pool/slurm
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9eefc8e774
slurm/pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch
Christian Goll 9eefc8e774 Accepting request 657422 from home:mslacken:slurm18 
- restarting services on update only when activated 
- added rotation of logs
- Added backported patches which harden the pam module pam_slurm_adopt
  (BOO#1116758) which will be in slurm 19.05.x
  * added pam_slurm_adopt-avoid-running-outside-of-the-sshd-PA.patch
    [PATCH 1/3] pam_slurm_adopt: avoid running outside of the sshd PAM
  * added pam_slurm_adopt-send_user_msg-don-t-copy-undefined-d.patch
    [PATCH 2/3] pam_slurm_adopt: send_user_msg: don't copy undefined data
  * added pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch
    [PATCH 3/3] pam_slurm_adopt: use uid to determine whether root is
    logging on
- package slurm-pam_slurm now depends on slurm-node and not on slurm

OBS-URL: https://build.opensuse.org/request/show/657422
OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=79
2018-12-12 09:28:26 +00:00

57 lines
2.0 KiB
Diff
Raw Blame History

From 86f74afb04f2f8f40751ccc0bdbfd77b99035d8d Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 5 Dec 2018 15:08:53 +0100
Subject: [PATCH 3/3] pam_slurm_adopt: use uid to determine whether root is
logging on
In some systems there can be multiple user accounts for uid 0, therefore
the check for literal user name "root" might be insufficient.
Signed-off-by: Christian Goll <cgoll@suse.de>
---
contribs/pam_slurm_adopt/pam_slurm_adopt.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/contribs/pam_slurm_adopt/pam_slurm_adopt.c b/contribs/pam_slurm_adopt/pam_slurm_adopt.c
index da21479f61..c4635b4693 100644
--- a/contribs/pam_slurm_adopt/pam_slurm_adopt.c
+++ b/contribs/pam_slurm_adopt/pam_slurm_adopt.c
@@ -708,17 +708,6 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags
opts.ignore_root = 1;
}
- /* Ignoring root is probably best but the admin can allow it */
- if (!strcmp(user_name, "root")) {
- if (opts.ignore_root) {
- info("Ignoring root user");
- return PAM_IGNORE;
- } else {
- /* This administrator is crazy */
- info("Danger!!! This is a connection attempt by root and ignore_root=0 is set! Hope for the best!");
- }
- }
-
/* Calculate buffer size for getpwnam_r */
bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
if (bufsize == -1)
@@ -740,6 +729,16 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags
if (_load_cgroup_config() != SLURM_SUCCESS)
return rc;
+ /* Ignoring root is probably best but the admin can allow it */
+ if (pwd.pw_uid == 0) {
+ if (opts.ignore_root) {
+ info("Ignoring root user");
+ return PAM_IGNORE;
+ } else {
+ /* This administrator is crazy */
+ info("Danger!!! This is a connection attempt by root (user id 0) and ignore_root=0 is set! Hope for the best!");
+ }
+ }
/* Check if there are any steps on the node from any user. A failure here
* likely means failures everywhere so exit on failure or if no local jobs
--
2.16.4
Reference in New Issue View Git Blame Copy Permalink