Verified Commit ddd9971a authored by Nik | Klampfradler's avatar Nik | Klampfradler

[PAM] Set global flag to mark getpwnam unsafe during PAM authentication

parent 9577388b
......@@ -80,7 +80,7 @@ impl <'a>UserInfo<'a> {
}
// If we cannot call getpwnam safely, return error (see `is_get_pwnam_safe`)
if !is_getpwnam_safe() {
if !get_is_getpwnam_safe() {
let msg = "Context user cannot be resolved safely right now";
warn!("{}", msg);
return Err(io::Error::new(io::ErrorKind::WouldBlock, msg));
......@@ -160,7 +160,7 @@ impl <'a>UserInfo<'a> {
let target_euid = match self.get_uid() {
Ok(uid) => uid,
Err(e) => {
error!("Could not drop privileges because target UID is not resolved");
debug!("Could not drop privileges because target UID is not resolved");
return Err(e);
}
};
......@@ -294,9 +294,16 @@ fn save_json<O: Serialize>(path: PathBuf, obj: O) -> Result<(), io::Error> {
fs::write(path, json)
}
fn is_getpwnam_safe() -> bool {
// FIXME Implement real logic
return true;
static mut is_getpwnam_safe: bool = true;
fn get_is_getpwnam_safe() -> bool {
unsafe {
is_getpwnam_safe
}
}
pub fn set_is_getpwnam_safe(v: bool) {
unsafe {
is_getpwnam_safe = v
}
}
static mut original_euid: uid_t = uid_t::MAX;
......
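Review bot: `static mut is_getpwnam_safe` is read and written through bare `unsafe` blocks with no synchronization, so a process that loads this module and calls into it from more than one thread has a data race on the flag, which is undefined behaviour in Rust. An atomic removes the `unsafe` entirely: `static IS_GETPWNAM_SAFE: AtomicBool = AtomicBool::new(true);` with `IS_GETPWNAM_SAFE.load(Ordering::SeqCst)` in the getter and `IS_GETPWNAM_SAFE.store(v, Ordering::SeqCst)` in the setter (this needs `use std::sync::atomic::{AtomicBool, Ordering};`). The flag is also process-wide, so while one thread authenticates, an unrelated lookup on another thread would presumably hit the `WouldBlock` return in the first hunk; a doc comment on `set_is_getpwnam_safe` should state whether that is intended. The neighbouring `static mut original_euid` may deserve the same treatment, but its accessors are outside the hunk.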
......@@ -24,7 +24,7 @@ use crate::oauth::get_access_token_password;
use crate::logging::setup_log;
use crate::cache::get_cache;
use crate::cache::{get_cache, set_is_getpwnam_safe};
use pamsm::{PamServiceModule, Pam, PamFlag, PamError, PamLibExt};
......@@ -90,8 +90,10 @@ impl PamServiceModule for PamOidc {
match get_access_token_password(&conf, "pam", username.to_string(), password.to_string(), PamError::SERVICE_ERR, PamError::AUTH_ERR) {
Ok(t) => {
info!("Authenticated {} using Resource Owner Password Grant", username);
set_is_getpwnam_safe(false);
get_cache().context_user.set_username(username.to_string());
get_cache().context_user.set_access_token(t);
set_is_getpwnam_safe(true);
return PamError::SUCCESS;
},
Err(e) => {
......
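Review bot: The flag cleared by `set_is_getpwnam_safe(false)` in the `Ok(t)` arm is restored only if both `set_username` and `set_access_token` return normally; if either panics, or a later edit adds an early return between the two calls, the flag stays `false` and every subsequent lookup in the process fails with `WouldBlock`. A small guard type whose `Drop` restores the flag makes the reset unconditional, as sketched below. The unsafe window also opens only after `get_access_token_password` has returned, so if the intent is to cover the whole authentication (as the commit title suggests), the guard should be created before that call; I cannot tell from the hunk whether the token request can trigger a lookup. The enclosing function starts and ends outside the hunk.

```rust
// Marks getpwnam unsafe for its lifetime; Drop restores the flag on every exit path.
struct GetpwnamUnsafeGuard;

impl GetpwnamUnsafeGuard {
    fn new() -> Self {
        set_is_getpwnam_safe(false);
        GetpwnamUnsafeGuard
    }
}

impl Drop for GetpwnamUnsafeGuard {
    fn drop(&mut self) {
        set_is_getpwnam_safe(true);
    }
}

// … unchanged: get_access_token_password match, Ok(t) arm, info! call …
                let _guard = GetpwnamUnsafeGuard::new();
                get_cache().context_user.set_username(username.to_string());
                get_cache().context_user.set_access_token(t);
                return PamError::SUCCESS;
```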