From c7c686966d382a88d97afba911e66b6814eac057 Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Mon, 18 May 2015 23:34:22 -0400
Subject: [PATCH] openafs: Improved calling of get-token script
Directly fork/exec and change uid instead of relying on system() and su in the external program. Newer libafs-pam-session, openafs client, and kernel change behavior enough that running get-token as root and su or sudoing to the target user does not acquire tokens correctly.
---
 preauthuserdbcommon.c | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/preauthuserdbcommon.c b/preauthuserdbcommon.c
index 6c29778..9fcafe3 100644
--- a/preauthuserdbcommon.c
+++ b/preauthuserdbcommon.c
@@ -14,13 +14,13 @@
 #if HAVE_UNISTD_H
 #include
 #endif
+#include
+#include
 #include "auth.h"
 #include "courierauthdebug.h"
 #include "userdb/userdb.h"
-
-
-#define TOKEN_CMD "/etc/courier/get-token "
+#include "numlib/numlib.h"
 int auth_userdb_pre_common(const char *userid, const char *service, int needpass,
@@ -108,18 +108,24 @@ int rc;
 auth.quota=udb->udb_quota;
 /* Get tokens for AFS */
- { char uidstr[32] = "";
- char *token_cmd;
+ {
 if (auth.sysuserid)
- {
- snprintf(uidstr, sizeof(uidstr), "%ld", (long)*auth.sysuserid);
- if ((token_cmd=malloc(sizeof(TOKEN_CMD)+strlen(uidstr))))
- {
- strcat(strcpy(token_cmd, TOKEN_CMD),uidstr);
- system(token_cmd);
- free(token_cmd);
- }
- }
+ {
+ pid_t pid = fork ();
+
+ if (pid == 0)
+ {
+ char uidstr[32] = "";
+ snprintf(uidstr, sizeof(uidstr), "%ld", (long)*auth.sysuserid);
+
+ libmail_changeuidgid (*auth.sysuserid, auth.sysgroupid);
+ execl ("/etc/courier/get-token", "get-token", uidstr, NULL);
+ }
+ else
+ {
+ waitpid (pid, NULL, 0);
+ }
+ }
 }
 courier_authdebug_authinfo("DEBUG: authuserdb: ", &auth, 0, passwords);
-- 
2.20.1
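Review bot: If `execl` fails in the `pid == 0` branch of the second hunk, the child falls out of the block and carries on into `courier_authdebug_authinfo` and the rest of the function as a second copy of the authenticating process, now running under the target uid; add `_exit(127);` directly after the `execl` call. A failed `fork()` is not handled either: `pid == -1` takes the `else` branch and `waitpid (pid, NULL, 0)` then waits on any child instead of this one, so the branch should read `else if (pid > 0)`. The child also inherits every descriptor the parent has open that is not close-on-exec, which is worth confirming now that get-token runs as the mail user rather than root. The enclosing function starts and ends outside the hunk, so what else the child would execute on the fall-through path cannot be seen from here.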