Skip to content
Snippets Groups Projects
Verified Commit ddd9971a authored by Nik | Klampfradler's avatar Nik | Klampfradler
Browse files

[PAM] Set global flag to mark getpwnam unsafe during PAM authentication

parent 9577388b
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
src/cache.rs
+ 12
5
View file @ ddd9971a
...@@ -80,7 +80,7 @@ impl <'a>UserInfo<'a> { ...@@ -80,7 +80,7 @@ impl <'a>UserInfo<'a> {
} }
// If we cannot call getpwnam safely, return error (see `is_get_pwnam_safe`) // If we cannot call getpwnam safely, return error (see `is_get_pwnam_safe`)
if !is_getpwnam_safe() { if !get_is_getpwnam_safe() {
let msg = "Context user cannot be resolved safely right now"; let msg = "Context user cannot be resolved safely right now";
warn!("{}", msg); warn!("{}", msg);
return Err(io::Error::new(io::ErrorKind::WouldBlock, msg)); return Err(io::Error::new(io::ErrorKind::WouldBlock, msg));
...@@ -160,7 +160,7 @@ impl <'a>UserInfo<'a> { ...@@ -160,7 +160,7 @@ impl <'a>UserInfo<'a> {
let target_euid = match self.get_uid() { let target_euid = match self.get_uid() {
Ok(uid) => uid, Ok(uid) => uid,
Err(e) => { Err(e) => {
error!("Could not drop privileges because target UID is not resolved"); debug!("Could not drop privileges because target UID is not resolved");
return Err(e); return Err(e);
} }
}; };
...@@ -294,9 +294,16 @@ fn save_json<O: Serialize>(path: PathBuf, obj: O) -> Result<(), io::Error> { ...@@ -294,9 +294,16 @@ fn save_json<O: Serialize>(path: PathBuf, obj: O) -> Result<(), io::Error> {
fs::write(path, json) fs::write(path, json)
} }
fn is_getpwnam_safe() -> bool { static mut is_getpwnam_safe: bool = true;
// FIXME Implement real logic fn get_is_getpwnam_safe() -> bool {
return true; unsafe {
is_getpwnam_safe
}
}
pub fn set_is_getpwnam_safe(v: bool) {
unsafe {
is_getpwnam_safe = v
}
} }
static mut original_euid: uid_t = uid_t::MAX; static mut original_euid: uid_t = uid_t::MAX;
......
src/pam.rs
+ 3
1
View file @ ddd9971a
...@@ -24,7 +24,7 @@ use crate::oauth::get_access_token_password; ...@@ -24,7 +24,7 @@ use crate::oauth::get_access_token_password;
use crate::logging::setup_log; use crate::logging::setup_log;
use crate::cache::get_cache; use crate::cache::{get_cache, set_is_getpwnam_safe};
use pamsm::{PamServiceModule, Pam, PamFlag, PamError, PamLibExt}; use pamsm::{PamServiceModule, Pam, PamFlag, PamError, PamLibExt};
...@@ -90,8 +90,10 @@ impl PamServiceModule for PamOidc { ...@@ -90,8 +90,10 @@ impl PamServiceModule for PamOidc {
match get_access_token_password(&conf, "pam", username.to_string(), password.to_string(), PamError::SERVICE_ERR, PamError::AUTH_ERR) { match get_access_token_password(&conf, "pam", username.to_string(), password.to_string(), PamError::SERVICE_ERR, PamError::AUTH_ERR) {
Ok(t) => { Ok(t) => {
info!("Authenticated {} using Resource Owner Password Grant", username); info!("Authenticated {} using Resource Owner Password Grant", username);
set_is_getpwnam_safe(false);
get_cache().context_user.set_username(username.to_string()); get_cache().context_user.set_username(username.to_string());
get_cache().context_user.set_access_token(t); get_cache().context_user.set_access_token(t);
set_is_getpwnam_safe(true);
return PamError::SUCCESS; return PamError::SUCCESS;
}, },
Err(e) => { Err(e) => {
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment