-rw-r--r--modules/pam_unix/lckpwdf.-c17
-rw-r--r--modules/pam_unix/pam_unix_passwd.c2
-rw-r--r--modules/pam_unix/passverify.c16
-rw-r--r--modules/pam_unix/support.c2
4 files changed, 13 insertions, 24 deletions
diff --git a/modules/pam_unix/lckpwdf.-c b/modules/pam_unix/lckpwdf.-c
index c3e63155..4d0f0ad3 100644
--- a/modules/pam_unix/lckpwdf.-c
+++ b/modules/pam_unix/lckpwdf.-c
@@ -35,15 +35,6 @@
static int lockfd = -1;
-static int set_close_on_exec(int fd)
-{
- int flags = fcntl(fd, F_GETFD, 0);
- if (flags == -1)
- return -1;
- flags |= FD_CLOEXEC;
- return fcntl(fd, F_SETFD, flags);
-}
-
static int do_lock(int fd)
{
struct flock fl;
@@ -70,7 +61,7 @@ static int lckpwdf(void)
#ifdef WITH_SELINUX
if(is_selinux_enabled()>0)
{
- lockfd = open(LOCKFILE, O_WRONLY);
+ lockfd = open(LOCKFILE, O_WRONLY | O_CLOEXEC);
if(lockfd == -1 && errno == ENOENT)
{
char *create_context_raw;
@@ -82,18 +73,16 @@ static int lckpwdf(void)
freecon(create_context_raw);
if(rc)
return -1;
- lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
+ lockfd = open(LOCKFILE, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
if(setfscreatecon_raw(NULL))
return -1;
}
}
else
#endif
- lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
+ lockfd = open(LOCKFILE, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
if (lockfd == -1)
return -1;
- if (set_close_on_exec(lockfd) == -1)
- goto cleanup_fd;
memset(&act, 0, sizeof act);
act.sa_handler = alarm_catch;
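Review bot: In the SELinux branch the `return -1` taken when `setfscreatecon_raw(NULL)` fails comes right after the open() on the line above it succeeded, and nothing in the hunk closes the descriptor now held in the static `lockfd`; the only cleanup the hunk keeps is the `lockfd == -1` check further down, which that path never reaches. This predates the change, but it sits on the new side and the commit removed the one `goto cleanup_fd` that used to exist in this region, so `if(setfscreatecon_raw(NULL)) { close(lockfd); lockfd = -1; return -1; }` would keep the failure path from leaking the lock file descriptor, unless ulckpwdf (outside this hunk) is known to reap a stale `lockfd`. Folding O_CLOEXEC into the open() flags also removes the window in which another thread's fork/exec could inherit the descriptor between open and the old fcntl helper; since the helper's name documented that intent, a comment such as `/* O_CLOEXEC: set atomically so a concurrent fork/exec cannot inherit the lock fd */` on the first open would preserve it. lckpwdf's body continues past the hunk.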
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index fe3f566a..3a223949 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -346,7 +346,7 @@ static int check_old_password(const char *forwho, const char *newpass)
size_t n = 0;
size_t len = strlen(forwho);
- opwfile = fopen(OLD_PASSWORDS_FILE, "r");
+ opwfile = fopen(OLD_PASSWORDS_FILE, "re");
if (opwfile == NULL)
return PAM_ABORT;
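Review bot: The `"e"` mode character that check_old_password now passes to fopen() is a glibc extension (also honoured by musl); a libc that ignores unknown mode letters would open the file without FD_CLOEXEC, and one that rejects them would make fopen() fail, so the descriptor-inheritance guarantee this relies on is not portable and is invisible at the call site. A short comment at the first use, e.g. `/* "e" asks for O_CLOEXEC (glibc extension) */`, or a build-time check that the target libc honours it, would make the assumption explicit. The same applies to the fopen() hunks in passverify.c (save_old_password, unix_update_passwd, unix_update_shadow) and in support.c. check_old_password's body continues outside the hunk.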
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 60d9ceca..303929a4 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -400,7 +400,7 @@ crypt_make_salt(char *where, int length)
int fd;
int rv;
- if ((rv = fd = open(PAM_PATH_RANDOMDEV, O_RDONLY)) != -1) {
+ if ((rv = fd = open(PAM_PATH_RANDOMDEV, O_RDONLY | O_CLOEXEC)) != -1) {
while ((rv = read(fd, where, length)) != length && errno == EINTR);
close (fd);
}
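Review bot: The retry loop on the line after the changed open() restarts from `where` with the full `length` on every iteration, so a short read can never be completed: read() overwrites the start of the buffer instead of continuing, and a short read that is not an EINTR failure leaves the loop with `rv != length` and a stale errno. Whether that matters depends on how crypt_make_salt treats rv after the hunk, which is outside view; reading in a loop that advances through the buffer would make the salt length independent of that. The enclosing function continues past the hunk.
```c
	if ((rv = fd = open(PAM_PATH_RANDOMDEV, O_RDONLY | O_CLOEXEC)) != -1) {
		int got = 0;
		while (got < length) {
			rv = read(fd, where + got, length - got);
			if (rv < 0 && errno == EINTR)
				continue;
			if (rv <= 0)
				break;
			got += rv;
		}
		rv = (got == length) ? length : -1;
		close (fd);
	}
	/* … unchanged: handling of rv != length … */
```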
@@ -557,7 +557,7 @@ unix_selinux_confined(void)
}
/* let's try opening shadow read only */
- if ((fd=open("/etc/shadow", O_RDONLY)) != -1) {
+ if ((fd=open("/etc/shadow", O_RDONLY | O_CLOEXEC)) != -1) {
close(fd);
confined = 0;
return confined;
@@ -695,14 +695,14 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
freecon(passwd_context_raw);
}
#endif
- pwfile = fopen(OPW_TMPFILE, "w");
+ pwfile = fopen(OPW_TMPFILE, "we");
umask(oldmask);
if (pwfile == NULL) {
err = 1;
goto done;
}
- opwfile = fopen(OLD_PASSWORDS_FILE, "r");
+ opwfile = fopen(OLD_PASSWORDS_FILE, "re");
if (opwfile == NULL) {
fclose(pwfile);
err = 1;
@@ -858,14 +858,14 @@ PAMH_ARG_DECL(int unix_update_passwd,
freecon(passwd_context_raw);
}
#endif
- pwfile = fopen(PW_TMPFILE, "w");
+ pwfile = fopen(PW_TMPFILE, "we");
umask(oldmask);
if (pwfile == NULL) {
err = 1;
goto done;
}
- opwfile = fopen("/etc/passwd", "r");
+ opwfile = fopen("/etc/passwd", "re");
if (opwfile == NULL) {
fclose(pwfile);
err = 1;
@@ -983,14 +983,14 @@ PAMH_ARG_DECL(int unix_update_shadow,
freecon(shadow_context_raw);
}
#endif
- pwfile = fopen(SH_TMPFILE, "w");
+ pwfile = fopen(SH_TMPFILE, "we");
umask(oldmask);
if (pwfile == NULL) {
err = 1;
goto done;
}
- opwfile = fopen("/etc/shadow", "r");
+ opwfile = fopen("/etc/shadow", "re");
if (opwfile == NULL) {
fclose(pwfile);
err = 1;
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 546ef820..d391973f 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -352,7 +352,7 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name,
if (!matched && files && strchr(name, ':') == NULL) {
FILE *passwd;
- passwd = fopen("/etc/passwd", "r");
+ passwd = fopen("/etc/passwd", "re");
if (passwd != NULL) {
size_t n = 0, userlen;
ssize_t r;