Some services use the root user on start up but change the effective user to a less privileged user. So the check to use the private socket should use the effective user ID API.
https://github.com/sgallagher/sssd/blob/5509ced1f4082c9864f669ee19d727f15f57ecff/src/sss_client/common.c#L870
```c
    /* only root shall use the privileged pipe */
    if (getuid() == 0 && getgid() == 0) {   //<==== The wrong apis to use
        socket_name = SSS_PAM_PRIV_SOCKET_NAME;
        statret = stat(socket_name, &stat_buf);
        if (statret != 0) {
            ret = PAM_SERVICE_ERR;
            goto out;
        }
        if ( ! (stat_buf.st_uid == 0 &&
                stat_buf.st_gid == 0 &&
                S_ISSOCK(stat_buf.st_mode) &&
                (stat_buf.st_mode & ~S_IFMT) == 0600 )) {
            *errnop = ESSS_BAD_PRIV_SOCKET;
            ret = PAM_SERVICE_ERR;
            goto out;
        }
    } else {
        socket_name = SSS_PAM_SOCKET_NAME;
        statret = stat(socket_name, &stat_buf);
        if (statret != 0) {
```
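The difference between the two checks, as an added example that is not part of the issue or of the SSSD code base: the pipe selection is written once against real IDs (as quoted above) and once against effective IDs, and both are applied to a constructed process that started as root and then lowered its effective IDs. The names `pipe_kind`, `proc_ids`, `pick_by_real_ids`, `pick_by_effective_ids`, `priv_socket_ok` and `dropped_service`, and the ID value 1000, are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE 1   /* for S_IFMT / S_ISSOCK on glibc */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names for this example; not SSSD identifiers. */
enum pipe_kind { PIPE_PUBLIC, PIPE_PRIVATE };
struct proc_ids { uid_t ruid, euid; gid_t rgid, egid; };

/* Snapshot the calling process's real and effective IDs. */
struct proc_ids current_ids(void)
{
    struct proc_ids p = { getuid(), geteuid(), getgid(), getegid() };
    return p;
}

/* The check as quoted in the issue: real IDs only. */
enum pipe_kind pick_by_real_ids(struct proc_ids p)
{
    return (p.ruid == 0 && p.rgid == 0) ? PIPE_PRIVATE : PIPE_PUBLIC;
}

/* The check the issue asks for: effective IDs. */
enum pipe_kind pick_by_effective_ids(struct proc_ids p)
{
    return (p.euid == 0 && p.egid == 0) ? PIPE_PRIVATE : PIPE_PUBLIC;
}

/* Same validation as the quoted code: root-owned socket, mode 0600. */
bool priv_socket_ok(const struct stat *st)
{
    return st->st_uid == 0 && st->st_gid == 0 &&
           S_ISSOCK(st->st_mode) && (st->st_mode & ~S_IFMT) == 0600;
}

/* Constructed case: started as root, effective IDs later set to 1000. */
struct proc_ids dropped_service(void)
{
    struct proc_ids p = { 0, 1000, 0, 1000 };
    return p;
}

int main(void)
{
    struct proc_ids d = dropped_service();
    printf("real-ID check=%d effective-ID check=%d (1 = private pipe)\n",
           pick_by_real_ids(d), pick_by_effective_ids(d));
    return 0;
}
```

For the constructed service the real-ID check still selects the private pipe, a root-owned socket with mode 0600, while the effective-ID check selects the public one.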