diff options
Diffstat (limited to 'meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch')
-rw-r--r-- | meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch new file mode 100644 index 0000000000..adc464924d --- /dev/null +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch @@ -0,0 +1,97 @@ +From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org> +Date: Thu, 13 May 2010 12:36:26 +0200 +Subject: [PATCH 2/3] add minimum_uid option + +Closes: #580037 + +This patch was taken from Debian's libpam-ccreds v10-6 source: + 0002-add-minimum_uid-option.patch + +Reviewed-by: Richard Leitner <richard.leitner@skidata.com> +--- + cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/cc_pam.c b/cc_pam.c +index d096117..56776aa 100644 +--- a/cc_pam.c ++++ b/cc_pam.c +@@ -20,6 +20,7 @@ + #include <errno.h> + #include <limits.h> + #include <syslog.h> ++#include <pwd.h> + + #include "cc_private.h" + +@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, + int flags, int argc, const char **argv); + #endif + ++ ++/* ++ * Given the PAM arguments and the user we're authenticating, see if we should ++ * ignore that user because they're root or have a low-numbered UID and we ++ * were configured to ignore such users. Returns true if we should ignore ++ * them, false otherwise. ++ */ ++static int ++_pamcc_should_ignore(const char *username, int minimum_uid) ++{ ++ struct passwd *pwd; ++ ++ if (minimum_uid > 0) { ++ pwd = getpwnam(username); ++ if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) { ++ syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)", ++ (unsigned long) pwd->pw_uid, minimum_uid); ++ return 1; ++ } ++ } ++ return 0; ++} ++ ++ + static int _pam_sm_interact(pam_handle_t *pamh, + int flags, + const char **authtok) +@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, + unsigned int sm_flags = 0, sm_action = 0; + const char *ccredsfile = NULL; + const char *action = NULL; ++ const char *name = NULL; + int (*selector)(pam_handle_t *, int, unsigned int, const char *); ++ int minimum_uid = 0; + + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "use_first_pass") == 0) +@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, + sm_flags |= SM_FLAGS_TRY_FIRST_PASS; + else if (strcmp(argv[i], "service_specific") == 0) + sm_flags |= SM_FLAGS_SERVICE_SPECIFIC; ++ else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0) ++ minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1); + else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0) + ccredsfile = argv[i] + sizeof("ccredsfile=") - 1; + else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0) +@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, + syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action); + } + ++ rc = pam_get_user(pamh, &name, NULL); ++ if (rc != PAM_SUCCESS || name == NULL) { ++ if (rc == PAM_CONV_AGAIN) ++ return PAM_INCOMPLETE; ++ else ++ return PAM_SERVICE_ERR; ++ } ++ if (_pamcc_should_ignore(name, minimum_uid)) ++ return PAM_USER_UNKNOWN; ++ + switch (sm_action) { + case SM_ACTION_VALIDATE_CCREDS: + selector = _pam_sm_validate_cached_credentials; +-- +2.11.0 + |