Commit 6248ad60 authored by William Lallemand's avatar William Lallemand Committed by Romain Bignon

- Change users of child process with pam authentification

It could be useful to change the user of the child process in daemon fork
mode, for example to allow several (crappy) Skype instances to run side by side.
parent 3e2f62f7
...@@ -130,6 +130,8 @@ aaa { ...@@ -130,6 +130,8 @@ aaa {
# Enable PAM authentication/authorization (need the ENABLE_PAM compile flag) # Enable PAM authentication/authorization (need the ENABLE_PAM compile flag)
#use_pam = false #use_pam = false
# Child process setuid with the pam user (needs root and pam auth)
#pam_setuid = false
# Enable connection information for authentication/authorization # Enable connection information for authentication/authorization
# (currently only used with TLS client certificates) # (currently only used with TLS client certificates)
......
...@@ -82,6 +82,7 @@ Minbif::Minbif() ...@@ -82,6 +82,7 @@ Minbif::Minbif()
section->AddItem(new ConfigItem_bool("use_local", "Use local database to authenticate users", "true")); section->AddItem(new ConfigItem_bool("use_local", "Use local database to authenticate users", "true"));
#ifdef HAVE_PAM #ifdef HAVE_PAM
section->AddItem(new ConfigItem_bool("use_pam", "Use PAM mechanisms to authenticate/authorize users", "false")); section->AddItem(new ConfigItem_bool("use_pam", "Use PAM mechanisms to authenticate/authorize users", "false"));
section->AddItem(new ConfigItem_bool("pam_setuid", "Child process setuid with the pam user (needs root and pam auth)", "false"));
#endif #endif
section->AddItem(new ConfigItem_bool("use_connection", "Use connection information to authenticate/authorize users", "false")); section->AddItem(new ConfigItem_bool("use_connection", "Use connection information to authenticate/authorize users", "false"));
......
...@@ -18,6 +18,9 @@ ...@@ -18,6 +18,9 @@
#include <cstring> #include <cstring>
#include <cerrno> #include <cerrno>
#include <sys/types.h>
#include <pwd.h>
#include "auth.h" #include "auth.h"
#include "core/log.h" #include "core/log.h"
#include "core/util.h" #include "core/util.h"
...@@ -119,7 +122,21 @@ bool AuthPAM::checkPassword(const string& password) ...@@ -119,7 +122,21 @@ bool AuthPAM::checkPassword(const string& password)
retval = pam_start("minbif", username.c_str(), &pam_conversation, &pamh); retval = pam_start("minbif", username.c_str(), &pam_conversation, &pamh);
if (retval == PAM_SUCCESS) if (retval == PAM_SUCCESS)
{
if (conf.GetSection("aaa")->GetItem("pam_setuid")->Boolean() == true)
{
struct passwd *pwd;
pwd = getpwnam(username.c_str());
if (setuid(pwd->pw_uid) != 0)
{
b_log[W_ERR] << "Minbif needs to be launched in root for setuid_pam: ";
close();
return false;
}
}
retval = pam_authenticate(pamh, 0); /* is user really user? */ retval = pam_authenticate(pamh, 0); /* is user really user? */
}
if (retval == PAM_SUCCESS) if (retval == PAM_SUCCESS)
retval = pam_acct_mgmt(pamh, 0); /* permitted access? */ retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
......
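Review bot: The new setuid block dereferences the result of getpwnam() without a NULL check, so a login attempt with a username that has no passwd entry crashes the child, and because the block runs before pam_authenticate() the identity switch is driven by a still-unverified, client-supplied name. setuid() on its own also keeps root's gid and supplementary groups, and a pw_uid of 0 would "succeed" without dropping anything; the rewrite below rejects a missing or uid-0 entry, calls initgroups()/setgid() before setuid(), and appends strerror(errno) to the error log, which currently ends in a dangling colon (`<cerrno>` is already included; initgroups/setgid need `<grp.h>` and `<unistd.h>`). Whether the privilege drop can safely move after pam_acct_mgmt() depends on which PAM modules need root to verify credentials, so I have only flagged the ordering rather than changed it. checkPassword's body continues outside the hunk.
```cpp
if (conf.GetSection("aaa")->GetItem("pam_setuid")->Boolean() == true)
{
    struct passwd *pwd = getpwnam(username.c_str());
    if (!pwd || pwd->pw_uid == 0)
    {
        b_log[W_ERR] << "pam_setuid: unknown user or refusing to run as root: " << username;
        close();
        return false;
    }
    /* drop groups before uid; setuid() alone keeps root's gid and supplementary groups */
    if (initgroups(username.c_str(), pwd->pw_gid) != 0 ||
        setgid(pwd->pw_gid) != 0 || setuid(pwd->pw_uid) != 0)
    {
        b_log[W_ERR] << "Minbif needs to be launched in root for setuid_pam: " << strerror(errno);
        close();
        return false;
    }
}
retval = pam_authenticate(pamh, 0); /* is user really user? */
// … unchanged: pam_acct_mgmt call …
```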