diff options
| author | Thorsten Kukuk <kukuk@thkukuk.de> | 2011-10-25 14:24:50 +0200 |
|---|---|---|
| committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2011-10-25 14:24:50 +0200 |
| commit | fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a (patch) | |
| tree | 3c0cad2f3bf8c592b5f2d4a9f9f25da0a807b062 /modules/pam_xauth/pam_xauth.c | |
| parent | 109823cb621c900c07c4b6cdc99070d354d19444 (diff) | |
| download | pam-fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a.tar.gz pam-fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a.tar.bz2 pam-fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a.zip | |
2011-10-25 Thorsten Kukuk <kukuk@thkukuk.de>
* release version 1.1.5
* configure.in: Bump version number.
* modules/pam_tally2/pam_tally2.8.xml: Remove never used option
"no_lock_time".
Diffstat (limited to 'modules/pam_xauth/pam_xauth.c')
| -rw-r--r-- | modules/pam_xauth/pam_xauth.c | 45 |
1 files changed, 27 insertions, 18 deletions
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c index a64ae89f..88624b1c 100644 --- a/modules/pam_xauth/pam_xauth.c +++ b/modules/pam_xauth/pam_xauth.c @@ -459,24 +459,33 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, goto cleanup; } - /* Check that both users are amenable to this. By default, this - * boils down to this policy: - * export(ruser=root): only if <user> is listed in .xauth/export - * export(ruser=*) if <user> is listed in .xauth/export, or - * if .xauth/export does not exist - * import(user=*): if <ruser> is listed in .xauth/import, or - * if .xauth/import does not exist */ - i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED; - i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug); - if (i != PAM_SUCCESS) { - retval = PAM_SESSION_ERR; - goto cleanup; - } - i = PAM_SUCCESS; - i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug); - if (i != PAM_SUCCESS) { - retval = PAM_SESSION_ERR; - goto cleanup; + + /* If current user and the target user are the same, don't + check the ACL list, but forward X11 */ + if (strcmp (rpwd->pw_name, tpwd->pw_name) != 0) { + + /* Check that both users are amenable to this. By default, this + * boils down to this policy: + * export(ruser=root): only if <user> is listed in .xauth/export + * export(ruser=*) if <user> is listed in .xauth/export, or + * if .xauth/export does not exist + * import(user=*): if <ruser> is listed in .xauth/import, or + * if .xauth/import does not exist */ + i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED; + i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug); + if (i != PAM_SUCCESS) { + retval = PAM_SESSION_ERR; + goto cleanup; + } + i = PAM_SUCCESS; + i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug); + if (i != PAM_SUCCESS) { + retval = PAM_SESSION_ERR; + goto cleanup; + } + } else { + if (debug) + pam_syslog (pamh, LOG_DEBUG, "current and target user are the same, forward X11"); } /* Figure out where the source user's .Xauthority file is. */ |