Skip to content

Commit

Permalink
setuidgid: Call pam_setcred() to establish user credentials
Browse files Browse the repository at this point in the history 
This patch is required to grant RBAC privileges to the user on Solaris.
  • Loading branch information
@fumiyas
fumiyas committed Jan 1, 2016
1 parent 5526cf4 commit c37db5d
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 0 deletions.
38 changes: 38 additions & 0 deletions setuidgid.c
View file
Original file line number Diff line number Diff line change
@@ -1,10 +1,24 @@
#include <sys/types.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <security/pam_appl.h>
#include "prot.h"
#include "strerr.h"
#include "pathexec.h"
#include "sgetopt.h"

#ifndef PAM_DATA_SILENT
# define PAM_DATA_SILENT 0
#endif

#ifndef SETUIDGID_PAM_SERVICE_NAME_ENV
# define SETUIDGID_PAM_SERVICE_NAME_ENV "SETUIDGID_PAM_SERVICE"
#endif
#ifndef SETUIDGID_PAM_SERVICE_NAME_DEFAULT
# define SETUIDGID_PAM_SERVICE_NAME_DEFAULT "other"
#endif

#define FATAL "setuidgid: fatal: "

void usage() {
Expand All @@ -15,6 +29,28 @@ const char *account;
struct passwd *pw;
int flag2ndgids = 0;

static void pam_prep_user(void)
{
pam_handle_t *pamh;
const char *pam_service_name = getenv(SETUIDGID_PAM_SERVICE_NAME_ENV);
struct pam_conv pam_conv;

if (!pam_service_name)
pam_service_name = SETUIDGID_PAM_SERVICE_NAME_DEFAULT;

/* FIXME: Is this OK? */
memset(&pam_conv, 0, sizeof(pam_conv));

if (pam_start(pam_service_name, pw->pw_name, &pam_conv, &pamh) != PAM_SUCCESS)
strerr_die2x(111,FATAL,"unable to initialize PAM");

pam_set_item(pamh, PAM_USER, pw->pw_name);
pam_setcred(pamh, PAM_ESTABLISH_CRED);

if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) != PAM_SUCCESS)
strerr_die2x(111,FATAL,"unable to finish PAM");
}

int main(int argc,const char *const *argv,const char *const *envp)
{
int opt;
Expand All @@ -34,6 +70,8 @@ int main(int argc,const char *const *argv,const char *const *envp)
if (!pw)
strerr_die3x(111,FATAL,"unknown account ",account);

pam_prep_user();

if (prot_gid(pw->pw_gid) == -1)
strerr_die2sys(111,FATAL,"unable to setgid");
if (flag2ndgids && prot_gids(pw->pw_name, pw->pw_gid) == -1)
Expand Down
1 change: 1 addition & 0 deletions setuidgid=x
View file
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
unix.a
byte.a
-lpam

0 comments on commit c37db5d

Please sign in to comment.