From 69c41ad3d74684dac43a1f767bc00ca97b4518b5 Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzidek@redhat.com>
Date: Wed, 15 Oct 2014 18:15:53 +0200
Subject: [PATCH 36/46] PAM: Create pipe file descriptors before privileges are
dropped
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit b547bd685cb71bb450b0c86487767f02e66f6cea)
---
src/responder/pam/pamsrv.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
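diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index a3f8662738c26a537bc21d8d419e65e49c4828c9..d3cf0c770ad2978e101f40453137ade8d826b8e1 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -181,7 +181,8 @@ done:
 
 static int pam_process_init(TALLOC_CTX *mem_ctx,
 struct tevent_context *ev,
- struct confdb_ctx *cdb)
+ struct confdb_ctx *cdb,
+ int pipe_fd, int priv_pipe_fd)
 {
 struct resp_ctx *rctx;
 struct sss_cmd_table *pam_cmds;
@@ -194,8 +195,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
 pam_cmds = get_pam_cmds();
 ret = sss_process_init(mem_ctx, ev, cdb,
 pam_cmds,
- SSS_PAM_SOCKET_NAME, -1,
- SSS_PAM_PRIV_SOCKET_NAME, -1,
+ SSS_PAM_SOCKET_NAME, pipe_fd,
+ SSS_PAM_PRIV_SOCKET_NAME, priv_pipe_fd,
 CONFDB_PAM_CONF_ENTRY,
 SSS_PAM_SBUS_SERVICE_NAME,
 SSS_PAM_SBUS_SERVICE_VERSION,
@@ -318,6 +319,8 @@ int main(int argc, const char *argv[])
 int ret;
 uid_t uid;
 gid_t gid;
+ int pipe_fd;
+ int priv_pipe_fd;
 
 struct poptOption long_options[] = {
 POPT_AUTOHELP
@@ -347,6 +350,24 @@ int main(int argc, const char *argv[])
 /* set up things like debug, signals, daemonization, etc... */
 debug_log_file = "sssd_pam";
 
+ /* Crate pipe file descriptors here before privileges are dropped
+ * in server_setup() */
+ ret = create_pipe_fd(SSS_PAM_SOCKET_NAME, &pipe_fd, 0111);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "create_pipe_fd failed [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ return 2;
+ }
+
+ ret = create_pipe_fd(SSS_PAM_PRIV_SOCKET_NAME, &priv_pipe_fd, 0177);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "create_pipe_fd failed (priviledged pipe) [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ return 2;
+ }
+
 ret = server_setup("sssd[pam]", 0, 0, 0, CONFDB_PAM_CONF_ENTRY, &main_ctx);
 if (ret != EOK) return 2;
 
@@ -359,7 +380,8 @@ int main(int argc, const char *argv[])
 
 ret = pam_process_init(main_ctx,
 main_ctx->event_ctx,
- main_ctx->confdb_ctx);
+ main_ctx->confdb_ctx,
+ pipe_fd, priv_pipe_fd);
 if (ret != EOK) return 3;
 
 /* loop on main */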
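Review bot: The second error path in main() (the `return 2;` after the SSS_PAM_PRIV_SOCKET_NAME call) exits with the descriptor from the first, successful `create_pipe_fd()` still open and whatever that call set up for SSS_PAM_SOCKET_NAME left in place; a `close(pipe_fd);` before that return (plus removal of the socket path, if create_pipe_fd() binds one — confirm in its definition) keeps the two failure paths symmetric and avoids a stale public socket after a failed start. Both calls pass a bare octal literal as the third argument, and the new block comment does not say what it controls; since the sockets are now created with the process still privileged, that comment should also record the intended access model, e.g. `/* Create the listening sockets before server_setup() drops privileges; the last argument is the mode mask applied to each socket (0111 for the public socket, 0177 for the owner-only privileged one) — confirm against create_pipe_fd() */`. Two spelling fixes in the same hunk: `Crate` → `Create` in the comment and `(priviledged pipe)` → `(privileged pipe)` in the log string. main() begins and ends outside the hunks shown.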
--
1.9.3