diff options
author | Ted Gould <ted@gould.cx> | 2012-08-30 22:35:28 -0500 |
---|---|---|
committer | Ted Gould <ted@gould.cx> | 2012-08-30 22:35:28 -0500 |
commit | 50c56f5a1e20d5d08bff7a1a8b1a824e42b40c5e (patch) | |
tree | f5c0dc7ad6a754dab5185dce89eaa987a2cfa800 /src | |
parent | 71845510b58df938ac0a64e47a789c166ad6deb5 (diff) | |
download | libpam-x2go-50c56f5a1e20d5d08bff7a1a8b1a824e42b40c5e.tar.gz libpam-x2go-50c56f5a1e20d5d08bff7a1a8b1a824e42b40c5e.tar.bz2 libpam-x2go-50c56f5a1e20d5d08bff7a1a8b1a824e42b40c5e.zip |
Clearing the groups, but handling the EPERM issue with not being root
Diffstat (limited to 'src')
-rw-r--r-- | src/pam-freerdp.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c index 24a55d0..b271834 100644 --- a/src/pam-freerdp.c +++ b/src/pam-freerdp.c @@ -28,6 +28,7 @@ #include <sys/un.h> #include <pwd.h> #include <grp.h> +#include <errno.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> @@ -234,6 +235,12 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv) _exit(EXIT_FAILURE); } + /* Setting groups, but allowing EPERM as if we're not 100% root + we might not be able to do this */ + if (setgroups(1, &pwdent->pw_gid) != 0 && errno != EPERM) { + _exit(EXIT_FAILURE); + } + if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 || setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) { _exit(EXIT_FAILURE); @@ -304,6 +311,12 @@ session_socket_handler (struct passwd * pwdent, int readypipe, const char * ruse /* Track ready writing */ int readywrite = 0; + /* Setting groups, but allowing EPERM as if we're not 100% root + we might not be able to do this */ + if (setgroups(1, &pwdent->pw_gid) != 0 && errno != EPERM) { + _exit(EXIT_FAILURE); + } + if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 || setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) { /* Don't need to clean up yet */ @@ -512,6 +525,12 @@ pam_sm_close_session (pam_handle_t *pamh, int flags, int argc, const char **argv pid_t pid = fork(); if (pid == 0) { + /* Setting groups, but allowing EPERM as if we're not 100% root + we might not be able to do this */ + if (setgroups(1, &pwdent->pw_gid) != 0 && errno != EPERM) { + _exit(EXIT_FAILURE); + } + if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 || setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) { _exit(EXIT_FAILURE); |