1 files changed, 97 insertions, 0 deletions

diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
new file mode 100644
index 0000000000..adc464924d
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
@@ -0,0 +1,97 @@
+From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 13 May 2010 12:36:26 +0200
+Subject: [PATCH 2/3] add minimum_uid option
+
+Closes: #580037
+
+This patch was taken from Debian's libpam-ccreds v10-6 source:
+	0002-add-minimum_uid-option.patch
+
+Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/cc_pam.c b/cc_pam.c
+index d096117..56776aa 100644
+--- a/cc_pam.c
++++ b/cc_pam.c
+@@ -20,6 +20,7 @@
+ #include <errno.h>
+ #include <limits.h>
+ #include <syslog.h>
++#include <pwd.h>
+ 
+ #include "cc_private.h"
+ 
+@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
+ 				int flags, int argc, const char **argv);
+ #endif
+ 
++
++/*
++ * Given the PAM arguments and the user we're authenticating, see if we should
++ * ignore that user because they're root or have a low-numbered UID and we
++ * were configured to ignore such users.  Returns true if we should ignore
++ * them, false otherwise.
++ */
++static int
++_pamcc_should_ignore(const char *username, int minimum_uid)
++{
++	struct passwd *pwd;
++
++	if (minimum_uid > 0) {
++		pwd = getpwnam(username);
++		if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
++			syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
++				(unsigned long) pwd->pw_uid, minimum_uid);
++			return 1;
++		}
++	}
++	return 0;
++}
++
++
+ static int _pam_sm_interact(pam_handle_t *pamh,
+ 			    int flags,
+ 			    const char **authtok)
+@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ 	unsigned int sm_flags = 0, sm_action = 0;
+ 	const char *ccredsfile = NULL;
+ 	const char *action = NULL;
++	const char *name = NULL;
+ 	int (*selector)(pam_handle_t *, int, unsigned int, const char *);
++	int minimum_uid = 0;
+ 
+ 	for (i = 0; i < argc; i++) {
+ 		if (strcmp(argv[i], "use_first_pass") == 0)
+@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ 			sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
+ 		else if (strcmp(argv[i], "service_specific") == 0)
+ 			sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
++		else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
++			minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
+ 		else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
+ 			ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
+ 		else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
+@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ 		syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
+ 	}
+ 
++	rc = pam_get_user(pamh, &name, NULL);
++	if (rc != PAM_SUCCESS || name == NULL) {
++		if (rc == PAM_CONV_AGAIN)
++			return PAM_INCOMPLETE;
++		else
++			return PAM_SERVICE_ERR;
++	}
++	if (_pamcc_should_ignore(name, minimum_uid))
++		return PAM_USER_UNKNOWN;
++
+ 	switch (sm_action) {
+ 	case SM_ACTION_VALIDATE_CCREDS:
+ 		selector = _pam_sm_validate_cached_credentials;
+-- 
+2.11.0
+