|
|
c28ff7 |
diff -up Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c.pam_keyinit-thread-safe Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c
|
|
|
c28ff7 |
--- Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c.pam_keyinit-thread-safe 2017-02-10 11:10:15.000000000 +0100
|
|
|
c28ff7 |
+++ Linux-PAM-1.3.1/modules/pam_keyinit/pam_keyinit.c 2022-04-25 12:10:28.071240439 +0200
|
|
|
c28ff7 |
@@ -20,6 +20,7 @@
|
|
|
c28ff7 |
#include <security/pam_modutil.h>
|
|
|
c28ff7 |
#include <security/pam_ext.h>
|
|
|
c28ff7 |
#include <sys/syscall.h>
|
|
|
c28ff7 |
+#include <stdatomic.h>
|
|
|
c28ff7 |
|
|
|
c28ff7 |
#define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */
|
|
|
c28ff7 |
#define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */
|
|
|
c28ff7 |
@@ -30,12 +31,12 @@
|
|
|
c28ff7 |
#define KEYCTL_REVOKE 3 /* revoke a key */
|
|
|
c28ff7 |
#define KEYCTL_LINK 8 /* link a key into a keyring */
|
|
|
c28ff7 |
|
|
|
c28ff7 |
-static int my_session_keyring;
|
|
|
c28ff7 |
-static int session_counter;
|
|
|
c28ff7 |
-static int do_revoke;
|
|
|
c28ff7 |
-static int revoke_as_uid;
|
|
|
c28ff7 |
-static int revoke_as_gid;
|
|
|
c28ff7 |
-static int xdebug = 0;
|
|
|
c28ff7 |
+static _Thread_local int my_session_keyring = 0;
|
|
|
c28ff7 |
+static _Atomic int session_counter = 0;
|
|
|
c28ff7 |
+static _Thread_local int do_revoke = 0;
|
|
|
c28ff7 |
+static _Thread_local uid_t revoke_as_uid;
|
|
|
c28ff7 |
+static _Thread_local gid_t revoke_as_gid;
|
|
|
c28ff7 |
+static _Thread_local int xdebug = 0;
|
|
|
c28ff7 |
|
|
|
c28ff7 |
static void debug(pam_handle_t *pamh, const char *fmt, ...)
|
|
|
c28ff7 |
__attribute__((format(printf, 2, 3)));
|
|
|
c28ff7 |
@@ -65,6 +66,33 @@ static int error(pam_handle_t *pamh, con
|
|
|
c28ff7 |
return PAM_SESSION_ERR;
|
|
|
c28ff7 |
}
|
|
|
c28ff7 |
|
|
|
c28ff7 |
+static int pam_setreuid(uid_t ruid, uid_t euid)
|
|
|
c28ff7 |
+{
|
|
|
c28ff7 |
+#if defined(SYS_setreuid32)
|
|
|
c28ff7 |
+ return syscall(SYS_setreuid32, ruid, euid);
|
|
|
c28ff7 |
+#else
|
|
|
c28ff7 |
+ return syscall(SYS_setreuid, ruid, euid);
|
|
|
c28ff7 |
+#endif
|
|
|
c28ff7 |
+}
|
|
|
c28ff7 |
+
|
|
|
c28ff7 |
+static int pam_setregid(gid_t rgid, gid_t egid)
|
|
|
c28ff7 |
+{
|
|
|
c28ff7 |
+#if defined(SYS_setregid32)
|
|
|
c28ff7 |
+ return syscall(SYS_setregid32, rgid, egid);
|
|
|
c28ff7 |
+#else
|
|
|
c28ff7 |
+ return syscall(SYS_setregid, rgid, egid);
|
|
|
c28ff7 |
+#endif
|
|
|
c28ff7 |
+}
|
|
|
c28ff7 |
+
|
|
|
c28ff7 |
+static int pam_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
|
|
c28ff7 |
+{
|
|
|
c28ff7 |
+#if defined(SYS_setresuid32)
|
|
|
c28ff7 |
+ return syscall(SYS_setresuid32, ruid, euid, suid);
|
|
|
c28ff7 |
+#else
|
|
|
c28ff7 |
+ return syscall(SYS_setresuid, ruid, euid, suid);
|
|
|
c28ff7 |
+#endif
|
|
|
c28ff7 |
+}
|
|
|
c28ff7 |
+
|
|
|
c28ff7 |
/*
|
|
|
c28ff7 |
* initialise the session keyring for this process
|
|
|
c28ff7 |
*/
|
|
|
c28ff7 |
@@ -139,23 +167,25 @@ static void kill_keyrings(pam_handle_t *
|
|
|
c28ff7 |
|
|
|
c28ff7 |
/* switch to the real UID and GID so that we have permission to
