+2006-08-09 David Howells <dhowells@redhat.com>
+
+ * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Set real uid
+ to user's before revoking.
+ (pam_sm_open_session): Remember the uid.
+
2006-08-06 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_umask/pam_umask.c (setup_limits_from_gecos):
* libpam/Makefile.am: Bump patchlevel of libpam.
* libpam/pam_dispatch.c (_pam_dispatch_aux): If [return=die]
or [return=bad] is used, don't return PAM_IGNORE. Based on
- patch by Tomas Mraz <t8m@centrum.cz>, [BRC#196859].
+ patch by Tomas Mraz <t8m@centrum.cz>, [BRC#196859].
2006-07-28 Thorsten Kukuk <kukuk@thkukuk.de>
static int my_session_keyring;
static int session_counter;
static int do_revoke;
+static int revoke_as_uid;
+static int revoke_as_gid;
static int xdebug = 0;
static void debug(pam_handle_t *pamh, const char *fmt, ...)
*/
static void kill_keyrings(pam_handle_t *pamh)
{
+ int old_uid, old_gid;
+
/* revoke the session keyring we created earlier */
if (my_session_keyring > 0) {
debug(pamh, "REVOKE %d", my_session_keyring);
+ old_uid = getuid();
+ old_gid = getgid();
+ debug(pamh, "UID:%d [%d] GID:%d [%d]",
+ revoke_as_uid, old_uid, revoke_as_gid, old_gid);
+
+ /* switch to the real UID and GID so that we have permission to
+ * revoke the key */
+ if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
+ error(pamh, "Unable to change UID to %d temporarily\n",
+ revoke_as_uid);
+
+ if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
+ error(pamh, "Unable to change GID to %d temporarily\n",
+ revoke_as_gid);
+
syscall(__NR_keyctl,
KEYCTL_REVOKE,
my_session_keyring);
+ /* return to the orignal UID and GID (probably root) */
+ if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
+ error(pamh, "Unable to change UID back to %d\n", old_uid);
+
+ if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
+ error(pamh, "Unable to change GID back to %d\n", old_gid);
+
my_session_keyring = 0;
}
}
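Review bot: The effective UID is dropped with setreuid(-1, revoke_as_uid) before the GID is changed, and on Linux a process whose effective UID goes from 0 to non-zero loses its effective capabilities, so the following setregid(-1, revoke_as_gid) will most likely fail with EPERM whenever revoke_as_gid is neither the real nor the saved GID; the revoke then runs under the wrong GID and the failure is only logged. Changing the GID first on the way down, mirroring the restore path which already raises the UID first, avoids this; the reordered lines are below. The comment "switch to the real UID and GID" (and the ChangeLog's "Set real uid") is also misleading, since setreuid(-1, x)/setregid(-1, x) change only the effective IDs — `/* switch the effective UID/GID to the user's so we have permission to revoke the key */` — and "orignal" in the restore comment is a typo. The keyctl(KEYCTL_REVOKE) return value is still unchecked, so a revoke that fails for permission reasons stays invisible; `if (syscall(__NR_keyctl, KEYCTL_REVOKE, my_session_keyring) < 0) error(pamh, "Unable to revoke session keyring %d", my_session_keyring);` would make the new credential handling observable.
```c
		/* switch the effective GID before the effective UID: once the
		 * effective UID is non-zero the process may no longer be allowed
		 * to change its GID */
		if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
			error(pamh, "Unable to change GID to %d temporarily\n",
			      revoke_as_gid);

		if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
			error(pamh, "Unable to change UID to %d temporarily\n",
			      revoke_as_uid);

		/* … unchanged: keyctl(KEYCTL_REVOKE) call, then restore of UID followed by GID … */
```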
return PAM_USER_UNKNOWN;
}
- uid = pw->pw_uid;
+ revoke_as_uid = uid = pw->pw_uid;
old_uid = getuid();
- gid = pw->pw_gid;
+ revoke_as_gid = gid = pw->pw_gid;
old_gid = getgid();
debug(pamh, "UID:%d [%d] GID:%d [%d]", uid, old_uid, gid, old_gid);