-rw-r--r-- | contrib/openpam/lib/openpam_borrow_cred.c | 17 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_findenv.c | 8 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_get_option.c | 4 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_impl.h | 29 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_restore_cred.c | 12 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_set_option.c | 4 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_get_data.c | 4 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_get_item.c | 20 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_set_data.c | 4 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_set_item.c | 4 |
10 files changed, 77 insertions, 29 deletions
diff --git a/contrib/openpam/lib/openpam_borrow_cred.c b/contrib/openpam/lib/openpam_borrow_cred.c
index ef1a850..8a8c458 100644
--- a/contrib/openpam/lib/openpam_borrow_cred.c
+++ b/contrib/openpam/lib/openpam_borrow_cred.c
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#3 $
+ * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#4 $
  */
 #include <sys/param.h>
@@ -57,9 +57,18 @@ openpam_borrow_cred(pam_handle_t *pamh,
 struct pam_saved_cred *scred;
 int r;
- ENTER();
- if (geteuid() != 0)
+ ENTERI(pwd->pw_uid);
+ r = pam_get_data(pamh, PAM_SAVED_CRED, (const void **)&scred);
+ if (r == PAM_SUCCESS && scred != NULL) {
+ openpam_log(PAM_LOG_DEBUG,
+ "already operating under borrowed credentials");
+ RETURNC(PAM_SYSTEM_ERR);
+ }
+ if (geteuid() != 0 && geteuid() != pwd->pw_uid) {
+ openpam_log(PAM_LOG_DEBUG, "called with non-zero euid: %d",
+ (int)geteuid());
 RETURNC(PAM_PERM_DENIED);
+ }
 scred = calloc(1, sizeof *scred);
 if (scred == NULL)
 RETURNC(PAM_BUF_ERR);
@@ -76,6 +85,8 @@ openpam_borrow_cred(pam_handle_t *pamh,
 free(scred);
 RETURNC(r);
 }
+ if (geteuid() == pwd->pw_uid)
+ RETURNC(PAM_SUCCESS);
 if (initgroups(pwd->pw_name, pwd->pw_gid) == -1 ||
 setegid(pwd->pw_gid) == -1 || seteuid(pwd->pw_uid) == -1) {
 openpam_restore_cred(pamh);
diff --git a/contrib/openpam/lib/openpam_findenv.c b/contrib/openpam/lib/openpam_findenv.c
index 2dba88a..63d81dd 100644
--- a/contrib/openpam/lib/openpam_findenv.c
+++ b/contrib/openpam/lib/openpam_findenv.c
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/openpam_findenv.c#9 $
+ * $P4: //depot/projects/openpam/lib/openpam_findenv.c#10 $
  */
 #include <string.h>
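Review bot: `ENTERI(pwd->pw_uid)` in the second hunk of openpam_borrow_cred.c applies the item-type tracing macro to a uid, so for any uid between 1 and PAM_NUM_ITEMS-1 the debug log prints a PAM item name such as PAM_CONV instead of the number. The plain-number macro introduced by the same commit is the right one here, and an explicit cast keeps the `%d` conversion correct for uid_t (unsigned on most systems), the way the hunk already casts geteuid(): `ENTERN((int)pwd->pw_uid);`. The relaxed euid check and the new early `RETURNC(PAM_SUCCESS)` in the third hunk look consistent with each other, since the saved-cred data is presumably stored between the hunks and openpam_restore_cred now skips the switch when the euid is unchanged. openpam_borrow_cred's body continues outside the hunks.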
@@ -55,12 +55,12 @@ openpam_findenv(pam_handle_t *pamh,
 ENTER();
 if (pamh == NULL)
- RETURNI(-1);
+ RETURNN(-1);
 for (i = 0; i < pamh->env_count; ++i)
 if (strncmp(pamh->env[i], name, len) == 0 &&
 pamh->env[i][len] == '=')
- RETURNI(i);
- RETURNI(-1);
+ RETURNN(i);
+ RETURNN(-1);
 }
 /*
diff --git a/contrib/openpam/lib/openpam_get_option.c b/contrib/openpam/lib/openpam_get_option.c
index d3993ea..90020d2 100644
--- a/contrib/openpam/lib/openpam_get_option.c
+++ b/contrib/openpam/lib/openpam_get_option.c
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/openpam_get_option.c#5 $
+ * $P4: //depot/projects/openpam/lib/openpam_get_option.c#6 $
  */
 #include <sys/param.h>
@@ -57,7 +57,7 @@ openpam_get_option(pam_handle_t *pamh,
 size_t len;
 int i;
- ENTER();
+ ENTERS(option);
 if (pamh == NULL || pamh->current == NULL || option == NULL)
 RETURNS(NULL);
 cur = pamh->current;
diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h
index 87818b6..0ab2811 100644
--- a/contrib/openpam/lib/openpam_impl.h
+++ b/contrib/openpam/lib/openpam_impl.h
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/openpam_impl.h#19 $
+ * $P4: //depot/projects/openpam/lib/openpam_impl.h#20 $
  */
 #ifndef _OPENPAM_IMPL_H_INCLUDED
@@ -42,6 +42,7 @@ extern const char *_pam_func_name[PAM_NUM_PRIMITIVES];
 extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES];
 extern const char *_pam_err_name[PAM_NUM_ERRORS];
+extern const char *_pam_item_name[PAM_NUM_ITEMS];
 /*
  * Control flags
@@ -123,6 +124,21 @@ pam_module_t *openpam_dynamic(const char *);
 #ifdef DEBUG
 #define ENTER() openpam_log(PAM_LOG_DEBUG, "entering")
+#define ENTERI(i) do { \
+ if ((i) > 0 && (i) < PAM_NUM_ITEMS) \
+ openpam_log(PAM_LOG_DEBUG, "entering: %s", _pam_item_name[i]); \
+ else \
+ openpam_log(PAM_LOG_DEBUG, "entering: %d", (i)); \
+} while (0);
+#define ENTERN(n) do { \
+ openpam_log(PAM_LOG_DEBUG, "entering: %d", (n)); \
+} while (0);
+#define ENTERS(s) do { \
+ if ((s) == NULL) \
+ openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \
+ else \
+ openpam_log(PAM_LOG_DEBUG, "entering: '%s'", (s)); \
+} while (0);
 #define RETURNV() openpam_log(PAM_LOG_DEBUG, "returning")
 #define RETURNC(c) do { \
 if ((c) >= 0 && (c) < PAM_NUM_ERRORS) \
@@ -131,9 +147,9 @@ pam_module_t *openpam_dynamic(const char *);
 openpam_log(PAM_LOG_DEBUG, "returning %d!", (c)); \
 return (c); \
 } while (0)
-#define RETURNI(i) do { \
- openpam_log(PAM_LOG_DEBUG, "returning %d", (i)); \
- return (i); \
+#define RETURNN(n) do { \
+ openpam_log(PAM_LOG_DEBUG, "returning %d", (n)); \
+ return (n); \
 } while (0)
 #define RETURNP(p) do { \
 if ((p) == NULL) \
@@ -151,9 +167,12 @@ pam_module_t *openpam_dynamic(const char *);
 } while (0)
 #else
 #define ENTER()
+#define ENTERI(i)
+#define ENTERN(n)
+#define ENTERS(s)
 #define RETURNV() return
 #define RETURNC(c) return (c)
-#define RETURNI(i) return (i)
+#define RETURNN(n) return (n)
 #define RETURNP(p) return (p)
 #define RETURNS(s) return (s)
 #endif
diff --git a/contrib/openpam/lib/openpam_restore_cred.c b/contrib/openpam/lib/openpam_restore_cred.c
index 75ebe5e..d18f78f 100644
--- a/contrib/openpam/lib/openpam_restore_cred.c
+++ b/contrib/openpam/lib/openpam_restore_cred.c
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#3 $
+ * $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#4 $
  */
 #include <sys/param.h>
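Review bot: The three new `ENTERI`/`ENTERN`/`ENTERS` macros in the first openpam_impl.h hunk end with `} while (0);`, a trailing semicolon that the neighbouring `RETURNC`/`RETURNN` bodies deliberately omit. A call such as `ENTERS(option);` then expands to two statements, which is harmless as a plain statement but silently breaks `if (x) ENTERS(s); else ...`, and it makes the DEBUG definitions behave differently from the empty non-DEBUG ones in the third hunk. Drop the semicolon on all three so they read `} while (0)` like the return macros. Separately, `ENTERI` tests `(i) > 0` although `_pam_item_name[0]` is populated with "(NO ITEM)" in pam_get_item.c; `(i) >= 0` would use the table consistently with `RETURNC`'s `(c) >= 0` check.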
@@ -62,10 +62,12 @@ openpam_restore_cred(pam_handle_t *pamh)
 RETURNC(r);
 if (scred == NULL)
 RETURNC(PAM_SYSTEM_ERR);
- if (seteuid(scred->euid) == -1 ||
- setgroups(scred->ngroups, scred->groups) == -1 ||
- setegid(scred->egid) == -1)
- RETURNC(PAM_SYSTEM_ERR);
+ if (scred->euid != geteuid()) {
+ if (seteuid(scred->euid) == -1 ||
+ setgroups(scred->ngroups, scred->groups) == -1 ||
+ setegid(scred->egid) == -1)
+ RETURNC(PAM_SYSTEM_ERR);
+ }
 pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL);
 RETURNC(PAM_SUCCESS);
 }
diff --git a/contrib/openpam/lib/openpam_set_option.c b/contrib/openpam/lib/openpam_set_option.c
index f65733b..d981398 100644
--- a/contrib/openpam/lib/openpam_set_option.c
+++ b/contrib/openpam/lib/openpam_set_option.c
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/openpam_set_option.c#6 $
+ * $P4: //depot/projects/openpam/lib/openpam_set_option.c#7 $
  */
 #include <sys/param.h>
@@ -61,7 +61,7 @@ openpam_set_option(pam_handle_t *pamh,
 size_t len;
 int i;
- ENTER();
+ ENTERS(option);
 if (pamh == NULL || pamh->current == NULL || option == NULL)
 RETURNC(PAM_SYSTEM_ERR);
 cur = pamh->current;
diff --git a/contrib/openpam/lib/pam_get_data.c b/contrib/openpam/lib/pam_get_data.c
index 96038ca..63de926 100644
--- a/contrib/openpam/lib/pam_get_data.c
+++ b/contrib/openpam/lib/pam_get_data.c
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/pam_get_data.c#9 $
+ * $P4: //depot/projects/openpam/lib/pam_get_data.c#10 $
  */
 #include <string.h>
@@ -54,7 +54,7 @@ pam_get_data(pam_handle_t *pamh,
 {
 pam_data_t *dp;
- ENTER();
+ ENTERS(module_data_name);
 if (pamh == NULL)
 RETURNC(PAM_SYSTEM_ERR);
 for (dp = pamh->module_data; dp != NULL; dp = dp->next)
diff --git a/contrib/openpam/lib/pam_get_item.c b/contrib/openpam/lib/pam_get_item.c
index f3e8c9b..fa63d3e 100644
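Review bot: `if (scred->euid != geteuid())` in the openpam_restore_cred.c hunk infers whether credentials were actually switched by comparing the saved euid with the current one, rather than from a record of what openpam_borrow_cred did. If anything changed the euid between the borrow and the restore, the wrong branch is taken and setgroups()/setegid() are either skipped or applied against an unexpected identity, so the heuristic deserves at least a comment: `/* skip the switch back if openpam_borrow_cred took the early euid == pw_uid path */`. A more robust shape would be a new flag in `struct pam_saved_cred` set by openpam_borrow_cred when it really switched and tested here instead of the euid comparison. The saved-cred reset via pam_set_data() and the PAM_SUCCESS return below are untouched by the change.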
--- a/contrib/openpam/lib/pam_get_item.c
+++ b/contrib/openpam/lib/pam_get_item.c
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/pam_get_item.c#14 $
+ * $P4: //depot/projects/openpam/lib/pam_get_item.c#15 $
  */
 #include <sys/param.h>
@@ -40,6 +40,22 @@
 #include "openpam_impl.h"
+const char *_pam_item_name[PAM_NUM_ITEMS] = {
+ "(NO ITEM)",
+ "PAM_SERVICE",
+ "PAM_USER",
+ "PAM_TTY",
+ "PAM_RHOST",
+ "PAM_CONV",
+ "PAM_AUTHTOK",
+ "PAM_OLDAUTHTOK",
+ "PAM_RUSER",
+ "PAM_USER_PROMPT",
+ "PAM_REPOSITORY",
+ "PAM_AUTHTOK_PROMPT",
+ "PAM_OLDAUTHTOK_PROMPT"
+};
+
 /*
  * XSSO 4.2.1
  * XSSO 6 page 46
@@ -53,7 +69,7 @@ pam_get_item(pam_handle_t *pamh,
 const void **item)
 {
- ENTER();
+ ENTERI(item_type);
 if (pamh == NULL)
 RETURNC(PAM_SYSTEM_ERR);
 switch (item_type) {
diff --git a/contrib/openpam/lib/pam_set_data.c b/contrib/openpam/lib/pam_set_data.c
index c944e0f..5428bb1 100644
--- a/contrib/openpam/lib/pam_set_data.c
+++ b/contrib/openpam/lib/pam_set_data.c
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/pam_set_data.c#11 $
+ * $P4: //depot/projects/openpam/lib/pam_set_data.c#12 $
  */
 #include <stdlib.h>
@@ -58,7 +58,7 @@ pam_set_data(pam_handle_t *pamh,
 {
 pam_data_t *dp;
- ENTER();
+ ENTERS(module_data_name);
 if (pamh == NULL)
 RETURNC(PAM_SYSTEM_ERR);
 for (dp = pamh->module_data; dp != NULL; dp = dp->next) {
diff --git a/contrib/openpam/lib/pam_set_item.c b/contrib/openpam/lib/pam_set_item.c
index 42653b1..250d287 100644
--- a/contrib/openpam/lib/pam_set_item.c
+++ b/contrib/openpam/lib/pam_set_item.c
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/lib/pam_set_item.c#16 $
+ * $P4: //depot/projects/openpam/lib/pam_set_item.c#17 $
  */
 #include <sys/param.h>
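Review bot: The new `_pam_item_name[PAM_NUM_ITEMS]` table in pam_get_item.c has 13 initializers and nothing ties that count to PAM_NUM_ITEMS or to the item enum's order; if an item type is added later, the trailing slots are silently NULL and `ENTERI` hands them to a `%s` conversion, so a DEBUG build crashes or logs garbage the first time that item is traced. At minimum the table should carry a comment making the coupling visible, `/* indexed by item_type; must have exactly PAM_NUM_ITEMS entries in enum order */`, and the existing tests could assert that the last entry is non-NULL. The `(NO ITEM)` placeholder at index 0 is never reached through `ENTERI`, which only looks up indices greater than 0.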
@@ -58,7 +58,7 @@ pam_set_item(pam_handle_t *pamh,
 void **slot, *tmp;
 size_t nsize, osize;
- ENTER();
+ ENTERI(item_type);
 if (pamh == NULL)
 RETURNC(PAM_SYSTEM_ERR);
 slot = &pamh->item[item_type]; |
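Review bot: `ENTERI(item_type)` range-checks item_type against PAM_NUM_ITEMS before indexing `_pam_item_name`, but two statements later the existing `slot = &pamh->item[item_type];` indexes `pamh->item` with the same caller-supplied value and no check is visible in the hunk. The switch that presumably rejects bad item types lies outside the hunk, yet forming `&pamh->item[item_type]` for an out-of-range index is already out-of-bounds pointer arithmetic, so the validation belongs before the `slot` assignment: `if (item_type <= 0 || item_type >= PAM_NUM_ITEMS) RETURNC(PAM_SYMBOL_ERR);`. pam_set_item's body continues outside the hunk.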