author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-11-12 17:26:18 +0100 |
---|---|---|
committer | Dmitry V. Levin <ldv@strace.io> | 2023-11-29 15:40:53 +0000 |
commit | ea53ebbd05ea695bca0130a882f89ea831284c36 (patch) | |
tree | 683768bfc187206ba3d67cf85f90634583eec7d1 /modules/pam_mkhomedir/mkhomedir_helper.c | |
parent | f2fef8e3a84507ae15e40ac9b37256a4f7484500 (diff) | |
pam_mkhomedir: set home directory mode only once
If HOME_MODE of login.conf is more restrictive than the default
directory mode derived from the umask, there is a short window in which
the home directory has a less restrictive mode than requested: between
the chmod at the end of create_homedir and the second chmod in
create_homedir_helper.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'modules/pam_mkhomedir/mkhomedir_helper.c')
-rw-r--r-- | modules/pam_mkhomedir/mkhomedir_helper.c | 21 |
1 files changed, 7 insertions, 14 deletions
diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
index 67b6f34e..36d9502e 100644
--- a/modules/pam_mkhomedir/mkhomedir_helper.c
+++ b/modules/pam_mkhomedir/mkhomedir_helper.c
@@ -27,12 +27,11 @@
 #include <security/pam_modutil.h>
 static unsigned long u_mask = 0022;
-static unsigned long home_mode = 0;
 static char skeldir[BUFSIZ] = "/etc/skel";
 /* Do the actual work of creating a home dir */
 static int
-create_homedir(const struct passwd *pwd,
+create_homedir(const struct passwd *pwd, mode_t dir_mode,
 const char *source, const char *dest)
 {
 char remark[BUFSIZ];
@@ -104,7 +103,7 @@ create_homedir(const struct passwd *pwd,
 /* If it's a directory, recurse. */
 if (S_ISDIR(st.st_mode))
 {
- retval = create_homedir(pwd, newsource, newdest);
+ retval = create_homedir(pwd, dir_mode & (~u_mask), newsource, newdest);
 free(newsource);
 free(newdest);
@@ -275,7 +274,7 @@ create_homedir(const struct passwd *pwd,
 go_out:
- if (chmod(dest, 0777 & (~u_mask)) != 0 ||
+ if (chmod(dest, dir_mode) != 0 ||
 chown(dest, pwd->pw_uid, pwd->pw_gid) != 0)
 {
 pam_syslog(NULL, LOG_DEBUG,
@@ -287,19 +286,12 @@ create_homedir(const struct passwd *pwd,
 }
 static int
-create_homedir_helper(const struct passwd *_pwd,
+create_homedir_helper(const struct passwd *_pwd, mode_t home_mode,
 const char *_skeldir, const char *_homedir)
 {
 int retval = PAM_SESSION_ERR;
- retval = create_homedir(_pwd, _skeldir, _homedir);
-
- if (chmod(_homedir, home_mode) != 0)
- {
- pam_syslog(NULL, LOG_DEBUG,
- "unable to change perms on home directory %s: %m", _homedir);
- return PAM_PERM_DENIED;
- }
+ retval = create_homedir(_pwd, home_mode, _skeldir, _homedir);
 return retval;
 }
@@ -338,6 +330,7 @@ main(int argc, char *argv[])
 struct passwd *pwd;
 struct stat st;
 char *eptr;
+ unsigned long home_mode = 0;
 if (argc < 2)
 {
 fprintf(stderr, "Usage: %s <username> [<umask> [<skeldir> [<home_mode>]]]\n", argv[0]);
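Review bot: The new `dir_mode` parameter of `create_homedir` is not explained by the comment above it (`/* Do the actual work of creating a home dir */`), and the relation between the two modes is not visible from the signature: `dir_mode` is applied verbatim to `dest` at `go_out`, while the recursive call hands subdirectories `dir_mode & (~u_mask)`. I would extend the comment, e.g. `/* Do the actual work of creating a home dir. dir_mode is chmod'ed onto dest once it is populated; subdirectories copied from the skeleton get dir_mode & ~u_mask. */`. The body of create_homedir continues outside this hunk.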
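Review bot: The recursive call now passes `dir_mode & (~u_mask)` where the callee previously applied `0777 & (~u_mask)` itself, so skeleton subdirectories no longer get the umask-derived default but inherit the top-level home mode: with a home_mode of 0700 every copied subdirectory becomes 0700 as well. The commit message only talks about closing the window on the home directory itself, so either this tightening is intended and should be stated there, or the recursion should keep the old subdirectory mode with `retval = create_homedir(pwd, 0777 & (~u_mask), newsource, newdest);`. Note also that masking with u_mask is repeated at every level while only the top-level `dir_mode` reaches chmod unmasked, which is asymmetric for a parameter with a single name. The enclosing function starts and ends outside this hunk.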
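Review bot: With the second chmod removed, `create_homedir_helper` is a pure pass-through and the `int retval = PAM_SESSION_ERR;` initializer is dead, since the next line overwrites it unconditionally. Either collapse the body to `return create_homedir(_pwd, home_mode, _skeldir, _homedir);` or drop the wrapper and let main call create_homedir directly; as written the two statements read as if more work were still pending between them. The parameter also changes type, from the removed file-scope `unsigned long home_mode` to `mode_t home_mode`, so the caller in main now converts implicitly.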
@@ -387,5 +380,5 @@ main(int argc, char *argv[]) if (make_parent_dirs(pwd->pw_dir, 0) != PAM_SUCCESS) return PAM_PERM_DENIED; - return create_homedir_helper(pwd, skeldir, pwd->pw_dir); + return create_homedir_helper(pwd, home_mode, skeldir, pwd->pw_dir); } |
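Review bot: `home_mode` is an `unsigned long` in main but is passed to a `mode_t` parameter, an implicit narrowing with no range check visible in this hunk; if the parsing of argv[4] (outside this hunk) does not already reject values above 07777, an oversized value is silently truncated here and then handed straight to chmod. I would guard before this call, e.g. `if (home_mode > 07777)` followed by the same error return the usage check uses, or do the check where the value is parsed. The zero default from the earlier hunk deserves the same confirmation: if no code path substitutes a real mode for 0, chmod(dest, 0) would leave the new home directory inaccessible to its owner — presumably the existing default handling covers this, but it is not visible here. main's body continues before this hunk.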