File 0007-Honor-PAMs-ambient-supplemental-groups.patch of Package sddm.8613

Overview Repositories Revisions Requests Users Attributes Meta

File 0007-Honor-PAMs-ambient-supplemental-groups.patch of Package sddm.8613

From 1bc813d08b8130e458a6550ec47fb2bfbe6de080 Mon Sep 17 00:00:00 2001
From: Konrad Tegtmeier <jktr@users.noreply.github.com>
Date: Fri, 13 Apr 2018 14:06:11 +0200
Subject: [PATCH] Honor PAM's ambient supplemental groups. (#834)

When compiled with USE_PAM, prefer a combination of
getgroups(3) and getgrouplist(3) for ambient and user
groups, respectively, to initgroups(3).

This way, groups injected into the PAM environment
by means of pam_groups.so aren't ignored.

Signed-off-by: J. Konrad Tegtmeier-Rottach <jktr@0x16.de>

Backported to 0.17.0

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>

---
 src/helper/UserSession.cpp | 59 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
index 4221ada0..d4fd2cff 100644
--- a/src/helper/UserSession.cpp
+++ b/src/helper/UserSession.cpp
@@ -116,10 +116,69 @@
             qCritical() << "setgid(" << pw->pw_gid << ") failed for user: " << username;
             exit(Auth::HELPER_OTHER_ERROR);
         }
+
+#ifdef USE_PAM
+
+        // fetch ambient groups from PAM's environment;
+        // these are set by modules such as pam_groups.so
+        int n_pam_groups = getgroups(0, NULL);
+        gid_t *pam_groups = NULL;
+        if (n_pam_groups > 0) {
+            pam_groups = new gid_t[n_pam_groups];
+            if ((n_pam_groups = getgroups(n_pam_groups, pam_groups)) == -1) {
+                qCritical() << "getgroups() failed to fetch supplemental"
+                            << "PAM groups for user:" << username;
+                exit(Auth::HELPER_OTHER_ERROR);
+            }
+        } else {
+            n_pam_groups = 0;
+        }
+
+        // fetch session's user's groups
+        int n_user_groups = 0;
+        gid_t *user_groups = NULL;
+        if (-1 == getgrouplist(username.constData(), pw->pw_gid,
+                               NULL, &n_user_groups)) {
+            user_groups = new gid_t[n_user_groups];
+            if ((n_user_groups = getgrouplist(username.constData(),
+                                              pw->pw_gid, user_groups,
+                                              &n_user_groups)) == -1 ) {
+                qCritical() << "getgrouplist(" << username << ", " << pw->pw_gid
+                            << ") failed";
+                //free(buffer);
+                exit(Auth::HELPER_OTHER_ERROR);
+            }
+        }
+
+        // set groups to concatenation of PAM's ambient
+        // groups and the session's user's groups
+        int n_groups = n_pam_groups + n_user_groups;
+        if (n_groups > 0) {
+            gid_t *groups = new gid_t[n_groups];
+            memcpy(groups, pam_groups, (n_pam_groups * sizeof(gid_t)));
+            memcpy((groups + n_pam_groups), user_groups,
+                   (n_user_groups * sizeof(gid_t)));
+
+            // setgroups(2) handles duplicate groups
+            if (setgroups(n_groups, groups) != 0) {
+                qCritical() << "setgroups() failed for user: " << username;
+                //free(buffer);
+                exit (Auth::HELPER_OTHER_ERROR);
+            }
+            delete[] groups;
+        }
+        delete[] pam_groups;
+        delete[] user_groups;
+
+#else
+
         if (initgroups(pw->pw_name, pw->pw_gid) != 0) {
             qCritical() << "initgroups(" << pw->pw_name << ", " << pw->pw_gid << ") failed for user: " << username;
             exit(Auth::HELPER_OTHER_ERROR);
         }
+
+#endif /* USE_PAM */
+
         if (setuid(pw->pw_uid) != 0) {
             qCritical() << "setuid(" << pw->pw_uid << ") failed for user: " << username;
             exit(Auth::HELPER_OTHER_ERROR);

Places

File 0007-Honor-PAMs-ambient-supplemental-groups.patch of Package sddm.8613

Places