diff options
author | Lennart Poettering <lennart@poettering.net> | 2011-04-12 21:12:06 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2011-04-12 21:12:06 +0200 |
commit | 81481c99c2c60a72e4a3e189565f1e786bfbe588 (patch) | |
tree | 62d9b0c1fde12c0dfc543230f447561525b3f351 /src/pam-module.c | |
parent | ac1234459056864aeb04053fdfe9b0001fc32590 (diff) |
pam: use /proc/self/sessionid only if CAP_AUDIT_CONTROL is set
Diffstat (limited to 'src/pam-module.c')
-rw-r--r-- | src/pam-module.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/src/pam-module.c b/src/pam-module.c index b4130bbdd6..93eb929569 100644 --- a/src/pam-module.c +++ b/src/pam-module.c @@ -221,18 +221,19 @@ static uint64_t get_session_id(int *mode) { /* First attempt: let's use the session ID of the audit * system, if it is available. */ - if (read_one_line_file("/proc/self/sessionid", &s) >= 0) { - uint32_t u; - int r; + if (have_effective_cap(CAP_AUDIT_CONTROL) > 0) + if (read_one_line_file("/proc/self/sessionid", &s) >= 0) { + uint32_t u; + int r; - r = safe_atou32(s, &u); - free(s); + r = safe_atou32(s, &u); + free(s); - if (r >= 0 && u != (uint32_t) -1 && u > 0) { - *mode = SESSION_ID_AUDIT; - return (uint64_t) u; + if (r >= 0 && u != (uint32_t) -1 && u > 0) { + *mode = SESSION_ID_AUDIT; + return (uint64_t) u; + } } - } /* Second attempt, use our own counter. */ if ((fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-session")) >= 0) { @@ -289,7 +290,7 @@ static int get_user_data( assert(ret_username); assert(ret_pw); - if (have_effective_cap(CAP_AUDIT_CONTROL)) { + if (have_effective_cap(CAP_AUDIT_CONTROL) > 0) { /* Only use audit login uid if we are executed with * sufficient capabilities so that pam_loginuid could * do its job. If we are lacking the CAP_AUDIT_CONTROL |