diff options
| author | Steve Langasek <vorlon@debian.org> | 2019-01-22 14:54:11 -0800 |
|---|---|---|
| committer | Steve Langasek <vorlon@debian.org> | 2019-01-22 14:54:11 -0800 |
| commit | f00afb1ef201b2eef7f9ddbe5a0c6ca802cf49bb (patch) | |
| tree | 402838c53047b0e21466a653ae88d86a8e4b7b65 /modules/pam_exec/pam_exec.c | |
| parent | 795badba7f95e737f979917859cd32c9bd47bcad (diff) | |
| parent | 1cad9fb2a0d729c5b5e5aa7297c521df7d5a2d33 (diff) | |
| download | pam-f00afb1ef201b2eef7f9ddbe5a0c6ca802cf49bb.tar.gz pam-f00afb1ef201b2eef7f9ddbe5a0c6ca802cf49bb.tar.bz2 pam-f00afb1ef201b2eef7f9ddbe5a0c6ca802cf49bb.zip | |
New upstream version 1.3.0
Diffstat (limited to 'modules/pam_exec/pam_exec.c')
| -rw-r--r-- | modules/pam_exec/pam_exec.c | 74 |
1 files changed, 28 insertions, 46 deletions
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index b56e4b26..0ab65489 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, } pam_set_item (pamh, PAM_AUTHTOK, resp); - authtok = strdupa (resp); + authtok = strndupa (resp, PAM_MAX_RESP_SIZE); _pam_drop (resp); } else - authtok = void_pass; + authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); if (pipe(fds) != 0) { @@ -302,6 +302,10 @@ call_exec (const char *pam_type, pam_handle_t *pamh, char **envlist, **tmp; int envlen, nitems; char *envstr; + enum pam_modutil_redirect_fd redirect_stdin = + expose_authtok ? PAM_MODUTIL_IGNORE_FD : PAM_MODUTIL_PIPE_FD; + enum pam_modutil_redirect_fd redirect_stdout = + (use_stdout || logfile) ? PAM_MODUTIL_IGNORE_FD : PAM_MODUTIL_NULL_FD; /* First, move all the pipes off of stdin, stdout, and stderr, to ensure * that calls to dup2 won't close them. */ @@ -330,18 +334,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh, _exit (err); } } - else - { - close (STDIN_FILENO); - - /* New stdin. */ - if ((i = open ("/dev/null", O_RDWR)) < 0) - { - int err = errno; - pam_syslog (pamh, LOG_ERR, "open of /dev/null failed: %m"); - _exit (err); - } - } /* Set up stdout. */ @@ -368,32 +360,34 @@ call_exec (const char *pam_type, pam_handle_t *pamh, logfile); _exit (err); } - if (asprintf (&buffer, "*** %s", ctime (&tm)) > 0) + if (i != STDOUT_FILENO) { - pam_modutil_write (i, buffer, strlen (buffer)); - free (buffer); + if (dup2 (i, STDOUT_FILENO) == -1) + { + int err = errno; + pam_syslog (pamh, LOG_ERR, "dup2 failed: %m"); + _exit (err); + } + close (i); } - } - else - { - close (STDOUT_FILENO); - if ((i = open ("/dev/null", O_RDWR)) < 0) + if (asprintf (&buffer, "*** %s", ctime (&tm)) > 0) { - int err = errno; - pam_syslog (pamh, LOG_ERR, "open of /dev/null failed: %m"); - _exit (err); + pam_modutil_write (STDOUT_FILENO, buffer, strlen (buffer)); + free (buffer); } } - if (dup2 (STDOUT_FILENO, STDERR_FILENO) == -1) + if ((use_stdout || logfile) && + dup2 (STDOUT_FILENO, STDERR_FILENO) == -1) { int err = errno; pam_syslog (pamh, LOG_ERR, "dup2 failed: %m"); _exit (err); } - for (i = 3; i < sysconf (_SC_OPEN_MAX); i++) - close (i); + if (pam_modutil_sanitize_helper_fds(pamh, redirect_stdin, + redirect_stdout, redirect_stdout) < 0) + _exit(1); if (call_setuid) if (setuid (geteuid ()) == -1) @@ -473,14 +467,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh, return PAM_SYSTEM_ERR; /* will never be reached. */ } -PAM_EXTERN int +int pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { return call_exec ("auth", pamh, argc, argv); } -PAM_EXTERN int +int pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, int argc UNUSED, const char **argv UNUSED) { @@ -489,7 +483,7 @@ pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, /* password updating functions */ -PAM_EXTERN int +int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) { @@ -498,35 +492,23 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, return call_exec ("password", pamh, argc, argv); } -PAM_EXTERN int +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { return call_exec ("account", pamh, argc, argv); } -PAM_EXTERN int +int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { return call_exec ("open_session", pamh, argc, argv); } -PAM_EXTERN int +int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { return call_exec ("close_session", pamh, argc, argv); } - -#ifdef PAM_STATIC -struct pam_module _pam_exec_modstruct = { - "pam_exec", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok, -}; -#endif |