authorTed Gould <ted@gould.cx>2012-08-30 22:35:28 -0500
committerTed Gould <ted@gould.cx>2012-08-30 22:35:28 -0500
commit50c56f5a1e20d5d08bff7a1a8b1a824e42b40c5e (patch)
treef5c0dc7ad6a754dab5185dce89eaa987a2cfa800
parent71845510b58df938ac0a64e47a789c166ad6deb5 (diff)
Clearing the groups, but handling the EPERM issue with not being root
-rw-r--r--src/pam-freerdp.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index 24a55d0..b271834 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -28,6 +28,7 @@
#include <sys/un.h>
#include <pwd.h>
#include <grp.h>
+#include <errno.h>
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
@@ -234,6 +235,12 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv)
_exit(EXIT_FAILURE);
}
+ /* Setting groups, but allowing EPERM as if we're not 100% root
+ we might not be able to do this */
+ if (setgroups(1, &pwdent->pw_gid) != 0 && errno != EPERM) {
+ _exit(EXIT_FAILURE);
+ }
+
if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 ||
setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) {
_exit(EXIT_FAILURE);
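Review bot: Accepting `EPERM` from `setgroups()` unconditionally lets the child continue with whatever supplementary groups it inherited, and the added check does not tell the non-root case named in the comment apart from an unexpected failure while running as root. If only the non-root case is meant to pass, the condition can say so: `if (setgroups(1, &pwdent->pw_gid) != 0 && (errno != EPERM || geteuid() == 0)) {`. The call also leaves the primary gid as the user's only supplementary group; if the user's other groups are wanted, `initgroups(pwdent->pw_name, pwdent->pw_gid)` is the usual call. The same block is added in session_socket_handler and pam_sm_close_session, so this applies there too, and a small static helper would keep the three copies in step. The enclosing function starts and ends outside the hunk.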
@@ -304,6 +311,12 @@ session_socket_handler (struct passwd * pwdent, int readypipe, const char * ruse
/* Track ready writing */
int readywrite = 0;
+ /* Setting groups, but allowing EPERM as if we're not 100% root
+ we might not be able to do this */
+ if (setgroups(1, &pwdent->pw_gid) != 0 && errno != EPERM) {
+ _exit(EXIT_FAILURE);
+ }
+
if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 ||
setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) {
/* Don't need to clean up yet */
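Review bot: The added failure path in session_socket_handler calls `_exit(EXIT_FAILURE)` directly, while the existing credential check just below it carries the comment "Don't need to clean up yet" and its exit statement lies outside the hunk. If that check returns to the caller rather than exiting, the new block should probably fail the same way so the two paths behave alike. A short comment on the new branch, such as `/* Nothing to clean up yet */`, would make the intent explicit. The function body continues outside the hunk.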
@@ -512,6 +525,12 @@ pam_sm_close_session (pam_handle_t *pamh, int flags, int argc, const char **argv
pid_t pid = fork();
if (pid == 0) {
+ /* Setting groups, but allowing EPERM as if we're not 100% root
+ we might not be able to do this */
+ if (setgroups(1, &pwdent->pw_gid) != 0 && errno != EPERM) {
+ _exit(EXIT_FAILURE);
+ }
+
if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 ||
setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) {
_exit(EXIT_FAILURE);