From 6bf9b454eb971083f0cce49faa2aa1cde329ff5d Mon Sep 17 00:00:00 2001
From: ikerexxe
Date: Wed, 26 Aug 2020 14:44:23 +0200
Subject: [PATCH 1/3] pam_wheel: improve coding style

modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state condition statements
---
 modules/pam_wheel/pam_wheel.c | 36 ++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index a025ebaf..94cb7d89 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -130,25 +130,27 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
 }
 if (ctrl & PAM_USE_UID_ARG) {
- tpwd = pam_modutil_getpwuid (pamh, getuid());
- if (!tpwd) {
- if (ctrl & PAM_DEBUG_ARG) {
+ tpwd = pam_modutil_getpwuid (pamh, getuid());
+ if (tpwd == NULL) {
+ if (ctrl & PAM_DEBUG_ARG) {
 pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
- }
- return PAM_SERVICE_ERR;
- }
- fromsu = tpwd->pw_name;
+ }
+ return PAM_SERVICE_ERR;
+ }
+ fromsu = tpwd->pw_name;
 } else {
- fromsu = pam_modutil_getlogin(pamh);
- if (fromsu) {
- tpwd = pam_modutil_getpwnam (pamh, fromsu);
- }
- if (!fromsu || !tpwd) {
- if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
- }
- return PAM_SERVICE_ERR;
- }
+ fromsu = pam_modutil_getlogin(pamh);
+
+ if (fromsu != NULL) {
+ tpwd = pam_modutil_getpwnam (pamh, fromsu);
+ }
+
+ if (fromsu == NULL || tpwd == NULL) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+ }
+ return PAM_SERVICE_ERR;
+ }
 }
 /*
--
2.26.2

From 9091ea1d81e85f49a221b0325d27b22ce69e444a Mon Sep 17 00:00:00 2001
From: ikerexxe
Date: Thu, 27 Aug 2020 09:16:15 +0200
Subject: [PATCH 2/3] pam_wheel: if getlogin fails fallback to PAM_RUSER

modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user ID, then try with PAM_RUSER.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1866866
---
 modules/pam_wheel/pam_wheel.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index 94cb7d89..7fa3cfa9 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -141,6 +141,16 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
 } else {
 fromsu = pam_modutil_getlogin(pamh);
+ /* if getlogin fails try a fallback to PAM_RUSER */
+ if (fromsu == NULL) {
+ const char *rhostname;
+
+ retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
+ if (retval != PAM_SUCCESS || rhostname == NULL) {
+ retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
+ }
+ }
+
 if (fromsu != NULL) {
 tpwd = pam_modutil_getpwnam (pamh, fromsu);
 }
--
2.26.2

From a3a5cbf86083c43026b558e2023f597530626267 Mon Sep 17 00:00:00 2001
From: ikerexxe
Date: Wed, 9 Sep 2020 10:32:03 +0200
Subject: [PATCH 3/3] pam_wheel: clarify use_uid option in man page

modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the real uid of the calling process.
---
 modules/pam_wheel/pam_wheel.8.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
index b32f5e2b..ee8c7d26 100644
--- a/modules/pam_wheel/pam_wheel.8.xml
+++ b/modules/pam_wheel/pam_wheel.8.xml
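Review bot: In the PATCH 2/3 hunk of modules/pam_wheel/pam_wheel.c, the identity checked for wheel membership can now come from PAM_RUSER, an item set by the calling application rather than derived from the login session, and the one-line comment does not explain why PAM_RHOST is read first. The gate presumably restricts the fallback to local requests, so the comment should say so, e.g. `/* getlogin failed: fall back to PAM_RUSER, but only when PAM_RHOST is unset (local request); PAM_RUSER is supplied by the calling application */`. The result of the second `pam_get_item` is stored in `retval` but never tested here; a failure is caught only by the later `fromsu == NULL` check, which lies outside this hunk, as does the rest of perform_check. For auditability it would help to record when this path is taken, e.g. `if (ctrl & PAM_DEBUG_ARG) pam_syslog(pamh, LOG_DEBUG, "getlogin failed, trying PAM_RUSER");` inside the `fromsu == NULL` block. The man-page hunk in PATCH 3/3 covers only `use_uid` and does not mention this fallback.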
@@ -122,9 +122,9 @@
- The check for wheel membership will be done against
- the current uid instead of the original one (useful when
- jumping with su from one account to another for example).
+ The check will be done against the real uid of the calling process,
+ instead of trying to obtain the user from the login session
+ associated with the terminal in use.
--
2.26.2