dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Source Code
GIT

Blame SOURCES/0025-PAM-client-only-require-UID-0-for-private-socket.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   0d097b9920e1e6f8bd897f3956f667e9947e7a75
  2.   SOURCES
  3.   0025-PAM-client-only-require-UID-0-for-private-socket.patch
Blob History Raw
3bc8c4 
From 37780b895199bab991edae6b1eeb91b7b3966bcf Mon Sep 17 00:00:00 2001
3bc8c4 
From: Sumit Bose <sbose@redhat.com>
3bc8c4 
Date: Thu, 6 Feb 2020 14:50:23 +0100
3bc8c4 
Subject: [PATCH 25/25] PAM client: only require UID 0 for private socket
3bc8c4 
MIME-Version: 1.0
3bc8c4 
Content-Type: text/plain; charset=UTF-8
3bc8c4 
Content-Transfer-Encoding: 8bit
3bc8c4
3bc8c4 
Some privileged services like e.g. gdm might only call with UID 0 but
3bc8c4 
with a different GID. This patch removes the GID 0 requirement to access
3bc8c4 
to private PAM socket so that e.g. gdm can use the wait-for-card option.
3bc8c4
3bc8c4 
Resolves: https://pagure.io/SSSD/sssd/issue/4159
3bc8c4
3bc8c4 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
3bc8c4 
---
3bc8c4 
 src/sss_client/common.c | 4 ++--
3bc8c4 
 1 file changed, 2 insertions(+), 2 deletions(-)
3bc8c4
3bc8c4 
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
3bc8c4 
index 270ca8b54..902438c86 100644
3bc8c4 
--- a/src/sss_client/common.c
3bc8c4 
+++ b/src/sss_client/common.c
3bc8c4 
@@ -910,8 +910,8 @@ int sss_pam_make_request(enum sss_cli_command cmd,
3bc8c4 
         goto out;
3bc8c4 
     }
3bc8c4
3bc8c4 
-    /* only root shall use the privileged pipe */
3bc8c4 
-    if (getuid() == 0 && getgid() == 0) {
3bc8c4 
+    /* only UID 0 shall use the privileged pipe */
3bc8c4 
+    if (getuid() == 0) {
3bc8c4 
         socket_name = SSS_PAM_PRIV_SOCKET_NAME;
3bc8c4 
         errno = 0;
3bc8c4 
         statret = stat(socket_name, &stat_buf);
3bc8c4 
--
3bc8c4 
2.20.1
3bc8c4

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation