From b9dba3310e01a378014520d23e05ed432d0f8266 Mon Sep 17 00:00:00 2001
From: David Woodhouse <David.Woodhouse@intel.com>
Date: Sun, 11 Sep 2011 23:10:16 +0100
Subject: [PATCH] Add no-drop-privs option to manage secret files as root
---
libpam/pam_google_authenticator.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
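--- a/libpam/pam_google_authenticator.c
+++ b/libpam/pam_google_authenticator.c
@@ -60,6 +60,7 @@ typedef struct Params {
 const char *secret_filename_spec;
 int noskewadj;
 int echocode;
+int no_drop_privs;
 } Params;
 
 static char oom;
@@ -1083,6 +1084,8 @@ static int parse_args(pam_handle_t *pamh, int argc, const char **argv,
 params->noskewadj = 1;
 } else if (!strcmp(argv[i], "echo-verification-code")) {
 params->echocode = PAM_PROMPT_ECHO_ON;
+} else if (!strcmp(argv[i], "no-drop-privs")) {
+params->no_drop_privs = 1;
 } else {
 log_message(LOG_ERR, pamh, "Unrecognized option \"%s\"", argv[i]);
 return -1;
@@ -1118,9 +1121,10 @@ static int google_authenticator(pam_handle_t *pamh, int flags,
 int updated = 0;
 if ((username = get_user_name(pamh)) &&
 (secret_filename = get_secret_filename(pamh, ¶ms, username, &uid)) &&
-(old_uid = drop_privileges(pamh, username, uid)) >= 0 &&
-(fd = open_secret_file(pamh, secret_filename, username, uid,
-&filesize, &mtime)) >= 0 &&
+(params.no_drop_privs ||
+(old_uid = drop_privileges(pamh, username, uid))) >= 0 &&
+(fd = open_secret_file(pamh, secret_filename, params.no_drop_privs?"root":username,
+params.no_drop_privs?0:uid, &filesize, &mtime)) >= 0 &&
 (buf = read_file_contents(pamh, secret_filename, &fd, filesize)) &&
 (secret = get_shared_secret(pamh, secret_filename, buf, &secretLen)) &&
 (rate_limit(pamh, secret_filename, &updated, &buf) >= 0) &&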
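Review bot: The privilege-drop guard in the third hunk no longer detects failure: `(params.no_drop_privs || (old_uid = drop_privileges(...))) >= 0` applies `>= 0` to the result of `||`, which is always 0 or 1, so the condition holds even when drop_privileges() returns a negative error and the chain goes on to open and read the secret file without privileges having been dropped. The intended grouping is `(params.no_drop_privs || (old_uid = drop_privileges(pamh, username, uid)) >= 0) &&`, so that a failed drop still aborts the chain as it did before. When no-drop-privs is set, old_uid is also never assigned here; whether the later restore path copes with that depends on how old_uid is initialised outside the hunk and is worth confirming. The option is only recognised in parse_args() and nothing in the diffstat documents it, so a short comment on the `no_drop_privs` field such as `/* keep root; secret file is owned by root, not the user */` would record the intent. google_authenticator() starts and ends outside the hunk.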
--
1.7.6