dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From 69c41ad3d74684dac43a1f767bc00ca97b4518b5 Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzidek@redhat.com>
Date: Wed, 15 Oct 2014 18:15:53 +0200
Subject: [PATCH 36/46] PAM: Create pipe file descriptors before privileges are
 dropped

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit b547bd685cb71bb450b0c86487767f02e66f6cea)
---
 src/responder/pam/pamsrv.c | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index a3f8662738c26a537bc21d8d419e65e49c4828c9..d3cf0c770ad2978e101f40453137ade8d826b8e1 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -181,7 +181,8 @@ done:
 
 static int pam_process_init(TALLOC_CTX *mem_ctx,
                             struct tevent_context *ev,
-                            struct confdb_ctx *cdb)
+                            struct confdb_ctx *cdb,
+                            int pipe_fd, int priv_pipe_fd)
 {
     struct resp_ctx *rctx;
     struct sss_cmd_table *pam_cmds;
@@ -194,8 +195,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
     pam_cmds = get_pam_cmds();
     ret = sss_process_init(mem_ctx, ev, cdb,
                            pam_cmds,
-                           SSS_PAM_SOCKET_NAME, -1,
-                           SSS_PAM_PRIV_SOCKET_NAME, -1,
+                           SSS_PAM_SOCKET_NAME, pipe_fd,
+                           SSS_PAM_PRIV_SOCKET_NAME, priv_pipe_fd,
                            CONFDB_PAM_CONF_ENTRY,
                            SSS_PAM_SBUS_SERVICE_NAME,
                            SSS_PAM_SBUS_SERVICE_VERSION,
@@ -318,6 +319,8 @@ int main(int argc, const char *argv[])
     int ret;
     uid_t uid;
     gid_t gid;
+    int pipe_fd;
+    int priv_pipe_fd;
 
     struct poptOption long_options[] = {
         POPT_AUTOHELP
@@ -347,6 +350,24 @@ int main(int argc, const char *argv[])
     /* set up things like debug, signals, daemonization, etc... */
     debug_log_file = "sssd_pam";
 
+    /* Crate pipe file descriptors here before privileges are dropped
+     * in server_setup() */
+    ret = create_pipe_fd(SSS_PAM_SOCKET_NAME, &pipe_fd, 0111);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "create_pipe_fd failed [%d]: %s.\n",
+              ret, sss_strerror(ret));
+        return 2;
+    }
+
+    ret = create_pipe_fd(SSS_PAM_PRIV_SOCKET_NAME, &priv_pipe_fd, 0177);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "create_pipe_fd failed (priviledged pipe) [%d]: %s.\n",
+              ret, sss_strerror(ret));
+        return 2;
+    }
+
     ret = server_setup("sssd[pam]", 0, 0, 0, CONFDB_PAM_CONF_ENTRY, &main_ctx);
     if (ret != EOK) return 2;
 
@@ -359,7 +380,8 @@ int main(int argc, const char *argv[])
 
     ret = pam_process_init(main_ctx,
                            main_ctx->event_ctx,
-                           main_ctx->confdb_ctx);
+                           main_ctx->confdb_ctx,
+                           pipe_fd, priv_pipe_fd);
     if (ret != EOK) return 3;
 
     /* loop on main */
-- 
1.9.3