From d5f64c1ecd8f13f01681d0a18b8f3174ff9bd225 Mon Sep 17 00:00:00 2001
From: Joseph Richey
Date: Fri, 1 Sep 2017 00:50:42 -0700
Subject: security: No more permenant privilege dropping

This was creating an issue becasuse fully dropping privileges required spawning a goroutine and using rutime.DropOSThread().
---
 pam/pam.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'pam/pam.go')

diff --git a/pam/pam.go b/pam/pam.go
index 657e9fb..998772c 100644
--- a/pam/pam.go
+++ b/pam/pam.go
@@ -134,14 +134,14 @@ func (h *Handle) StartAsPamUser() error {
 if err := security.KeyringsSetup(h.PamUser, h.OrigUser); err != nil {
 return err
 }
- return security.SetThreadPrivileges(h.PamUser, false)
+ return security.SetThreadPrivileges(h.PamUser)
 }
 // StopAsPamUser restores the original privileges that were running the
 // PAM module (this is usually root). As this error is often ignored in a defer
 // statement, any error is also logged.
 func (h *Handle) StopAsPamUser() error {
- err := security.SetThreadPrivileges(h.OrigUser, false)
+ err := security.SetThreadPrivileges(h.OrigUser)
 if err != nil {
 log.Print(err)
 }
--
cgit v1.2.3

From 1ce72a7367967152948dbe332ea8d9834f194c27 Mon Sep 17 00:00:00 2001
From: Joseph Richey
Date: Fri, 1 Sep 2017 00:53:07 -0700
Subject: security: Change user keyring lookup algorithm

Now instead of spawning a seperate thread we alternate between changing the euid and ruid to both find the keyring and link it to the process keyring. Note that we also ensure that the user keyring is linked into the root keyring whenever possible.
---
 pam/pam.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'pam/pam.go')

diff --git a/pam/pam.go b/pam/pam.go
index 998772c..a3642cc 100644
--- a/pam/pam.go
+++ b/pam/pam.go
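Review bot: Once the permanent drop is gone, the privilege change made by `security.SetThreadPrivileges(h.PamUser)` is presumably scoped to the calling OS thread, yet nothing in this hunk pins the goroutine to that thread, so the doc comments on StartAsPamUser and StopAsPamUser should state the requirement; StartAsPamUser's header lies outside the hunk. I would add to StopAsPamUser's comment: `// Both StartAsPamUser and StopAsPamUser assume the caller is locked to its OS thread (runtime.LockOSThread); if security.SetThreadPrivileges enforces this itself, say so here instead.` The reason the second argument disappeared is only in the commit message; a short why-comment next to the call, e.g. `// Per-thread only; privileges are restored by StopAsPamUser.`, keeps that context with the code.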
@@ -131,8 +131,8 @@ func (h *Handle) GetItem(i Item) (unsafe.Pointer, error) {
 // StartAsPamUser sets the effective privileges to that of the PAM user, and
 // configures the PAM user's keyrings to be properly linked.
 func (h *Handle) StartAsPamUser() error {
- if err := security.KeyringsSetup(h.PamUser, h.OrigUser); err != nil {
- return err
+ if _, err := security.UserKeyringID(h.PamUser); err != nil {
+ log.Printf("Setting up keyrings in PAM: %v", err)
 }
 return security.SetThreadPrivileges(h.PamUser)
 }
--
cgit v1.2.3
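Review bot: A keyring-setup failure is now logged and otherwise ignored: when `security.UserKeyringID(h.PamUser)` fails, StartAsPamUser still proceeds to `security.SetThreadPrivileges(h.PamUser)` and returns its result, so the caller gets nil and cannot tell that the user keyring is not linked, whereas the removed lines returned the error. If that is intended, the doc comment at the top of the hunk should say so, e.g. `// configures the PAM user's keyrings to be properly linked. Keyring setup is best-effort: a failure is only logged and does not abort the privilege change, so later keyring operations may fail.` The discarded first result also deserves a why-comment, since the call appears to be made for the linking side effect the commit message describes, e.g. `// Called for its side effect of linking the user keyring; the ID itself is unused here.` Otherwise, returning the error keeps the decision with the caller.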