Re: PAM support lacks pam_setcred() call

From: Brian Murphy
Subject: Re: PAM support lacks pam_setcred() call
Date: Mon, 27 Oct 2003 23:43:40 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030529
Brian Murphy wrote:
> Marc Singer wrote:
>> CVS's PAM support does not make the pam_setcred() call. The
>> pam_group.so module uses this call to add UNIX groups to the user's
>
> Do you have an example of how you want to use the pam_group module? A
> configuration file for example and what you expect it to do.
>
>> process privileges. In addition, the pam_setcred() call requires
>> PAM_TTY to be set.
>
> What should PAM_TTY be set to? I can't really see that there is a
> sensible value.
>
> /Brian
I figured it out: have a look at the attached patch against the current
HEAD - it's not finished but see if it does what you want.
/Brian
Index: src/server.c
===================================================================
RCS file: /cvs/ccvs/src/server.c,v
retrieving revision 1.328
diff -u -r1.328 server.c
--- src/server.c 12 Oct 2003 00:07:43 -0000 1.328
+++ src/server.c 27 Oct 2003 22:42:42 -0000
@@ -112,6 +112,12 @@
# endif /* AUTH_SERVER_SUPPORT */
+#ifdef HAVE_PAM
+# include <security/pam_appl.h>
+
+static pam_handle_t *pamh = NULL;
+#endif
+
/* While processing requests, this buffer accumulates data to be sent to
the client, and then once we are in do_cvs_command, we use it
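Review bot: making `pamh` a file-scope static creates an undocumented ordering dependency: `switch_to_user` now relies on an earlier `check_system_password` call having populated the handle, and aborts otherwise. Add a comment at the declaration stating that the handle is created in `check_system_password`, consumed in `switch_to_user`, and deliberately kept alive (no `pam_end`) until credentials and the session have been established.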
@@ -5076,12 +5082,35 @@
}
+#define LOG(message) do { printf("E message: %s.\n", message); fflush(stdout);
} while(0)
#if defined (HAVE_KERBEROS) || defined (AUTH_SERVER_SUPPORT) || defined
(HAVE_GSSAPI)
static void
switch_to_user (const char *username)
{
struct passwd *pw;
+#ifdef HAVE_PAM
+ int retval, err;
+
+ if (pamh == NULL)
+ {
+ printf("E Fatal error, aborting.\n"
+ "no pam handle\n");
+ exit (EXIT_FAILURE);
+ }
+
+ retval = pam_set_item(pamh, PAM_TTY, "CVSdummy");
+ if (retval != PAM_SUCCESS)
+ printf("E PAM %s error: %s\n", "failed to set PAM_TTY",
pam_strerror(pamh, retval));
+
+ retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ if (retval != PAM_SUCCESS)
+ printf("E PAM %s error: %s\n", "failed to establish credentials",
pam_strerror(pamh, retval));
+
+ retval = pam_open_session(pamh, 0);
+ if (retval != PAM_SUCCESS)
+ printf("E PAM %s error: %s\n", "failed to open pam session",
pam_strerror(pamh, retval));
+#endif
pw = getpwnam (username);
if (pw == NULL)
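Review bot: the `LOG` macro defined at the top of this hunk is never used; either drop it or use it for the three repeated `printf("E PAM %s error: %s\n", ...)` blocks, which are otherwise copy-pasted. More importantly, a failing `pam_setcred(pamh, PAM_ESTABLISH_CRED)` or `pam_open_session` is only reported and control falls through to `getpwnam` and the later `setuid`, so the user ends up with a server process lacking the credentials the administrator configured; treat these failures like the missing-handle case (`exit (EXIT_FAILURE)`) or state the lenient policy in a comment. The literal `"CVSdummy"` for `PAM_TTY` also deserves a comment, since modules such as pam_group match their tty field against this value and administrators need to know it. Finally, `err` is declared in this function but never used.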
@@ -5140,6 +5169,12 @@
}
}
+#ifdef HAVE_PAM
+ retval = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
+ if (retval != PAM_SUCCESS)
+ printf("E PAM %s error: %s\n", "failed to establish credentials",
pam_strerror(pamh, retval));
+#endif
+
if (setuid (pw->pw_uid) < 0)
{
/* Note that this means that if run as a non-root user,
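Review bot: the error string for the `PAM_REINITIALIZE_CRED` call is a copy of the establish-credentials message and should read "failed to reinitialize credentials"; and a comment should explain why credentials are re-established immediately before `setuid` instead of relying on the earlier `PAM_ESTABLISH_CRED` call. As in the previous hunk, a failure here is logged but not fatal.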
@@ -5356,8 +5391,6 @@
#ifdef HAVE_PAM
-# include <security/pam_appl.h>
-
struct cvs_pam_userinfo {
char *username;
char *password;
@@ -5417,7 +5450,6 @@
static int
check_system_password( char *username, char *password )
{
- pam_handle_t *pamh = NULL;
int retval, err;
struct cvs_pam_userinfo ui = { username, password };
struct pam_conv conv = { cvs_pam_conv, (void *)&ui };
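Review bot: with the local `pamh` replaced by the file-scope handle, `check_system_password` now leaves a live handle in the global on every call, including when authentication fails, and nothing resets `pamh` to `NULL` on that path; a subsequent `switch_to_user` would pass its NULL check and proceed on a handle whose authentication did not succeed. On `retval != PAM_SUCCESS`, end the handle and reset `pamh`.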
@@ -5438,6 +5470,7 @@
if (retval != PAM_SUCCESS)
printf("E PAM %s error: %s\n", pam_stage, pam_strerror(pamh, retval));
+#if 0
if ((err = pam_end(pamh, retval)) != PAM_SUCCESS)
{
printf("E Fatal error, aborting.\n"
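Review bot: wrapping `pam_end` in `#if 0` disables cleanup unconditionally, so `err` in this function becomes unused and every handle is leaked. The handle only needs to outlive this function on success; keep the existing `pam_end` call for the `retval != PAM_SUCCESS` case rather than compiling it out entirely.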
@@ -5445,7 +5478,7 @@
"PAM error %s\n", pam_strerror(NULL, err));
exit (EXIT_FAILURE);
}
-
+#endif
return (retval == PAM_SUCCESS); /* indicate success */
}
#else
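Review bot: with `pam_end` disabled here and a session opened in `switch_to_user`, nothing in the patch ever calls `pam_close_session`, `pam_setcred(pamh, PAM_DELETE_CRED)` or `pam_end`, so modules that account for or log sessions never see the session end and credential changes are never undone; add the teardown sequence on the server's exit path. This is also consistent with the message calling the patch unfinished.

As an added illustration (not part of Brian's patch or the CVS sources), here is a Linux-PAM configuration that exercises the pam_setcred() path the patch adds, so the change can be tested end to end. It assumes a PAM service name of `cvs` and a supplementary group named `cvsdev`; pam_group matches the `ttys` field of group.conf against PAM_TTY, so the entry must accept the dummy value "CVSdummy" the patch sets.

```conf
# /etc/pam.d/cvs  (constructed example; the service name "cvs" is an assumption)
# pam_group does its work in pam_sm_setcred, so it must be in the auth stack;
# without the pam_setcred() call in the server it would never run.
auth     required  pam_group.so
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so

# /etc/security/group.conf  (constructed example)
# services;ttys;users;times;groups
# "CVSdummy" is the PAM_TTY value set by the patch; "*" matches every user and
# Al0000-2400 means all days, all hours. "cvsdev" is an assumed group name.
cvs;CVSdummy;*;Al0000-2400;cvsdev
```

After a successful login the server process should show `cvsdev` in its supplementary groups (for example via `id` run through a cvs command); if it does not, the PAM_REINITIALIZE_CRED call after the group setup is the first thing to check.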