
Re: (non)reentrancy


From: Patrick Pfeifer
Subject: Re: (non)reentrancy
Date: Thu, 5 Jun 2003 17:08:59 +0200

On Thu, 5 Jun 2003 14:58:42 +0200, Patrick Pfeifer wrote:

> On Thu, 5 Jun 2003 04:00:54 +0200, Patrick Pfeifer wrote:
>
> > i just spent an hour debugging my pam_wheel-hack,
> > because it uses nonreentrant get{pw,gr}{uid,nam}.
> > 
> > the data i wanted got lost on the way down, it's
> > particularly strange, that the other hack worked,
> > where i examined the data just a few lines before.

Ok - I can live with it now - I just reordered the code
a bit to work around the problem.

Here comes the `hack':

It allows you to configure pam_wheel more flexibly.
There is a new "members" option which means that not only
can you `su' only _from_, but also only _to_ "members" of the
`wheel' group. This lets you set it up so that
you can su without a password to other user accounts, but _not_
to "root" or others who are not members of the `wheel' group.

It doesn't work with "deny".

Create a wheel group, "my_wheel", with yourself and the users you want
to be able to su to as members, and put a line like this in /etc/pam.d/su:

auth  sufficient  /lib/security/pam_wheel.so group=my_wheel members trust

There are other possible configurations; for example, if you want to su to admin
and daemon without a password, add yourself to the adm and daemon groups
and put these lines in /etc/pam.d/su:

auth  sufficient  /lib/security/pam_wheel.so group=adm members trust
auth  sufficient  /lib/security/pam_wheel.so group=daemon members trust

comments? - silly? - cool?

regards

pat


<<<license: GPL>>>
<<<copyright: Patrick Pfeifer, 2003>>>

===File /mnt/software/pam/patsoft-Linux-PAM-0.77-pam_wheel.diff===
--- Linux-PAM-0.77/modules/pam_wheel/pam_wheel.c        2002-07-13 
07:48:19.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_wheel/patsoft-pam_wheel.c        2003-06-05 
16:43:35.000000000 +0200
@@ -71,10 +71,11 @@
 
 /* argument parsing */
 
-#define PAM_DEBUG_ARG       0x0001
-#define PAM_USE_UID_ARG     0x0002
-#define PAM_TRUST_ARG       0x0004
-#define PAM_DENY_ARG        0x0010  
+#define PAM_DEBUG_ARG       001
+#define PAM_USE_UID_ARG     002
+#define PAM_TRUST_ARG       004
+#define PAM_DENY_ARG        010  
+#define PAM_MEMBERS_ARG     020  
 
 static int _pam_parse(int argc, const char **argv, char *use_group,
                      size_t group_length)
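Review bot: Rewriting the existing flag values from hex to octal (`#define PAM_DEBUG_ARG 001` through `#define PAM_DENY_ARG 010`) silently changes PAM_DENY_ARG from 0x0010 (16) to 010 (8); as far as the visible uses go the masks are only tested against themselves inside the module, so this is harmless, but it is churn unrelated to the feature and octal literals are easily misread as decimal. Adding only the new flag in the file's existing style, `#define PAM_MEMBERS_ARG     0x0020`, keeps the hunk to one added line and leaves the established values untouched. The two new define lines also carry trailing whitespace.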
@@ -96,6 +97,8 @@
                ctrl |= PAM_TRUST_ARG;
           else if (!strcmp(*argv,"deny"))
                ctrl |= PAM_DENY_ARG;
+          else if (!strcmp(*argv,"members"))
+               ctrl |= PAM_MEMBERS_ARG;
           else if (!strncmp(*argv,"group=",6))
               strncpy(use_group,*argv+6,group_length-1);
           else {
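Review bot: The parser accepts `members` together with `deny` without complaint, even though the cover mail states the combination does not work; from the later hunk, the membership check overwrites retval with PAM_PERM_DENIED regardless of what the deny logic decided, so an administrator combining the two gets a hard denial rather than the inverted semantics deny promises. Either reject the pairing where ctrl is final, e.g. `if ((ctrl & PAM_MEMBERS_ARG) && (ctrl & PAM_DENY_ARG)) _pam_log(LOG_ERR, "members cannot be combined with deny");` followed by clearing PAM_MEMBERS_ARG, or state the restriction in a comment next to the new option. _pam_parse begins and ends outside this hunk.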
@@ -115,6 +118,9 @@
     struct group *grp;
     int retval = PAM_AUTH_ERR;
 
+    /* who do we su to ??? -> username
+     */
+
     retval = pam_get_user(pamh, &username, NULL);
     if ((retval != PAM_SUCCESS) || (!username)) {
         if (ctrl & PAM_DEBUG_ARG) {
@@ -123,15 +129,9 @@
         return PAM_SERVICE_ERR;
     }
 
-    /* su to a uid 0 account ? */
-    pwd = getpwnam(username);
-    if (!pwd) {
-        if (ctrl & PAM_DEBUG_ARG) {
-            _pam_log(LOG_NOTICE,"unknown user %s",username);
-       }
-        return PAM_USER_UNKNOWN;
-    }
-     
+    /* who is running us ??? -> fromsu, tpwd
+     */
+
     if (ctrl & PAM_USE_UID_ARG) {
        tpwd = getpwuid(getuid());
        if (!tpwd) {
@@ -157,7 +157,10 @@
     /*
      * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
      */
-     
+ 
+    /* which is the "`wheel'" group ??? -> grp
+     */
+
     if (!use_group[0]) {
        if ((grp = getgrnam("wheel")) == NULL) {
            grp = getgrgid(0);
@@ -166,6 +169,10 @@
        grp = getgrnam(use_group);
     }
 
+    /* is the "`wheel'" group there, has it members
+     * or is it who-is-running-us's primary group ??? -> fail if not
+     */
+
     if (!grp || (!grp->gr_mem && (tpwd->pw_gid != grp->gr_gid))) {
        if (ctrl & PAM_DEBUG_ARG) {
            if (!use_group[0]) {
@@ -190,6 +197,9 @@
      * user has the "wheel" (sic) group as its primary group.
      */
 
+    /* is who is running us in the "`wheel'" group ??? -> retval
+     */
+
     if (is_on_list(grp->gr_mem, fromsu) || (tpwd->pw_gid == grp->gr_gid)) {
 
        if (ctrl & PAM_DENY_ARG) {
@@ -217,6 +227,29 @@
        }
     }
 
+    /* su to a uid 0 account ? */
+    pwd = getpwnam(username);
+    if (!pwd) {
+        if (ctrl & PAM_DEBUG_ARG) {
+            _pam_log(LOG_NOTICE,"unknown user %s",username);
+       }
+        return PAM_USER_UNKNOWN;
+    }
+     
+    /*
+     * if we were passed "membes", then is who-we-su-to's
+     * primary group or is he member of group "`wheel'" ??? -> retval
+     */
+
+    if (ctrl & PAM_MEMBERS_ARG) {
+       if (!is_on_list(grp->gr_mem, pwd->pw_name) && (grp->gr_gid != 
pwd->pw_gid)) {
+            if (ctrl & PAM_DEBUG_ARG) {
+               _pam_log(LOG_NOTICE, "user %s not member of `wheel' group: %s", 
pwd->pw_name, grp->gr_name);
+           }
+           retval = PAM_PERM_DENIED;
+       }
+    }
+
     if (ctrl & PAM_DEBUG_ARG) {
        if (retval == PAM_IGNORE) {
            _pam_log(LOG_NOTICE, "Ignoring access request '%s' for '%s'",
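Review bot: `pwd = getpwnam(username);` now runs after the invoker was looked up with getpwuid()/getpwnam() and after fromsu was derived from tpwd (per the comment in the -157 hunk), and because these calls hand back pointers into shared static storage (the nonreentrancy the cover mail describes), the debug log immediately below that prints fromsu may already show the target's name or stale data if fromsu points into that buffer. Moving the call (this hunk together with the deletion in the -123 hunk) only changes which use gets clobbered; copying the invoker's name into a local before the lookup, e.g. `char invoker[256]; snprintf(invoker, sizeof invoker, "%s", fromsu); fromsu = invoker;` (size chosen as an example), or switching to getpwnam_r()/getpwuid_r() with caller-supplied buffers, removes the dependence on call order. The new is_on_list(grp->gr_mem, pwd->pw_name) call inherits the same assumption as the existing one in the -190 hunk that gr_mem is non-NULL, which the earlier guard admits when the gid matches; if is_on_list does not check for a NULL list (its body is not in this diff) a comment on that assumption would help. The new comment also has a typo: "membes" should read "members".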
============================================================



