Re: (non)reentrancy
From: |
Patrick Pfeifer |
Subject: |
Re: (non)reentrancy |
Date: |
Thu, 5 Jun 2003 17:08:59 +0200 |
On Thu, 5 Jun 2003 14:58:42 +0200, Patrick Pfeifer wrote:
> On Thu, 5 Jun 2003 04:00:54 +0200, Patrick Pfeifer wrote:
>
> > i just spent an hour debugging my pam_wheel-hack,
> > because it uses nonreentrant get{pw,gr}{uid,nam}.
> >
> > the data i wanted got lost on the way down, it's
> > particularly strange, that the other hack worked,
> > where i examined the data just a few lines before.
Ok - I can live with it now - I just reordered the code
a bit to work around the problem.
Here comes the `hack':
It allows you to configure pam_wheel more flexibly.
There is a new "members" option, which means that you can not only
`su' _from_, but also only _to_ "members" of the
`wheel' group. This lets you set it up so that
you can su without password to other user accounts, but _not_
to "root" or others that are not members of the `wheel' group.
It doesn't work with "deny".
Create a wheel group, "my_wheel", with yourself and the ones you want
to be able to su to as members, and put a line like this in /etc/pam.d/su:
auth sufficient /lib/security/pam_wheel.so group=my_wheel members trust
There are other possible configurations, like if you wanna su to admin
and daemon without password: add yourself to the adm and daemon groups
and put these lines in /etc/pam.d/su:
auth sufficient /lib/security/pam_wheel.so group=adm members trust
auth sufficient /lib/security/pam_wheel.so group=daemon members trust
comments? - silly? - cool?
regards
pat
<<<license: GPL>>>
<<<copyright: Patrick Pfeifer, 2003>>>
===File /mnt/software/pam/patsoft-Linux-PAM-0.77-pam_wheel.diff===
--- Linux-PAM-0.77/modules/pam_wheel/pam_wheel.c 2002-07-13
07:48:19.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_wheel/patsoft-pam_wheel.c 2003-06-05
16:43:35.000000000 +0200
@@ -71,10 +71,11 @@
/* argument parsing */
-#define PAM_DEBUG_ARG 0x0001
-#define PAM_USE_UID_ARG 0x0002
-#define PAM_TRUST_ARG 0x0004
-#define PAM_DENY_ARG 0x0010
+#define PAM_DEBUG_ARG 001
+#define PAM_USE_UID_ARG 002
+#define PAM_TRUST_ARG 004
+#define PAM_DENY_ARG 010
+#define PAM_MEMBERS_ARG 020
static int _pam_parse(int argc, const char **argv, char *use_group,
size_t group_length)
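Review bot: Rewriting the existing flag masks in octal (`001` … `020`) is easy to misread as decimal and departs from the hex style the module already used; the new option only needs a free bit, not a renumbering of the old ones. Keep the four original definitions untouched and add `#define PAM_MEMBERS_ARG 0x0008` (the bit the original sequence skipped between 0x0004 and 0x0010), so the hunk touches only the line it actually introduces. The `_pam_parse` definition whose prototype closes this hunk continues outside it.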
@@ -96,6 +97,8 @@
ctrl |= PAM_TRUST_ARG;
else if (!strcmp(*argv,"deny"))
ctrl |= PAM_DENY_ARG;
+ else if (!strcmp(*argv,"members"))
+ ctrl |= PAM_MEMBERS_ARG;
else if (!strncmp(*argv,"group=",6))
strncpy(use_group,*argv+6,group_length-1);
else {
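Review bot: The new `members` keyword is accepted together with `deny` even though the two are contradictory (the covering message itself says the option does not work with "deny"), and nothing in the parser detects the combination, so a misconfigured line silently gets the members check applied on top of deny semantics. After the option loop, reject or neutralise the pair, e.g. `if ((ctrl & PAM_DENY_ARG) && (ctrl & PAM_MEMBERS_ARG)) { _pam_log(LOG_ERR, "members and deny are mutually exclusive"); ctrl &= ~PAM_MEMBERS_ARG; }`, and state the restriction in the option comment above the defines. The surrounding `_pam_parse` loop starts and ends outside this hunk.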
@@ -115,6 +118,9 @@
struct group *grp;
int retval = PAM_AUTH_ERR;
+ /* who do we su to ??? -> username
+ */
+
retval = pam_get_user(pamh, &username, NULL);
if ((retval != PAM_SUCCESS) || (!username)) {
if (ctrl & PAM_DEBUG_ARG) {
@@ -123,15 +129,9 @@
return PAM_SERVICE_ERR;
}
- /* su to a uid 0 account ? */
- pwd = getpwnam(username);
- if (!pwd) {
- if (ctrl & PAM_DEBUG_ARG) {
- _pam_log(LOG_NOTICE,"unknown user %s",username);
- }
- return PAM_USER_UNKNOWN;
- }
-
+ /* who is running us ??? -> fromsu, tpwd
+ */
+
if (ctrl & PAM_USE_UID_ARG) {
tpwd = getpwuid(getuid());
if (!tpwd) {
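Review bot: Removing the `getpwnam(username)` lookup from this point and re-issuing it after the invoker lookup (in the later `@@ -217` hunk) makes `pwd` and `tpwd` share the single static result buffer of `getpwnam`/`getpwuid`; the comment at line +157 says `tpwd` is the passwd pointer for `fromsu`, and if `fromsu` points into that struct (as it plausibly does in the `use_uid` branch above, which is outside this hunk), the second lookup overwrites the invoker's name, so the closing debug log reports the target user as the invoker. Copy the invoker name out before the relocated lookup, e.g. `char fromsu_buf[LOGIN_NAME_MAX + 1]; snprintf(fromsu_buf, sizeof fromsu_buf, "%s", fromsu); fromsu = fromsu_buf;`, or switch both lookups to the `_r` variants with caller-owned storage. The reordering also defers `PAM_USER_UNKNOWN` until after the group checks, which changes the return code for an unknown target when the group lookup fails; worth a comment if intended. The enclosing function continues on both sides of this hunk.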
@@ -157,7 +157,10 @@
/*
* At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
*/
-
+
+ /* which is the "`wheel'" group ??? -> grp
+ */
+
if (!use_group[0]) {
if ((grp = getgrnam("wheel")) == NULL) {
grp = getgrgid(0);
@@ -166,6 +169,10 @@
grp = getgrnam(use_group);
}
+ /* is the "`wheel'" group there, has it members
+ * or is it who-is-running-us's primary group ??? -> fail if not
+ */
+
if (!grp || (!grp->gr_mem && (tpwd->pw_gid != grp->gr_gid))) {
if (ctrl & PAM_DEBUG_ARG) {
if (!use_group[0]) {
@@ -190,6 +197,9 @@
* user has the "wheel" (sic) group as its primary group.
*/
+ /* is who is running us in the "`wheel'" group ??? -> retval
+ */
+
if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) {
if (ctrl & PAM_DENY_ARG) {
@@ -217,6 +227,29 @@
}
}
+ /* su to a uid 0 account ? */
+ pwd = getpwnam(username);
+ if (!pwd) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ _pam_log(LOG_NOTICE,"unknown user %s",username);
+ }
+ return PAM_USER_UNKNOWN;
+ }
+
+ /*
+ * if we were passed "membes", then is who-we-su-to's
+ * primary group or is he member of group "`wheel'" ??? -> retval
+ */
+
+ if (ctrl & PAM_MEMBERS_ARG) {
+ if (!is_on_list(grp->gr_mem, pwd->pw_name) && (grp->gr_gid !=
pwd->pw_gid)) {
+ if (ctrl & PAM_DEBUG_ARG) {
+ _pam_log(LOG_NOTICE, "user %s not member of `wheel' group: %s",
pwd->pw_name, grp->gr_name);
+ }
+ retval = PAM_PERM_DENIED;
+ }
+ }
+
if (ctrl & PAM_DEBUG_ARG) {
if (retval == PAM_IGNORE) {
_pam_log(LOG_NOTICE, "Ignoring access request '%s' for '%s'",
============================================================