Skip to content
Snippets Groups Projects
Verified Commit 832d9e4a authored by Nik | Klampfradler's avatar Nik | Klampfradler
Browse files

[Cache] Add `persist` flag to tell `set_access_token` whether to write to $HOME or not

parent 45dfbc0c
No related branches found
No related tags found
No related merge requests found
......@@ -311,31 +311,36 @@ impl UserInfo {
///
/// This will store the token in memory in the `access_token` slot, and attempt to
/// write the token to disk afterwards
pub fn set_access_token(&mut self, token: BasicTokenResponse) -> Result<(), io::Error> {
pub fn set_access_token(&mut self, token: BasicTokenResponse, persist: bool) -> Result<(), io::Error> {
self.access_token = Some(token.clone());
debug!("Saved token in memory");
// Try to write user's token cache file
// We need to ensure privileges were dropped successfully to avoid symlink attacks
// cf. https://capec.mitre.org/data/definitions/132.html
let res = match self.drop_privileges() {
Ok(_) => match self.place_user_cache_file(USER_TOKEN_FILENAME.to_string()) {
Ok(path) => {
debug!("Storing token for in cache file");
save_json(path, token)
if persist {
// Try to write user's token cache file
// We need to ensure privileges were dropped successfully to avoid symlink attacks
// cf. https://capec.mitre.org/data/definitions/132.html
let res = match self.drop_privileges() {
Ok(_) => match self.place_user_cache_file(USER_TOKEN_FILENAME.to_string()) {
Ok(path) => {
debug!("Storing token for in cache file");
save_json(path, token)
},
Err(e) => {
error!("Error getting cache path in user home: {}", e);
Err(e)
}
},
Err(e) => {
error!("Error getting cache path in user home: {}", e);
error!("Error dropping privileges to store token in user home: {}", e);
Err(e)
}
},
Err(e) => {
error!("Error dropping privileges to store token in user home: {}", e);
Err(e)
}
};
restore_privileges();
return res;
};
restore_privileges();
res
} else {
Ok(())
}
}
}
......
......@@ -102,16 +102,15 @@ impl PamServiceModule for PamOidc {
// 1. ...mark getpwnam unsafe (prevent cache code from calling it)
set_is_getpwnam_safe(false);
// 2. ...store the access token (will not go through to $HOME, as getpwnam
// is locked)
get_context_user().set_access_token(t.clone()).ok();
// 2. ...store the access token in memory
get_context_user().set_access_token(t.clone(), false).ok();
// 3. ...call getpwnam ourselves without having the cache object locked
let passwd = getpwnam_safe(username.to_string());
if passwd.is_ok() {
// 4. ...if getpwnam was successful, store the token again (this time,
// modulo other errors, it will go through to $HOME)
get_context_user().set_passwd(passwd.unwrap());
get_context_user().set_access_token(t.clone()).ok();
get_context_user().set_access_token(t.clone(), true).ok();
}
// 5. ...unlock getpwnam again (somewhat unnecessary)
set_is_getpwnam_safe(true);
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment