[Pkg-shadow-commits] r2721 - in upstream/trunk: . src
Nicolas FRANÇOIS
nekral-guest at alioth.debian.org
Mon Apr 20 12:27:27 UTC 2009
Author: nekral-guest
Date: 2009-04-20 12:27:27 +0000 (Mon, 20 Apr 2009)
New Revision: 2721
Modified:
upstream/trunk/ChangeLog
upstream/trunk/src/login.c
Log:
* src/login.c: Added comments.
* src/login.c: Close the user and group files before dropping root
privileges.
Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog 2009-04-20 12:17:38 UTC (rev 2720)
+++ upstream/trunk/ChangeLog 2009-04-20 12:27:27 UTC (rev 2721)
@@ -1,5 +1,11 @@
2009-04-20 Nicolas François <nicolas.francois at centraliens.net>
+ * src/login.c: Added comments.
+ * src/login.c: Close the user and group files before dropping root
+ privileges.
+
+2009-04-20 Nicolas François <nicolas.francois at centraliens.net>
+
* src/login.c: We do not need to keep the old umask. Discard the
umask() return value.
Modified: upstream/trunk/src/login.c
===================================================================
--- upstream/trunk/src/login.c 2009-04-20 12:17:38 UTC (rev 2720)
+++ upstream/trunk/src/login.c 2009-04-20 12:27:27 UTC (rev 2721)
@@ -2,7 +2,7 @@
* Copyright (c) 1989 - 1994, Julianne Frances Haugh
* Copyright (c) 1996 - 2001, Marek Michałkiewicz
* Copyright (c) 2001 - 2006, Tomasz Kłoczko
- * Copyright (c) 2007 - 2008, Nicolas François
+ * Copyright (c) 2007 - 2009, Nicolas François
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -838,6 +838,10 @@
exit (1);
}
+ /* This set up the process credential (group) and initialize the
+ * supplementary group access list.
+ * This has to be done before pam_setcred
+ */
if (setup_groups (pwd) != 0) {
exit (1);
}
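Review bot: The comment added above setup_groups() states the ordering constraint but not the reason for it, and the only comment that hinted at one (`We call set_groups() above because this clobbers pam_groups.so`) is removed in the later hunk at old line 1156. Presumably the supplementary group list has to be initialized first so that groups added during pam_setcred() are not overwritten afterwards; if that is the reason, it should be stated here. Suggested wording: `/* Set the process group credentials and initialize the supplementary group list. Must precede pam_setcred(), which may add groups that a later initialization would discard. */`. The enclosing function starts and ends outside the hunk.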
@@ -1156,10 +1160,24 @@
}
}
- /* We call set_groups() above because this clobbers pam_groups.so */
+
+ /*
+ * Close all the files so that unauthorized access won't occur.
+ */
+ endpwent (); /* stop access to password file */
+ endgrent (); /* stop access to group file */
+ endspent (); /* stop access to shadow passwd file */
+#ifdef SHADOWGRP
+ endsgent (); /* stop access to shadow group file */
+#endif
+
+ /* Drop root privileges */
#ifndef USE_PAM
if (setup_uid_gid (&pwent, is_console))
#else
+ /* The group privileges were already dropped.
+ * See setup_groups() above.
+ */
if (change_uid (&pwent))
#endif
{
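Review bot: Closing the databases here leaves nothing to close them again before the shell is started, because the hunk at old line 1247 removes the only other endpwent()/endgrent()/endspent()/endsgent() calls. Any passwd, group or shadow lookup in the code between this point and the exec (not visible in these hunks) would reopen the files, and the descriptors could then be inherited by the user's shell unless the C library opens them close-on-exec. It would be worth confirming that no such lookup remains in that stretch, or keeping a second set of end*ent() calls just before the exec. The new comment could record the constraint, e.g. `/* Close the databases while still root; no passwd, group or shadow lookups may follow before exec. */`. The `if` block opened on the last line continues outside the hunk.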
@@ -1247,12 +1265,6 @@
(void) signal (SIGHUP, SIG_DFL); /* added this. --marekm */
(void) signal (SIGINT, SIG_DFL); /* default interrupt signal */
- endpwent (); /* stop access to password file */
- endgrent (); /* stop access to group file */
- endspent (); /* stop access to shadow passwd file */
-#ifdef SHADOWGRP
- endsgent (); /* stop access to shadow group file */
-#endif
if (0 == pwent.pw_uid) {
SYSLOG ((LOG_NOTICE, "ROOT LOGIN %s", fromhost));
} else if (getdef_bool ("LOG_OK_LOGINS")) {