author | Ted Gould <ted@gould.cx> | 2012-08-30 22:35:28 -0500 |
---|---|---|
committer | Ted Gould <ted@gould.cx> | 2012-08-30 22:35:28 -0500 |
commit | dbef2c50ce25e1fbb6a517fa1103d953c5c50dd8 (patch) | |
tree | f5c0dc7ad6a754dab5185dce89eaa987a2cfa800 | |
parent | 038d80506e3ef6686da347057bb45a5bab5dcc81 (diff) | |
Clearing the groups, but handling the EPERM issue with not being root
-rw-r--r-- | src/pam-freerdp.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index 24a55d0..b271834 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -28,6 +28,7 @@
 #include <sys/un.h>
 #include <pwd.h>
 #include <grp.h>
+#include <errno.h>
 #include <security/pam_modules.h>
 #include <security/pam_modutil.h>
@@ -234,6 +235,12 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv)
 _exit(EXIT_FAILURE);
 }
+ /* Setting groups, but allowing EPERM as if we're not 100% root
+ we might not be able to do this */
+ if (setgroups(1, &pwdent->pw_gid) != 0 && errno != EPERM) {
+ _exit(EXIT_FAILURE);
+ }
+
 if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 || setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) {
 _exit(EXIT_FAILURE);
@@ -304,6 +311,12 @@ session_socket_handler (struct passwd * pwdent, int readypipe, const char * ruse
 /* Track ready writing */
 int readywrite = 0;
+ /* Setting groups, but allowing EPERM as if we're not 100% root
+ we might not be able to do this */
+ if (setgroups(1, &pwdent->pw_gid) != 0 && errno != EPERM) {
+ _exit(EXIT_FAILURE);
+ }
+
 if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 || setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) {
 /* Don't need to clean up yet */
@@ -512,6 +525,12 @@ pam_sm_close_session (pam_handle_t *pamh, int flags, int argc, const char **argv
 pid_t pid = fork();
 if (pid == 0) {
+ /* Setting groups, but allowing EPERM as if we're not 100% root
+ we might not be able to do this */
+ if (setgroups(1, &pwdent->pw_gid) != 0 && errno != EPERM) {
+ _exit(EXIT_FAILURE);
+ }
+
 if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 || setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) {
 _exit(EXIT_FAILURE); |
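Review bot: Tolerating `EPERM` from `setgroups()` lets the child carry on with whatever supplementary groups it inherited, and nothing afterwards confirms that list is harmless; this applies to the added check in pam_sm_authenticate and identically to the copies in session_socket_handler and pam_sm_close_session. If the following setgid()/setuid() calls can still succeed while setgroups() is denied (for example a caller holding only some capabilities, which is inferred and not shown in the diff), the user's code would run with the parent's group list. I would accept EPERM only when the process is not effectively root, `if (setgroups(1, &pwdent->pw_gid) != 0 && (errno != EPERM || geteuid() == 0)) {`, or check the result with getgroups() before continuing. The three identical blocks would also be easier to audit as one static helper. All three enclosing functions start and end outside their hunks.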