From b6b756b58b4787f31b67f70956d94b3441623e3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?=
Date: Wed, 23 Jan 2002 15:16:01 +0000
Subject: [PATCH] Base the comparison on UIDs, not on user names.

Sponsored by: DARPA, NAI Labs
---
 lib/libpam/modules/pam_self/pam_self.8 | 4 ++--
 lib/libpam/modules/pam_self/pam_self.c | 22 ++++++++++------------
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/lib/libpam/modules/pam_self/pam_self.8 b/lib/libpam/modules/pam_self/pam_self.8
index 2dc968ffc0a1..5e51445ed738 100644
--- a/lib/libpam/modules/pam_self/pam_self.8
+++ b/lib/libpam/modules/pam_self/pam_self.8
@@ -61,8 +61,8 @@ It also provides a null function for session management.
 .Ss Self Authentication Module
 The Self authentication component
 .Pq Fn pam_sm_authenticate ,
-returns success if and only if the source and target user names are
-identical.
+returns success if and only if the target user's user ID is identical
+with the current real user ID.
 .Pp
 The following options may be passed to the authentication module:
 .Bl -tag -width ".Cm no_warn"
diff --git a/lib/libpam/modules/pam_self/pam_self.c b/lib/libpam/modules/pam_self/pam_self.c
index 847e0925cfa8..1cbc8324b537 100644
--- a/lib/libpam/modules/pam_self/pam_self.c
+++ b/lib/libpam/modules/pam_self/pam_self.c
@@ -39,6 +39,7 @@ __FBSDID("$FreeBSD$");
 #define _BSD_SOURCE
+#include
 #include
 #include
@@ -54,24 +55,21 @@ PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
 struct options options;
- const char *luser, *ruser;
- int r;
+ struct passwd *pwd;
+ const char *luser;
+ int pam_err;

 pam_std_option(&options, NULL, argc, argv);

 PAM_LOG("Options processed");

- r = pam_get_item(pamh, PAM_USER, (const void **)&luser);
- if (r != PAM_SUCCESS)
- PAM_RETURN(r);
- if (luser == NULL)
- PAM_RETURN(PAM_USER_UNKNOWN);
-
- r = pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);
- if (r != PAM_SUCCESS)
- PAM_RETURN(r);
+ pam_err = pam_get_item(pamh, PAM_USER, (const void **)&luser);
+ if (pam_err != PAM_SUCCESS)
+ PAM_RETURN(pam_err);
+ if (luser == NULL || (pwd = getpwnam(luser)) == NULL)
+ PAM_RETURN(PAM_AUTH_ERR);

- if (strcmp(luser, ruser) == 0)
+ if (getuid() == (uid_t)pwd->pw_uid)
 PAM_RETURN(PAM_SUCCESS);

 PAM_VERBOSE_ERROR("Refused; source and target users differ");
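Review bot: The new test `if (getuid() == (uid_t)pwd->pw_uid)` accepts any account whose numeric UID equals the caller's real UID, not only the named target, and nothing at that line says this is deliberate; a comment such as `/* Compare real UIDs: any account sharing the target's UID counts as self. */` would record the intent, and the `(uid_t)` cast can go since `pw_uid` is already a `uid_t`. The lookup `(pwd = getpwnam(luser)) == NULL` returns a pointer into static storage, which is not reentrant; because a PAM module is loaded into whatever process the application happens to be, `getpwnam_r()` with a caller-supplied buffer would be the safer choice where the platform provides it. Folding both the missing-name and the failed-lookup cases into `PAM_AUTH_ERR` is fail-closed and does not reveal through the return code whether the account exists, which looks intentional and is worth a one-line comment at that `PAM_RETURN`. The body of pam_sm_authenticate continues past the end of the hunk.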