author | Tomas Mraz <tm@t8m.info> | 2005-10-20 17:01:06 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2005-10-20 17:01:06 +0000 |
commit | d9b712775c5f1962d3490b43465537c3e28a8c49 (patch) | |
tree | c9cf9e640727cd38b13f30b5b612d6da9357952a /modules/pam_xauth/pam_xauth.c | |
parent | 593ea15559fedf71fdb6e6fdc23a8f2532f7d571 (diff) | |
Relevant BUGIDs: Red Hat bz 171164
Purpose of commit: new feature
Commit summary:
---------------
2005-10-20 Tomas Mraz <t8m@centrum.cz>
* configure.in: Added check for xauth binary and --with-xauth option.
* config.h.in: Added configurable PAM_PATH_XAUTH.
* modules/pam_xauth/README,
modules/pam_xauth/pam_xauth.8: Document where xauth is looked for.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Implement
searching for the xauth binary in multiple places.
(run_coprocess): Don't use execvp as it can be a security risk.
Diffstat (limited to 'modules/pam_xauth/pam_xauth.c')
-rw-r--r-- | modules/pam_xauth/pam_xauth.c | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index a830010d..886b2f88 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -58,12 +58,21 @@
 #include <security/pam_ext.h>
 #define DATANAME "pam_xauth_cookie_file"
-#define XAUTHBIN "/usr/X11R6/bin/xauth"
 #define XAUTHENV "XAUTHORITY"
 #define HOMEENV "HOME"
 #define XAUTHDEF ".Xauthority"
 #define XAUTHTMP ".xauthXXXXXX"
+/* Possible paths to xauth executable */
+static const char * const xauthpaths[] = {
+#ifdef PAM_PATH_XAUTH
+ PAM_PATH_XAUTH,
+#endif
+ "/usr/X11R6/bin/xauth",
+ "/usr/bin/xauth",
+ "/usr/bin/X11/xauth"
+};
+
 /* Run a given command (with a NULL-terminated argument list), feeding it the
 * given input on stdin, and storing any output it generates. */
 static int
@@ -131,7 +140,7 @@ run_coprocess(const char *input, char **output,
 args[j] = strdup(tmp);
 }
 /* Run the command. */
- execvp(command, args);
+ execv(command, args);
 /* Never reached. */
 exit(1);
 }
@@ -276,10 +285,9 @@ int
 pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 int argc, const char **argv)
 {
- char xauthpath[] = XAUTHBIN;
 char *cookiefile = NULL, *xauthority = NULL, *cookie = NULL, *display = NULL, *tmp = NULL;
- const char *user, *xauth = xauthpath;
+ const char *user, *xauth = NULL;
 struct passwd *tpwd, *rpwd;
 int fd, i, debug = 0;
 int retval = PAM_SUCCESS;
@@ -321,6 +329,19 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 pam_syslog(pamh, LOG_WARNING, "unrecognized option `%s'", argv[i]);
 }
+
+ if (xauth == NULL) {
+ for (i = 0; i < sizeof(xauthpaths)/sizeof(xauthpaths[0]); i++) {
+ if (access(xauthpaths[i], X_OK) == 0) {
+ xauth = xauthpaths[i];
+ break;
+ }
+ }
+ if (xauth == NULL) {
+ /* xauth executable not found - nothing to do */
+ return PAM_SUCCESS;
+ }
+ }
 /* If DISPLAY isn't set, we don't really care, now do we? */
 if ((display = getenv("DISPLAY")) == NULL) { |
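Review bot: The comment above `xauthpaths` in the first hunk (-58,12 +58,21) does not state the two properties the rest of the commit relies on: entries are tried in array order, and each must be an absolute path because run_coprocess now calls `execv`, which does no PATH lookup. Suggested wording: `/* Candidate xauth paths, tried in order; each must be absolute because execv() does no PATH search. */`. A `--with-xauth` value that is not absolute would otherwise be resolved against the current working directory of whatever program loaded the module, so the configure-side check is worth confirming.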
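Review bot: In the second hunk (-131,7 +140,7) the context comment `/* Never reached. */` after the new `execv(command, args);` is inaccurate, because execv returns on failure, and without execvp's PATH search a `command` that is not a full path now ends up on this line. Suggest `/* Reached only if execv() failed. */` and, if this branch runs in a forked child as the surrounding lines suggest, `_exit(1);` instead of `exit(1);` so the child does not run the parent's atexit handlers or flush its inherited stdio buffers. run_coprocess begins and ends outside the hunk, so whether every caller passes an absolute path cannot be confirmed from here.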
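Review bot: In the last hunk (-321,6 +329,19), when no `xauthpaths` entry passes `access(..., X_OK)` the new block returns `PAM_SUCCESS` with no log line, so a missing xauth binary silently disables cookie forwarding; adding `if (debug) pam_syslog(pamh, LOG_DEBUG, "xauth binary not found");` before the return would make that diagnosable. The search is skipped whenever `xauth` is already non-NULL, presumably set by a module option parsed above the hunk, so such a path gets no executable check and must be absolute now that execv is used. `access()` also answers for the real UID/GID of the calling process, which may differ from the identity that later executes xauth, so the exec failure path still has to be handled. As a style point, `i` is an `int` compared against a `sizeof` expression; a cast such as `(int)(sizeof(xauthpaths)/sizeof(xauthpaths[0]))` avoids the signed/unsigned comparison. The body of pam_sm_open_session continues outside the hunk.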