Sync with P4. Most of this is debugging code; the only substantial changes
are improvements to openpam_{borrow,restore}_cred() (#24779 and #24780).
This commit is contained in:
des
parent
08883899a5
commit
ead41a55fb
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#3 $
|
||||
* $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#4 $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -57,9 +57,18 @@ openpam_borrow_cred(pam_handle_t *pamh,
|
||||
struct pam_saved_cred *scred;
|
||||
int r;
|
||||
|
||||
ENTER();
|
||||
if (geteuid() != 0)
|
||||
ENTERI(pwd->pw_uid);
|
||||
r = pam_get_data(pamh, PAM_SAVED_CRED, (const void **)&scred);
|
||||
if (r == PAM_SUCCESS && scred != NULL) {
|
||||
openpam_log(PAM_LOG_DEBUG,
|
||||
"already operating under borrowed credentials");
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
}
|
||||
if (geteuid() != 0 && geteuid() != pwd->pw_uid) {
|
||||
openpam_log(PAM_LOG_DEBUG, "called with non-zero euid: %d",
|
||||
(int)geteuid());
|
||||
RETURNC(PAM_PERM_DENIED);
|
||||
}
|
||||
scred = calloc(1, sizeof *scred);
|
||||
if (scred == NULL)
|
||||
RETURNC(PAM_BUF_ERR);
|
||||
@ -76,6 +85,8 @@ openpam_borrow_cred(pam_handle_t *pamh,
|
||||
free(scred);
|
||||
RETURNC(r);
|
||||
}
|
||||
if (geteuid() == pwd->pw_uid)
|
||||
RETURNC(PAM_SUCCESS);
|
||||
if (initgroups(pwd->pw_name, pwd->pw_gid) == -1 ||
|
||||
setegid(pwd->pw_gid) == -1 || seteuid(pwd->pw_uid) == -1) {
|
||||
openpam_restore_cred(pamh);
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_findenv.c#9 $
|
||||
* $P4: //depot/projects/openpam/lib/openpam_findenv.c#10 $
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
@ -55,12 +55,12 @@ openpam_findenv(pam_handle_t *pamh,
|
||||
|
||||
ENTER();
|
||||
if (pamh == NULL)
|
||||
RETURNI(-1);
|
||||
RETURNN(-1);
|
||||
for (i = 0; i < pamh->env_count; ++i)
|
||||
if (strncmp(pamh->env[i], name, len) == 0 &&
|
||||
pamh->env[i][len] == '=')
|
||||
RETURNI(i);
|
||||
RETURNI(-1);
|
||||
RETURNN(i);
|
||||
RETURNN(-1);
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_get_option.c#5 $
|
||||
* $P4: //depot/projects/openpam/lib/openpam_get_option.c#6 $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -57,7 +57,7 @@ openpam_get_option(pam_handle_t *pamh,
|
||||
size_t len;
|
||||
int i;
|
||||
|
||||
ENTER();
|
||||
ENTERS(option);
|
||||
if (pamh == NULL || pamh->current == NULL || option == NULL)
|
||||
RETURNS(NULL);
|
||||
cur = pamh->current;
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_impl.h#19 $
|
||||
* $P4: //depot/projects/openpam/lib/openpam_impl.h#20 $
|
||||
*/
|
||||
|
||||
#ifndef _OPENPAM_IMPL_H_INCLUDED
|
||||
@ -42,6 +42,7 @@
|
||||
extern const char *_pam_func_name[PAM_NUM_PRIMITIVES];
|
||||
extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES];
|
||||
extern const char *_pam_err_name[PAM_NUM_ERRORS];
|
||||
extern const char *_pam_item_name[PAM_NUM_ITEMS];
|
||||
|
||||
/*
|
||||
* Control flags
|
||||
@ -123,6 +124,21 @@ pam_module_t *openpam_dynamic(const char *);
|
||||
|
||||
#ifdef DEBUG
|
||||
#define ENTER() openpam_log(PAM_LOG_DEBUG, "entering")
|
||||
#define ENTERI(i) do { \
|
||||
if ((i) > 0 && (i) < PAM_NUM_ITEMS) \
|
||||
openpam_log(PAM_LOG_DEBUG, "entering: %s", _pam_item_name[i]); \
|
||||
else \
|
||||
openpam_log(PAM_LOG_DEBUG, "entering: %d", (i)); \
|
||||
} while (0);
|
||||
#define ENTERN(n) do { \
|
||||
openpam_log(PAM_LOG_DEBUG, "entering: %d", (n)); \
|
||||
} while (0);
|
||||
#define ENTERS(s) do { \
|
||||
if ((s) == NULL) \
|
||||
openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \
|
||||
else \
|
||||
openpam_log(PAM_LOG_DEBUG, "entering: '%s'", (s)); \
|
||||
} while (0);
|
||||
#define RETURNV() openpam_log(PAM_LOG_DEBUG, "returning")
|
||||
#define RETURNC(c) do { \
|
||||
if ((c) >= 0 && (c) < PAM_NUM_ERRORS) \
|
||||
@ -131,9 +147,9 @@ pam_module_t *openpam_dynamic(const char *);
|
||||
openpam_log(PAM_LOG_DEBUG, "returning %d!", (c)); \
|
||||
return (c); \
|
||||
} while (0)
|
||||
#define RETURNI(i) do { \
|
||||
openpam_log(PAM_LOG_DEBUG, "returning %d", (i)); \
|
||||
return (i); \
|
||||
#define RETURNN(n) do { \
|
||||
openpam_log(PAM_LOG_DEBUG, "returning %d", (n)); \
