up to 1.04
1 From b9dba3310e01a378014520d23e05ed432d0f8266 Mon Sep 17 00:00:00 2001
2 From: David Woodhouse <David.Woodhouse@intel.com>
3 Date: Sun, 11 Sep 2011 23:10:16 +0100
4 Subject: [PATCH] Add no-drop-privs option to manage secret files as root
5
6 ---
7  libpam/pam_google_authenticator.c |   10 +++++++---
8  1 files changed, 7 insertions(+), 3 deletions(-)
9
10 diff --git a/libpam/pam_google_authenticator.c b/libpam/pam_google_authenticator.c
11 index c6b8e58..1b83c38 100644
12 --- a/src/pam_google_authenticator.c
13 +++ b/src/pam_google_authenticator.c
14 @@ -60,6 +60,7 @@ typedef struct Params {
15    const char *secret_filename_spec;
16    int        noskewadj;
17    int        echocode;
18 +  int        no_drop_privs;
19  } Params;
20  
21  static char oom;
22 @@ -1083,6 +1084,8 @@ static int parse_args(pam_handle_t *pamh, int argc, const char **argv,
23        params->noskewadj = 1;
24      } else if (!strcmp(argv[i], "echo-verification-code")) {
25        params->echocode = PAM_PROMPT_ECHO_ON;
26 +    } else if (!strcmp(argv[i], "no-drop-privs")) {
27 +      params->no_drop_privs = 1;
28      } else {
29        log_message(LOG_ERR, pamh, "Unrecognized option \"%s\"", argv[i]);
30        return -1;
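Review bot: The new `no-drop-privs` branch in parse_args has no comment telling an administrator what the option changes, although it alters which identity touches the secret file. Judging by the later hunk in google_authenticator, setting it skips drop_privileges() and passes `"root"` and uid 0 to open_secret_file, so the file is presumably expected to belong to root rather than to the authenticating user. I would add above `params->no_drop_privs = 1;` a comment such as `/* Keep current privileges: secret files are opened as root and must be root-owned; point secret_filename_spec at a directory users cannot write to. */`. parse_args starts and ends outside this hunk.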
31 @@ -1118,9 +1121,10 @@ static int google_authenticator(pam_handle_t *pamh, int flags,
32    int updated = 0;
33    if ((username = get_user_name(pamh)) &&
34        (secret_filename = get_secret_filename(pamh, &params, username, &uid)) &&
35 -      (old_uid = drop_privileges(pamh, username, uid)) >= 0 &&
36 -      (fd = open_secret_file(pamh, secret_filename, username, uid,
37 -                             &filesize, &mtime)) >= 0 &&
38 +      (params.no_drop_privs ||
39 +       (old_uid = drop_privileges(pamh, username, uid))) >= 0 &&
40 +      (fd = open_secret_file(pamh, secret_filename, params.no_drop_privs?"root":username,
41 +                            params.no_drop_privs?0:uid, &filesize, &mtime)) >= 0 &&
42        (buf = read_file_contents(pamh, secret_filename, &fd, filesize)) &&
43        (secret = get_shared_secret(pamh, secret_filename, buf, &secretLen)) &&
44        (rate_limit(pamh, secret_filename, &updated, &buf) >= 0) &&
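Review bot: The rewritten condition in google_authenticator no longer detects a failed drop_privileges(): the `>= 0` now applies to the result of the `||`, which is always 0 or 1, so the test passes even when drop_privileges() returns a negative value and the chain goes on to open the secret file with privileges still held. Moving the comparison inside the parentheses restores the check: `(params.no_drop_privs || (old_uid = drop_privileges(pamh, username, uid)) >= 0) &&`. With the option set, old_uid is never assigned in this expression; its initial value and the code that restores privileges are outside the hunk, so it is worth confirming that path does not act on an unset old_uid. The function body starts and ends outside the hunk.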
45 -- 
46 1.7.6
47