1 | From b9dba3310e01a378014520d23e05ed432d0f8266 Mon Sep 17 00:00:00 2001 |
2 | From: David Woodhouse <David.Woodhouse@intel.com> | |
3 | Date: Sun, 11 Sep 2011 23:10:16 +0100 | |
4 | Subject: [PATCH] Add no-drop-privs option to manage secret files as root | |
5 | ||
6 | --- | |
7 | libpam/pam_google_authenticator.c | 10 +++++++--- | |
8 | 1 files changed, 7 insertions(+), 3 deletions(-) | |
9 | ||
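diff --git a/libpam/pam_google_authenticator.c b/libpam/pam_google_authenticator.c
index c6b8e58..1b83c38 100644
--- a/src/pam_google_authenticator.c
+++ b/src/pam_google_authenticator.c
@@ -60,6 +60,7 @@ typedef struct Params {
   const char *secret_filename_spec;
   int noskewadj;
   int echocode;
+  int no_drop_privs;
 } Params;
 
 static char oom;
@@ -1083,6 +1084,8 @@ static int parse_args(pam_handle_t *pamh, int argc, const char **argv,
     params->noskewadj = 1;
   } else if (!strcmp(argv[i], "echo-verification-code")) {
     params->echocode = PAM_PROMPT_ECHO_ON;
+  } else if (!strcmp(argv[i], "no-drop-privs")) {
+    params->no_drop_privs = 1;
   } else {
     log_message(LOG_ERR, pamh, "Unrecognized option \"%s\"", argv[i]);
     return -1;
@@ -1118,9 +1121,10 @@ static int google_authenticator(pam_handle_t *pamh, int flags,
   int updated = 0;
   if ((username = get_user_name(pamh)) &&
       (secret_filename = get_secret_filename(pamh, ¶ms, username, &uid)) &&
-      (old_uid = drop_privileges(pamh, username, uid)) >= 0 &&
-      (fd = open_secret_file(pamh, secret_filename, username, uid,
-                             &filesize, &mtime)) >= 0 &&
+      (params.no_drop_privs ||
+       (old_uid = drop_privileges(pamh, username, uid))) >= 0 &&
+      (fd = open_secret_file(pamh, secret_filename, params.no_drop_privs?"root":username,
+                             params.no_drop_privs?0:uid, &filesize, &mtime)) >= 0 &&
       (buf = read_file_contents(pamh, secret_filename, &fd, filesize)) &&
       (secret = get_shared_secret(pamh, secret_filename, buf, &secretLen)) &&
       (rate_limit(pamh, secret_filename, &updated, &buf) >= 0) &&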
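Review bot: The new condition `(params.no_drop_privs || (old_uid = drop_privileges(pamh, username, uid))) >= 0` compares the result of the `||`, which is always 0 or 1, so a negative return from drop_privileges() no longer fails the chain and the module goes on to open the secret file without having dropped privileges. The `>= 0` has to apply to the assignment, not to the disjunction: `(params.no_drop_privs || (old_uid = drop_privileges(pamh, username, uid)) >= 0) &&`. With no-drop-privs set, old_uid is also left unassigned on this path; its declaration and any later restore of privileges keyed on it lie outside the hunk, so if the tail of google_authenticator uses old_uid it presumably needs an explicit sentinel initialisation (for example -1) before this `if`. The open_secret_file line is also over the file's line length and the `?:` expressions have no spacing; hoisting `const char *owner = params.no_drop_privs ? "root" : username;` and `uid_t owner_uid = params.no_drop_privs ? 0 : uid;` above the `if` would read better. google_authenticator continues outside the hunk.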
45 | -- | |
46 | 1.7.6 | |