pam_kwallet/0003-Exit-early-if-the-target-user-is-root.patch

From 2126d9f148506d71ebc5576a91259c80e095f5ec Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fabian@ritter-vogt.de>
Date: Mon, 13 Mar 2023 10:12:18 +0100
Subject: [PATCH 3/4] Exit early if the target user is root

kwallet should not be used as root user, so just refuse doing anything if
root is the target user.
---
 pam_kwallet.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pam_kwallet.c b/pam_kwallet.c
index 2cd3758..49be6c0 100644
--- a/pam_kwallet.c
+++ b/pam_kwallet.c
@@ -265,6 +265,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
         return PAM_IGNORE;
     }
 
+    if (userInfo->pw_uid == 0) {
+        pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);
+        return PAM_IGNORE;
+    }
+
     const char *password;
     result = pam_get_item(pamh, PAM_AUTHTOK, (const void**)&password);
 
@@ -569,6 +574,11 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
         return PAM_IGNORE;
     }
 
+    if (userInfo->pw_uid == 0) {
+        pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);
+        return PAM_IGNORE;
+    }
+
     char *password;
     result = pam_get_data(pamh, kwalletPamDataKey, (const void **)&password);
 
-- 
2.39.2
Accepting request 1071111 from home:Vogtinator:plasma5.27 - Add patches for handling edge cases and hardening: * 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch * 0002-Don-t-do-anything-if-the-password-is-empty.patch * 0003-Exit-early-if-the-target-user-is-root.patch * 0004-Don-t-call-pam_sm_open_session-within-pam_sm_authent.patch OBS-URL: https://build.opensuse.org/request/show/1071111 OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=264 2023-03-13 16:17:31 +00:00			`From 2126d9f148506d71ebc5576a91259c80e095f5ec Mon Sep 17 00:00:00 2001`
			`From: Fabian Vogt <fabian@ritter-vogt.de>`
			`Date: Mon, 13 Mar 2023 10:12:18 +0100`
			`Subject: [PATCH 3/4] Exit early if the target user is root`

			`kwallet should not be used as root user, so just refuse doing anything if`
			`root is the target user.`
			`---`
			`pam_kwallet.c \| 10 ++++++++++`
			`1 file changed, 10 insertions(+)`

			`diff --git a/pam_kwallet.c b/pam_kwallet.c`
			`index 2cd3758..49be6c0 100644`
			`--- a/pam_kwallet.c`
			`+++ b/pam_kwallet.c`
			`@@ -265,6 +265,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons`
			`return PAM_IGNORE;`
			`}`

			`+ if (userInfo->pw_uid == 0) {`
			`+ pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);`
			`+ return PAM_IGNORE;`
			`+ }`
			`+`
			`const char *password;`
			`result = pam_get_item(pamh, PAM_AUTHTOK, (const void**)&password);`

			`@@ -569,6 +574,11 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons`
			`return PAM_IGNORE;`
			`}`

			`+ if (userInfo->pw_uid == 0) {`
			`+ pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);`
			`+ return PAM_IGNORE;`
			`+ }`
			`+`
			`char *password;`
			`result = pam_get_data(pamh, kwalletPamDataKey, (const void **)&password);`

			`--`
			`2.39.2`