forked from pool/pam_kwallet
c3c23f9515
- Add patches for handling edge cases and hardening: * 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch * 0002-Don-t-do-anything-if-the-password-is-empty.patch * 0003-Exit-early-if-the-target-user-is-root.patch * 0004-Don-t-call-pam_sm_open_session-within-pam_sm_authent.patch OBS-URL: https://build.opensuse.org/request/show/1071111 OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=264
43 lines
1.3 KiB
Diff
43 lines
1.3 KiB
Diff
From 2126d9f148506d71ebc5576a91259c80e095f5ec Mon Sep 17 00:00:00 2001
|
|
From: Fabian Vogt <fabian@ritter-vogt.de>
|
|
Date: Mon, 13 Mar 2023 10:12:18 +0100
|
|
Subject: [PATCH 3/4] Exit early if the target user is root
|
|
|
|
kwallet should not be used as root user, so just refuse doing anything if
|
|
root is the target user.
|
|
---
|
|
pam_kwallet.c | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/pam_kwallet.c b/pam_kwallet.c
|
|
index 2cd3758..49be6c0 100644
|
|
--- a/pam_kwallet.c
|
|
+++ b/pam_kwallet.c
|
|
@@ -265,6 +265,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
|
|
return PAM_IGNORE;
|
|
}
|
|
|
|
+ if (userInfo->pw_uid == 0) {
|
|
+ pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);
|
|
+ return PAM_IGNORE;
|
|
+ }
|
|
+
|
|
const char *password;
|
|
result = pam_get_item(pamh, PAM_AUTHTOK, (const void**)&password);
|
|
|
|
@@ -569,6 +574,11 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons
|
|
return PAM_IGNORE;
|
|
}
|
|
|
|
+ if (userInfo->pw_uid == 0) {
|
|
+ pam_syslog(pamh, LOG_DEBUG, "%s: Refusing to do anything for the root user", logPrefix);
|
|
+ return PAM_IGNORE;
|
|
+ }
|
|
+
|
|
char *password;
|
|
result = pam_get_data(pamh, kwalletPamDataKey, (const void **)&password);
|
|
|
|
--
|
|
2.39.2
|
|
|