You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
88 lines
3.5 KiB
88 lines
3.5 KiB
5 years ago
|
From d3953e88a94ec25a87d3c5136517b3d1009cb1fd Mon Sep 17 00:00:00 2001
|
||
|
From: "J. Konrad Tegtmeier-Rottach" <jktr@0x16.de>
|
||
|
Date: Wed, 8 May 2019 18:58:53 +0200
|
||
|
Subject: [PATCH] Revert "Honor PAM's ambient supplemental groups. (#834)"
|
||
|
|
||
|
This reverts commit 1bc813d08b8130e458a6550ec47fb2bfbe6de080, which
|
||
|
misuses PAM and leads to pulling in all of root's supplemental groups
|
||
|
during session initialization instead of only adding PAM's extra
|
||
|
groups. The problem was masked due to the root user not having any
|
||
|
supplemental groups in some common contexts, like running sddm from a
|
||
|
systemd unit.
|
||
|
---
|
||
|
src/helper/UserSession.cpp | 57 --------------------------------------
|
||
|
1 file changed, 57 deletions(-)
|
||
|
|
||
|
diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
|
||
|
index b3aec356..f71fd358 100644
|
||
|
--- a/src/helper/UserSession.cpp
|
||
|
+++ b/src/helper/UserSession.cpp
|
||
|
@@ -150,67 +150,10 @@ namespace SDDM {
|
||
|
qCritical() << "setgid(" << pw.pw_gid << ") failed for user: " << username;
|
||
|
exit(Auth::HELPER_OTHER_ERROR);
|
||
|
}
|
||
|
-
|
||
|
-#ifdef USE_PAM
|
||
|
-
|
||
|
- // fetch ambient groups from PAM's environment;
|
||
|
- // these are set by modules such as pam_groups.so
|
||
|
- int n_pam_groups = getgroups(0, NULL);
|
||
|
- gid_t *pam_groups = NULL;
|
||
|
- if (n_pam_groups > 0) {
|
||
|
- pam_groups = new gid_t[n_pam_groups];
|
||
|
- if ((n_pam_groups = getgroups(n_pam_groups, pam_groups)) == -1) {
|
||
|
- qCritical() << "getgroups() failed to fetch supplemental"
|
||
|
- << "PAM groups for user:" << username;
|
||
|
- exit(Auth::HELPER_OTHER_ERROR);
|
||
|
- }
|
||
|
- } else {
|
||
|
- n_pam_groups = 0;
|
||
|
- }
|
||
|
-
|
||
|
- // fetch session's user's groups
|
||
|
- int n_user_groups = 0;
|
||
|
- gid_t *user_groups = NULL;
|
||
|
- if (-1 == getgrouplist(username.constData(), pw.pw_gid,
|
||
|
- NULL, &n_user_groups)) {
|
||
|
- user_groups = new gid_t[n_user_groups];
|
||
|
- if ((n_user_groups = getgrouplist(username.constData(),
|
||
|
- pw.pw_gid, user_groups,
|
||
|
- &n_user_groups)) == -1 ) {
|
||
|
- qCritical() << "getgrouplist(" << username << ", " << pw.pw_gid
|
||
|
- << ") failed";
|
||
|
- exit(Auth::HELPER_OTHER_ERROR);
|
||
|
- }
|
||
|
- }
|
||
|
-
|
||
|
- // set groups to concatenation of PAM's ambient
|
||
|
- // groups and the session's user's groups
|
||
|
- int n_groups = n_pam_groups + n_user_groups;
|
||
|
- if (n_groups > 0) {
|
||
|
- gid_t *groups = new gid_t[n_groups];
|
||
|
- memcpy(groups, pam_groups, (n_pam_groups * sizeof(gid_t)));
|
||
|
- memcpy((groups + n_pam_groups), user_groups,
|
||
|
- (n_user_groups * sizeof(gid_t)));
|
||
|
-
|
||
|
- // setgroups(2) handles duplicate groups
|
||
|
- if (setgroups(n_groups, groups) != 0) {
|
||
|
- qCritical() << "setgroups() failed for user: " << username;
|
||
|
- exit (Auth::HELPER_OTHER_ERROR);
|
||
|
- }
|
||
|
- delete[] groups;
|
||
|
- }
|
||
|
- delete[] pam_groups;
|
||
|
- delete[] user_groups;
|
||
|
-
|
||
|
-#else
|
||
|
-
|
||
|
if (initgroups(pw.pw_name, pw.pw_gid) != 0) {
|
||
|
qCritical() << "initgroups(" << pw.pw_name << ", " << pw.pw_gid << ") failed for user: " << username;
|
||
|
exit(Auth::HELPER_OTHER_ERROR);
|
||
|
}
|
||
|
-
|
||
|
-#endif /* USE_PAM */
|
||
|
-
|
||
|
if (setuid(pw.pw_uid) != 0) {
|
||
|
qCritical() << "setuid(" << pw.pw_uid << ") failed for user: " << username;
|
||
|
exit(Auth::HELPER_OTHER_ERROR);
|