From: Yu Watanabe Date: Thu, 25 Jan 2024 18:09:13 +0000 (+0900) Subject: core/exec-invoke: call pam_setcred(PAM_DELETE_CRED) after pam_close_session() X-Git-Tag: v256-rc1~997^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41ad01520573d5d2cb0ff05cfcfb492fcc0f5d22;p=thirdparty%2Fsystemd.git core/exec-invoke: call pam_setcred(PAM_DELETE_CRED) after pam_close_session() The man page pam_setcred(3) states: > The credentials should be deleted after the session has been closed > (with pam_close_session(3)). Follow-up for 3bb39ea936a51a6a63a8b65a135521df098c32c4. --- diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index ab13f0342a5..a36b094babb 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -1098,6 +1098,22 @@ static int null_conv( return PAM_CONV_ERR; } +static int pam_close_session_and_delete_credentials(pam_handle_t *handle, int flags) { + int r, s; + + assert(handle); + + r = pam_close_session(handle, flags); + if (r != PAM_SUCCESS) + log_debug("pam_close_session() failed: %s", pam_strerror(handle, r)); + + s = pam_setcred(handle, PAM_DELETE_CRED | flags); + if (s != PAM_SUCCESS) + log_debug("pam_setcred(PAM_DELETE_CRED) failed: %s", pam_strerror(handle, s)); + + return r != PAM_SUCCESS ? r : s; +} + #endif static int setup_pam( @@ -1250,13 +1266,9 @@ static int setup_pam( assert(sig == SIGTERM); } - pam_code = pam_setcred(handle, PAM_DELETE_CRED | flags); - if (pam_code != PAM_SUCCESS) - goto child_finish; - /* If our parent died we'll end the session */ if (getppid() != parent_pid) { - pam_code = pam_close_session(handle, flags); + pam_code = pam_close_session_and_delete_credentials(handle, flags); if (pam_code != PAM_SUCCESS) goto child_finish; } @@ -1299,7 +1311,7 @@ fail: if (handle) { if (close_session) - pam_code = pam_close_session(handle, flags); + pam_code = pam_close_session_and_delete_credentials(handle, flags); (void) pam_end(handle, pam_code | flags); }