|
||||
return (n); \
|
||||
} while (0)
|
||||
#define RETURNP(p) do { \
|
||||
if ((p) == NULL) \
|
||||
@ -151,9 +167,12 @@ pam_module_t *openpam_dynamic(const char *);
|
||||
} while (0)
|
||||
#else
|
||||
#define ENTER()
|
||||
#define ENTERI(i)
|
||||
#define ENTERN(n)
|
||||
#define ENTERS(s)
|
||||
#define RETURNV() return
|
||||
#define RETURNC(c) return (c)
|
||||
#define RETURNI(i) return (i)
|
||||
#define RETURNN(n) return (n)
|
||||
#define RETURNP(p) return (p)
|
||||
#define RETURNS(s) return (s)
|
||||
#endif
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#3 $
|
||||
* $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#4 $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -62,10 +62,12 @@ openpam_restore_cred(pam_handle_t *pamh)
|
||||
RETURNC(r);
|
||||
if (scred == NULL)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
if (seteuid(scred->euid) == -1 ||
|
||||
setgroups(scred->ngroups, scred->groups) == -1 ||
|
||||
setegid(scred->egid) == -1)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
if (scred->euid != geteuid()) {
|
||||
if (seteuid(scred->euid) == -1 ||
|
||||
setgroups(scred->ngroups, scred->groups) == -1 ||
|
||||
setegid(scred->egid) == -1)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
}
|
||||
pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL);
|
||||
RETURNC(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_set_option.c#6 $
|
||||
* $P4: //depot/projects/openpam/lib/openpam_set_option.c#7 $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -61,7 +61,7 @@ openpam_set_option(pam_handle_t *pamh,
|
||||
size_t len;
|
||||
int i;
|
||||
|
||||
ENTER();
|
||||
ENTERS(option);
|
||||
if (pamh == NULL || pamh->current == NULL || option == NULL)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
cur = pamh->current;
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_get_data.c#9 $
|
||||
* $P4: //depot/projects/openpam/lib/pam_get_data.c#10 $
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
@ -54,7 +54,7 @@ pam_get_data(pam_handle_t *pamh,
|
||||
{
|
||||
pam_data_t *dp;
|
||||
|
||||
ENTER();
|
||||
ENTERS(module_data_name);
|
||||
if (pamh == NULL)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
for (dp = pamh->module_data; dp != NULL; dp = dp->next)
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_get_item.c#14 $
|
||||
* $P4: //depot/projects/openpam/lib/pam_get_item.c#15 $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -40,6 +40,22 @@
|
||||
|
||||
#include "openpam_impl.h"
|
||||
|
||||
const char *_pam_item_name[PAM_NUM_ITEMS] = {
|
||||
"(NO ITEM)",
|
||||
"PAM_SERVICE",
|
||||
"PAM_USER",
|
||||
"PAM_TTY",
|
||||
"PAM_RHOST",
|
||||
"PAM_CONV",
|
||||
"PAM_AUTHTOK",
|
||||
"PAM_OLDAUTHTOK",
|
||||
"PAM_RUSER",
|
||||
"PAM_USER_PROMPT",
|
||||
"PAM_REPOSITORY",
|
||||
"PAM_AUTHTOK_PROMPT",
|
||||
"PAM_OLDAUTHTOK_PROMPT"
|
||||
};
|
||||
|
||||
/*
|
||||
* XSSO 4.2.1
|
||||
* XSSO 6 page 46
|
||||
@ -53,7 +69,7 @@ pam_get_item(pam_handle_t *pamh,
|
||||
const void **item)
|
||||
{
|
||||
|
||||
ENTER();
|
||||
ENTERI(item_type);
|
||||
if (pamh == NULL)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
switch (item_type) {
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_set_data.c#11 $
|
||||
* $P4: //depot/projects/openpam/lib/pam_set_data.c#12 $
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
@ -58,7 +58,7 @@ pam_set_data(pam_handle_t *pamh,
|
||||
{
|
||||
pam_data_t *dp;
|
||||
|
||||
ENTER();
|
||||
ENTERS(module_data_name);
|
||||
if (pamh == NULL)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
for (dp = pamh->module_data; dp != NULL; dp = dp->next) {
|
||||
|
||||
@ -31,7 +31,7 @@
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_set_item.c#16 $
|
||||
* $P4: //depot/projects/openpam/lib/pam_set_item.c#17 $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -58,7 +58,7 @@ pam_set_item(pam_handle_t *pamh,
|
||||
void **slot, *tmp;
|
||||
size_t nsize, osize;
|
||||
|
||||
ENTER();
|
||||
ENTERI(item_type);
|
||||
if (pamh == NULL)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
slot = &pamh->item[item_type];
|
||||
|
||||
Loading…
Reference in New Issue
Block a user