author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 19:05:18 -0800 |
---|---|---|
committer | Steve Langasek <vorlon@debian.org> | 2019-01-08 21:26:02 -0800 |
commit | 2fab298d986f0dec0f655884083c78d4cd0a08ff (patch) | |
tree | 3fb48879b8a0f0a14518fb6963febe68218e21b0 /modules/pam_xauth/pam_xauth.c | |
parent | bd01c7eaabdecde8fbf697b17d70e3596aeaf83f (diff) | |
parent | aa0448336a79d85579464f023ac87675be60abfc (diff) | |
merge upstream version 1.1.1
Diffstat (limited to 'modules/pam_xauth/pam_xauth.c')
-rw-r--r-- | modules/pam_xauth/pam_xauth.c | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index bc72a8c1..0a94db4f 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -57,6 +57,12 @@
 #include <security/pam_modutil.h>
 #include <security/pam_ext.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+#include <sys/stat.h>
+#endif
+
 #define DATANAME "pam_xauth_cookie_file"
 #define XAUTHENV "XAUTHORITY"
 #define HOMEENV "HOME"
@@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 getuid(), getgid(),
 xauth, "-f", cookiefile, "nlist", display,
 NULL) == 0) {
+ int save_errno;
+#ifdef WITH_SELINUX
+ security_context_t context = NULL;
+#endif
 /* Check that we got a cookie. If not, we get creative. */
 if (((cookie == NULL) || (strlen(cookie) == 0)) &&
 ((strncmp(display, "localhost:", 10) == 0) ||
@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 /* Generate a new file to hold the data. */
 euid = geteuid();
 setfsuid(tpwd->pw_uid);
- fd = mkstemp(xauthority + strlen(XAUTHENV) + 1);
+
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() > 0) {
+ struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (ctx != NULL) {
+ if (selabel_lookup(ctx, &context,
+ xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
+ pam_syslog(pamh, LOG_WARNING,
+ "could not get SELinux label for '%s'",
+ xauthority + sizeof(XAUTHENV));
+ }
+ selabel_close(ctx);
+ if (setfscreatecon(context)) {
+ pam_syslog(pamh, LOG_WARNING,
+ "setfscreatecon(%s) failed: %m", context);
+ }
+ }
+ }
+ fd = mkstemp(xauthority + sizeof(XAUTHENV));
+ save_errno = errno;
+ if (context != NULL) {
+ free(context);
+ setfscreatecon(NULL);
+ }
+#else
+ fd = mkstemp(xauthority + sizeof(XAUTHENV));
+ save_errno = errno;
+#endif
+
 setfsuid(euid);
 if (fd == -1) {
+ errno = save_errno;
 pam_syslog(pamh, LOG_ERR,
 "error creating temporary file `%s': %m",
- xauthority + strlen(XAUTHENV) + 1);
+ xauthority + sizeof(XAUTHENV));
 retval = PAM_SESSION_ERR;
 goto cleanup;
 }
@@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 /* Get a copy of the filename to save as a data item for
 * removal at session-close time. */
 free(cookiefile);
- cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1);
+ cookiefile = strdup(xauthority + sizeof(XAUTHENV));
 /* Save the filename. */
 if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) { |
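Review bot: The `setfscreatecon(NULL)` reset inside the `if (context != NULL)` block after `mkstemp` is unchecked, so if it fails the process silently keeps the cookie file's creation context for every file it creates afterwards, whereas the earlier `setfscreatecon(context)` call does log its failure. Suggest `if (setfscreatecon(NULL) != 0) pam_syslog(pamh, LOG_WARNING, "setfscreatecon(NULL) failed: %m");` so a stuck creation context is at least visible in the log. On the same lines, libselinux documents `freecon()` as the deallocator for a context returned by `selabel_lookup`, which reads more clearly than the bare `free(context)`. A short comment above the `is_selinux_enabled()` block, such as `/* Label the cookie file as file_contexts maps its final path, instead of inheriting the process default; the lookup uses the mkstemp template (XXXXXX still in place). */`, would help a reader, since whether the template path matches the same file_contexts entry as the final name presumably depends on the policy's patterns and is worth confirming. `pam_sm_open_session` starts and ends outside this hunk.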