
pam_duo: replace match on 'su' service with a use_uid parameter.

This makes it behave a lot like Linux-PAM's pam_wheel, and allows using
the same behaviour with any other similar service, rather than just
with su.
1 parent 56a0394 commit bf180a96f64bfb92857cae406046d98b4fdabcae @Flameeyes committed Mar 27, 2012
Showing with 11 additions and 6 deletions.
  1. +10 −6 pam_duo/pam_duo.c
  2. +1 −0 pam_duo/pam_duo_options.h
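--- a/pam_duo/pam_duo.c
+++ b/pam_duo/pam_duo.c
@@ -234,6 +234,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
 options |= PAM_OPT_TRY_FIRST_PASS;
 } else if (strcmp("use_first_pass", argv[i]) == 0) {
 options |= PAM_OPT_USE_FIRST_PASS|PAM_OPT_TRY_FIRST_PASS;
+ } else if (strcmp("use_uid", argv[i]) == 0) {
+ options |= PAM_OPT_USE_UID;
 } else {
 _syslog(LOG_ERR, "Invalid pam_duo option: '%s'",
 argv[i]);
@@ -270,6 +272,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
 (duopam_const void *)&service) != PAM_SUCCESS) {
 return (PAM_SERVICE_ERR);
 }
+ if (options & PAM_OPT_USE_UID) {
+ /* Check calling user for Duo auth, just like sudo */
+ if ((pw = getpwuid(getuid())) == NULL) {
+ return (PAM_USER_UNKNOWN);
+ }
+ user = pw->pw_name;
+ }
+
 if (strcmp(service, "sshd") == 0) {
 /*
 * Disable incremental status reporting for sshd :-(
@@ -279,12 +289,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
 flags |= DUO_FLAG_SYNC;
 } else if (strcmp(service, "sudo") == 0) {
 cmd = getenv("SUDO_COMMAND");
- } else if (strcmp(service, "su") == 0) {
- /* Check calling user for Duo auth, just like sudo */
- if ((pw = getpwuid(getuid())) == NULL) {
- return (PAM_USER_UNKNOWN);
- }
- user = pw->pw_name;
 }
 /* Check group membership */
 if (cfg.groups_cnt > 0) {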
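Review bot: With `use_uid` set, the block added after the `PAM_SERVICE` lookup replaces `user` with the account of `getuid()` for every service, including the `sshd` branch directly below it, and nothing checks that the real uid belongs to a person invoking a setuid helper. In a daemon's PAM stack the real uid is normally the daemon's own (often root), so a misplaced `use_uid` would run the Duo check, and presumably the group check that follows, against that one account for every login. I would state the constraint at the option and log the substitution, e.g. `/* use_uid: challenge the real uid of the caller; only meaningful for setuid helpers such as su */` and `_syslog(LOG_INFO, "use_uid: Duo auth for '%s'", pw->pw_name);`. Existing `su` stacks also stop challenging the calling user after an upgrade unless `use_uid` is added to them, which deserves a line in the man page or changelog. pam_sm_authenticate starts and ends outside these hunks, and `user` now points into getpwuid's static buffer, so any later getpw* call in the function should be checked for clobbering it.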
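--- a/pam_duo/pam_duo_options.h
+++ b/pam_duo/pam_duo_options.h
@@ -12,6 +12,7 @@
 #define PAM_OPT_TRY_FIRST_PASS 0x02
 #define PAM_OPT_USE_FIRST_PASS 0x04
 #define PAM_OPT_ECHO_PASS 0x08
+#define PAM_OPT_USE_UID 0x10
 int pam_get_pass(pam_handle_t *, int, const char **, const char *, int);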
