Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop leaks; enable saved password #16

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions README
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,16 @@ Supported PAM module parameters are:
with HMAC-SHA-1 Challenge-Response configurations. See the
man-page ykpamcfg(1) for further details on how to configure
offline Challenge-Response validation.
"supply_authtoken":
If mode of operation is "challenge-response", extract
encrypted data from the file created by the action
"add_saved_password" of ykpamcfg command and supply
it as PAM_AUTHTOKEN for subsequent PAM modules to use.
This makes sense if yubikey is used as the sole
authentication factor (i.e. the user does not need to
enter password), but the password is needed for other
PAM module(s), for instance to decrypt Gnome/KDE
keyring.

------

Expand Down
29 changes: 24 additions & 5 deletions drop_privs.c
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@
static uid_t saved_euid;
static gid_t saved_egid;

static gid_t *saved_groups;
static gid_t *saved_groups = NULL;
static int saved_groups_length;
#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */

Expand Down Expand Up @@ -82,13 +82,19 @@ int drop_privileges(struct passwd *pw, pam_handle_t *pamh) {
saved_euid = geteuid();
saved_egid = getegid();

if ((saved_euid == pw->pw_uid) && (saved_egid == pw->pw_gid)) {
D (("Privilges already dropped, pretend it is all right"));
return 0;
}

saved_groups_length = getgroups(0, NULL);
if (saved_groups_length < 0) {
D (("getgroups: %s", strerror(errno)));
return -1;
}

if (saved_groups_length > 0) {
if (saved_groups) free(saved_groups); /* size might have changed */
saved_groups = malloc(saved_groups_length * sizeof(gid_t));
if (saved_groups == NULL) {
D (("malloc: %s", strerror(errno)));
Expand All @@ -97,26 +103,30 @@ int drop_privileges(struct passwd *pw, pam_handle_t *pamh) {

if (getgroups(saved_groups_length, saved_groups) < 0) {
D (("getgroups: %s", strerror(errno)));
return -1;
goto free_out;
}
}

if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
D (("initgroups: %s", strerror(errno)));
return -1;
goto free_out;
}

if (setegid(pw->pw_gid) < 0) {
D (("setegid: %s", strerror(errno)));
return -1;
goto free_out;
}

if (seteuid(pw->pw_uid) < 0) {
D (("seteuid: %s", strerror(errno)));
return -1;
goto free_out;
}

return 0;
free_out:
free(saved_groups);
saved_groups = NULL;
return -1;
#endif /* HAVE_PAM_MODUTIL_DROP_PRIV */
}

Expand All @@ -130,6 +140,11 @@ int restore_privileges(pam_handle_t *pamh) {
_privs_location(1);
return res;
#else
if ((saved_euid == geteuid()) && (saved_egid == getegid())) {
D (("Privilges already as requested, pretend it is all right"));
return 0;
}

if (seteuid(saved_euid) < 0) {
D (("seteuid: %s", strerror(errno)));
return -1;
Expand All @@ -140,6 +155,10 @@ int restore_privileges(pam_handle_t *pamh) {
return -1;
}

if (saved_groups == NULL) {
D (("saved groups are empty, looks like a program error!"));
return -1;
}
if (setgroups(saved_groups_length, saved_groups) < 0) {
D (("setgroups: %s", strerror(errno)));
return -1;
Expand Down
Loading