Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.0:Update
sddm.8613
0007-Honor-PAMs-ambient-supplemental-groups.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0007-Honor-PAMs-ambient-supplemental-groups.patch of Package sddm.8613
From 1bc813d08b8130e458a6550ec47fb2bfbe6de080 Mon Sep 17 00:00:00 2001 From: Konrad Tegtmeier <jktr@users.noreply.github.com> Date: Fri, 13 Apr 2018 14:06:11 +0200 Subject: [PATCH] Honor PAM's ambient supplemental groups. (#834) When compiled with USE_PAM, prefer a combination of getgroups(3) and getgrouplist(3) for ambient and user groups, respectively, to initgroups(3). This way, groups injected into the PAM environment by means of pam_groups.so aren't ignored. Signed-off-by: J. Konrad Tegtmeier-Rottach <jktr@0x16.de> Backported to 0.17.0 Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com> --- src/helper/UserSession.cpp | 59 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp index 4221ada0..d4fd2cff 100644 --- a/src/helper/UserSession.cpp +++ b/src/helper/UserSession.cpp @@ -116,10 +116,69 @@ qCritical() << "setgid(" << pw->pw_gid << ") failed for user: " << username; exit(Auth::HELPER_OTHER_ERROR); } + +#ifdef USE_PAM + + // fetch ambient groups from PAM's environment; + // these are set by modules such as pam_groups.so + int n_pam_groups = getgroups(0, NULL); + gid_t *pam_groups = NULL; + if (n_pam_groups > 0) { + pam_groups = new gid_t[n_pam_groups]; + if ((n_pam_groups = getgroups(n_pam_groups, pam_groups)) == -1) { + qCritical() << "getgroups() failed to fetch supplemental" + << "PAM groups for user:" << username; + exit(Auth::HELPER_OTHER_ERROR); + } + } else { + n_pam_groups = 0; + } + + // fetch session's user's groups + int n_user_groups = 0; + gid_t *user_groups = NULL; + if (-1 == getgrouplist(username.constData(), pw->pw_gid, + NULL, &n_user_groups)) { + user_groups = new gid_t[n_user_groups]; + if ((n_user_groups = getgrouplist(username.constData(), + pw->pw_gid, user_groups, + &n_user_groups)) == -1 ) { + qCritical() << "getgrouplist(" << username << ", " << pw->pw_gid + << ") failed"; + //free(buffer); + exit(Auth::HELPER_OTHER_ERROR); + } + } + + // set groups to concatenation of PAM's ambient + // groups and the session's user's groups + int n_groups = n_pam_groups + n_user_groups; + if (n_groups > 0) { + gid_t *groups = new gid_t[n_groups]; + memcpy(groups, pam_groups, (n_pam_groups * sizeof(gid_t))); + memcpy((groups + n_pam_groups), user_groups, + (n_user_groups * sizeof(gid_t))); + + // setgroups(2) handles duplicate groups + if (setgroups(n_groups, groups) != 0) { + qCritical() << "setgroups() failed for user: " << username; + //free(buffer); + exit (Auth::HELPER_OTHER_ERROR); + } + delete[] groups; + } + delete[] pam_groups; + delete[] user_groups; + +#else + if (initgroups(pw->pw_name, pw->pw_gid) != 0) { qCritical() << "initgroups(" << pw->pw_name << ", " << pw->pw_gid << ") failed for user: " << username; exit(Auth::HELPER_OTHER_ERROR); } + +#endif /* USE_PAM */ + if (setuid(pw->pw_uid) != 0) { qCritical() << "setuid(" << pw->pw_uid << ") failed for user: " << username; exit(Auth::HELPER_OTHER_ERROR);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor