pam_winbind: Fix CID 242274 Time of check time of use

Always issue the mkdir call to avoid the TOCTOU issue. Only if there is
already an object with the requested name, check whether it is a
directory.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 61ce4fd6b21e036969ca751c7a064ba11d7e4043..aee45bfe9bc92f67906485604ca4bc45fb067933 100644 (file)
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -1582,14 +1582,23 @@ static int _pam_create_homedir(struct pwb_context *ctx,
                               const char *dirname,
                               mode_t mode)
 {
-       struct stat sbuf;
+       int ret;
 
-       if (stat(dirname, &sbuf) == 0) {
-               return PAM_SUCCESS;
-       }
+       ret = mkdir(dirname, mode);
+       if (ret != 0 && errno == EEXIST) {
+               struct stat sbuf;
 
-       if (mkdir(dirname, mode) != 0) {
+               ret = stat(dirname, &sbuf);
+               if (ret != 0) {
+                       return PAM_PERM_DENIED;
+               }
+
+               if (!S_ISDIR(sbuf.st_mode)) {
+                       return PAM_PERM_DENIED;
+               }
+       }
 
+       if (ret != 0) {
                _make_remark_format(ctx, PAM_TEXT_INFO,
                                    _("Creating directory: %s failed: %s"),
                                    dirname, strerror(errno));