From: Clinton Ebadi
Date: Tue, 19 May 2015 03:34:22 +0000 (-0400)
Subject: openafs: Improved calling of get-token script
X-Git-Tag: debian/0.66.1-1+hcoop3~1
X-Git-Url: https://git.hcoop.net/hcoop/debian/courier-authlib.git/commitdiff_plain/c7c686966d382a88d97afba911e66b6814eac057?hp=6d167bb1539ec7eeffd77bef20b73fee3761af63;ds=sidebyside
openafs: Improved calling of get-token script
Directly fork/exec and change uid instead of relying on system() and su in the external program. Newer libafs-pam-session, openafs client, and kernel change behavior enough that running get-token as root and su or sudoing to the target user does not acquire tokens correctly.
---
diff --git a/preauthuserdbcommon.c b/preauthuserdbcommon.c
index 6c29778..9fcafe3 100644
--- a/preauthuserdbcommon.c
+++ b/preauthuserdbcommon.c
@@ -14,13 +14,13 @@
 #if HAVE_UNISTD_H
 #include
 #endif
+#include
+#include
 #include "auth.h"
 #include "courierauthdebug.h"
 #include "userdb/userdb.h"
-
-
-#define TOKEN_CMD "/etc/courier/get-token "
+#include "numlib/numlib.h"
 int auth_userdb_pre_common(const char *userid, const char *service, int needpass,
@@ -108,18 +108,24 @@ int rc;
 auth.quota=udb->udb_quota;
 /* Get tokens for AFS */
- { char uidstr[32] = "";
- char *token_cmd;
+ {
 if (auth.sysuserid)
- {
- snprintf(uidstr, sizeof(uidstr), "%ld", (long)*auth.sysuserid);
- if ((token_cmd=malloc(sizeof(TOKEN_CMD)+strlen(uidstr))))
- {
- strcat(strcpy(token_cmd, TOKEN_CMD),uidstr);
- system(token_cmd);
- free(token_cmd);
- }
- }
+ {
+ pid_t pid = fork ();
+
+ if (pid == 0)
+ {
+ char uidstr[32] = "";
+ snprintf(uidstr, sizeof(uidstr), "%ld", (long)*auth.sysuserid);
+
+ libmail_changeuidgid (*auth.sysuserid, auth.sysgroupid);
+ execl ("/etc/courier/get-token", "get-token", uidstr, NULL);
+ }
+ else
+ {
+ waitpid (pid, NULL, 0);
+ }
+ }
 }
 courier_authdebug_authinfo("DEBUG: authuserdb: ", &auth, 0, passwords);
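Review bot: If `execl` fails in the `pid == 0` branch of the second hunk (script missing or not executable), the child leaves the block and carries on into `courier_authdebug_authinfo` and the rest of the function as a second copy of the authentication process, now under the target uid; the branch should end with `_exit (127);`. The `else` branch also catches `fork ()` returning -1, where `waitpid (-1, NULL, 0)` waits for any child instead of none, and the script's exit status is discarded, so a failed token fetch is silent. The child also inherits every descriptor the daemon holds that is not close-on-exec; it is worth confirming that none of them should be reachable from a process running as the user. auth_userdb_pre_common starts and ends outside the hunk, so the fence below covers only the fork block.

```c
pid_t pid = fork ();

if (pid == 0)
{
	/* … unchanged: uidstr formatting, libmail_changeuidgid, execl … */
	_exit (127);	/* reached only when execl failed */
}
else if (pid > 0)
{
	int status;

	if (waitpid (pid, &status, 0) < 0
	    || !WIFEXITED (status) || WEXITSTATUS (status) != 0)
	{
		/* get-token did not complete: report it through the module's error log */
	}
}
else
{
	/* fork failed: report it; there is no child to wait for */
}
```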