pam_shrundir: fix lockfile race

2021-01-29 14:52:04 +01:00 · 2021-01-29 14:52:04 +01:00 · 1274a8e2fd
commit 1274a8e2fd
parent e1713eaf29
3 changed files with 51 additions and 44 deletions
--- a/pam_shrundir/.signature
+++ b/pam_shrundir/.signature
@ -1,6 +1,6 @@
 untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF38kSJKzvrIA0Wc7tUQXmMhDLsrXKOEN/GkroPLzha+HmocIsc9pefNs2crmgT5dx2T18OfbnfDxoN1F+NmmM4g4=
-SHA256 (Pkgfile) = 0c7700d5a03721c3679d46beb13ebdb4c3101f8be9666d55f5c48f9e51ce636f
+RWSagIOpLGJF37j5m3ENnI/CdZ9/UxM5HJfqz+tGHFzKhN+PrYJZNqRpA1mHWbZNDSOoDoQ1AQ0OA85InS1nMYGm+pqz5s5E1wo=
+SHA256 (Pkgfile) = e4d9c3d188a386f827acd0fbfc2403f9f60a7f1778138a818244236c78b8e230
 SHA256 (.footprint) = 477b045ddf332d5c081e4dfc5104f8c829e0c28058855b72b5832489b1406645
-SHA256 (pam_shrundir) = 0c544a9352bd68a6a743363caa8b44a8fe5d03f4b98fc3bcab859e11b2b9350e
+SHA256 (pam_shrundir) = 5c7a86ca0962fa2a0a67b8e2f1687ba9d58d73f72c76a590a09d128de88eb365
 SHA256 (pam_shrundir.8) = 3c757d3dd6d4573c8ee3dbddc7754a28cab2f423dc5fbcf3b682e3e46e78c9cb
--- a/pam_shrundir/Pkgfile
+++ b/pam_shrundir/Pkgfile
@ -3,14 +3,14 @@
 # Maintainer:  Steffen Nurpmeso, steffen at sdaoden dot eu

 name=pam_shrundir
-version=20210126
+version=20210129
 release=1
 source=($name $name.8)

 build () {
   install -d $PKG/sbin $PKG/usr/share/man/man8
-   install -m 755 $name $PKG/sbin
-   install -m 644 $name.8 $PKG/usr/share/man/man8/
+   install -m 0755 $name $PKG/sbin
+   install -m 0644 $name.8 $PKG/usr/share/man/man8/
 }

 # s-sh-mode
--- a/pam_shrundir/pam_shrundir
+++ b/pam_shrundir/pam_shrundir
@ -2,71 +2,78 @@
 #@ Create /run/user/`id -u` when the first session is opened, and remove it
 #@ again once the last is closed.
 #@ Place this 0755 in /sbin/pam_shrundir (or wherever you want), then put
-#@ 	session required pam_exec.so quiet /sbin/pam_shrundir
+#@    session required pam_exec.so quiet /sbin/pam_shrundir
 #@ (or "optional" not "required") in /etc/pam.d/common-session, or wherever.
+#
+# 2021 Steffen Nurpmeso <steffen@sdaoden.eu>.
+# Public Domain.

 lckfile=.pam_shrundir.lck
 datfile=.pam_shrundir.dat

 cd /run || {
-	logger -t pam_rundir 'ERROR: /run must exist'
-	exit 1
+   logger -t pam_rundir 'ERROR: /run must exist'
+   exit 1
 }

 command -v flock >/dev/null 2>&1 || {
-	logger -t pam_rundir 'ERROR: i need flock(1) from util-linux'
-	exit 2
+   logger -t pam_rundir 'ERROR: i need flock(1) from util-linux'
+   exit 2
 }

 [ -d user ] || mkdir -m 0755 user || [ -d user ] || {
-	logger -t pam_rundir 'ERROR: cannot create /run/user'
-	exit 3
+   logger -t pam_rundir 'ERROR: cannot create /run/user'
+   exit 3
 }

 cd user || {
-	logger -t pam_rundir 'ERROR: cannot cd to /run/user'
-	exit 4
-
+   logger -t pam_rundir 'ERROR: cannot cd to /run/user'
+   exit 4
 }

 user=`id -u ${PAM_USER}`
 group=`id -g ${PAM_USER}`
 umask 0077

-touch "${lckfile}"
-flock "${lckfile}" -c '
-	ex=0
-	if [ "'"${PAM_TYPE}"'" = open_session ]; then
-		if [ -d '"${user}"' ]; then :; else
-			mkdir -m 0700 '"${user}"' || exit 5
-			chown '"${user}"':'"${group}"' '"${user}"' || exit 6
-			echo 0 > '"${user}"'/'"${datfile}"'
-			chmod 0600 '"${user}"'/'"${datfile}"'
-		fi
-		op=+
-	else
-		op=-
-	fi
+(
+   flock 8 || exit 10
+   ex=0
+   if [ "${PAM_TYPE}" = open_session ]; then
+      if [ -d "${user}" ]; then :; else
+         mkdir -m 0700 "${user}" || exit 5
+         chown "${user}":"${group}" "${user}" || exit 6
+         echo 0 > "${user}"/"${datfile}"
+         chmod 0600 "${user}"/"${datfile}"
+      fi
+      op=+
+   else
+      op=-
+   fi

-	read cnt < '"${user}"'/'"${datfile}"'
-	[ -z "${cnt}" ] && cnt=0
-	cnt=`expr ${cnt} ${op} 1`
-	if [ ${cnt} -le 0 ]; then
-		rm -rf '"${user}"' || ex=7
-	else
-		echo ${cnt} > '"${user}"'/'"${datfile}"'
-	fi
+   read cnt < "${user}"/"${datfile}"
+   [ -z "${cnt}" ] && cnt=0
+   cnt=`expr ${cnt} ${op} 1`
+   if [ ${cnt} -le 0 ]; then
+      rm -rf "${user}" || ex=7
+   else
+      echo ${cnt} > "${user}"/"${datfile}"
+   fi

-	exit ${ex}
-'
+   exit ${ex}
+) 8>"${lckfile}"
 e=${?}
 rm -f "${lckfile}"

+em=
 case ${e} in
-*) ;;
-5) logger -t pam_rundir 'ERROR: cannot create /run/user/'${user};;
-6) logger -t pam_rundir 'ERROR: cannot impersonate /run/user/'${user};;
-7) logger -t pam_rundir 'ERROR: cannot remove /run/user/'${user};;
+0) ;;
+5) em='cannot create /run/user/'${user};;
+6) em='cannot impersonate /run/user/'${user};;
+7) em='cannot remove /run/user/'${user};;
+10) em='cannot flock(1) '${lckfile};;
+*) em='unsorted flock(1) error';;
 esac
+[ -n "${em}" ] && logger -t pam_rundir 'ERROR: '"${em}"

 exit ${e}
+# s-sh-mode