slurm/pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch

From 86f74afb04f2f8f40751ccc0bdbfd77b99035d8d Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 5 Dec 2018 15:08:53 +0100
Subject: [PATCH 3/3] pam_slurm_adopt: use uid to determine whether root is
 logging on

In some systems there can be multiple user accounts for uid 0, therefore
the check for literal user name "root" might be insufficient.

Signed-off-by: Christian Goll <cgoll@suse.de>
---
 contribs/pam_slurm_adopt/pam_slurm_adopt.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/contribs/pam_slurm_adopt/pam_slurm_adopt.c b/contribs/pam_slurm_adopt/pam_slurm_adopt.c
index da21479f61..c4635b4693 100644
--- a/contribs/pam_slurm_adopt/pam_slurm_adopt.c
+++ b/contribs/pam_slurm_adopt/pam_slurm_adopt.c
@@ -708,17 +708,6 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags
 		opts.ignore_root = 1;
 	}
 
-	/* Ignoring root is probably best but the admin can allow it */
-	if (!strcmp(user_name, "root")) {
-		if (opts.ignore_root) {
-			info("Ignoring root user");
-			return PAM_IGNORE;
-		} else {
-			/* This administrator is crazy */
-			info("Danger!!! This is a connection attempt by root and ignore_root=0 is set! Hope for the best!");
-		}
-	}
-
 	/* Calculate buffer size for getpwnam_r */
 	bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
 	if (bufsize == -1)
@@ -740,6 +729,16 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags
 
 	if (_load_cgroup_config() != SLURM_SUCCESS)
 		return rc;
+	/* Ignoring root is probably best but the admin can allow it */
+	if (pwd.pw_uid == 0) {
+		if (opts.ignore_root) {
+			info("Ignoring root user");
+			return PAM_IGNORE;
+		} else {
+			/* This administrator is crazy */
+			info("Danger!!! This is a connection attempt by root (user id 0) and ignore_root=0 is set! Hope for the best!");
+		}
+	}
 
 	/* Check if there are any steps on the node from any user. A failure here
 	 * likely means failures everywhere so exit on failure or if no local jobs
-- 
2.16.4
Accepting request 657422 from home:mslacken:slurm18 - restarting services on update only when activated - added rotation of logs - Added backported patches which harden the pam module pam_slurm_adopt (BOO#1116758) which will be in slurm 19.05.x * added pam_slurm_adopt-avoid-running-outside-of-the-sshd-PA.patch [PATCH 1/3] pam_slurm_adopt: avoid running outside of the sshd PAM * added pam_slurm_adopt-send_user_msg-don-t-copy-undefined-d.patch [PATCH 2/3] pam_slurm_adopt: send_user_msg: don't copy undefined data * added pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch [PATCH 3/3] pam_slurm_adopt: use uid to determine whether root is logging on - package slurm-pam_slurm now depends on slurm-node and not on slurm OBS-URL: https://build.opensuse.org/request/show/657422 OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=79 2018-12-12 10:28:26 +01:00			`From 86f74afb04f2f8f40751ccc0bdbfd77b99035d8d Mon Sep 17 00:00:00 2001`
			`From: Matthias Gerstner <matthias.gerstner@suse.de>`
			`Date: Wed, 5 Dec 2018 15:08:53 +0100`
			`Subject: [PATCH 3/3] pam_slurm_adopt: use uid to determine whether root is`
			`logging on`

			`In some systems there can be multiple user accounts for uid 0, therefore`
			`the check for literal user name "root" might be insufficient.`

			`Signed-off-by: Christian Goll <cgoll@suse.de>`
			`---`
			`contribs/pam_slurm_adopt/pam_slurm_adopt.c \| 21 ++++++++++-----------`
			`1 file changed, 10 insertions(+), 11 deletions(-)`

			`diff --git a/contribs/pam_slurm_adopt/pam_slurm_adopt.c b/contribs/pam_slurm_adopt/pam_slurm_adopt.c`
			`index da21479f61..c4635b4693 100644`
			`--- a/contribs/pam_slurm_adopt/pam_slurm_adopt.c`
			`+++ b/contribs/pam_slurm_adopt/pam_slurm_adopt.c`
			`@@ -708,17 +708,6 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags`
			`opts.ignore_root = 1;`
			`}`

			`- /* Ignoring root is probably best but the admin can allow it */`
			`- if (!strcmp(user_name, "root")) {`
			`- if (opts.ignore_root) {`
			`- info("Ignoring root user");`
			`- return PAM_IGNORE;`
			`- } else {`
			`- /* This administrator is crazy */`
			`- info("Danger!!! This is a connection attempt by root and ignore_root=0 is set! Hope for the best!");`
			`- }`
			`- }`
			`-`
			`/* Calculate buffer size for getpwnam_r */`
			`bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);`
			`if (bufsize == -1)`
			`@@ -740,6 +729,16 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags`

			`if (_load_cgroup_config() != SLURM_SUCCESS)`
			`return rc;`
			`+ /* Ignoring root is probably best but the admin can allow it */`
			`+ if (pwd.pw_uid == 0) {`
			`+ if (opts.ignore_root) {`
			`+ info("Ignoring root user");`
			`+ return PAM_IGNORE;`
			`+ } else {`
			`+ /* This administrator is crazy */`
			`+ info("Danger!!! This is a connection attempt by root (user id 0) and ignore_root=0 is set! Hope for the best!");`
			`+ }`
			`+ }`

			`/* Check if there are any steps on the node from any user. A failure here`
			`* likely means failures everywhere so exit on failure or if no local jobs`
			`--`
			`2.16.4`