authorMichal Zidek <mzidek@redhat.com>2014-10-15 18:15:53 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-10-22 15:44:42 +0200
commitb547bd685cb71bb450b0c86487767f02e66f6cea (patch)
tree4cb0c02899db601be33c62892148525336a5c305
parent8bccd95e275fae760a991da394235e4e70e57bbd (diff)
PAM: Create pipe file descriptors before privileges are dropped
Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
-rw-r--r--src/responder/pam/pamsrv.c30
1 files changed, 26 insertions, 4 deletions
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index a3f866273..d3cf0c770 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -181,7 +181,8 @@ done:
static int pam_process_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- struct confdb_ctx *cdb)
+ struct confdb_ctx *cdb,
+ int pipe_fd, int priv_pipe_fd)
{
struct resp_ctx *rctx;
struct sss_cmd_table *pam_cmds;
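Review bot: The two descriptor parameters added to pam_process_init are undocumented: nothing says what state they are expected to be in or who owns them once passed, even though the next hunk hands them straight to sss_process_init where `-1` used to be. A comment above the signature such as `/* pipe_fd, priv_pipe_fd: socket descriptors created in main() before privileges are dropped; ownership passes to sss_process_init */` would make the contract explicit for the next caller, with the "ownership passes" part confirmed against sss_process_init since that code is not visible here. pam_process_init's body continues outside the hunk.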
@@ -194,8 +195,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
pam_cmds = get_pam_cmds();
ret = sss_process_init(mem_ctx, ev, cdb,
pam_cmds,
- SSS_PAM_SOCKET_NAME, -1,
- SSS_PAM_PRIV_SOCKET_NAME, -1,
+ SSS_PAM_SOCKET_NAME, pipe_fd,
+ SSS_PAM_PRIV_SOCKET_NAME, priv_pipe_fd,
CONFDB_PAM_CONF_ENTRY,
SSS_PAM_SBUS_SERVICE_NAME,
SSS_PAM_SBUS_SERVICE_VERSION,
@@ -318,6 +319,8 @@ int main(int argc, const char *argv[])
int ret;
uid_t uid;
gid_t gid;
+ int pipe_fd;
+ int priv_pipe_fd;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -347,6 +350,24 @@ int main(int argc, const char *argv[])
/* set up things like debug, signals, daemonization, etc... */
debug_log_file = "sssd_pam";
+ /* Crate pipe file descriptors here before privileges are dropped
+ * in server_setup() */
+ ret = create_pipe_fd(SSS_PAM_SOCKET_NAME, &pipe_fd, 0111);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "create_pipe_fd failed [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ return 2;
+ }
+
+ ret = create_pipe_fd(SSS_PAM_PRIV_SOCKET_NAME, &priv_pipe_fd, 0177);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "create_pipe_fd failed (priviledged pipe) [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ return 2;
+ }
+
ret = server_setup("sssd[pam]", 0, 0, 0, CONFDB_PAM_CONF_ENTRY, &main_ctx);
if (ret != EOK) return 2;
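Review bot: The comment on the added block and the second DEBUG message both carry typos: `Crate pipe file descriptors` should read `Create pipe file descriptors`, and `(priviledged pipe)` should read `(privileged pipe)`, which matters more because the latter is a log string people will search for. The third argument to create_pipe_fd differs between the two calls (`0111` for the public socket, `0177` for the privileged one) with no explanation; if it is a umask, as the values suggest, a comment like `/* umask: public socket reachable by any local user, privileged socket owner-only */` would record why the restriction differs, and that reading should be confirmed against create_pipe_fd. The early-return paths leave pipe_fd open when the privileged pipe fails, which is harmless since the process exits, but whether the socket path created on disk is cleaned up on the next start depends on create_pipe_fd, outside this hunk. main() continues outside the hunk.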
@@ -359,7 +380,8 @@ int main(int argc, const char *argv[])
ret = pam_process_init(main_ctx,
main_ctx->event_ctx,
- main_ctx->confdb_ctx);
+ main_ctx->confdb_ctx,
+ pipe_fd, priv_pipe_fd);
if (ret != EOK) return 3;
/* loop on main */