115
116
errno = save_errno;
116
117
pam_syslog(pamh, LOG_ERR,
118
@@ -614,10 +672,35 @@
120
/* Set permissions on the new file and dispose of the
122
+#ifdef HAVE_SYS_FSUID_H
123
setfsuid(tpwd->pw_uid);
126
+ if (uid == tpwd->pw_uid)
127
+ setreuid(euid, uid);
130
+ if (setreuid(-1, uid) == -1) {
133
+ if (setreuid(-1, tpwd->pw_uid))
134
+ return PAM_CRED_INSUFFICIENT;
138
if (fchown(fd, tpwd->pw_uid, tpwd->pw_gid) < 0)
139
pam_syslog (pamh, LOG_ERR, "fchown: %m");
140
+#ifdef HAVE_SYS_FSUID_H
143
+ if (uid == tpwd->pw_uid)
144
+ setreuid(uid, euid);
146
+ if (setreuid(-1, 0) == -1)
148
+ setreuid(-1, euid);
153
/* Get a copy of the filename to save as a data item for
156
uid_t unlinkuid, euid;
157
unlinkuid = euid = geteuid ();
158
+#ifndef HAVE_SYS_FSUID_H
162
if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS)
163
pam_syslog(pamh, LOG_ERR, "error determining target user's name");
167
/* NFS with root_squash requires non-root user */
168
+#ifdef HAVE_SYS_FSUID_H
169
setfsuid (unlinkuid);
172
+ if (uid == unlinkuid)
173
+ setreuid(euid, uid);
176
+ if (setreuid(-1, uid) == -1) {
179
+ if (setreuid(-1, unlinkuid))
180
+ return PAM_CRED_INSUFFICIENT;
184
unlink((char*)cookiefile);
185
+#ifdef HAVE_SYS_FSUID_H
188
+ if (uid == unlinkuid)
189
+ setreuid(uid, euid);
191
+ if (setreuid(-1, 0) == -1)
193
+ setreuid(-1, euid);
196
*((char*)cookiefile) = '\0';
199
Index: pam.debian/modules/pam_env/pam_env.c
200
===================================================================
201
--- pam.debian.orig/modules/pam_env/pam_env.c
202
+++ pam.debian/modules/pam_env/pam_env.c
206
#include <sys/stat.h>
207
+#ifdef HAVE_SYS_FSUID_H
208
#include <sys/fsuid.h>
210
#include <sys/types.h>
215
if (stat(envpath, &statbuf) == 0) {
216
uid_t euid = geteuid();
218
+#ifdef HAVE_SYS_FSUID_H
219
setfsuid (user_entry->pw_uid);
221
+ uid_t uid = getuid();
222
+ if (uid == user_entry->pw_uid)
223
+ setreuid(euid, uid);
226
+ if (setreuid(-1, uid) == -1) {
229
+ setreuid(-1, user_entry->pw_uid);
230
+ /* If this fails we didn't have root privs anyway, so we fall
231
+ through; not the safest, but no different from what we do in
232
+ the setfsuid() case. */
236
retval = _parse_config_file(pamh, envpath);
237
+#ifdef HAVE_SYS_FSUID_H
240
+ if (uid == user_entry->pw_uid)
241
+ setreuid(uid, euid);
243
+ if (setreuid(-1, 0) == 0)
245
+ setreuid(-1, euid);
248
if (retval == PAM_IGNORE)
249
retval = PAM_SUCCESS;
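Review bot: The `setreuid()` calls that switch to the user's identity before `_parse_config_file(pamh, envpath)` are never checked, so if the switch fails the file is parsed under the caller's effective uid. The added comment accepts this, whereas the pam_xauth hunks in this same patch return `PAM_CRED_INSUFFICIENT` at the equivalent point. I would check the last fallback the same way, `if (setreuid(-1, user_entry->pw_uid) == -1) { pam_syslog(pamh, LOG_ERR, "setreuid: %m"); return PAM_CRED_INSUFFICIENT; }` (or whatever error this function normally returns; its body starts outside the lines shown), and also check `setreuid(euid, uid)` in the `uid == user_entry->pw_uid` branch. The restore path tests `setreuid(-1, 0) == 0` here but `== -1` in pam_xauth, and the statement between is not visible on this page, so please confirm which condition is intended and log a failure of the final `setreuid(-1, euid)`. The same pattern appears in the pam_mail.c section around `get_mail_status(pamh, ctrl, folder)`.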
251
Index: pam.debian/modules/pam_mail/pam_mail.c
252
===================================================================
253
--- pam.debian.orig/modules/pam_mail/pam_mail.c
254
+++ pam.debian/modules/pam_mail/pam_mail.c
257
#include <sys/stat.h>
258
#include <sys/types.h>
259
+#ifdef HAVE_SYS_FSUID_H
260
#include <sys/fsuid.h>
266
|| (!est && (ctrl & PAM_LOGOUT_TOO))) {
267
uid_t euid = geteuid();
269
+#ifdef HAVE_SYS_FSUID_H
270
setfsuid (pwd->pw_uid);
272
+ uid_t uid = getuid();
274
+ if (uid == pwd->pw_uid)
275
+ setreuid(euid, uid);
278
+ if (setreuid(-1, uid) == -1) {
281
+ setreuid(-1, pwd->pw_uid);
282
+ /* If this fails we didn't have root privs anyway, so we fall
283
+ through; not the safest, but no different from what we do in
284
+ the setfsuid() case. */
288
type = get_mail_status(pamh, ctrl, folder);
289
+#ifdef HAVE_SYS_FSUID_H
292
+ if (uid == pwd->pw_uid)
293
+ setreuid(uid, euid);
295
+ if (setreuid(-1, 0) == 0)
297
+ setreuid(-1, euid);
302
retval = report_mail(pamh, ctrl, type, folder);