From owner-p4-projects Fri Feb 7 7: 4:49 2003
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id A111037B405; Fri, 7 Feb 2003 07:04:46 -0800 (PST)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4AF3137B401 for ; Fri, 7 Feb 2003 07:04:46 -0800 (PST)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC28A43FBF for ; Fri, 7 Feb 2003 07:04:45 -0800 (PST) (envelope-from des@freebsd.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h17F4jbv019308 for ; Fri, 7 Feb 2003 07:04:45 -0800 (PST) (envelope-from des@freebsd.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h17F4jsr019305 for perforce@freebsd.org; Fri, 7 Feb 2003 07:04:45 -0800 (PST)
Date: Fri, 7 Feb 2003 07:04:45 -0800 (PST)
Message-Id: <200302071504.h17F4jsr019305@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to des@freebsd.org using -f
From: Dag-Erling Smorgrav
Subject: PERFORCE change 24779 for review
To: Perforce Change Reviews
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

http://perforce.freebsd.org/chv.cgi?CH=24779

Change 24779 by des@des.at.des.thinksec.com on 2003/02/07 07:04:39

	If a set of saved credentials already exists when we are called,
	log a debugging message and fail.

	If the effective uid is non-zero but identical to the target uid,
	save the current credentials and return without doing anything else.

Affected files ...

.. //depot/projects/openpam/lib/openpam_borrow_cred.c#4 edit

Differences ...

==== //depot/projects/openpam/lib/openpam_borrow_cred.c#4 (text+ko) ====
@@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#3 $ + * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#4 $ */ #include @@ -57,9 +57,18 @@ struct pam_saved_cred *scred; int r; - ENTER(); - if (geteuid() != 0) + ENTERI(pwd->pw_uid); + r = pam_get_data(pamh, PAM_SAVED_CRED, (const void **)&scred); + if (r == PAM_SUCCESS && scred != NULL) { + openpam_log(PAM_LOG_DEBUG, + "already operating under borrowed credentials"); + RETURNC(PAM_SYSTEM_ERR); + } + if (geteuid() != 0 && geteuid() != pwd->pw_uid) { + openpam_log(PAM_LOG_DEBUG, "called with non-zero euid: %d", + (int)geteuid()); RETURNC(PAM_PERM_DENIED); + } scred = calloc(1, sizeof *scred); if (scred == NULL) RETURNC(PAM_BUF_ERR); @@ -76,6 +85,8 @@ free(scred); RETURNC(r); } + if (geteuid() == pwd->pw_uid) + RETURNC(PAM_SUCCESS); if (initgroups(pwd->pw_name, pwd->pw_gid) == -1 || setegid(pwd->pw_gid) == -1 || seteuid(pwd->pw_uid) == -1) { openpam_restore_cred(pamh); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
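Review bot: in the second hunk (@@ -57,9 +57,18 @@), only `r == PAM_SUCCESS && scred != NULL` is treated as the nested-borrow case; every other return value of pam_get_data() is silently taken to mean "no saved credentials" and the function goes on to allocate and save a new set. If pam_get_data() distinguishes "no such item" from a genuine lookup error, consider failing on the latter too, so a failed lookup cannot let a second borrow proceed on top of an undetected earlier one. Both new messages are also logged at PAM_LOG_DEBUG although each reports a caller error (a nested borrow, or a call with an euid that is neither 0 nor the target uid); a higher log level would make these easier to spot, and caching geteuid() in a local uid_t would avoid the three separate calls in the condition and the log line.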
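Review bot: in the third hunk (@@ -76,6 +85,8 @@), the early return `if (geteuid() == pwd->pw_uid) RETURNC(PAM_SUCCESS);` is missing the "non-zero" qualifier stated in the change description: when the caller runs with euid 0 and the target account is also uid 0, the function now returns success before initgroups()/setegid()/seteuid(), whereas the previous code still switched the supplementary group list and effective gid to the target's. If the shortcut is meant only for the unprivileged same-uid case, write it as `if (geteuid() != 0 && geteuid() == pwd->pw_uid)`; otherwise document that a root-to-root borrow no longer touches the group credentials.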