Lines 24-29
|
24 |
# include <security/pam_modutil.h> |
24 |
# include <security/pam_modutil.h> |
25 |
#endif |
25 |
#endif |
26 |
#include <stdlib.h> |
26 |
#include <stdlib.h> |
|
|
27 |
#include <unistd.h> |
27 |
|
28 |
|
28 |
#if !defined(HAVE_KRB5_GET_ERROR_MESSAGE) && !defined(HAVE_KRB5_GET_ERR_TEXT) |
29 |
#if !defined(HAVE_KRB5_GET_ERROR_MESSAGE) && !defined(HAVE_KRB5_GET_ERR_TEXT) |
29 |
# if !defined(HAVE_KRB5_GET_ERROR_STRING) |
30 |
# if !defined(HAVE_KRB5_GET_ERROR_STRING) |
Lines 146-151
pamk5_compat_free_error(krb5_context ctx, const char *msg)
|
146 |
|
147 |
|
147 |
|
148 |
|
148 |
/* |
149 |
/* |
|
|
150 |
* AIX's NAS Kerberos implementation mysteriously provides the struct and the |
151 |
* krb5_verify_init_creds function but not this function. |
152 |
*/ |
153 |
#ifndef HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT |
154 |
void |
155 |
krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt) |
156 |
{ |
157 |
opt->flags = 0; |
158 |
opt->ap_req_nofail = 0; |
159 |
} |
160 |
#endif |
161 |
|
162 |
|
163 |
/* |
164 |
* MIT provides a krb5_init_secure_context that ignores all the environment |
165 |
* variables that may otherwise influence context creation. We call that |
166 |
* function if we detect that we're setuid. Heimdal doesn't have this |
167 |
* function, but instead automatically ignores the environment variables if it |
168 |
* detects we're setuid. This means that we should be able to fall back |
169 |
* safely to krb5_init_context if krb5_init_secure_context isn't available. |
170 |
*/ |
171 |
krb5_error_code |
172 |
pamk5_compat_secure_context(krb5_context *ctx) |
173 |
{ |
174 |
#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT |
175 |
return krb5_init_secure_context(ctx); |
176 |
#else |
177 |
return krb5_init_context(ctx); |
178 |
#endif |
179 |
} |
180 |
|
181 |
|
182 |
/* |
149 |
* Linux PAM provides a thread-safe version of getpwnam that we want to use if |
183 |
* Linux PAM provides a thread-safe version of getpwnam that we want to use if |
150 |
* available. If it's not, fall back on getpwnam. (Ideally, we should check |
184 |
* available. If it's not, fall back on getpwnam. (Ideally, we should check |
151 |
* for getpwnam_r and use it, but I haven't written that routine.) |
185 |
* for getpwnam_r and use it, but I haven't written that routine.) |
Lines 162-175
pamk5_compat_getpwnam(struct pam_args *args UNUSED, const char *user)
|
162 |
|
196 |
|
163 |
|
197 |
|
164 |
/* |
198 |
/* |
165 |
* AIX's NAS Kerberos implementation mysteriously provides the struct and the |
199 |
* Call the Solaris issetugid function if available. If not, check whether |
166 |
* krb5_verify_init_creds function but not this function. |
200 |
* the real and effective UIDs and GIDs match. |
167 |
*/ |
201 |
*/ |
168 |
#ifndef HAVE_KRB5_VERIFY_INIT_CREDS_OPT_INIT |
202 |
int |
169 |
void |
203 |
pamk5_compat_issetugid(void) |
170 |
krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt) |
|
|
171 |
{ |
204 |
{ |
172 |
opt->flags = 0; |
205 |
#ifdef HAVE_ISSETUGID |
173 |
opt->ap_req_nofail = 0; |
206 |
return issetugid(); |
174 |
} |
207 |
#else |
|
|
208 |
if (getuid() != geteuid()) |
209 |
return 1; |
210 |
if (getgid() != getegid()) |
211 |
return 1; |
212 |
return 0; |
175 |
#endif |
213 |
#endif |
|
|
214 |
} |
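Review bot: The fallback branch of pamk5_compat_issetugid (new lines 208-212) compares only the current real and effective IDs, so it returns 0 for a process that was executed setuid or setgid and has since made its real and effective IDs equal, whereas issetugid() on platforms that provide it keeps reporting such a process as tainted. If the caller, which is not shown on this page, uses this result to decide whether to ask for a secure context, the environment variables that influence context creation would be honoured in the very case the comment above pamk5_compat_secure_context wants to exclude. I would document the limit directly above the fallback, for example `/* Only detects a current ID mismatch; a setuid caller that already equalised its IDs is reported as 0. */`. The comment on pamk5_compat_secure_context also says the secure variant is called "if we detect that we're setuid", while the body as shown calls krb5_init_secure_context whenever it is available, so the comment should say where the detection happens or that the call is unconditional.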