pool/pam_krb5
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c4c1d3c115
pam_krb5/pam_krb5-2.3.1-switch-perms-on-refresh.dif
Michael Calmer c4c1d3c115 - update to version 2.4.4 
* drop configuration settings that duplicated library settings
  * drop the existing_ticket option
  * drop krb4 support
  * add support for preserving configuration information in ccaches
  * add support for creating and cleaning up DIR: ccaches
  * finish cleaning up KEYRING: ccaches
  * add experimental "armor" and "armor_strategy" options
  * handle creation of /run/user/XXX for FILE: and DIR: caches
  * handle different function signatures for krb5_trace_callback
  * avoid overriding the primary when updating DIR: caches
- obsolets patches (upstream):
  * pam_krb5-2.2.0-0.5-configure_ac.dif
  * use-urandom-for-tests.dif

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=26
2013-04-16 09:12:50 +00:00

112 lines
3.0 KiB
Plaintext
Raw Blame History

Index: pam_krb5-2.4.4/src/auth.c
===================================================================
--- pam_krb5-2.4.4.orig/src/auth.c
+++ pam_krb5-2.4.4/src/auth.c
@@ -56,6 +56,7 @@
#include "items.h"
#include "kuserok.h"
#include "log.h"
+#include "perms.h"
#include "options.h"
#include "prompter.h"
#include "session.h"
@@ -433,6 +434,7 @@ int
pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, PAM_KRB5_MAYBE_CONST char **argv)
{
+ struct _pam_krb5_perms *saved_perms;
notice("pam_setcred (%s) called",
(flags & PAM_ESTABLISH_CRED)?"establish credential":
(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
@@ -444,10 +446,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
_pam_krb5_session_caller_setcred);
}
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
+ saved_perms = _pam_krb5_switch_perms_r2e();
+
if (_pam_krb5_sly_looks_unsafe() == 0) {
- return _pam_krb5_sly_maybe_refresh(pamh, flags,
- argc, argv);
+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv);
+ if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms);
+ }
+ saved_perms = NULL;
+
+ return i;
} else {
+ debug("looks unsafe - ignore refresh");
+ if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms);
+ }
+ saved_perms = NULL;
return PAM_IGNORE;
}
}
Index: pam_krb5-2.4.4/src/perms.c
===================================================================
--- pam_krb5-2.4.4.orig/src/perms.c
+++ pam_krb5-2.4.4/src/perms.c
@@ -89,3 +89,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
}
return ret;
}
+
+struct _pam_krb5_perms *
+_pam_krb5_switch_perms_r2e(void)
+{
+ struct _pam_krb5_perms *ret;
+ ret = malloc(sizeof(*ret));
+ if (ret != NULL) {
+ ret->ruid = getuid();
+ ret->euid = geteuid();
+ ret->rgid = getgid();
+ ret->egid = getegid();
+ if (ret->ruid == ret->euid) {
+ ret->ruid = -1;
+ ret->euid = -1;
+ }
+ if (ret->rgid == ret->egid) {
+ ret->rgid = -1;
+ ret->egid = -1;
+ }
+ if (setresgid(ret->rgid, ret->rgid, ret->egid) == -1) {
+ free(ret);
+ ret = NULL;
+ } else {
+ if (setresuid(ret->ruid, ret->ruid, ret->euid) == -1) {
+ setresgid(ret->rgid, ret->egid, ret->rgid);
+ free(ret);
+ ret = NULL;
+ }
+ }
+ }
+ return ret;
+}
+
+int
+_pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved)
+{
+ int ret = -1;
+ if (saved != NULL) {
+ if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) &&
+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
+ ret = 0;
+ }
+ free(saved);
+ }
+ return ret;
+}
Index: pam_krb5-2.4.4/src/perms.h
===================================================================
--- pam_krb5-2.4.4.orig/src/perms.h
+++ pam_krb5-2.4.4/src/perms.h
@@ -37,4 +37,7 @@ struct _pam_krb5_perms;
struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
+struct _pam_krb5_perms *_pam_krb5_switch_perms_r2e(void);
+int _pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved);
+
#endif
Reference in New Issue View Git Blame Copy Permalink