-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | modules/pam_keyinit/pam_keyinit.c | 22 |
2 files changed, 17 insertions, 10 deletions
@@ -19,6 +19,11 @@ * modules/pam_unix/support.c (_unix_verify_password): Use strncmp only for bigcrypt result. + + * modules/pam_keyinit/pam_keyinit.c (kill_keyrings): Switch to new + egid first, euid next. Revert euid/egid to old euid/egid and not + ruid/rgid. + (pam_sm_open_session): Switch to new rgid first, ruid next. 2006-12-13 Thorsten Kukuk <kukuk@thkukuk.de> diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c index 452b0005..378a7723 100644 --- a/modules/pam_keyinit/pam_keyinit.c +++ b/modules/pam_keyinit/pam_keyinit.c @@ -132,21 +132,21 @@ static void kill_keyrings(pam_handle_t *pamh) if (my_session_keyring > 0) { debug(pamh, "REVOKE %d", my_session_keyring); - old_uid = getuid(); - old_gid = getgid(); + old_uid = geteuid(); + old_gid = getegid(); debug(pamh, "UID:%d [%d] GID:%d [%d]", revoke_as_uid, old_uid, revoke_as_gid, old_gid); /* switch to the real UID and GID so that we have permission to * revoke the key */ - if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0) - error(pamh, "Unable to change UID to %d temporarily\n", - revoke_as_uid); - if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0) error(pamh, "Unable to change GID to %d temporarily\n", revoke_as_gid); + if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0) + error(pamh, "Unable to change UID to %d temporarily\n", + revoke_as_uid); + syscall(__NR_keyctl, KEYCTL_REVOKE, my_session_keyring); 
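Review bot: The comment above the reordered block still reads "switch to the real UID and GID", but the block now saves geteuid()/getegid() and changes only the effective IDs through setreuid(-1, …)/setregid(-1, …), and nothing explains why the GID switch has to come first. I would replace it with `/* switch the effective GID, then the effective UID, so we have permission to revoke the key; GID first because once the effective UID is unprivileged a later setregid() is likely to fail with EPERM */`. The keyctl revoke on the hunk's last line still ignores its return value, and since both identity-switch failures are only logged and fall through, a revoke attempted under the wrong identity can fail silently and leave the session keyring alive; `if (syscall(__NR_keyctl, KEYCTL_REVOKE, my_session_keyring) < 0) error(pamh, "Unable to revoke keyring %d\n", my_session_keyring);` would surface that. The restore of the old effective IDs that the ChangeLog entry mentions lies outside the hunk; presumably it switches back in the mirror order (UID, then GID), and its results deserve the same check, because a failed restore leaves the module running as the wrong user. kill_keyrings continues past the end of the hunk.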
@@ -211,12 +211,14 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, /* switch to the real UID and GID so that the keyring ends up owned by * the right user */ - if (uid != old_uid && setreuid(uid, -1) < 0) - return error(pamh, "Unable to change UID to %d temporarily\n", uid); - if (gid != old_gid && setregid(gid, -1) < 0) { error(pamh, "Unable to change GID to %d temporarily\n", gid); - setreuid(old_uid, -1); + return PAM_SESSION_ERR; + } + + if (uid != old_uid && setreuid(uid, -1) < 0) { + error(pamh, "Unable to change UID to %d temporarily\n", uid); + setregid(old_gid, -1); return PAM_SESSION_ERR; } |
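Review bot: The rollback `setregid(old_gid, -1);` added in the new UID-failure branch discards its return value, just as the removed `setreuid(old_uid, -1);` did, so a failed rollback leaves the process with the caller's real GID already changed while PAM_SESSION_ERR suggests the credentials are untouched. I would log it: `if (setregid(old_gid, -1) < 0) error(pamh, "Unable to restore GID to %d\n", old_gid);`. The hunk also gives no reason for doing the real GID before the real UID; a one-line why-comment such as `/* real GID first, then real UID, matching the order used in kill_keyrings() */` (the ChangeLog entry states that order for both functions) would keep the next maintainer from "fixing" it back. Whether error() returns PAM_SESSION_ERR, which the removed `return error(...)` line relied on, is not visible here, and pam_sm_open_session continues past the end of the hunk.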