From 6bf9b454eb971083f0cce49faa2aa1cde329ff5d Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Wed, 26 Aug 2020 14:44:23 +0200
Subject: [PATCH 1/3] pam_wheel: improve coding style
modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state
condition statements
---
modules/pam_wheel/pam_wheel.c | 36 ++++++++++++++++++-----------------
1 file changed, 19 insertions(+), 17 deletions(-)
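diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index a025ebaf..94cb7d89 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -130,25 +130,27 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
 }
 
 if (ctrl & PAM_USE_UID_ARG) {
- tpwd = pam_modutil_getpwuid (pamh, getuid());
- if (!tpwd) {
- if (ctrl & PAM_DEBUG_ARG) {
+ tpwd = pam_modutil_getpwuid (pamh, getuid());
+ if (tpwd == NULL) {
+ if (ctrl & PAM_DEBUG_ARG) {
 pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
- }
- return PAM_SERVICE_ERR;
- }
- fromsu = tpwd->pw_name;
+ }
+ return PAM_SERVICE_ERR;
+ }
+ fromsu = tpwd->pw_name;
 } else {
- fromsu = pam_modutil_getlogin(pamh);
- if (fromsu) {
- tpwd = pam_modutil_getpwnam (pamh, fromsu);
- }
- if (!fromsu || !tpwd) {
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
- }
- return PAM_SERVICE_ERR;
- }
+ fromsu = pam_modutil_getlogin(pamh);
+
+ if (fromsu != NULL) {
+ tpwd = pam_modutil_getpwnam (pamh, fromsu);
+ }
+
+ if (fromsu == NULL || tpwd == NULL) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+ }
+ return PAM_SERVICE_ERR;
+ }
 }
 
 /*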
--
2.26.2
From 9091ea1d81e85f49a221b0325d27b22ce69e444a Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Thu, 27 Aug 2020 09:16:15 +0200
Subject: [PATCH 2/3] pam_wheel: if getlogin fails fallback to PAM_RUSER
modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user
ID, then try with PAM_RUSER.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1866866
---
modules/pam_wheel/pam_wheel.c | 10 ++++++++++
1 file changed, 10 insertions(+)
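diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index 94cb7d89..7fa3cfa9 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -141,6 +141,16 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
 } else {
 fromsu = pam_modutil_getlogin(pamh);
 
+ /* if getlogin fails try a fallback to PAM_RUSER */
+ if (fromsu == NULL) {
+ const char *rhostname;
+
+ retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
+ if (retval != PAM_SUCCESS || rhostname == NULL) {
+ retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
+ }
+ }
+
 if (fromsu != NULL) {
 tpwd = pam_modutil_getpwnam (pamh, fromsu);
 }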
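Review bot: The new fallback lets `PAM_RUSER`, an item the calling application sets and PAM itself does not verify, name the user whose wheel membership is checked, yet the comment above it does not say why `PAM_RHOST` is read first. I would spell out the trust assumption, e.g. `/* PAM_RUSER comes from the application; use it only when no PAM_RHOST is set, i.e. the request is local */`. The return value of the second `pam_get_item` is stored in `retval` and not tested in this hunk, so a failure is only caught indirectly by the later `fromsu != NULL` test; an explicit check, plus a `pam_syslog` under `PAM_DEBUG_ARG` recording that the name came from `PAM_RUSER`, would make the decision auditable. perform_check starts and ends outside the hunk, so how `retval` is used afterwards cannot be seen here.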
--
2.26.2
From a3a5cbf86083c43026b558e2023f597530626267 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Wed, 9 Sep 2020 10:32:03 +0200
Subject: [PATCH 3/3] pam_wheel: clarify use_uid option in man page
modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the
real uid of the calling process.
---
modules/pam_wheel/pam_wheel.8.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
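diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
index b32f5e2b..ee8c7d26 100644
--- a/modules/pam_wheel/pam_wheel.8.xml
+++ b/modules/pam_wheel/pam_wheel.8.xml
@@ -122,9 +122,9 @@
 </term>
 <listitem>
 <para>
- The check for wheel membership will be done against
- the current uid instead of the original one (useful when
- jumping with su from one account to another for example).
+ The check will be done against the real uid of the calling process,
+ instead of trying to obtain the user from the login session
+ associated with the terminal in use.
 </para>
 </listitem>
 </varlistentry>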
--
2.26.2