#include <sys/file.h>
#include <pwd.h>
#include <endian.h>
+#include <sys/capability.h>
#include <security/pam_modules.h>
#include <security/_pam_macros.h>
assert(ret_username);
assert(ret_pw);
- if (read_one_line_file("/proc/self/loginuid", &s) >= 0) {
- uint32_t u;
+ if (have_effective_cap(CAP_AUDIT_CONTROL)) {
+ /* Only use audit login uid if we are executed with
+ * sufficient capabilities so that pam_loginuid could
+ * do its job. If we are lacking the CAP_AUDIT_CONTROL
+ * capabality we most likely are being run in a
+ * container and /proc/self/loginuid is useless since
+ * it probably contains a uid of the host system. */
- r = safe_atou32(s, &u);
- free(s);
+ if (read_one_line_file("/proc/self/loginuid", &s) >= 0) {
+ uint32_t u;
- if (r >= 0 && u != (uint32_t) -1 && u > 0) {
- have_loginuid = true;
- pw = pam_modutil_getpwuid(handle, u);
+ r = safe_atou32(s, &u);
+ free(s);
+
+ if (r >= 0 && u != (uint32_t) -1 && u > 0) {
+ have_loginuid = true;
+ pw = pam_modutil_getpwuid(handle, u);
+ }
}
}
#include <linux/kd.h>
#include <dlfcn.h>
#include <sys/wait.h>
+#include <sys/capability.h>
#include "macro.h"
#include "util.h"
*p += k;
}
+int have_effective_cap(int value) {
+ cap_t cap;
+ cap_flag_value_t fv;
+ int r;
+
+ if (!(cap = cap_get_proc()))
+ return -errno;
+
+ if (cap_get_flag(cap, value, CAP_EFFECTIVE, &fv) < 0)
+ r = -errno;
+ else
+ r = fv == CAP_SET;
+
+ cap_free(cap);
+ return r;
+}
+
static const char *const ioprio_class_table[] = {
[IOPRIO_CLASS_NONE] = "none",
[IOPRIO_CLASS_RT] = "realtime",
void parse_syslog_priority(char **p, int *priority);
+int have_effective_cap(int value);
+
#define NULSTR_FOREACH(i, l) \
for ((i) = (l); (i) && *(i); (i) = strchr((i), 0)+1)