Re: PAM support lacks pam_setcred() call


From: Brian Murphy
Subject: Re: PAM support lacks pam_setcred() call
Date: Mon, 27 Oct 2003 23:43:40 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030529

Brian Murphy wrote:

Marc Singer wrote:

CVS's PAM support does not make the pam_setcred() call.  The
pam_group.so module uses this call to add UNIX groups to the user's

Do you have an example of how you want to use the pam_group module? A configuration file
for example and what you expect it to do.

process privileges.  In addition, the pam_setcred() call requires
PAM_TTY to be set.
What should PAM_TTY be set to? I can't really see that there is a sensible value.

/Brian


I figured it out: have a look at the attached patch against the current HEAD - it's not finished
but see if it does what you want.

/Brian
Index: src/server.c
===================================================================
RCS file: /cvs/ccvs/src/server.c,v
retrieving revision 1.328
diff -u -r1.328 server.c
--- src/server.c        12 Oct 2003 00:07:43 -0000      1.328
+++ src/server.c        27 Oct 2003 22:42:42 -0000
@@ -112,6 +112,12 @@
 
 # endif /* AUTH_SERVER_SUPPORT */
 
+#ifdef HAVE_PAM
+# include <security/pam_appl.h>
+
+static pam_handle_t *pamh = NULL;
+#endif
+
 
 /* While processing requests, this buffer accumulates data to be sent to
    the client, and then once we are in do_cvs_command, we use it
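Review bot: The new file-scope `pamh` carries no comment about its lifetime, yet it is now shared between check_system_password (which used to hold it as a local) and switch_to_user, which exits if it is still NULL. A one-line note next to the declaration would save the next reader a search: `/* PAM handle created by check_system_password() and reused by switch_to_user() for pam_setcred()/pam_open_session(); NULL until a PAM authentication has run. */`. Whether anything ever releases it is not visible in this hunk, so the comment should say that too once that is settled.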
@@ -5076,12 +5082,35 @@
 }
 
 
+#define LOG(message) do { printf("E message: %s.\n", message); fflush(stdout); 
} while(0)
 
 #if defined (HAVE_KERBEROS) || defined (AUTH_SERVER_SUPPORT) || defined 
(HAVE_GSSAPI)
 static void
 switch_to_user (const char *username)
 {
     struct passwd *pw;
+#ifdef HAVE_PAM
+    int retval, err;
+
+    if (pamh == NULL)
+    {
+        printf("E Fatal error, aborting.\n"
+                "no pam handle\n");
+        exit (EXIT_FAILURE);
+    }
+
+    retval = pam_set_item(pamh, PAM_TTY, "CVSdummy");
+    if (retval != PAM_SUCCESS)
+        printf("E PAM %s error: %s\n", "failed to set PAM_TTY", 
pam_strerror(pamh, retval));
+
+    retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+    if (retval != PAM_SUCCESS)
+        printf("E PAM %s error: %s\n", "failed to establish credentials", 
pam_strerror(pamh, retval));
+
+    retval = pam_open_session(pamh, 0);
+    if (retval != PAM_SUCCESS)
+        printf("E PAM %s error: %s\n", "failed to open pam session", 
pam_strerror(pamh, retval));
+#endif
 
     pw = getpwnam (username);
     if (pw == NULL)
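Review bot: The `pamh == NULL` check makes a missing PAM handle fatal, but switch_to_user is compiled for the Kerberos and GSSAPI servers as well (the `#if defined (HAVE_KERBEROS) || defined (AUTH_SERVER_SUPPORT) || defined (HAVE_GSSAPI)` guard), and those logins do not pass through check_system_password, so with HAVE_PAM a Kerberos/GSSAPI client (and presumably a CVSROOT/passwd match that never consults PAM) would abort with "no pam handle". Guarding the whole PAM block with `if (pamh != NULL) { ... }` rather than exiting keeps those paths working. Separately, a failed `pam_setcred` or `pam_open_session` is only reported with an "E" line and the function continues to getpwnam and the uid switch; since establishing credentials is the point of the patch, a failure there should end the session the way the NULL-handle case does, e.g. `if (retval != PAM_SUCCESS) { printf(...); exit (EXIT_FAILURE); }`. `err` is declared but never used in this block. switch_to_user's body continues beyond the hunk.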
@@ -5140,6 +5169,12 @@
        }
     }
 
+#ifdef HAVE_PAM
+    retval = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
+    if (retval != PAM_SUCCESS)
+        printf("E PAM %s error: %s\n", "failed to establish credentials", 
pam_strerror(pamh, retval));
+#endif
+
     if (setuid (pw->pw_uid) < 0)
     {
        /* Note that this means that if run as a non-root user,
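Review bot: The result of `pam_setcred(pamh, PAM_REINITIALIZE_CRED)` is only printed and the code drops straight into `setuid (pw->pw_uid)`, so a user whose credentials could not be re-established is still given a session; `if (retval != PAM_SUCCESS) { printf("E PAM %s error: %s\n", "failed to reinitialize credentials", pam_strerror(pamh, retval)); exit (EXIT_FAILURE); }` would both fail closed and stop this message from being indistinguishable from the PAM_ESTABLISH_CRED one earlier in the function. Placing the call after the group setup and before setuid looks intentional (group changes would otherwise be lost), but that setup is outside the hunk, so a short comment saying why it sits here would help. The enclosing switch_to_user starts before this hunk.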
@@ -5356,8 +5391,6 @@
 
 #ifdef HAVE_PAM
 
-# include <security/pam_appl.h>
-
 struct cvs_pam_userinfo {
     char *username;
     char *password;
@@ -5417,7 +5450,6 @@
 static int
 check_system_password( char *username, char *password )
 {
-    pam_handle_t *pamh = NULL;
     int retval, err;
     struct cvs_pam_userinfo ui = { username, password };
     struct pam_conv conv = { cvs_pam_conv, (void *)&ui };
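Review bot: With the local `pamh` gone, check_system_password now writes the file-scope handle (presumably via the pam_start call further down, which this hunk does not show), and nothing visible resets or releases a handle left over from an earlier call, so a second authentication attempt in the same process would overwrite and leak it. A guard before the handle is created, `if (pamh != NULL) { pam_end(pamh, PAM_SUCCESS); pamh = NULL; }`, keeps the global single-owner. The function's body continues beyond the hunk.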
@@ -5438,6 +5470,7 @@
     if (retval != PAM_SUCCESS)
        printf("E PAM %s error: %s\n", pam_stage, pam_strerror(pamh, retval));
 
+#if 0
     if ((err = pam_end(pamh, retval)) != PAM_SUCCESS)
     {
        printf("E Fatal error, aborting.\n"
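Review bot: Compiling out the `pam_end` call with `#if 0` means the failure path now leaks the handle and leaves the global `pamh` pointing at a transaction whose authentication failed, and nothing else in the patch ever releases a handle. Keep the handle only on success so switch_to_user can use it, and dispose of it otherwise: `if (retval != PAM_SUCCESS) { pam_end(pamh, retval); pamh = NULL; }`; the successful handle then still needs a matching pam_close_session/pam_end at server shutdown, which the patch does not add. Once pam_end is gone from this function `err` becomes unused, and the dead `#if 0` block should be deleted rather than left behind. check_system_password's body continues past the hunk.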
@@ -5445,7 +5478,7 @@
                "PAM error %s\n", pam_strerror(NULL, err));
        exit (EXIT_FAILURE);
     }
-
+#endif
     return (retval == PAM_SUCCESS);       /* indicate success */
 }
 #else
