Print this page
uts: add a concept of a 'default' set of privileges, separate from 'basic'

Split Close
Expand all
Collapse all
          --- old/usr/src/lib/pam_modules/unix_cred/unix_cred.c
          +++ new/usr/src/lib/pam_modules/unix_cred/unix_cred.c
↓ open down ↓ 583 lines elided ↑ open up ↑
 584  584                  ret = PAM_SYSTEM_ERR;
 585  585                  goto out;
 586  586          }
 587  587  
 588  588          if (def == NULL) {
 589  589                  def = priv_allocset();
 590  590                  if (def == NULL) {
 591  591                          ret = PAM_SYSTEM_ERR;
 592  592                          goto out;
 593  593                  }
 594      -                priv_basicset(def);
      594 +                priv_defaultset(def);
 595  595                  errno = 0;
 596  596                  if ((pathconf("/", _PC_CHOWN_RESTRICTED) == -1) && (errno == 0))
 597  597                          (void) priv_addset(def, PRIV_FILE_CHOWN_SELF);
 598  598          }
 599  599          /*
 600  600           * Silently limit the privileges to those actually available
 601  601           * in the current zone.
      602 +         *
      603 +         * XXX: i think this applies to non-zone cases too, fix the comment.
 602  604           */
 603  605          tset = priv_allocset();
 604  606          if (tset == NULL) {
 605  607                  ret = PAM_SYSTEM_ERR;
 606  608                  goto out;
 607  609          }
 608  610          if (getppriv(PRIV_PERMITTED, tset) != 0) {
 609  611                  ret = PAM_SYSTEM_ERR;
 610  612                  goto out;
 611  613          }
↓ open down ↓ 60 lines elided ↑ open up ↑
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX