Blame SOURCES/pam-1.3.1-wheel-pam_ruser-fallback.patch

9d3d10
From 6bf9b454eb971083f0cce49faa2aa1cde329ff5d Mon Sep 17 00:00:00 2001
9d3d10
From: ikerexxe <ipedrosa@redhat.com>
9d3d10
Date: Wed, 26 Aug 2020 14:44:23 +0200
9d3d10
Subject: [PATCH 1/3] pam_wheel: improve coding style
9d3d10
9d3d10
modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state
9d3d10
condition statements
9d3d10
---
9d3d10
 modules/pam_wheel/pam_wheel.c | 36 ++++++++++++++++++-----------------
9d3d10
 1 file changed, 19 insertions(+), 17 deletions(-)
9d3d10
9d3d10
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
9d3d10
index a025ebaf..94cb7d89 100644
9d3d10
--- a/modules/pam_wheel/pam_wheel.c
9d3d10
+++ b/modules/pam_wheel/pam_wheel.c
9d3d10
@@ -130,25 +130,27 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
9d3d10
     }
9d3d10
 
9d3d10
     if (ctrl & PAM_USE_UID_ARG) {
9d3d10
-	tpwd = pam_modutil_getpwuid (pamh, getuid());
9d3d10
-	if (!tpwd) {
9d3d10
-	    if (ctrl & PAM_DEBUG_ARG) {
9d3d10
+        tpwd = pam_modutil_getpwuid (pamh, getuid());
9d3d10
+        if (tpwd == NULL) {
9d3d10
+            if (ctrl & PAM_DEBUG_ARG) {
9d3d10
                 pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
9d3d10
-	    }
9d3d10
-	    return PAM_SERVICE_ERR;
9d3d10
-	}
9d3d10
-	fromsu = tpwd->pw_name;
9d3d10
+            }
9d3d10
+            return PAM_SERVICE_ERR;
9d3d10
+        }
9d3d10
+        fromsu = tpwd->pw_name;
9d3d10
     } else {
9d3d10
-	fromsu = pam_modutil_getlogin(pamh);
9d3d10
-	if (fromsu) {
9d3d10
-	    tpwd = pam_modutil_getpwnam (pamh, fromsu);
9d3d10
-	}
9d3d10
-	if (!fromsu || !tpwd) {
9d3d10
-	    if (ctrl & PAM_DEBUG_ARG) {
9d3d10
-		pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
9d3d10
-	    }
9d3d10
-	    return PAM_SERVICE_ERR;
9d3d10
-	}
9d3d10
+        fromsu = pam_modutil_getlogin(pamh);
9d3d10
+
9d3d10
+        if (fromsu != NULL) {
9d3d10
+            tpwd = pam_modutil_getpwnam (pamh, fromsu);
9d3d10
+        }
9d3d10
+
9d3d10
+        if (fromsu == NULL || tpwd == NULL) {
9d3d10
+            if (ctrl & PAM_DEBUG_ARG) {
9d3d10
+                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
9d3d10
+            }
9d3d10
+            return PAM_SERVICE_ERR;
9d3d10
+        }
9d3d10
     }
9d3d10
 
9d3d10
     /*
9d3d10
-- 
9d3d10
2.26.2
9d3d10
9d3d10
9d3d10
From 9091ea1d81e85f49a221b0325d27b22ce69e444a Mon Sep 17 00:00:00 2001
9d3d10
From: ikerexxe <ipedrosa@redhat.com>
9d3d10
Date: Thu, 27 Aug 2020 09:16:15 +0200
9d3d10
Subject: [PATCH 2/3] pam_wheel: if getlogin fails fallback to PAM_RUSER
9d3d10
9d3d10
modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user
9d3d10
ID, then try with PAM_RUSER.
9d3d10
9d3d10
Resolves:
9d3d10
https://bugzilla.redhat.com/show_bug.cgi?id=1866866
9d3d10
---
9d3d10
 modules/pam_wheel/pam_wheel.c | 10 ++++++++++
9d3d10
 1 file changed, 10 insertions(+)
9d3d10
9d3d10
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
9d3d10
index 94cb7d89..7fa3cfa9 100644
9d3d10
--- a/modules/pam_wheel/pam_wheel.c
9d3d10
+++ b/modules/pam_wheel/pam_wheel.c
9d3d10
@@ -141,6 +141,16 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
9d3d10
     } else {
9d3d10
         fromsu = pam_modutil_getlogin(pamh);
9d3d10
 
9d3d10
+        /* if getlogin fails try a fallback to PAM_RUSER */
9d3d10
+        if (fromsu == NULL) {
9d3d10
+            const char *rhostname;
9d3d10
+
9d3d10
+            retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
9d3d10
+            if (retval != PAM_SUCCESS || rhostname == NULL) {
9d3d10
+                retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
9d3d10
+            }
9d3d10
+        }
9d3d10
+
9d3d10
         if (fromsu != NULL) {
9d3d10
             tpwd = pam_modutil_getpwnam (pamh, fromsu);
9d3d10
         }
9d3d10
-- 
9d3d10
2.26.2
9d3d10
9d3d10
9d3d10
From a3a5cbf86083c43026b558e2023f597530626267 Mon Sep 17 00:00:00 2001
9d3d10
From: ikerexxe <ipedrosa@redhat.com>
9d3d10
Date: Wed, 9 Sep 2020 10:32:03 +0200
9d3d10
Subject: [PATCH 3/3] pam_wheel: clarify use_uid option in man page
9d3d10
9d3d10
modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the
9d3d10
real uid of the calling process.
9d3d10
---
9d3d10
 modules/pam_wheel/pam_wheel.8.xml | 6 +++---
9d3d10
 1 file changed, 3 insertions(+), 3 deletions(-)
9d3d10
9d3d10
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
9d3d10
index b32f5e2b..ee8c7d26 100644
9d3d10
--- a/modules/pam_wheel/pam_wheel.8.xml
9d3d10
+++ b/modules/pam_wheel/pam_wheel.8.xml
9d3d10
@@ -122,9 +122,9 @@
9d3d10
         </term>
9d3d10
         <listitem>
9d3d10
           <para>
9d3d10
-            The check for wheel membership will be done against
9d3d10
-            the current uid instead of the original one (useful when
9d3d10
-            jumping with su from one account to another for example).
9d3d10
+            The check will be done against the real uid of the calling process,
9d3d10
+            instead of trying to obtain the user from the login session
9d3d10
+            associated with the terminal in use.
9d3d10
           </para>
9d3d10
         </listitem>
9d3d10
       </varlistentry>
9d3d10
-- 
9d3d10
2.26.2
9d3d10