+
 if (_pam_krb5_sly_looks_unsafe() == 0) {
- return _pam_krb5_sly_maybe_refresh(pamh, flags,
- argc, argv);
+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv);
+ if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms);
+ }
+ saved_perms = NULL;
+
+ return i;
 } else {
+ debug("looks unsafe - ignore refresh");
+ if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms);
+ }
+ saved_perms = NULL;
 return PAM_IGNORE;
 }
 }
Index: pam_krb5-2.3.1-1/src/perms.c
===================================================================
--- pam_krb5-2.3.1-1.orig/src/perms.c
+++ pam_krb5-2.3.1-1/src/perms.c
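Review bot: In the refresh branch of `pam_sm_setcred` (src/auth.c, third hunk), a NULL return from `_pam_krb5_switch_perms_r2e()` is not treated as a failure: the code still calls `_pam_krb5_sly_looks_unsafe()` and `_pam_krb5_sly_maybe_refresh()` and merely skips the restore. Going by the perms.c part of this patch, NULL comes back only when `malloc` or a `setresgid`/`setresuid` call fails, so in that case the refresh runs with the unchanged effective IDs, which is presumably the situation the switch is meant to prevent. Failing closed right after the switch would avoid that, e.g. `if (saved_perms == NULL) { return PAM_IGNORE; }` (or `PAM_SERVICE_ERR`). The result of `_pam_krb5_restore_perms_r2e()` is also discarded in both branches, so a failed restore goes unnoticed; it should at least be logged with the file's existing logging helpers. The function body starts and continues outside this hunk.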
@@ -87,3 +87,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
 }
 return ret;
 }
+
+struct _pam_krb5_perms *
+_pam_krb5_switch_perms_r2e(void)
+{
+ struct _pam_krb5_perms *ret;
+ ret = malloc(sizeof(*ret));
+ if (ret != NULL) {
+ ret->ruid = getuid();
+ ret->euid = geteuid();
+ ret->rgid = getgid();
+ ret->egid = getegid();
+ if (ret->ruid == ret->euid) {
+ ret->ruid = -1;
+ ret->euid = -1;
+ }
+ if (ret->rgid == ret->egid) {
+ ret->rgid = -1;
+ ret->egid = -1;
+ }
+ if (setresgid(ret->rgid, ret->rgid, ret->egid) == -1) {
+ free(ret);
+ ret = NULL;
+ } else {
+ if (setresuid(ret->ruid, ret->ruid, ret->euid) == -1) {
+ setresgid(ret->rgid, ret->egid, ret->rgid);
+ free(ret);
+ ret = NULL;
+ }
+ }
+ }
+ return ret;
+}
+
+int
+_pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved)
+{
+ int ret = -1;
+ if (saved != NULL) {
+ if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) &&
+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
+ ret = 0;
+ }
+ free(saved);
+ }
+ return ret;
+}
Index: pam_krb5-2.3.1-1/src/perms.h
===================================================================
--- pam_krb5-2.3.1-1.orig/src/perms.h
+++ pam_krb5-2.3.1-1/src/perms.h
@@ -37,4 +37,7 @@ struct _pam_krb5_perms;
 struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
 int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
+struct _pam_krb5_perms *_pam_krb5_switch_perms_r2e(void);
+int _pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved);
+
 #endif
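Review bot: `_pam_krb5_restore_perms_r2e()` in src/perms.c joins its two calls with `&&`, so when `setresuid()` fails the `setresgid()` is never attempted; the process then keeps the swapped group IDs as well, and `saved` has been freed so no retry is possible. Attempting both calls and combining the results avoids the half-restored state: `int u = setresuid(saved->ruid, saved->euid, saved->ruid);`, `int g = setresgid(saved->rgid, saved->egid, saved->rgid);`, `ret = (u == 0 && g == 0) ? 0 : -1;`. In `_pam_krb5_switch_perms_r2e()` the rollback `setresgid(ret->rgid, ret->egid, ret->rgid)` after a failed `setresuid()` is likewise unchecked. Both functions also need a header comment stating the (real, effective, saved) argument order, that the original effective ID is parked in the saved ID so the switch is temporary rather than a permanent drop, and that a NULL return means the switch failed.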