summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2012-10-04 19:08:08 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-10-11 14:11:56 +0200
commitdba7903ba7fc04bc331004b0453938c116be3663 (patch)
tree598b19a0b64b38fe9866f43b702ea8f0f5ba5454
parent8ba8222afca3026fd67af08e224b1d9e848aceaa (diff)
downloadsssd-dba7903ba7fc04bc331004b0453938c116be3663.tar.gz
sssd-dba7903ba7fc04bc331004b0453938c116be3663.tar.xz
sssd-dba7903ba7fc04bc331004b0453938c116be3663.zip
PAM: close socket fd with pam_set_data
https://fedorahosted.org/sssd/ticket/1569
-rw-r--r--src/sss_client/common.c6
-rw-r--r--src/sss_client/pam_sss.c25
-rw-r--r--src/sss_client/sss_cli.h2
3 files changed, 33 insertions, 0 deletions
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 1ef3ba15e..a4d523cdf 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -794,6 +794,12 @@ errno_t check_server_cred(int sockfd)
#endif
return 0;
}
+
+int *sss_pam_get_socket(void)
+{
+ return &sss_cli_sd;
+}
+
int sss_pam_make_request(enum sss_cli_command cmd,
struct sss_cli_req_data *rd,
uint8_t **repbuf, size_t *replen,
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index efbc48b6e..90d4c0a33 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -54,6 +54,7 @@
#define FLAGS_USE_AUTHTOK (1 << 2)
#define PWEXP_FLAG "pam_sss:password_expired_flag"
+#define FD_DESTRUCTOR "pam_sss:fd_destructor"
#define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
#define PW_RESET_MSG_MAX_SIZE 4096
@@ -122,6 +123,24 @@ static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
ptr = NULL;
}
+static void close_fd(pam_handle_t *pamh, void *ptr, int err)
+{
+ int fd = *((int *) ptr);
+
+ if (err & PAM_DATA_REPLACE) {
+ /* Nothing to do */
+ return;
+ }
+
+ if (fd == -1) {
+ /* fd not yet initialized */
+ return;
+ }
+
+ D(("Closing the fd"));
+ close(fd);
+}
+
static size_t add_authtok_item(enum pam_item_type type,
enum sss_authtok_type authtok_type,
const char *tok, const size_t size,
@@ -1058,6 +1077,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
enum sss_cli_command task, bool quiet_mode)
{
int ret;
+ int sret;
int errnop;
struct sss_cli_req_data rd;
uint8_t *buf = NULL;
@@ -1078,6 +1098,11 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
errnop = 0;
ret = sss_pam_make_request(task, &rd, &repbuf, &replen, &errnop);
+ sret = pam_set_data(pamh, FD_DESTRUCTOR, sss_pam_get_socket(), close_fd);
+ if (sret != PAM_SUCCESS) {
+ D(("pam_set_data failed, client might leaks fds"));
+ }
+
if (ret != PAM_SUCCESS) {
if (errnop != 0) {
logger(pamh, LOG_ERR, "Request to sssd failed. %s", ssscli_err2string(errnop));
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index f60bd9912..f3cb44adb 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -481,6 +481,8 @@ int sss_pam_make_request(enum sss_cli_command cmd,
struct sss_cli_req_data *rd,
uint8_t **repbuf, size_t *replen,
int *errnop);
+int *sss_pam_get_socket(void);
+
int sss_pac_make_request(enum sss_cli_command cmd,
struct sss_cli_req_data *rd,
uint8_t **repbuf, size_t *replen,