Gentoo's Bugzilla – Attachment 54121 Details for
Bug 64700
start-stop-daemon doesn't use pam
[patch]
Add support for creating a PAM session for daemons
start-stop-daemon.patch (text/plain), 5.25 KB, created by
Scott Dial
on 2005-03-21 17:33:25 UTC
Description:
Add support for creating a PAM session for daemons
Filename:
MIME Type:
Creator:
Scott Dial
Created:
2005-03-21 17:33:25 UTC
Size:
5.25 KB
patch
obsolete
>--- start-stop-daemon.c.orig 2004-05-10 09:21:55.000000000 -0500
>+++ start-stop-daemon.c 2005-03-21 20:31:56.000000000 -0500
>@@ -21,20 +21,24 @@
> *
> * Modified for Gentoo rc-scripts by Donny Davies <woodchip@gentoo.org>:
> * I removed the BSD/Hurd/OtherOS stuff, added #include <stddef.h>
> * and stuck in a #define VERSION "1.9.18". Now it compiles without
> * the whole automake/config.h dance.
> *
> * Updated by Aron Griffis <agriffis@gentoo.org>:
> * Fetched updates from Debian's dpkg-1.10.20, including fix for
> * Gentoo bug 22686 (start-stop-daemon in baselayout doesn't allow
> * altered nicelevel).
>+ *
>+ * Updated by Scott Dial <scott@scottdial.com>:
>+ * Provides PAM support, Gentoo bug 64700 (start-stop-daemon doesn't use pam)
>+ *
> */
>
> #define VERSION "1.10.20"
> #include <stddef.h>
>
> #define NONRETURNPRINTFFORMAT(x, y) \
> __attribute__((noreturn, format(printf, x, y)))
> #define NONRETURNING \
> __attribute__((noreturn))
>
>@@ -95,20 +99,25 @@
> #include <pwd.h>
> #include <grp.h>
> #include <sys/ioctl.h>
> #include <sys/types.h>
> #include <sys/termios.h>
> #include <fcntl.h>
> #include <limits.h>
> #include <assert.h>
> #include <ctype.h>
>
>+#ifdef USE_PAM
>+# include <security/pam_appl.h>
>+# include <security/pam_misc.h>
>+#endif
>+
> #ifdef HAVE_ERROR_H
> # include <error.h>
> #endif
> #ifdef HURD_IHASH_H
> #include <hurd/ihash.h>
> #endif
>
> static int testmode = 0;
> static int quietmode = 0;
> static int exitnodo = 1;
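Review bot: `# include <security/pam_misc.h>` is added next to `pam_appl.h`, but no hunk in this patch calls anything from the pam_misc API — every PAM call made later (pam_start, pam_authenticate, pam_acct_mgmt, pam_open_session, pam_close_session, pam_end, pam_strerror) comes from `pam_appl.h` — and that header is Linux-PAM specific, which ties the build to one implementation and its extra library for nothing. Drop it and keep only `# include <security/pam_appl.h>` under `#ifdef USE_PAM`. `USE_PAM` is not defined anywhere in the patch, so presumably the build is expected to define it; a one-line comment on the `#ifdef`, `/* USE_PAM: set by the build when PAM session support is wanted */`, would make that explicit.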
>@@ -283,20 +292,21 @@
> " start-stop-daemon -K|--stop options ...\n"
> " start-stop-daemon -H|--help\n"
> " start-stop-daemon -V|--version\n"
> "\n"
> "Options (at least one of --exec|--pidfile|--user is required):\n"
> " -x|--exec <executable> program to start/check if it is running\n"
> " -p|--pidfile <pid-file> pid file to check\n"
> " -c|--chuid <name|uid[:group|gid]>\n"
> " change to this user/group before starting process\n"
> " -u|--user <username>|<uid> stop processes owned by this user\n"
>+" user for PAM session\n"
> " -g|--group <group|gid> run process as this group\n"
> " -n|--name <process-name> stop processes with this name\n"
> " -s|--signal <signal> signal to send (default TERM)\n"
> " -a|--startas <pathname> program to start (default is <executable>)\n"
> " -C|--chdir <directory> Change to <directory>(default is /)\n"
> " -N|--nicelevel <incr> add incr to the process's nice level\n"
> " -b|--background force the process to detach\n"
> " -m|--make-pidfile create the pidfile before starting\n"
> " -R|--retry <schedule> check whether processes die, and retry\n"
> " -t|--test test mode, don't do anything\n"
>@@ -1131,25 +1141,33 @@
> x_finished:
> if (!anykilled) {
> if (quietmode <= 0)
> printf("No %s found running; none killed.\n", what_stop);
> return exitnodo;
> } else {
> return 0;
> }
> }
>
>+#ifdef USE_PAM
>+// We are not supporting authentication conversations
>+static struct pam_conv conv = {NULL, NULL };
>+#endif
>
> int main(int argc, char **argv) NONRETURNING;
> int
> main(int argc, char **argv)
> {
>+#ifdef USE_PAM
>+ pam_handle_t *pamh=NULL;
>+ int retval;
>+#endif
> int devnull_fd = -1;
> #ifdef HAVE_TIOCNOTTY
> int tty_fd = -1;
> #endif
> progname = argv[0];
>
> parse_options(argc, argv);
> argc -= optind;
> argv += optind;
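Review bot: The added continuation `" user for PAM session\n"` gives `-u|--user` a second role without saying how it interacts with `-c|--chuid`, and the line above documents that `-u` also takes a numeric `<uid>`; in the later PAM hunk `userspec` is passed to `pam_start()` as-is, so a numeric argument reaches PAM as a literal user name. The text also leaves out that a session is opened for `nobody` when neither option is given. Suggest `" also the PAM session user when -c is not given (default: nobody)\n"` and, in the PAM hunk, resolving a numeric `-u` to a user name before it is handed to `pam_start()`.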
>
>@@ -1252,20 +1270,48 @@
> fclose(pidf);
> }
> if (changeroot != NULL) {
> if (chdir(changeroot) < 0)
> fatal("Unable to chdir() to %s", changeroot);
> if (chroot(changeroot) < 0)
> fatal("Unable to chroot() to %s", changeroot);
> }
> if (changedir != NULL && chdir(changedir) < 0)
> fatal("Unable to chdir() to %s", changedir);
>+
>+// Before we change users, we need to do PAM
>+#ifdef USE_PAM
>+ // -c takes priority because it will be what the process ends up running as
>+ // -u comes in second to allow daemons to be started as root (as most require)
>+ // but use the effective session for another user
>+ // else we use "nobody" to avoid promoting any daemon
>+
>+ if(changeuser != NULL)
>+ retval = pam_start("start-stop-daemon", changeuser, &conv, &pamh);
>+ else if (userspec != NULL)
>+ retval = pam_start("start-stop-daemon", userspec, &conv, &pamh);
>+ else
>+ retval = pam_start("start-stop-daemon", "nobody", &conv, &pamh);
>+
>+ if(retval == PAM_SUCCESS)
>+ retval = pam_authenticate(pamh, PAM_SILENT);
>+
>+ if(retval == PAM_SUCCESS)
>+ retval = pam_acct_mgmt(pamh, PAM_SILENT);
>+
>+ if(retval == PAM_SUCCESS)
>+ retval = pam_open_session(pamh, PAM_SILENT);
>+
>+ if(retval != PAM_SUCCESS)
>+ printf(pam_strerror(pamh, retval));
>+#endif
>+
> if (changeuser != NULL) {
> if (setgid(runas_gid))
> fatal("Unable to set gid to %d", runas_gid);
> if (initgroups(changeuser, runas_gid))
> fatal("Unable to set initgroups() with gid %d", runas_gid);
> if (setuid(runas_uid))
> fatal("Unable to set uid to %s", changeuser);
> }
> if (background) { /* continue background setup */
> int i;
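Review bot: `static struct pam_conv conv = {NULL, NULL };` installs a conversation with a NULL callback, and the same handle is later passed to `pam_authenticate()`; any module on the start-stop-daemon stack that needs to prompt will hand that NULL function pointer to the library, and unless the PAM implementation checks for it that is a call through NULL rather than a clean denial. A non-interactive client should refuse explicitly: `static int no_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { (void)n; (void)msg; (void)resp; (void)data; return PAM_CONV_ERR; }` and `static struct pam_conv conv = { no_conv, NULL };`, with the comment above reworded to `/* Non-interactive: any module that needs to prompt gets PAM_CONV_ERR. */`. `main()` continues past the end of this hunk.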
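Review bot: A PAM failure is reported but not enforced: after `if(retval != PAM_SUCCESS) printf(pam_strerror(pamh, retval));` control falls through to the `setgid`/`setuid` block and the daemon is started anyway, so a denial from `pam_acct_mgmt()` or a failed `pam_open_session()` changes nothing except a line on stdout. That `printf` also passes a non-literal format string (a `%` in the PAM message would be interpreted as a conversion) and omits the newline. Failing closed with the file's own helper, `fatal("PAM: %s", pam_strerror(pamh, retval));`, fixes both; if a failure is meant to be tolerated, the minimum is `fprintf(stderr, "PAM: %s\n", pam_strerror(pamh, retval));` plus a comment saying so. Note also that `pam_start()` runs after the `chroot(changeroot)` above it, so when `changeroot` is set the PAM configuration and modules have to exist inside the new root — worth a comment or an explicit check. `main()` starts and ends outside this hunk.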
>@@ -1287,13 +1333,19 @@ > #endif > > /* create a new session */ > #ifdef HAVE_SETSID > setsid(); > #else > setpgid(0,0); > #endif > } > execv(startas, argv); >- fatal("Unable to start %s: %s", startas, strerror(errno)); >+#ifdef USE_PAM >+ if(retval == PAM_SUCCESS) >+ pam_close_session(pamh, PAM_SILENT); >+ >+ pam_end(pamh, retval); >+#endif >+ fatal("Unable to start %s: %s", startas, strerror(errno)); > } >