From 69c41ad3d74684dac43a1f767bc00ca97b4518b5 Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzidek@redhat.com>
Date: Wed, 15 Oct 2014 18:15:53 +0200
Subject: [PATCH 36/46] PAM: Create pipe file descriptors before privileges are
dropped
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit b547bd685cb71bb450b0c86487767f02e66f6cea)
---
src/responder/pam/pamsrv.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index a3f8662738c26a537bc21d8d419e65e49c4828c9..d3cf0c770ad2978e101f40453137ade8d826b8e1 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -181,7 +181,8 @@ done:
static int pam_process_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- struct confdb_ctx *cdb)
+ struct confdb_ctx *cdb,
+ int pipe_fd, int priv_pipe_fd)
{
struct resp_ctx *rctx;
struct sss_cmd_table *pam_cmds;
@@ -194,8 +195,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
pam_cmds = get_pam_cmds();
ret = sss_process_init(mem_ctx, ev, cdb,
pam_cmds,
- SSS_PAM_SOCKET_NAME, -1,
- SSS_PAM_PRIV_SOCKET_NAME, -1,
+ SSS_PAM_SOCKET_NAME, pipe_fd,
+ SSS_PAM_PRIV_SOCKET_NAME, priv_pipe_fd,
CONFDB_PAM_CONF_ENTRY,
SSS_PAM_SBUS_SERVICE_NAME,
SSS_PAM_SBUS_SERVICE_VERSION,
@@ -318,6 +319,8 @@ int main(int argc, const char *argv[])
int ret;
uid_t uid;
gid_t gid;
+ int pipe_fd;
+ int priv_pipe_fd;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -347,6 +350,24 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_pam";
+ /* Crate pipe file descriptors here before privileges are dropped
+ * in server_setup() */
+ ret = create_pipe_fd(SSS_PAM_SOCKET_NAME, &pipe_fd, 0111);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "create_pipe_fd failed [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ return 2;
+ }
+
+ ret = create_pipe_fd(SSS_PAM_PRIV_SOCKET_NAME, &priv_pipe_fd, 0177);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "create_pipe_fd failed (priviledged pipe) [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ return 2;
+ }
+
ret = server_setup("sssd[pam]", 0, 0, 0, CONFDB_PAM_CONF_ENTRY, &main_ctx);
if (ret != EOK) return 2;
@@ -359,7 +380,8 @@ int main(int argc, const char *argv[])
ret = pam_process_init(main_ctx,
main_ctx->event_ctx,
- main_ctx->confdb_ctx);
+ main_ctx->confdb_ctx,
+ pipe_fd, priv_pipe_fd);
if (ret != EOK) return 3;
/* loop on main */
--
1.9.3