picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

pam: use /proc/self/sessionid only if CAP_AUDIT_CONTROL is set

Browse source
This commit is contained in:
Lennart Poettering 2011-04-12 21:12:06 +02:00
parent ac12344590
commit 81481c99c2
1 changed files with 11 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
src/pam-module.c
View file

@ -221,18 +221,19 @@ static uint64_t get_session_id(int *mode) {
/* First attempt: let's use the session ID of the audit
* system, if it is available. */
if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
uint32_t u;
int r;
if (have_effective_cap(CAP_AUDIT_CONTROL) > 0)
if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
uint32_t u;
int r;
r = safe_atou32(s, &u);
free(s);
r = safe_atou32(s, &u);
free(s);
if (r >= 0 && u != (uint32_t) -1 && u > 0) {
*mode = SESSION_ID_AUDIT;
return (uint64_t) u;
if (r >= 0 && u != (uint32_t) -1 && u > 0) {
*mode = SESSION_ID_AUDIT;
return (uint64_t) u;
}
}
}
/* Second attempt, use our own counter. */
if ((fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-session")) >= 0) {
@ -289,7 +290,7 @@ static int get_user_data(
assert(ret_username);
assert(ret_pw);
if (have_effective_cap(CAP_AUDIT_CONTROL)) {
if (have_effective_cap(CAP_AUDIT_CONTROL) > 0) {
/* Only use audit login uid if we are executed with
* sufficient capabilities so that pam_loginuid could
* do its job. If we are lacking the CAP_AUDIT_CONTROL