author | Sumit Bose <sbose@redhat.com> | 2009-03-02 15:26:19 +0100 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2009-03-05 09:58:41 -0500 |
commit | 4013218cd8c9840ac6db1084bbdfa22f601bd3b8 (patch) | |
tree | 6e94bc12d427496fe49aa18469f4dc4755219a3d /sss_client/common.c | |
parent | f9f42495c5ab22e17f7e59bd2df3f9353301d8b8 (diff) | |
added a privileged pipe
Diffstat (limited to 'sss_client/common.c')
-rw-r--r-- | sss_client/common.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/sss_client/common.c b/sss_client/common.c
index 50aabff2..d0fb0118 100644
--- a/sss_client/common.c
+++ b/sss_client/common.c
@@ -29,6 +29,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/un.h>
+#include <sys/stat.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <stdint.h>
@@ -594,6 +595,7 @@ int sss_pam_make_request(enum sss_cli_command cmd,
 {
 int ret;
 char *envval;
+ struct stat stat_buf;
 /* avoid looping in the pam daemon */
 envval = getenv("_SSS_LOOPS");
@@ -601,7 +603,20 @@ int sss_pam_make_request(enum sss_cli_command cmd,
 return PAM_SERVICE_ERR;
 }
- ret = sss_cli_check_socket(errnop, SSS_PAM_SOCKET_NAME);
+ /* only root shall use the privileged pipe */
+ if (getuid() == 0 && getgid() == 0) {
+ ret = stat(SSS_PAM_PRIV_SOCKET_NAME, &stat_buf);
+ if (ret != 0) return PAM_SERVICE_ERR;
+ if ( ! (stat_buf.st_uid == 0 &&
+ stat_buf.st_gid == 0 &&
+ (stat_buf.st_mode&(S_IFSOCK|S_IRUSR|S_IWUSR)) == stat_buf.st_mode)) {
+ return PAM_SERVICE_ERR;
+ }
+
+ ret = sss_cli_check_socket(errnop, SSS_PAM_PRIV_SOCKET_NAME);
+ } else {
+ ret = sss_cli_check_socket(errnop, SSS_PAM_SOCKET_NAME);
+ }
 if (ret != NSS_STATUS_SUCCESS) {
 return PAM_SERVICE_ERR;
 } |
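Review bot: The mode test in the third hunk, `(stat_buf.st_mode&(S_IFSOCK|S_IRUSR|S_IWUSR)) == stat_buf.st_mode`, only verifies that no bit outside the mask is set, so it does not require the path to be a socket: on Linux the S_IFSOCK value shares bits with the regular-file and directory type values, so a root-owned 0600 regular file, or an entry with no permission bits at all, also passes. Checking type and permissions separately states the intent: `S_ISSOCK(stat_buf.st_mode) &&` followed by `(stat_buf.st_mode & ~S_IFMT) == (S_IRUSR|S_IWUSR)`. The check is also done by path with stat(), which follows symlinks, and sss_cli_check_socket() is then handed the same path again, so the object connected to is not necessarily the one that was checked. Whether that window matters depends on who can write the containing directory, which is not visible here; verifying the peer's credentials on the connected descriptor would not depend on the path at all. sss_pam_make_request begins before this hunk and continues past it.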