author: Sumit Bose <sbose@redhat.com> 2010-03-29 10:13:55 +0200
committer: Stephen Gallagher <sgallagh@redhat.com> 2010-04-16 15:15:34 -0400
commit: ea0173fe8ba915960621454168651c62301833cb
tree: 433f6ecbd937d5fc4d7f9b03b98d03fb3ea47fcb /src/external
parent: b9923919909cb976ddf42002c56a42b1893e3547
Use SO_PEERCRED on the PAM socket
This is the second attempt to let the PAM client and the PAM responder exchange their credentials, i.e. uid, gid and pid. Because this approach does not require any message interchange between the client and the server, the protocol version number is not changed.

On the client side the connection is terminated if the responder is not run by root. On the server side the effective uid and gid and the pid of the client are available for future use.

The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are enhanced
- internal error codes are introduced on the client side to generate more specific log messages if an error occurs
Diffstat (limited to 'src/external')
-rw-r--r-- src/external/platform.m4 12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/external/platform.m4 b/src/external/platform.m4
index 71b4f2c85..ee0093789 100644
--- a/src/external/platform.m4
+++ b/src/external/platform.m4
@@ -27,3 +27,15 @@ fi
AM_CONDITIONAL([HAVE_FEDORA], [test x"$osname" == xfedora])
AM_CONDITIONAL([HAVE_REDHAT], [test x"$osname" == xredhat])
AM_CONDITIONAL([HAVE_SUSE], [test x"$osname" == xsuse])
+
+AC_CHECK_MEMBERS([struct ucred.pid, struct ucred.uid, struct ucred.gid], , ,
+ [[#define _GNU_SOURCE
+ #include <sys/socket.h>]])
+
+if test x"$ac_cv_member_struct_ucred_pid" = xyes -a \
+ x"$ac_cv_member_struct_ucred_uid" = xyes -a \
+ x"$ac_cv_member_struct_ucred_gid" = xyes ; then
+ AC_DEFINE([HAVE_UCRED], [1], [Define if struct ucred is available])
+else
+ AC_MSG_WARN([struct ucred is not available])
+fi
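Review bot: The else branch only emits AC_MSG_WARN([struct ucred is not available]), so on a platform without these members configure still succeeds with HAVE_UCRED undefined, and the message does not say what the build loses. Since the commit message ties the client's "responder is run by root" check to these credentials, the warning text (and the AC_DEFINE description) should state the consequence for anything guarded by HAVE_UCRED, or the case should be an AC_MSG_ERROR if the check is meant to be mandatory. A smaller point on the `if test ... -a \` lines: the Autoconf manual lists `test -a` as non-portable, so chaining separate `test ... = xyes && test ... = xyes` commands is the safer form.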