uts: add a concept of a 'default' set of privileges, separate from 'basic'


 574                 }
 575                 return (PAM_SYSTEM_ERR);
 576         }
 577 
 578         tset = def = lim = NULL;
 579         deflim.def = deflim.lim = NULL;
 580 
 581         (void) _enum_attrs(user, finddeflim, NULL, &deflim);
 582 
 583         if (getset(deflim.lim, &lim) != 0 || getset(deflim.def, &def) != 0) {
 584                 ret = PAM_SYSTEM_ERR;
 585                 goto out;
 586         }
 587 
 588         if (def == NULL) {
 589                 def = priv_allocset();
 590                 if (def == NULL) {
 591                         ret = PAM_SYSTEM_ERR;
 592                         goto out;
 593                 }
 594                 priv_basicset(def);
 595                 errno = 0;
 596                 if ((pathconf("/", _PC_CHOWN_RESTRICTED) == -1) && (errno == 0))
 597                         (void) priv_addset(def, PRIV_FILE_CHOWN_SELF);
 598         }
 599         /*
 600          * Silently limit the privileges to those actually available
 601          * in the current zone.


 602          */
 603         tset = priv_allocset();
 604         if (tset == NULL) {
 605                 ret = PAM_SYSTEM_ERR;
 606                 goto out;
 607         }
 608         if (getppriv(PRIV_PERMITTED, tset) != 0) {
 609                 ret = PAM_SYSTEM_ERR;
 610                 goto out;
 611         }
 612         if (!priv_issubset(def, tset))
 613                 priv_intersect(tset, def);
 614         /*
 615          * We set privilege awareness here so that I gets copied to
 616          * P & E when the final setuid(uid) happens.
 617          */
 618         (void) setpflags(PRIV_AWARE, 1);
 619         if (setppriv(PRIV_SET, PRIV_INHERITABLE, def) != 0) {
 620                 syslog(LOG_AUTH | LOG_ERR,
 621                     "pam_setcred: setppriv(defaultpriv) failed: %m");




 574                 }
 575                 return (PAM_SYSTEM_ERR);
 576         }
 577 
 578         tset = def = lim = NULL;
 579         deflim.def = deflim.lim = NULL;
 580 
 581         (void) _enum_attrs(user, finddeflim, NULL, &deflim);
 582 
 583         if (getset(deflim.lim, &lim) != 0 || getset(deflim.def, &def) != 0) {
 584                 ret = PAM_SYSTEM_ERR;
 585                 goto out;
 586         }
 587 
 588         if (def == NULL) {
 589                 def = priv_allocset();
 590                 if (def == NULL) {
 591                         ret = PAM_SYSTEM_ERR;
 592                         goto out;
 593                 }
 594                 priv_defaultset(def);
 595                 errno = 0;
 596                 if ((pathconf("/", _PC_CHOWN_RESTRICTED) == -1) && (errno == 0))
 597                         (void) priv_addset(def, PRIV_FILE_CHOWN_SELF);
 598         }
 599         /*
 600          * Silently limit the privileges to those actually available
 601          * in the current zone.
 602          *
 603          * XXX: i think this applies to non-zone cases too, fix the comment.
 604          */
 605         tset = priv_allocset();
 606         if (tset == NULL) {
 607                 ret = PAM_SYSTEM_ERR;
 608                 goto out;
 609         }
 610         if (getppriv(PRIV_PERMITTED, tset) != 0) {
 611                 ret = PAM_SYSTEM_ERR;
 612                 goto out;
 613         }
 614         if (!priv_issubset(def, tset))
 615                 priv_intersect(tset, def);
 616         /*
 617          * We set privilege awareness here so that I gets copied to
 618          * P & E when the final setuid(uid) happens.
 619          */
 620         (void) setpflags(PRIV_AWARE, 1);
 621         if (setppriv(PRIV_SET, PRIV_INHERITABLE, def) != 0) {
 622                 syslog(LOG_AUTH | LOG_ERR,
 623                     "pam_setcred: setppriv(defaultpriv) failed: %m");
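Review bot: The `XXX: i think this applies to non-zone cases too, fix the comment.` marker added at new lines 602-603 should be resolved in this change rather than committed. The code below it intersects `def` with the result of `getppriv(PRIV_PERMITTED, tset)`, so the comment can say that directly: `Silently limit the privileges to those in the caller's permitted set (for example, as restricted by the current zone).` Separately, the fallback at new line 594 now seeds the inheritable set from `priv_defaultset(def)` instead of `priv_basicset(def)`, apparently when the user has no defaultpriv attribute. A short comment there would help anyone auditing which privileges a session starts with, for example `/* No explicit default set: start from the system 'default' set, not 'basic'. */`. The enclosing function begins and ends outside the lines shown, so the `out:` cleanup path could not be checked.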