author | Tomas Mraz <tm@t8m.info> | 2009-10-29 15:26:50 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2009-10-29 15:26:50 +0000 |
commit | 2abb3dfa9a3ec4934217c594b7d3edcb43716a16 (patch) | |
tree | d579b2c7f7de63326d948498308d890f3d9b3c91 /modules/pam_xauth/pam_xauth.c | |
parent | 0d0218cc1cae724073a6f93de4d133049b359a81 (diff) | |
Relevant BUGIDs: rhbz#531530
Purpose of commit: bugfix
Commit summary:
---------------
2009-10-29 Tomas Mraz <t8m@centrum.cz>
* modules/pam_xauth/Makefile.am: Link with libselinux.
* modules/pam_xauth/pam_xauth.c(pam_sm_open_session): Call
setfscreatecon() if selinux is enabled to create the .xauth file
with the right label. Original idea by Dan Walsh.
Diffstat (limited to 'modules/pam_xauth/pam_xauth.c')
-rw-r--r-- | modules/pam_xauth/pam_xauth.c | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index bc72a8c1..0a94db4f 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -57,6 +57,12 @@
 #include <security/pam_modutil.h>
 #include <security/pam_ext.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+#include <sys/stat.h>
+#endif
+
 #define DATANAME "pam_xauth_cookie_file"
 #define XAUTHENV "XAUTHORITY"
 #define HOMEENV "HOME"
@@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 getuid(), getgid(), xauth, "-f", cookiefile, "nlist", display, NULL) == 0) {
+ int save_errno;
+#ifdef WITH_SELINUX
+ security_context_t context = NULL;
+#endif
 /* Check that we got a cookie. If not, we get creative. */
 if (((cookie == NULL) || (strlen(cookie) == 0)) &&
 ((strncmp(display, "localhost:", 10) == 0) ||
@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 /* Generate a new file to hold the data. */
 euid = geteuid();
 setfsuid(tpwd->pw_uid);
- fd = mkstemp(xauthority + strlen(XAUTHENV) + 1);
+
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() > 0) {
+ struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (ctx != NULL) {
+ if (selabel_lookup(ctx, &context,
+ xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
+ pam_syslog(pamh, LOG_WARNING,
+ "could not get SELinux label for '%s'",
+ xauthority + sizeof(XAUTHENV));
+ }
+ selabel_close(ctx);
+ if (setfscreatecon(context)) {
+ pam_syslog(pamh, LOG_WARNING,
+ "setfscreatecon(%s) failed: %m", context);
+ }
+ }
+ }
+ fd = mkstemp(xauthority + sizeof(XAUTHENV));
+ save_errno = errno;
+ if (context != NULL) {
+ free(context);
+ setfscreatecon(NULL);
+ }
+#else
+ fd = mkstemp(xauthority + sizeof(XAUTHENV));
+ save_errno = errno;
+#endif
+
 setfsuid(euid);
 if (fd == -1) {
+ errno = save_errno;
 pam_syslog(pamh, LOG_ERR,
 "error creating temporary file `%s': %m",
- xauthority + strlen(XAUTHENV) + 1);
+ xauthority + sizeof(XAUTHENV));
 retval = PAM_SESSION_ERR;
 goto cleanup;
 }
@@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 /* Get a copy of the filename to save as a data item for
 * removal at session-close time. */
 free(cookiefile);
- cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1);
+ cookiefile = strdup(xauthority + sizeof(XAUTHENV));
 /* Save the filename. */
 if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) { |
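Review bot: The cleanup after mkstemp() releases the context returned by selabel_lookup() with plain free(), whereas libselinux documents freecon() as the release function for a security_context_t; `freecon(context);` keeps the code within the library's contract if it ever allocates contexts differently. In the same block, when selabel_lookup() fails `context` stays NULL and setfscreatecon(context) is still attempted, so on failure the warning would hand a NULL pointer to `%s`; `if (context != NULL && setfscreatecon(context))` avoids both the pointless reset and the NULL argument. Also worth stating in a comment: a failed setfscreatecon() only logs a warning and the code still proceeds to mkstemp(), so the cookie file is then created with the default label rather than the looked-up one — presumably an intentional fallback, e.g. `/* Label lookup/creation-context errors are non-fatal: fall back to the default label. */`. pam_sm_open_session starts and ends outside this hunk.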