From: Tomas Mraz Date: Thu, 3 Aug 2006 12:51:30 +0000 (+0000) Subject: Relevant BUGIDs: rh bugzilla 201048 X-Git-Tag: Linux-PAM-0_99_6_0~6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=455fa431f054f3ef537335bb43a0f88f717e912d;p=linux-pam Relevant BUGIDs: rh bugzilla 201048 Purpose of commit: bugfix Commit summary: --------------- * modules/pam_keyinit/pam_keyinit.c: Debug should be off by default. (init_keyrings): Properly handle multiple invocations of the module. (kill_keyrings, pam_sm_open_session, pam_sm_close_session): Likewise. --- diff --git a/ChangeLog b/ChangeLog index c21e7f4e..ec8c5f93 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2006-08-03 David Howells + + * modules/pam_keyinit/pam_keyinit.c: Debug should be off by default. + (init_keyrings): Properly handle multiple invocations of the module. + (kill_keyrings, pam_sm_open_session, pam_sm_close_session): Likewise. + 2006-08-03 Tomas Mraz * modules/pam_succeed_if/pam_succeed_if.c (evaluate_inlist): diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c index 47b2c0f5..5a43c12a 100644 --- a/modules/pam_keyinit/pam_keyinit.c +++ b/modules/pam_keyinit/pam_keyinit.c @@ -31,8 +31,9 @@ #define KEYCTL_LINK 8 /* link a key into a keyring */ static int my_session_keyring; +static int session_counter; static int do_revoke; -static int xdebug = 1; +static int xdebug = 0; static void debug(pam_handle_t *pamh, const char *fmt, ...) __attribute__((format(printf, 2, 3))); @@ -95,10 +96,8 @@ static int init_keyrings(pam_handle_t *pamh, int force) /* if the user session keyring is our keyring, then we don't * need to do anything if we're not forcing */ - if (session != usession) { - do_revoke = 0; + if (session != usession) return PAM_SUCCESS; - } } /* create a session keyring, discarding the old one */ @@ -132,6 +131,8 @@ static void kill_keyrings(pam_handle_t *pamh) syscall(__NR_keyctl, KEYCTL_REVOKE, my_session_keyring); + + my_session_keyring = 0; } } @@ -155,6 +156,16 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, do_revoke = 1; } + /* don't do anything if already created a keyring (will be called + * multiple times if mentioned more than once in a pam script) + */ + session_counter++; + + debug(pamh, "OPEN %d", session_counter); + + if (my_session_keyring > 0) + return PAM_SUCCESS; + /* look up the target UID */ ret = pam_get_user(pamh, &username, "key user"); if (ret != PAM_SUCCESS) @@ -202,7 +213,12 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, int argc UNUSED, const char **argv UNUSED) { - if (do_revoke) + debug(pamh, "CLOSE %d,%d,%d", + session_counter, my_session_keyring, do_revoke); + + session_counter--; + + if (session_counter == 0 && my_session_keyring > 0 && do_revoke) kill_keyrings(pamh); return PAM_SUCCESS;