1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

Merge pull request #31107 from yuwata/pam-setcred-vs-close-session

core/exec-invoke: call pam_setcred(PAM_DELETE_CRED) after pam_close_session()
This commit is contained in:
Mike Yuan 2024-02-01 19:02:40 +08:00 committed by GitHub
commit 75971cd68a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -1098,6 +1098,22 @@ static int null_conv(
return PAM_CONV_ERR; return PAM_CONV_ERR;
} }
static int pam_close_session_and_delete_credentials(pam_handle_t *handle, int flags) {
int r, s;
assert(handle);
r = pam_close_session(handle, flags);
if (r != PAM_SUCCESS)
log_debug("pam_close_session() failed: %s", pam_strerror(handle, r));
s = pam_setcred(handle, PAM_DELETE_CRED | flags);
if (s != PAM_SUCCESS)
log_debug("pam_setcred(PAM_DELETE_CRED) failed: %s", pam_strerror(handle, s));
return r != PAM_SUCCESS ? r : s;
}
#endif #endif
static int setup_pam( static int setup_pam(
@ -1178,7 +1194,7 @@ static int setup_pam(
pam_code = pam_setcred(handle, PAM_ESTABLISH_CRED | flags); pam_code = pam_setcred(handle, PAM_ESTABLISH_CRED | flags);
if (pam_code != PAM_SUCCESS) if (pam_code != PAM_SUCCESS)
log_debug("pam_setcred() failed, ignoring: %s", pam_strerror(handle, pam_code)); log_debug("pam_setcred(PAM_ESTABLISH_CRED) failed, ignoring: %s", pam_strerror(handle, pam_code));
pam_code = pam_open_session(handle, flags); pam_code = pam_open_session(handle, flags);
if (pam_code != PAM_SUCCESS) if (pam_code != PAM_SUCCESS)
@ -1250,13 +1266,9 @@ static int setup_pam(
assert(sig == SIGTERM); assert(sig == SIGTERM);
} }
pam_code = pam_setcred(handle, PAM_DELETE_CRED | flags);
if (pam_code != PAM_SUCCESS)
goto child_finish;
/* If our parent died we'll end the session */ /* If our parent died we'll end the session */
if (getppid() != parent_pid) { if (getppid() != parent_pid) {
pam_code = pam_close_session(handle, flags); pam_code = pam_close_session_and_delete_credentials(handle, flags);
if (pam_code != PAM_SUCCESS) if (pam_code != PAM_SUCCESS)
goto child_finish; goto child_finish;
} }
@ -1299,7 +1311,7 @@ fail:
if (handle) { if (handle) {
if (close_session) if (close_session)
pam_code = pam_close_session(handle, flags); pam_code = pam_close_session_and_delete_credentials(handle, flags);
(void) pam_end(handle, pam_code | flags); (void) pam_end(handle, pam_code | flags);
} }