summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-10-06 16:03:01 +0200
committerLennart Poettering <lennart@poettering.net>2016-10-06 19:04:10 +0200
commit2d6fce8d7c397fe915230b728cb92aa749245e43 (patch)
tree26ad5d4ebabbd6fb3dee5645f5e1f80797d12dad /src
parent729c6467df4887e55b57b4efe9541bff0d31016b (diff)
core: leave PAM stub process around with GIDs updated
In the process execution code of PID 1, before 096424d1230e0a0339735c51b43949809e972430 the GID settings where changed before invoking PAM, and the UID settings after. After the change both changes are made after the PAM session hooks are run. When invoking PAM we fork once, and leave a stub process around which will invoke the PAM session end hooks when the session goes away. This code previously was dropping the remaining privs (which were precisely the UID). Fix this code to do this correctly again, by really dropping them else (i.e. the GID as well). While we are at it, also fix error logging of this code. Fixes: #4238
Diffstat (limited to 'src')
-rw-r--r--src/core/execute.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 019ff8490b..e4a23ac169 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -843,6 +843,7 @@ static int setup_pam(
const char *name,
const char *user,
uid_t uid,
+ gid_t gid,
const char *tty,
char ***env,
int fds[], unsigned n_fds) {
@@ -948,8 +949,13 @@ static int setup_pam(
* and this will make PR_SET_PDEATHSIG work in most cases.
* If this fails, ignore the error - but expect sd-pam threads
* to fail to exit normally */
+
+ if (maybe_setgroups(0, NULL) < 0)
+ log_warning_errno(errno, "Failed to setgroups() in sd-pam: %m");
+ if (setresgid(gid, gid, gid) < 0)
+ log_warning_errno(errno, "Failed to setresgid() in sd-pam: %m");
if (setresuid(uid, uid, uid) < 0)
- log_error_errno(r, "Error: Failed to setresuid() in sd-pam: %m");
+ log_warning_errno(errno, "Failed to setresuid() in sd-pam: %m");
(void) ignore_signals(SIGPIPE, -1);
@@ -2413,7 +2419,7 @@ static int exec_child(
}
if (context->pam_name && username) {
- r = setup_pam(context->pam_name, username, uid, context->tty_path, &accum_env, fds, n_fds);
+ r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds);
if (r < 0) {
*exit_status = EXIT_PAM;
return r;