From ac1234459056864aeb04053fdfe9b0001fc32590 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 12 Apr 2011 21:08:44 +0200 Subject: pam: use /proc/self/loginuid only if we have CAP_AUDIT_CONTROL --- src/pam-module.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) (limited to 'src/pam-module.c') diff --git a/src/pam-module.c b/src/pam-module.c index 6486546e6d..b4130bbdd6 100644 --- a/src/pam-module.c +++ b/src/pam-module.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include @@ -288,15 +289,24 @@ static int get_user_data( assert(ret_username); assert(ret_pw); - if (read_one_line_file("/proc/self/loginuid", &s) >= 0) { - uint32_t u; + if (have_effective_cap(CAP_AUDIT_CONTROL)) { + /* Only use audit login uid if we are executed with + * sufficient capabilities so that pam_loginuid could + * do its job. If we are lacking the CAP_AUDIT_CONTROL + * capabality we most likely are being run in a + * container and /proc/self/loginuid is useless since + * it probably contains a uid of the host system. */ - r = safe_atou32(s, &u); - free(s); + if (read_one_line_file("/proc/self/loginuid", &s) >= 0) { + uint32_t u; - if (r >= 0 && u != (uint32_t) -1 && u > 0) { - have_loginuid = true; - pw = pam_modutil_getpwuid(handle, u); + r = safe_atou32(s, &u); + free(s); + + if (r >= 0 && u != (uint32_t) -1 && u > 0) { + have_loginuid = true; + pw = pam_modutil_getpwuid(handle, u); + } } } -- cgit v1.2.3-54-g00ecf