summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/pam-module.c21
1 files changed, 11 insertions, 10 deletions
diff --git a/src/pam-module.c b/src/pam-module.c
index b4130bbdd6..93eb929569 100644
--- a/src/pam-module.c
+++ b/src/pam-module.c
@@ -221,18 +221,19 @@ static uint64_t get_session_id(int *mode) {
/* First attempt: let's use the session ID of the audit
* system, if it is available. */
- if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
- uint32_t u;
- int r;
+ if (have_effective_cap(CAP_AUDIT_CONTROL) > 0)
+ if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
+ uint32_t u;
+ int r;
- r = safe_atou32(s, &u);
- free(s);
+ r = safe_atou32(s, &u);
+ free(s);
- if (r >= 0 && u != (uint32_t) -1 && u > 0) {
- *mode = SESSION_ID_AUDIT;
- return (uint64_t) u;
+ if (r >= 0 && u != (uint32_t) -1 && u > 0) {
+ *mode = SESSION_ID_AUDIT;
+ return (uint64_t) u;
+ }
}
- }
/* Second attempt, use our own counter. */
if ((fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-session")) >= 0) {
@@ -289,7 +290,7 @@ static int get_user_data(
assert(ret_username);
assert(ret_pw);
- if (have_effective_cap(CAP_AUDIT_CONTROL)) {
+ if (have_effective_cap(CAP_AUDIT_CONTROL) > 0) {
/* Only use audit login uid if we are executed with
* sufficient capabilities so that pam_loginuid could
* do its job. If we are lacking the CAP_AUDIT_CONTROL