openpam_restore_cred.c revision 115619 
175584Sru/*-
275584Sru * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
375584Sru * All rights reserved.
4104862Sru *
575584Sru * This software was developed for the FreeBSD Project by ThinkSec AS and
675584Sru * Network Associates Laboratories, the Security Research Division of
775584Sru * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
875584Sru * ("CBOSS"), as part of the DARPA CHATS research program.
975584Sru *
1075584Sru * Redistribution and use in source and binary forms, with or without
1175584Sru * modification, are permitted provided that the following conditions
1275584Sru * are met:
1375584Sru * 1. Redistributions of source code must retain the above copyright
1475584Sru *    notice, this list of conditions and the following disclaimer.
15104862Sru * 2. Redistributions in binary form must reproduce the above copyright
1675584Sru *    notice, this list of conditions and the following disclaimer in the
1775584Sru *    documentation and/or other materials provided with the distribution.
1875584Sru * 3. The name of the author may not be used to endorse or promote
1975584Sru *    products derived from this software without specific prior written
2075584Sru *    permission.
2175584Sru *
22104862Sru * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
2375584Sru * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2475584Sru * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2575584Sru * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
2675584Sru * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2775584Sru * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2875584Sru * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2975584Sru * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
3075584Sru * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
3175584Sru * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3275584Sru * SUCH DAMAGE.
3375584Sru *
3475584Sru * $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#8 $
3575584Sru */
3675584Sru
3775584Sru#include <sys/param.h>
3875584Sru
3975584Sru#include <grp.h>
4075584Sru#include <pwd.h>
4175584Sru#include <stdlib.h>
4275584Sru#include <unistd.h>
4375584Sru
4475584Sru#include <security/pam_appl.h>
4575584Sru
4675584Sru#include "openpam_impl.h"
4775584Sru
4875584Sru/*
4975584Sru * OpenPAM extension
5075584Sru *
5175584Sru * Restore credentials
5275584Sru */
5375584Sru
5475584Sruint
5575584Sruopenpam_restore_cred(pam_handle_t *pamh)
5675584Sru{
5775584Sru	struct pam_saved_cred *scred;
5875584Sru	int r;
5975584Sru
6075584Sru	ENTER();
6175584Sru	r = pam_get_data(pamh, PAM_SAVED_CRED, (const void **)&scred);
6275584Sru	if (r != PAM_SUCCESS)
6375584Sru		RETURNC(r);
6475584Sru	if (scred == NULL)
6575584Sru		RETURNC(PAM_SYSTEM_ERR);
6675584Sru	if (scred->euid != geteuid()) {
6775584Sru		if (seteuid(scred->euid) < 0 ||
6875584Sru		    setgroups(scred->ngroups, scred->groups) < 0 ||
6975584Sru		    setegid(scred->egid) < 0)
7075584Sru			RETURNC(PAM_SYSTEM_ERR);
7175584Sru	}
7275584Sru	pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL);
7375584Sru	RETURNC(PAM_SUCCESS);
7475584Sru}
7575584Sru
7675584Sru/*
7775584Sru * Error codes:
7875584Sru *
7975584Sru *	=pam_get_data
80104862Sru *	PAM_SYSTEM_ERR
8175584Sru */
8275584Sru
8375584Sru/**
8475584Sru * The =openpam_restore_cred function restores the credentials saved by
8575584Sru * =openpam_borrow_cred.
8675584Sru *
8775584Sru * >setegid
8875584Sru * >seteuid
8975584Sru * >setgroups
9075584Sru */
9175584Sru