From 4ad428dc125159cb66f796dcf1a16c0237541187 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?=
Date: Fri, 7 Feb 2003 16:04:39 +0000
Subject: [PATCH] If a set of saved credentials already exists when we are called, log a debugging message and fail. If the effective uid is non-zero but identical to the target uid, save the current credentials and return without doing anything else.

git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@201 185d5e19-27fe-0310-9dcf-9bff6b9f3609
---
 lib/openpam_borrow_cred.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/lib/openpam_borrow_cred.c b/lib/openpam_borrow_cred.c
index ef1a850..8a8c458 100644
--- a/lib/openpam_borrow_cred.c
+++ b/lib/openpam_borrow_cred.c
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#3 $
+ * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#4 $
 */
 
 #include
@@ -57,9 +57,18 @@ openpam_borrow_cred(pam_handle_t *pamh,
 struct pam_saved_cred *scred;
 int r;
 
- ENTER();
- if (geteuid() != 0)
+ ENTERI(pwd->pw_uid);
+ r = pam_get_data(pamh, PAM_SAVED_CRED, (const void **)&scred);
+ if (r == PAM_SUCCESS && scred != NULL) {
+ openpam_log(PAM_LOG_DEBUG,
+ "already operating under borrowed credentials");
+ RETURNC(PAM_SYSTEM_ERR);
+ }
+ if (geteuid() != 0 && geteuid() != pwd->pw_uid) {
+ openpam_log(PAM_LOG_DEBUG, "called with non-zero euid: %d",
+ (int)geteuid());
 RETURNC(PAM_PERM_DENIED);
+ }
 scred = calloc(1, sizeof *scred);
 if (scred == NULL)
 RETURNC(PAM_BUF_ERR);
@@ -76,6 +85,8 @@ openpam_borrow_cred(pam_handle_t *pamh,
 free(scred);
 RETURNC(r);
 }
+ if (geteuid() == pwd->pw_uid)
+ RETURNC(PAM_SUCCESS);
 if (initgroups(pwd->pw_name, pwd->pw_gid) == -1 ||
 setegid(pwd->pw_gid) == -1 || seteuid(pwd->pw_uid) == -1) {
 openpam_restore_cred(pamh);
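Review bot: The denial branch logs only the caller's euid, although the new condition `geteuid() != 0 && geteuid() != pwd->pw_uid` also depends on the target uid, so the debug log does not show which borrow was refused. Logging both values, for example `"euid %lu may not borrow uid %lu"` with `(unsigned long)` casts, would also stop large uids from printing as negative numbers through `%d` and `(int)`. Separately, `ENTERI(pwd->pw_uid)` now dereferences `pwd` on entry; the signature and any argument checks lie outside the hunk, so it is worth confirming that callers never pass NULL.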
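Review bot: The early return `if (geteuid() == pwd->pw_uid) RETURNC(PAM_SUCCESS);` also fires when caller and target are both uid 0, whereas the commit description limits the shortcut to a non-zero euid. If the description is the intent, `if (geteuid() != 0 && geteuid() == pwd->pw_uid)` would match it. On this path `initgroups()` and `setegid()` are skipped, so the process keeps its current egid and supplementary groups, and a PAM_SUCCESS return does not mean it holds the target's group set; a setgid caller would presumably keep its extra group. A comment above the check would make that explicit for module authors, e.g. `/* euid already matches; egid and groups are left unchanged */`. The remainder of the function lies outside the hunk.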