[systemd-commits] 2 commits - src/pam-module.c src/util.c src/util.h

Lennart Poettering lennart at kemper.freedesktop.org
Tue Apr 12 12:17:09 PDT 2011 

 src/pam-module.c |   43 +++++++++++++++++++++++++++----------------
 src/util.c       |   18 ++++++++++++++++++
 src/util.h       |    2 ++
 3 files changed, 47 insertions(+), 16 deletions(-)

New commits:
commit 81481c99c2c60a72e4a3e189565f1e786bfbe588
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Apr 12 21:12:06 2011 +0200

    pam: use /proc/self/sessionid only if CAP_AUDIT_CONTROL is set

diff --git a/src/pam-module.c b/src/pam-module.c
index b4130bb..93eb929 100644
--- a/src/pam-module.c
+++ b/src/pam-module.c
@@ -221,18 +221,19 @@ static uint64_t get_session_id(int *mode) {
 
         /* First attempt: let's use the session ID of the audit
          * system, if it is available. */
-        if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
-                uint32_t u;
-                int r;
+        if (have_effective_cap(CAP_AUDIT_CONTROL) > 0)
+                if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
+                        uint32_t u;
+                        int r;
 
-                r = safe_atou32(s, &u);
-                free(s);
+                        r = safe_atou32(s, &u);
+                        free(s);
 
-                if (r >= 0 && u != (uint32_t) -1 && u > 0) {
-                        *mode = SESSION_ID_AUDIT;
-                        return (uint64_t) u;
+                        if (r >= 0 && u != (uint32_t) -1 && u > 0) {
+                                *mode = SESSION_ID_AUDIT;
+                                return (uint64_t) u;
+                        }
                 }
-        }
 
         /* Second attempt, use our own counter. */
         if ((fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-session")) >= 0) {
@@ -289,7 +290,7 @@ static int get_user_data(
         assert(ret_username);
         assert(ret_pw);
 
-        if (have_effective_cap(CAP_AUDIT_CONTROL)) {
+        if (have_effective_cap(CAP_AUDIT_CONTROL) > 0) {
                 /* Only use audit login uid if we are executed with
                  * sufficient capabilities so that pam_loginuid could
                  * do its job. If we are lacking the CAP_AUDIT_CONTROL

commit ac1234459056864aeb04053fdfe9b0001fc32590
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Apr 12 21:08:44 2011 +0200

    pam: use /proc/self/loginuid only if we have CAP_AUDIT_CONTROL

diff --git a/src/pam-module.c b/src/pam-module.c
index 6486546..b4130bb 100644
--- a/src/pam-module.c
+++ b/src/pam-module.c
@@ -24,6 +24,7 @@
 #include <sys/file.h>
 #include <pwd.h>
 #include <endian.h>
+#include <sys/capability.h>
 
 #include <security/pam_modules.h>
 #include <security/_pam_macros.h>
@@ -288,15 +289,24 @@ static int get_user_data(
         assert(ret_username);
         assert(ret_pw);
 
-        if (read_one_line_file("/proc/self/loginuid", &s) >= 0) {
-                uint32_t u;
+        if (have_effective_cap(CAP_AUDIT_CONTROL)) {
+                /* Only use audit login uid if we are executed with
+                 * sufficient capabilities so that pam_loginuid could
+                 * do its job. If we are lacking the CAP_AUDIT_CONTROL
+                 * capabality we most likely are being run in a
+                 * container and /proc/self/loginuid is useless since
+                 * it probably contains a uid of the host system. */
 
-                r = safe_atou32(s, &u);
-                free(s);
+                if (read_one_line_file("/proc/self/loginuid", &s) >= 0) {
+                        uint32_t u;
 
-                if (r >= 0 && u != (uint32_t) -1 && u > 0) {
-                        have_loginuid = true;
-                        pw = pam_modutil_getpwuid(handle, u);
+                        r = safe_atou32(s, &u);
+                        free(s);
+
+                        if (r >= 0 && u != (uint32_t) -1 && u > 0) {
+                                have_loginuid = true;
+                                pw = pam_modutil_getpwuid(handle, u);
+                        }
                 }
         }
 
diff --git a/src/util.c b/src/util.c
index d39cb48..75ad56f 100644
--- a/src/util.c
+++ b/src/util.c
@@ -50,6 +50,7 @@
 #include <linux/kd.h>
 #include <dlfcn.h>
 #include <sys/wait.h>
+#include <sys/capability.h>
 
 #include "macro.h"
 #include "util.h"
@@ -4236,6 +4237,23 @@ void parse_syslog_priority(char **p, int *priority) {
         *p += k;
 }
 
+int have_effective_cap(int value) {
+        cap_t cap;
+        cap_flag_value_t fv;
+        int r;
+
+        if (!(cap = cap_get_proc()))
+                return -errno;
+
+        if (cap_get_flag(cap, value, CAP_EFFECTIVE, &fv) < 0)
+                r = -errno;
+        else
+                r = fv == CAP_SET;
+
+        cap_free(cap);
+        return r;
+}
+
 static const char *const ioprio_class_table[] = {
         [IOPRIO_CLASS_NONE] = "none",
         [IOPRIO_CLASS_RT] = "realtime",
diff --git a/src/util.h b/src/util.h
index ff38b35..72ddd36 100644
--- a/src/util.h
+++ b/src/util.h
@@ -396,6 +396,8 @@ bool plymouth_running(void);
 
 void parse_syslog_priority(char **p, int *priority);
 
+int have_effective_cap(int value);
+
 #define NULSTR_FOREACH(i, l)                                    \
         for ((i) = (l); (i) && *(i); (i) = strchr((i), 0)+1)

More information about the systemd-commits mailing list