From d3953e88a94ec25a87d3c5136517b3d1009cb1fd Mon Sep 17 00:00:00 2001
From: "J. Konrad Tegtmeier-Rottach" <jktr@0x16.de>
Date: Wed, 8 May 2019 18:58:53 +0200
Subject: [PATCH] Revert "Honor PAM's ambient supplemental groups. (#834)"
This reverts commit 1bc813d08b8130e458a6550ec47fb2bfbe6de080, which
misuses PAM and leads to pulling in all of root's supplemental groups
during session initialization instead of only adding PAM's extra
groups. The problem was masked due to the root user not having any
supplemental groups in some common contexts, like running sddm from a
systemd unit.
---
src/helper/UserSession.cpp | 57 --------------------------------------
1 file changed, 57 deletions(-)
diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
index b3aec356..f71fd358 100644
--- a/src/helper/UserSession.cpp
+++ b/src/helper/UserSession.cpp
@@ -150,67 +150,10 @@ namespace SDDM {
qCritical() << "setgid(" << pw.pw_gid << ") failed for user: " << username;
exit(Auth::HELPER_OTHER_ERROR);
}
-
-#ifdef USE_PAM
-
- // fetch ambient groups from PAM's environment;
- // these are set by modules such as pam_groups.so
- int n_pam_groups = getgroups(0, NULL);
- gid_t *pam_groups = NULL;
- if (n_pam_groups > 0) {
- pam_groups = new gid_t[n_pam_groups];
- if ((n_pam_groups = getgroups(n_pam_groups, pam_groups)) == -1) {
- qCritical() << "getgroups() failed to fetch supplemental"
- << "PAM groups for user:" << username;
- exit(Auth::HELPER_OTHER_ERROR);
- }
- } else {
- n_pam_groups = 0;
- }
-
- // fetch session's user's groups
- int n_user_groups = 0;
- gid_t *user_groups = NULL;
- if (-1 == getgrouplist(username.constData(), pw.pw_gid,
- NULL, &n_user_groups)) {
- user_groups = new gid_t[n_user_groups];
- if ((n_user_groups = getgrouplist(username.constData(),
- pw.pw_gid, user_groups,
- &n_user_groups)) == -1 ) {
- qCritical() << "getgrouplist(" << username << ", " << pw.pw_gid
- << ") failed";
- exit(Auth::HELPER_OTHER_ERROR);
- }
- }
-
- // set groups to concatenation of PAM's ambient
- // groups and the session's user's groups
- int n_groups = n_pam_groups + n_user_groups;
- if (n_groups > 0) {
- gid_t *groups = new gid_t[n_groups];
- memcpy(groups, pam_groups, (n_pam_groups * sizeof(gid_t)));
- memcpy((groups + n_pam_groups), user_groups,
- (n_user_groups * sizeof(gid_t)));
-
- // setgroups(2) handles duplicate groups
- if (setgroups(n_groups, groups) != 0) {
- qCritical() << "setgroups() failed for user: " << username;
- exit (Auth::HELPER_OTHER_ERROR);
- }
- delete[] groups;
- }
- delete[] pam_groups;
- delete[] user_groups;
-
-#else
-
if (initgroups(pw.pw_name, pw.pw_gid) != 0) {
qCritical() << "initgroups(" << pw.pw_name << ", " << pw.pw_gid << ") failed for user: " << username;
exit(Auth::HELPER_OTHER_ERROR);
}
-
-#endif /* USE_PAM */
-
if (setuid(pw.pw_uid) != 0) {
qCritical() << "setuid(" << pw.pw_uid << ") failed for user: " << username;
exit(Auth::HELPER_OTHER_ERROR);
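Review bot: The surviving `initgroups(pw.pw_name, pw.pw_gid)` call carries no comment saying why the supplementary group list is rebuilt from the group database rather than read back with `getgroups()`, which is exactly the misreading this revert undoes; a one-line why-comment would keep the next contributor from reintroducing it. Suggest, above the `if (initgroups(...` line: `// initgroups(3) replaces this (still privileged) process's supplementary groups with the user's own; getgroups() here would describe the helper, not the PAM session.` The order on the new side, setgid then initgroups then setuid, is the right one, since the group list can only be changed while the process still holds its privileges. The enclosing function starts before and ends after this hunk.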