1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-15 03:14:23 +00:00
freebsd-ports/databases/gnats/files/patch-gnats::gnatsd.c
Dag-Erling Smørgrav 0e9073a57e [1] Avoid leaking potentially sensitive information into system logs
[2] Add PAM support to gnatsd

PR:		[1] ports/41342
Submitted by:	[1] Igor Kucherenko <kivvy@sunbay.com>
		[2] ru
2003-02-04 16:31:34 +00:00

131 lines
2.7 KiB
C

--- gnats/gnatsd.c.orig Wed Sep 22 02:18:39 1999
+++ gnats/gnatsd.c Tue Aug 20 21:11:28 2002
@@ -24,6 +24,15 @@
#include "query.h"
#include "db_conf.h"
+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+#ifdef _OPENPAM
+#include <security/openpam.h>
+#endif
+
+static int issetuidroot;
+#endif /* HAVE_PAM */
+
char myname[MAXHOSTNAMELEN];
char *program_name;
@@ -387,9 +396,9 @@
return found;
}
-/* Get the access lever for this user. */
-int
-get_user_access (database, filename, user, passwd)
+/* Get the access level for this user using the file backend. */
+static int
+get_user_access_file (database, filename, user, passwd)
char *database;
char *filename;
char *user;
@@ -489,6 +498,86 @@
return access;
}
+#ifdef HAVE_PAM
+#ifndef _OPENPAM
+int
+pam_conv (n, msg, resp, data)
+ int n;
+ const struct pam_message **msg;
+ struct pam_response **resp;
+ void *data;
+{
+
+ if (n != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
+ return(PAM_CONV_ERR);
+ if ((*resp = malloc(sizeof(struct pam_response))) == NULL)
+ return(PAM_CONV_ERR);
+ (*resp)[0].resp = strdup((const char *)data);
+ (*resp)[0].resp_retcode = 0;
+
+ return ((*resp)[0].resp != NULL ? PAM_SUCCESS : PAM_CONV_ERR);
+}
+#endif /* _OPENPAM */
+
+/* Get the access level for this user using the PAM backend. */
+static int
+get_user_access_pam (user, passwd)
+ char *user;
+ char *passwd;
+{
+ int access;
+ pam_handle_t *pamh;
+ struct pam_conv pamc = {
+#ifdef _OPENPAM
+ &openpam_nullconv, NULL
+#else
+ &pam_conv, passwd
+#endif
+ };
+
+ access = -1;
+
+ /* PAM chain may require super-user. */
+ if (issetuidroot)
+ seteuid(0);
+
+ if (pam_start("gnatsd", user, &pamc, &pamh) == PAM_SUCCESS &&
+#ifdef _OPENPAM
+ pam_set_item(pamh, PAM_AUTHTOK, passwd) == PAM_SUCCESS &&
+#endif
+ pam_authenticate(pamh, 0) == PAM_SUCCESS)
+ {
+ access = ACCESS_EDIT;
+ }
+
+ /* Revert back to real UID. */
+ if (issetuidroot)
+ seteuid(getuid());
+
+ return access;
+}
+#endif /* HAVE_PAM */
+
+/* Get the access level for this user. */
+int
+get_user_access (database, filename, user, passwd)
+ char *database;
+ char *filename;
+ char *user;
+ char *passwd;
+{
+ int access;
+
+ access = -1;
+
+#ifdef HAVE_PAM
+ if ((access = get_user_access_pam(user, passwd)) == -1)
+#endif /* HAVE_PAM */
+ access = get_user_access_file(database, filename, user, passwd);
+
+ return access;
+}
+
void
start_connection ()
{
@@ -680,6 +769,11 @@
int optc;
int not_inetd = 0;
int access, access_required;
+
+#ifdef HAVE_PAM
+ if ((issetuidroot = geteuid() == 0 && getuid() != 0))
+ seteuid(getuid());
+#endif /* HAVE_PAM */
outfile = stdout;