From 4447e914e80cfcd607872e28a473a82be29ac0e2 Mon Sep 17 00:00:00 2001 From: Mark Murray Date: Sat, 4 Aug 2001 09:19:31 +0000 Subject: [PATCH] Fix the bug where this modulke was not checking the priamry GID, only the GIDS in /etc/group or NIS's group map. Tested by: sheldonh PR: 29349 --- lib/libpam/modules/pam_wheel/pam_wheel.c | 35 ++++++++---------------- 1 file changed, 11 insertions(+), 24 deletions(-) diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.c b/lib/libpam/modules/pam_wheel/pam_wheel.c index 9535d3e7d6f3..e5505c85dc0c 100644 --- a/lib/libpam/modules/pam_wheel/pam_wheel.c +++ b/lib/libpam/modules/pam_wheel/pam_wheel.c @@ -66,23 +66,24 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) { struct options options; - struct passwd *pwd, *temppwd; + struct passwd *pwd; struct group *grp; int retval; const char *user; - char *fromsu, *use_group; + char *use_group; pam_std_option(&options, other_options, argc, argv); PAM_LOG("Options processed"); - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS) - PAM_RETURN(retval); - - pwd = getpwnam(user); - if (!pwd) - PAM_RETURN(PAM_USER_UNKNOWN); + if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) + pwd = getpwnam(getlogin()); + else { + retval = pam_get_user(pamh, &user, NULL); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + pwd = getpwnam(user); + } PAM_LOG("Got user: %s", user); @@ -92,20 +93,6 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) PAM_LOG("Not superuser"); - if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { - temppwd = getpwnam(getlogin()); - if (temppwd == NULL) - PAM_RETURN(PAM_SERVICE_ERR); - fromsu = temppwd->pw_name; - } - else { - fromsu = getlogin(); - if (!fromsu) - PAM_RETURN(PAM_SERVICE_ERR); - } - - PAM_LOG("Got fromsu: %s", fromsu); - if (!pam_test_option(&options, PAM_OPT_GROUP, &use_group)) { if ((grp = getgrnam("wheel")) == NULL) grp = getgrgid(0); 
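Review bot: In the first hunk the `auth_as_self` branch passes `getlogin()` straight to `getpwnam()` and then reaches `PAM_LOG("Got user: %s", user)` with `user` never assigned, so a NULL login name or the uninitialised pointer is undefined behaviour inside an authentication module. The same hunk drops the `if (!pwd) PAM_RETURN(PAM_USER_UNKNOWN);` check, yet the last hunk dereferences `pwd->pw_gid`. The three lines between this hunk and the next are not shown, so confirm that nothing there needs a non-NULL `pwd` either. Assigning the login name to `user` in both branches and checking both lookups, as below, restores the explicit `PAM_SERVICE_ERR` and `PAM_USER_UNKNOWN` returns the removed code had. The function body starts before and continues after the hunk.

```c
	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
		user = getlogin();
		if (user == NULL)
			PAM_RETURN(PAM_SERVICE_ERR);
	}
	else {
		/* … unchanged: pam_get_user() call and its retval check … */
	}
	pwd = getpwnam(user);
	if (pwd == NULL)
		PAM_RETURN(PAM_USER_UNKNOWN);

	PAM_LOG("Got user: %s", user);
```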
@@ -122,7 +109,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) PAM_LOG("Got group: %s", grp->gr_name); - if (in_list(grp->gr_mem, fromsu)) { + if (pwd->pw_gid == grp->gr_gid || in_list(grp->gr_mem, pwd->pw_name)) { if (pam_test_option(&options, PAM_OPT_DENY, NULL)) PAM_RETURN(PAM_PERM_DENIED); if (pam_test_option(&options, PAM_OPT_TRUST, NULL))
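Review bot: The membership test now evaluates `pwd`, which without `auth_as_self` is the account returned by `pam_get_user()`, whereas the removed code always tested `fromsu`, the name obtained from `getlogin()`. If PAM_USER is the target account for the calling service (not visible here), the default configuration checks whether the target, not the caller, belongs to the group, which would weaken the restriction this module is meant to enforce. Either resolve the caller in both branches or document the choice at the test, e.g. `/* pwd: getlogin() account with auth_as_self, otherwise PAM_USER */`. The enclosing function continues past the hunk.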