D12937: Drop privileges when reading the salt file

Rolf Eike Beer noreply at phabricator.kde.org
Fri May 25 18:03:38 UTC 2018 

dakon requested changes to this revision.
dakon added inline comments.
This revision now requires changes to proceed.

INLINE COMMENTS

> pam_kwallet.c:705
> +{
> +    int readSaltPipe[2] = { -1, -1};
> +    if (pipe(readSaltPipe) < 0) {

no init necessary, either pipe overwrites it or it returns error.

> pam_kwallet.c:711
> +
> +    const int pid = fork();
> +    if (pid == -1) {

Use pid_t

> pam_kwallet.c:714
> +        syslog(LOG_ERR, "%s: Couldn't fork to read salt file", logPrefix);
> +        return NULL;
> +    } else if (pid == 0) {

leaks the pipe descriptors

> pam_kwallet.c:720
> +            syslog(LOG_ERR, "%s: could not set gid/uid/euid/egit for salt file reading", logPrefix);
> +            exit(-1);
> +        }

leaks path

> pam_kwallet.c:726
> +            syslog(LOG_ERR, "%s: Couldn't open file: %s because: %d-%s", logPrefix, path, errno, strerror(errno));
> +            exit(-1);
> +        }

leaks pipe 1 and path

> pam_kwallet.c:728
> +        }
> +        char *salt = (char*) malloc(KWALLET_PAM_SALTSIZE);
> +        memset(salt, '\0', KWALLET_PAM_SALTSIZE);

Just use  a buffer on the stack, which can even be statically initialized (i.e. no explicit memset() needed). free(path) here.

> pam_kwallet.c:730
> +        memset(salt, '\0', KWALLET_PAM_SALTSIZE);
> +        fread(salt, KWALLET_PAM_SALTSIZE, 1, fd);
> +        fclose(fd);

Check return code. I would prefer to use open()/read()/close() directly, but that can be seen as a matter of personal preferences.

> pam_kwallet.c:735
> +
> +        if (written != KWALLET_PAM_SALTSIZE) {
> +            syslog(LOG_ERR, "%s: Couldn't write the full salt file contents to pipe");

close pipe 1 here.

> pam_kwallet.c:749
> +    waitpid(pid, &status, 0);
> +    if (status == 0) {
> +        salt = (char*) malloc(KWALLET_PAM_SALTSIZE);

please use WIFEXITED and WEXITSTATUS here. The compiler is free to optimize that into a simple compare if that's what it is, but you are now relying on an implementation detail of that status code.

> pam_kwallet.c:750
> +    if (status == 0) {
> +        salt = (char*) malloc(KWALLET_PAM_SALTSIZE);
> +        const ssize_t readBytes = read(readSaltPipe[0], salt, KWALLET_PAM_SALTSIZE);

check for NULL

REPOSITORY
  R107 KWallet PAM Integration

REVISION DETAIL
  https://phabricator.kde.org/D12937

To: aacid, dakon
Cc: dakon, mgerstner, fvogt, plasma-devel, ragreen, Pitel, ZrenBot, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/plasma-devel/attachments/20180525/1d89a778/attachment-0001.html>

More information about the Plasma-devel mailing list