From 4013218cd8c9840ac6db1084bbdfa22f601bd3b8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 2 Mar 2009 15:26:19 +0100
Subject: added a privileged pipe

---
 sss_client/common.c  | 17 ++++++++++++++++-
 sss_client/sss_cli.h | 14 ++++++++------
 2 files changed, 24 insertions(+), 7 deletions(-)

(limited to 'sss_client')

diff --git a/sss_client/common.c b/sss_client/common.c
index 50aabff2..d0fb0118 100644
--- a/sss_client/common.c
+++ b/sss_client/common.c
@@ -29,6 +29,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/un.h>
+#include <sys/stat.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <stdint.h>
@@ -594,6 +595,7 @@ int sss_pam_make_request(enum sss_cli_command cmd,
 {
     int ret;
     char *envval;
+    struct stat stat_buf;
 
     /* avoid looping in the pam daemon */
     envval = getenv("_SSS_LOOPS");
@@ -601,7 +603,20 @@ int sss_pam_make_request(enum sss_cli_command cmd,
         return PAM_SERVICE_ERR;
     }
 
-    ret = sss_cli_check_socket(errnop, SSS_PAM_SOCKET_NAME);
+    /* only root shall use the privileged pipe */
+    if (getuid() == 0 && getgid() == 0) {
+        ret = stat(SSS_PAM_PRIV_SOCKET_NAME, &stat_buf);
+        if (ret != 0) return PAM_SERVICE_ERR;
+        if ( ! (stat_buf.st_uid == 0 &&
+                stat_buf.st_gid == 0 &&
+                (stat_buf.st_mode&(S_IFSOCK|S_IRUSR|S_IWUSR)) == stat_buf.st_mode)) {
+            return PAM_SERVICE_ERR;
+        }
+
+        ret = sss_cli_check_socket(errnop, SSS_PAM_PRIV_SOCKET_NAME);
+    } else {
+        ret = sss_cli_check_socket(errnop, SSS_PAM_SOCKET_NAME);
+    }
     if (ret != NSS_STATUS_SUCCESS) {
         return PAM_SERVICE_ERR;
     }
diff --git a/sss_client/sss_cli.h b/sss_client/sss_cli.h
index 5445b5fa..1e19e5e2 100644
--- a/sss_client/sss_cli.h
+++ b/sss_client/sss_cli.h
@@ -19,6 +19,7 @@
  * Also a change in one of the pipes will not affect the others */
 #define SSS_NSS_SOCKET_NAME "/var/lib/sss/pipes/nss"
 #define SSS_PAM_SOCKET_NAME "/var/lib/sss/pipes/pam"
+#define SSS_PAM_PRIV_SOCKET_NAME "/var/lib/sss/pipes/private/pam"
 
 #define SSS_PROTOCOL_VERSION 0
 
@@ -121,12 +122,13 @@ enum sss_cli_command {
 #endif
 
 /* PAM related calls */
-    SSS_PAM_AUTHENTICATE   = 0x00F1,
-    SSS_PAM_SETCRED        = 0x00F2,
-    SSS_PAM_ACCT_MGMT      = 0x00F3,
-    SSS_PAM_OPEN_SESSION   = 0x00F4,
-    SSS_PAM_CLOSE_SESSION  = 0x00F5,
-    SSS_PAM_CHAUTHTOK      = 0x00F6,
+    SSS_PAM_AUTHENTICATE     = 0x00F1,
+    SSS_PAM_SETCRED          = 0x00F2,
+    SSS_PAM_ACCT_MGMT        = 0x00F3,
+    SSS_PAM_OPEN_SESSION     = 0x00F4,
+    SSS_PAM_CLOSE_SESSION    = 0x00F5,
+    SSS_PAM_CHAUTHTOK        = 0x00F6,
+    SSS_PAM_CHAUTHTOK_PRELIM = 0x00F6,
 
 };
 
-- 
cgit