|
|
|
c28ff7 |
* revoke the key */
|
|
|
c28ff7 |
- if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
|
|
|
c28ff7 |
+ if (revoke_as_gid != old_gid && pam_setregid(-1, revoke_as_gid) < 0)
|
|
|
c28ff7 |
error(pamh, "Unable to change GID to %d temporarily\n",
|
|
|
c28ff7 |
revoke_as_gid);
|
|
|
c28ff7 |
|
|
|
c28ff7 |
- if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0)
|
|
|
c28ff7 |
+ if (revoke_as_uid != old_uid && pam_setresuid(-1, revoke_as_uid, old_uid) < 0)
|
|
|
c28ff7 |
error(pamh, "Unable to change UID to %d temporarily\n",
|
|
|
c28ff7 |
revoke_as_uid);
|
|
|
c28ff7 |
+ if (getegid() != old_gid && pam_setregid(-1, old_gid) < 0)
|
|
|
c28ff7 |
+ error(pamh, "Unable to change GID back to %d\n", old_gid);
|
|
|
c28ff7 |
|
|
|
c28ff7 |
syscall(__NR_keyctl,
|
|
|
c28ff7 |
KEYCTL_REVOKE,
|
|
|
c28ff7 |
my_session_keyring);
|
|
|
c28ff7 |
|
|
|
c28ff7 |
/* return to the orignal UID and GID (probably root) */
|
|
|
c28ff7 |
- if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
|
|
|
c28ff7 |
+ if (revoke_as_uid != old_uid && pam_setreuid(-1, old_uid) < 0)
|
|
|
c28ff7 |
error(pamh, "Unable to change UID back to %d\n", old_uid);
|
|
|
c28ff7 |
|
|
|
c28ff7 |
- if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
|
|
|
c28ff7 |
+ if (revoke_as_gid != old_gid && pam_setregid(-1, old_gid) < 0)
|
|
|
c28ff7 |
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
|
|
c28ff7 |
|
|
|
c28ff7 |
my_session_keyring = 0;
|
|
|
c28ff7 |
@@ -210,14 +240,14 @@ int pam_sm_open_session(pam_handle_t *pa
|
|
|
c28ff7 |
|
|
|
c28ff7 |
/* switch to the real UID and GID so that the keyring ends up owned by
|
|
|
c28ff7 |
* the right user */
|
|
|
c28ff7 |
- if (gid != old_gid && setregid(gid, -1) < 0) {
|
|
|
c28ff7 |
+ if (gid != old_gid && pam_setregid(gid, -1) < 0) {
|
|
|
c28ff7 |
error(pamh, "Unable to change GID to %d temporarily\n", gid);
|
|
|
c28ff7 |
return PAM_SESSION_ERR;
|
|
|
c28ff7 |
}
|
|
|
c28ff7 |
|
|
|
c28ff7 |
- if (uid != old_uid && setreuid(uid, -1) < 0) {
|
|
|
c28ff7 |
+ if (uid != old_uid && pam_setreuid(uid, -1) < 0) {
|
|
|
c28ff7 |
error(pamh, "Unable to change UID to %d temporarily\n", uid);
|
|
|
c28ff7 |
- if (setregid(old_gid, -1) < 0)
|
|
|
c28ff7 |
+ if (pam_setregid(old_gid, -1) < 0)
|
|
|
c28ff7 |
error(pamh, "Unable to change GID back to %d\n", old_gid);
|
|
|
c28ff7 |
return PAM_SESSION_ERR;
|
|
|
c28ff7 |
}
|
|
|
c28ff7 |
@@ -225,10 +255,10 @@ int pam_sm_open_session(pam_handle_t *pa
|
|
|
c28ff7 |
ret = init_keyrings(pamh, force);
|
|
|
c28ff7 |
|
|
|
c28ff7 |
/* return to the orignal UID and GID (probably root) */
|
|
|
c28ff7 |
- if (uid != old_uid && setreuid(old_uid, -1) < 0)
|
|
|
c28ff7 |
+ if (uid != old_uid && pam_setreuid(old_uid, -1) < 0)
|
|
|
c28ff7 |
ret = error(pamh, "Unable to change UID back to %d\n", old_uid);
|
|
|
c28ff7 |
|
|
|
c28ff7 |
- if (gid != old_gid && setregid(old_gid, -1) < 0)
|
|
|
c28ff7 |
+ if (gid != old_gid && pam_setregid(old_gid, -1) < 0)
|
|
|
c28ff7 |
ret = error(pamh, "Unable to change GID back to %d\n", old_gid);
|
|
|
c28ff7 |
|
|
|
c28ff7 |
return ret;
|