Commit 15199d3e authored by Michael Stapelberg's avatar Michael Stapelberg

pam: Check $XDG_RUNTIME_DIR owner

from Ubuntu’s patches/pam-check-runtime-dir-user.patch:

From: Martin Pitt <martinpitt@gnome.org>
Date: Wed, 13 Nov 2013 13:02:28 +0100
Subject: [PATCH] pam: Check $XDG_RUNTIME_DIR owner

http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html requires
that $XDG_RUNTIME_DIR "MUST be owned by the user, and he MUST be the only one
having read and write access to it.".

Don't set an existing $XDG_RUNTIME_DIR in the PAM module if it isn't owned by
the session user. Otherwise su sessions get a runtime dir from a different user
which leads to either permission errors or scribbling over the other user's
files.

Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=753882
Bug-Ubuntu: https://launchpad.net/bugs/1197395
parent 73b71c7f
......@@ -13,6 +13,7 @@ systemd (204-8) UNRELEASED; urgency=low
* set capabilities cap_dac_override,cap_sys_ptrace=ep for
systemd-detect-virt, so that it works for unprivileged users.
(Closes: #739699)
* pam: Check $XDG_RUNTIME_DIR owner (Closes: #731300)
[ Michael Biebl ]
* do a one-time migration of RAMTMP= from /etc/default/rcS and
......
......@@ -329,6 +329,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
dbus_bool_t remote, existing;
int r;
uint32_t vtnr = 0;
struct stat st;
assert(handle);
......@@ -565,11 +566,25 @@ _public_ PAM_EXTERN int pam_sm_open_session(
goto finish;
}
r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", runtime_path, 0);
if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
/* only set $XDG_RUNTIME_DIR if it is owned by the target user, as per
* XDG basedir-spec; this avoids su sessions to scribble over a runtime
* dir of a different user */
r = lstat(runtime_path, &st);
if (r != 0) {
pam_syslog(handle, LOG_ERR, "Failed to stat runtime dir: %s", strerror(errno));
r = PAM_SYSTEM_ERR;
goto finish;
}
if (st.st_uid == uid) {
r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", runtime_path, 0);
if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
goto finish;
}
} else if (debug) {
pam_syslog(handle, LOG_DEBUG, "Runtime dir %s is not owned by the target uid %u, ignoring.",
runtime_path, uid);
}
if (!isempty(seat)) {
r = pam_misc_setenv(handle, "XDG_SEAT", seat, 0);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment