morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 16:37:19 +09:00
Code Issues Packages Projects Releases Wiki Activity

core/exec-invoke: call pam_setcred(PAM_DELETE_CRED) after pam_close_session()

Browse Source 
The man page pam_setcred(3) states:
> The credentials should be deleted after the session has been closed
> (with pam_close_session(3)).

Follow-up for 3bb39ea936.
This commit is contained in:
Yu Watanabe
2024-01-26 03:09:13 +09:00
parent de39202426
commit 41ad015205
1 changed files with 18 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/core/exec-invoke.c
View File

@@ -1098,6 +1098,22 @@ static int null_conv(
return PAM_CONV_ERR;
}
static int pam_close_session_and_delete_credentials(pam_handle_t *handle, int flags) {
int r, s;
assert(handle);
r = pam_close_session(handle, flags);
if (r != PAM_SUCCESS)
log_debug("pam_close_session() failed: %s", pam_strerror(handle, r));
s = pam_setcred(handle, PAM_DELETE_CRED | flags);
if (s != PAM_SUCCESS)
log_debug("pam_setcred(PAM_DELETE_CRED) failed: %s", pam_strerror(handle, s));
return r != PAM_SUCCESS ? r : s;
}
#endif
static int setup_pam(
@@ -1250,13 +1266,9 @@ static int setup_pam(
assert(sig == SIGTERM);
}
pam_code = pam_setcred(handle, PAM_DELETE_CRED | flags);
if (pam_code != PAM_SUCCESS)
goto child_finish;
/* If our parent died we'll end the session */
if (getppid() != parent_pid) {
pam_code = pam_close_session(handle, flags);
pam_code = pam_close_session_and_delete_credentials(handle, flags);
if (pam_code != PAM_SUCCESS)
goto child_finish;
}
@@ -1299,7 +1311,7 @@ fail:
if (handle) {
if (close_session)
pam_code = pam_close_session(handle, flags);
pam_code = pam_close_session_and_delete_credentials(handle, flags);
(void) pam_end(handle, pam_code | flags);
}