-rw-r--r--contrib/openpam/lib/openpam_borrow_cred.c17
-rw-r--r--contrib/openpam/lib/openpam_findenv.c8
-rw-r--r--contrib/openpam/lib/openpam_get_option.c4
-rw-r--r--contrib/openpam/lib/openpam_impl.h29
-rw-r--r--contrib/openpam/lib/openpam_restore_cred.c12
-rw-r--r--contrib/openpam/lib/openpam_set_option.c4
-rw-r--r--contrib/openpam/lib/pam_get_data.c4
-rw-r--r--contrib/openpam/lib/pam_get_item.c20
-rw-r--r--contrib/openpam/lib/pam_set_data.c4
-rw-r--r--contrib/openpam/lib/pam_set_item.c4
10 files changed, 77 insertions, 29 deletions
diff --git a/contrib/openpam/lib/openpam_borrow_cred.c b/contrib/openpam/lib/openpam_borrow_cred.c
index ef1a850..8a8c458 100644
--- a/contrib/openpam/lib/openpam_borrow_cred.c
+++ b/contrib/openpam/lib/openpam_borrow_cred.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#3 $
+ * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#4 $
*/
#include <sys/param.h>
@@ -57,9 +57,18 @@ openpam_borrow_cred(pam_handle_t *pamh,
struct pam_saved_cred *scred;
int r;
- ENTER();
- if (geteuid() != 0)
+ ENTERI(pwd->pw_uid);
+ r = pam_get_data(pamh, PAM_SAVED_CRED, (const void **)&scred);
+ if (r == PAM_SUCCESS && scred != NULL) {
+ openpam_log(PAM_LOG_DEBUG,
+ "already operating under borrowed credentials");
+ RETURNC(PAM_SYSTEM_ERR);
+ }
+ if (geteuid() != 0 && geteuid() != pwd->pw_uid) {
+ openpam_log(PAM_LOG_DEBUG, "called with non-zero euid: %d",
+ (int)geteuid());
RETURNC(PAM_PERM_DENIED);
+ }
scred = calloc(1, sizeof *scred);
if (scred == NULL)
RETURNC(PAM_BUF_ERR);
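Review bot: `ENTERI(pwd->pw_uid)` on the first added line misapplies the item-name macro: ENTERI indexes `_pam_item_name` for any value in 1..PAM_NUM_ITEMS-1, so a uid such as 5 would be logged as `entering: PAM_CONV`, which is misleading when reading a debug trace of a credential switch. The argument is a uid, not an item type, so `ENTERN((int)pwd->pw_uid);` — also introduced by this commit, and the cast matches the `(int)geteuid()` already used for the `%d` log call a few lines below — logs it numerically without a format/type mismatch. Caching `geteuid()` once in a local would also avoid calling it three times on the same path. openpam_borrow_cred continues past the end of this hunk.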
@@ -76,6 +85,8 @@ openpam_borrow_cred(pam_handle_t *pamh,
free(scred);
RETURNC(r);
}
+ if (geteuid() == pwd->pw_uid)
+ RETURNC(PAM_SUCCESS);
if (initgroups(pwd->pw_name, pwd->pw_gid) == -1 ||
setegid(pwd->pw_gid) == -1 || seteuid(pwd->pw_uid) == -1) {
openpam_restore_cred(pamh);
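Review bot: The new early return `if (geteuid() == pwd->pw_uid) RETURNC(PAM_SUCCESS);` tests only the effective uid, so the caller receives PAM_SUCCESS while the effective gid and supplementary groups may still be those of the calling process rather than pwd's, because the initgroups()/setegid() calls below are skipped. If that is intended (a non-root euid could not call initgroups() anyway), a comment on the check would save the next reader from treating it as an oversight, e.g. `/* already running as the user; group list is left untouched since initgroups() requires root */`. The matching euid-only guard added to openpam_restore_cred has the same property. The function continues outside this hunk.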
diff --git a/contrib/openpam/lib/openpam_findenv.c b/contrib/openpam/lib/openpam_findenv.c
index 2dba88a..63d81dd 100644
--- a/contrib/openpam/lib/openpam_findenv.c
+++ b/contrib/openpam/lib/openpam_findenv.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/openpam_findenv.c#9 $
+ * $P4: //depot/projects/openpam/lib/openpam_findenv.c#10 $
*/
#include <string.h>
@@ -55,12 +55,12 @@ openpam_findenv(pam_handle_t *pamh,
ENTER();
if (pamh == NULL)
- RETURNI(-1);
+ RETURNN(-1);
for (i = 0; i < pamh->env_count; ++i)
if (strncmp(pamh->env[i], name, len) == 0 &&
pamh->env[i][len] == '=')
- RETURNI(i);
- RETURNI(-1);
+ RETURNN(i);
+ RETURNN(-1);
}
/*
diff --git a/contrib/openpam/lib/openpam_get_option.c b/contrib/openpam/lib/openpam_get_option.c
index d3993ea..90020d2 100644
--- a/contrib/openpam/lib/openpam_get_option.c
+++ b/contrib/openpam/lib/openpam_get_option.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/openpam_get_option.c#5 $
+ * $P4: //depot/projects/openpam/lib/openpam_get_option.c#6 $
*/
#include <sys/param.h>
@@ -57,7 +57,7 @@ openpam_get_option(pam_handle_t *pamh,
size_t len;
int i;
- ENTER();
+ ENTERS(option);
if (pamh == NULL || pamh->current == NULL || option == NULL)
RETURNS(NULL);
cur = pamh->current;
diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h
index 87818b6..0ab2811 100644
--- a/contrib/openpam/lib/openpam_impl.h
+++ b/contrib/openpam/lib/openpam_impl.h
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/openpam_impl.h#19 $
+ * $P4: //depot/projects/openpam/lib/openpam_impl.h#20 $
*/
#ifndef _OPENPAM_IMPL_H_INCLUDED
@@ -42,6 +42,7 @@
extern const char *_pam_func_name[PAM_NUM_PRIMITIVES];
extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES];
extern const char *_pam_err_name[PAM_NUM_ERRORS];
+extern const char *_pam_item_name[PAM_NUM_ITEMS];
/*
* Control flags
@@ -123,6 +124,21 @@ pam_module_t *openpam_dynamic(const char *);
#ifdef DEBUG
#define ENTER() openpam_log(PAM_LOG_DEBUG, "entering")
+#define ENTERI(i) do { \
+ if ((i) > 0 && (i) < PAM_NUM_ITEMS) \
+ openpam_log(PAM_LOG_DEBUG, "entering: %s", _pam_item_name[i]); \
+ else \
+ openpam_log(PAM_LOG_DEBUG, "entering: %d", (i)); \
+} while (0);
+#define ENTERN(n) do { \
+ openpam_log(PAM_LOG_DEBUG, "entering: %d", (n)); \
+} while (0);
+#define ENTERS(s) do { \
+ if ((s) == NULL) \
+ openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \
+ else \
+ openpam_log(PAM_LOG_DEBUG, "entering: '%s'", (s)); \
+} while (0);
#define RETURNV() openpam_log(PAM_LOG_DEBUG, "returning")
#define RETURNC(c) do { \
if ((c) >= 0 && (c) < PAM_NUM_ERRORS) \
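Review bot: The three new ENTERI/ENTERN/ENTERS macros end in `} while (0);`, whereas RETURNC and RETURNN in this same header end in `} while (0)`; the trailing semicolon makes `ENTERI(x);` expand to two statements, so a use such as `if (cond) ENTERI(x); else ...` fails to compile, and the DEBUG and non-DEBUG builds accept different code. Dropping the semicolon from each of the three macro bodies restores the usual do/while(0) idiom. Two smaller points in ENTERI: the index is used unparenthesized in `_pam_item_name[i]`, and the `(i) > 0` test excludes slot 0 even though the table added in pam_get_item.c has an entry for it — `if ((i) >= 0 && (i) < PAM_NUM_ITEMS && _pam_item_name[(i)] != NULL)` with `_pam_item_name[(i)]` in the log call fixes both and also keeps a NULL table slot from reaching `%s`.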
@@ -131,9 +147,9 @@ pam_module_t *openpam_dynamic(const char *);
openpam_log(PAM_LOG_DEBUG, "returning %d!", (c)); \
return (c); \
} while (0)
-#define RETURNI(i) do { \
- openpam_log(PAM_LOG_DEBUG, "returning %d", (i)); \
- return (i); \
+#define RETURNN(n) do { \
+ openpam_log(PAM_LOG_DEBUG, "returning %d", (n)); \
+ return (n); \
} while (0)
#define RETURNP(p) do { \
if ((p) == NULL) \
@@ -151,9 +167,12 @@ pam_module_t *openpam_dynamic(const char *);
} while (0)
#else
#define ENTER()
+#define ENTERI(i)
+#define ENTERN(n)
+#define ENTERS(s)
#define RETURNV() return
#define RETURNC(c) return (c)
-#define RETURNI(i) return (i)
+#define RETURNN(n) return (n)
#define RETURNP(p) return (p)
#define RETURNS(s) return (s)
#endif
diff --git a/contrib/openpam/lib/openpam_restore_cred.c b/contrib/openpam/lib/openpam_restore_cred.c
index 75ebe5e..d18f78f 100644
--- a/contrib/openpam/lib/openpam_restore_cred.c
+++ b/contrib/openpam/lib/openpam_restore_cred.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#3 $
+ * $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#4 $
*/
#include <sys/param.h>
@@ -62,10 +62,12 @@ openpam_restore_cred(pam_handle_t *pamh)
RETURNC(r);
if (scred == NULL)
RETURNC(PAM_SYSTEM_ERR);
- if (seteuid(scred->euid) == -1 ||
- setgroups(scred->ngroups, scred->groups) == -1 ||
- setegid(scred->egid) == -1)
- RETURNC(PAM_SYSTEM_ERR);
+ if (scred->euid != geteuid()) {
+ if (seteuid(scred->euid) == -1 ||
+ setgroups(scred->ngroups, scred->groups) == -1 ||
+ setegid(scred->egid) == -1)
+ RETURNC(PAM_SYSTEM_ERR);
+ }
pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL);
RETURNC(PAM_SUCCESS);
}
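Review bot: A failure inside the new `if (scred->euid != geteuid())` block is now a permanent condition for the handle: the function returns PAM_SYSTEM_ERR — possibly after seteuid() already succeeded and only setgroups()/setegid() failed — with PAM_SAVED_CRED still set, and the check this commit adds to openpam_borrow_cred then rejects every later borrow on that handle with "already operating under borrowed credentials". If that lock-out is the intended fail-safe, a comment on the RETURNC should say so; otherwise the partially restored state should at least be logged before returning so an operator can tell which step failed. The euid-only guard also means that when euid matched at borrow time the setgroups()/setegid() restore is skipped, mirroring the early return added in openpam_borrow_cred.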
diff --git a/contrib/openpam/lib/openpam_set_option.c b/contrib/openpam/lib/openpam_set_option.c
index f65733b..d981398 100644
--- a/contrib/openpam/lib/openpam_set_option.c
+++ b/contrib/openpam/lib/openpam_set_option.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/openpam_set_option.c#6 $
+ * $P4: //depot/projects/openpam/lib/openpam_set_option.c#7 $
*/
#include <sys/param.h>
@@ -61,7 +61,7 @@ openpam_set_option(pam_handle_t *pamh,
size_t len;
int i;
- ENTER();
+ ENTERS(option);
if (pamh == NULL || pamh->current == NULL || option == NULL)
RETURNC(PAM_SYSTEM_ERR);
cur = pamh->current;
diff --git a/contrib/openpam/lib/pam_get_data.c b/contrib/openpam/lib/pam_get_data.c
index 96038ca..63de926 100644
--- a/contrib/openpam/lib/pam_get_data.c
+++ b/contrib/openpam/lib/pam_get_data.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_get_data.c#9 $
+ * $P4: //depot/projects/openpam/lib/pam_get_data.c#10 $
*/
#include <string.h>
@@ -54,7 +54,7 @@ pam_get_data(pam_handle_t *pamh,
{
pam_data_t *dp;
- ENTER();
+ ENTERS(module_data_name);
if (pamh == NULL)
RETURNC(PAM_SYSTEM_ERR);
for (dp = pamh->module_data; dp != NULL; dp = dp->next)
diff --git a/contrib/openpam/lib/pam_get_item.c b/contrib/openpam/lib/pam_get_item.c
index f3e8c9b..fa63d3e 100644
--- a/contrib/openpam/lib/pam_get_item.c
+++ b/contrib/openpam/lib/pam_get_item.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_get_item.c#14 $
+ * $P4: //depot/projects/openpam/lib/pam_get_item.c#15 $
*/
#include <sys/param.h>
@@ -40,6 +40,22 @@
#include "openpam_impl.h"
+const char *_pam_item_name[PAM_NUM_ITEMS] = {
+ "(NO ITEM)",
+ "PAM_SERVICE",
+ "PAM_USER",
+ "PAM_TTY",
+ "PAM_RHOST",
+ "PAM_CONV",
+ "PAM_AUTHTOK",
+ "PAM_OLDAUTHTOK",
+ "PAM_RUSER",
+ "PAM_USER_PROMPT",
+ "PAM_REPOSITORY",
+ "PAM_AUTHTOK_PROMPT",
+ "PAM_OLDAUTHTOK_PROMPT"
+};
+
/*
* XSSO 4.2.1
* XSSO 6 page 46
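Review bot: The `_pam_item_name` table is positional, so its correctness depends on the thirteen strings staying in exactly the order of the item-type constants, and on PAM_NUM_ITEMS staying at 13; adding an item type in the header without updating this list would leave trailing NULL slots that ENTERI passes to `%s`, which is undefined behavior in the debug build. Designated initializers tie each string to its constant so the mapping cannot drift, and any unlisted slot is visibly NULL rather than silently shifted; this assumes the build allows C99 initializers, which I cannot confirm from the diff. A `_Static_assert` on the count would need C11 and is not used elsewhere here, so a comment `/* keep in sync with the item-type constants in the header */` is the minimum.

```c
const char *_pam_item_name[PAM_NUM_ITEMS] = {
	[0]                     = "(NO ITEM)",
	[PAM_SERVICE]           = "PAM_SERVICE",
	[PAM_USER]              = "PAM_USER",
	[PAM_TTY]               = "PAM_TTY",
	[PAM_RHOST]             = "PAM_RHOST",
	[PAM_CONV]              = "PAM_CONV",
	[PAM_AUTHTOK]           = "PAM_AUTHTOK",
	[PAM_OLDAUTHTOK]        = "PAM_OLDAUTHTOK",
	[PAM_RUSER]             = "PAM_RUSER",
	[PAM_USER_PROMPT]       = "PAM_USER_PROMPT",
	[PAM_REPOSITORY]        = "PAM_REPOSITORY",
	[PAM_AUTHTOK_PROMPT]    = "PAM_AUTHTOK_PROMPT",
	[PAM_OLDAUTHTOK_PROMPT] = "PAM_OLDAUTHTOK_PROMPT",
};
```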
@@ -53,7 +69,7 @@ pam_get_item(pam_handle_t *pamh,
const void **item)
{
- ENTER();
+ ENTERI(item_type);
if (pamh == NULL)
RETURNC(PAM_SYSTEM_ERR);
switch (item_type) {
diff --git a/contrib/openpam/lib/pam_set_data.c b/contrib/openpam/lib/pam_set_data.c
index c944e0f..5428bb1 100644
--- a/contrib/openpam/lib/pam_set_data.c
+++ b/contrib/openpam/lib/pam_set_data.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_set_data.c#11 $
+ * $P4: //depot/projects/openpam/lib/pam_set_data.c#12 $
*/
#include <stdlib.h>
@@ -58,7 +58,7 @@ pam_set_data(pam_handle_t *pamh,
{
pam_data_t *dp;
- ENTER();
+ ENTERS(module_data_name);
if (pamh == NULL)
RETURNC(PAM_SYSTEM_ERR);
for (dp = pamh->module_data; dp != NULL; dp = dp->next) {
diff --git a/contrib/openpam/lib/pam_set_item.c b/contrib/openpam/lib/pam_set_item.c
index 42653b1..250d287 100644
--- a/contrib/openpam/lib/pam_set_item.c
+++ b/contrib/openpam/lib/pam_set_item.c
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/openpam/lib/pam_set_item.c#16 $
+ * $P4: //depot/projects/openpam/lib/pam_set_item.c#17 $
*/
#include <sys/param.h>
@@ -58,7 +58,7 @@ pam_set_item(pam_handle_t *pamh,
void **slot, *tmp;
size_t nsize, osize;
- ENTER();
+ ENTERI(item_type);
if (pamh == NULL)
RETURNC(PAM_SYSTEM_ERR);
slot = &pamh->item[item_type];
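Review bot: `ENTERI(item_type)` range-checks item_type before using it as an index, but the context line `slot = &pamh->item[item_type];` immediately after the NULL check indexes `pamh->item` with the still-unvalidated value; pam_set_item continues beyond this hunk and may reject bad item types in a later switch, but the out-of-range address is formed here first. Validating before indexing, e.g. `if (item_type <= 0 || item_type >= PAM_NUM_ITEMS) RETURNC(PAM_SYSTEM_ERR);` with whichever error code the existing rejection path uses, keeps the debug macro and the real code in agreement.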