author | Tomas Mraz <tm@t8m.info> | 2008-11-20 14:10:17 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2008-11-20 14:10:17 +0000 |
commit | bc32e648b76cb6eef5a3dd4720a7384d918ca6fb (patch) | |
tree | aa9a564e2b457cac8cb3fa609ea63eed873455ee | |
parent | d356c2696c3044d4b81690830558a3ecd0f3427c (diff) | |
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2008-11-20 Tomas Mraz <t8m@centrum.cz>
* modules/pam_sepermit/pam_sepermit.c (sepermit_match): Do not
call sepermit_lock() if sense is deny. Do not crash on NULL seuser
match.
(pam_sm_authenticate): Try to call getseuserbyname() even if
SELinux is disabled.
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | modules/pam_sepermit/pam_sepermit.c | 24 |
2 files changed, 23 insertions, 9 deletions
@@ -1,3 +1,11 @@
+2008-11-20 Tomas Mraz <t8m@centrum.cz>
+
+	* modules/pam_sepermit/pam_sepermit.c (sepermit_match): Do not
+	call sepermit_lock() if sense is deny. Do not crash on NULL seuser
+	match.
+	(pam_sm_authenticate): Try to call getseuserbyname() even if
+	SELinux is disabled.
+
 2008-11-19 Thorsten Kukuk <kukuk@thkukuk.de>
 
 	* modules/pam_xauth/pam_xauth.c (pam_sm_open_session):
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
index 15cdc3e1..0fd95619 100644
--- a/modules/pam_sepermit/pam_sepermit.c
+++ b/modules/pam_sepermit/pam_sepermit.c
@@ -231,7 +231,7 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
 /* return 0 when matched, -1 when unmatched, pam error otherwise */
 static int
 sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
-	const char *seuser, int debug)
+	const char *seuser, int debug, int sense)
 {
 	FILE *f;
 	char *line = NULL;
@@ -278,6 +278,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 			}
 			break;
 		case '%':
+			if (seuser == NULL)
+				break;
 			++start;
 			if (debug)
 				pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start);
@@ -304,8 +306,12 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 	free(line);
 	fclose(f);
 
-	if (matched)
-		return (geteuid() == 0 && exclusive) ? sepermit_lock(pamh, user, debug) : 0;
+	if (matched) {
+		if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive)
+			return sepermit_lock(pamh, user, debug);
+		else
+			return 0;
+	}
 	else
 		return -1;
 }
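Review bot: The new `if (seuser == NULL) break;` in the `case '%':` arm of the @@ -278 hunk makes every seuser-based config line silently unmatched when no seuser could be resolved, and the `if (debug)` syslog two lines below is skipped as well, so an administrator with `debug` on gets no hint why a `%seuser` entry did not apply. A debug-level line inside the guard would make that visible, e.g. `if (debug) pam_syslog(pamh, LOG_NOTICE, "No seuser for user %s, skipping seuser entry", user);` before the `break`. The body of sepermit_match starts and ends outside this hunk, so where `matched` is set for the other arms cannot be checked here.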
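Review bot: The header comment kept as context in the @@ -231 hunk, `/* return 0 when matched, -1 when unmatched, pam error otherwise */`, no longer describes the function after the @@ -304 hunk: with the new `sense` parameter the exclusive lock is taken only when `sense == PAM_SUCCESS`, so a match in deny sense now returns 0 without calling sepermit_lock(). Suggest extending it to `/* return 0 when matched, -1 when unmatched, pam error otherwise; the exclusive lock is taken only when sense is PAM_SUCCESS (access will be granted) */`. As a point of style, the `else` that survives after the new braced `if (matched) { ... }` is redundant since every branch returns; `if (matched) { ... }` followed by a plain `return -1;` reads more clearly.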
@@ -348,18 +354,18 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
 			pam_syslog(pamh, LOG_NOTICE, "Enforcing mode, access will be allowed on match");
 			sense = PAM_SUCCESS;
 		}
+	}
 
-		if (getseuserbyname(user, &seuser, &level) != 0) {
-			seuser = NULL;
-			level = NULL;
-			pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m");
-		}
+	if (getseuserbyname(user, &seuser, &level) != 0) {
+		seuser = NULL;
+		level = NULL;
+		pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m");
 	}
 
 	if (debug && sense != PAM_SUCCESS)
 		pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
 
-	rv = sepermit_match(pamh, cfgfile, user, seuser, debug);
+	rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense);
 
 	if (debug)
 		pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);
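Review bot: Moving the getseuserbyname() call out of the SELinux-enabled block means its failure is now logged at LOG_ERR on hosts where SELinux is disabled, where a failure (no policy or seusers configuration present) is presumably the normal case rather than an error, so every authentication through this module would add an error-level syslog line. If that is confirmed, the severity should depend on whether SELinux is enabled, e.g. `pam_syslog(pamh, is_selinux_enabled() > 0 ? LOG_ERR : LOG_NOTICE, "getseuserbyname failed: %m");`, or the message gated on `debug` in the disabled case. The `%m` conversion also assumes getseuserbyname() leaves a meaningful errno on failure, which is not visible here. pam_sm_authenticate begins before this hunk and continues after it, so where `sense`, `seuser` and `level` are initialized and released cannot be checked from the hunk.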