Source-Changes-HG archive
[src/trunk]: src/usr.bin/login - Added error checks for initgroups(3) and set...
details: https://anonhg.NetBSD.org/src/rev/e2494b1c9b39
branches: trunk
changeset: 341278:e2494b1c9b39
user: shm <shm%NetBSD.org@localhost>
date: Thu Oct 29 11:31:52 2015 +0000
description:
- Added error checks for initgroups(3) and setgroups(2).
- Reorder functions in privilege regain - setgroups(2) should be called after
seteuid(2).
OK christos@
diffstat:
usr.bin/login/login_pam.c | 20 ++++++++++++++------
1 files changed, 14 insertions(+), 6 deletions(-)
diffs (48 lines):
diff -r d154ae22504b -r e2494b1c9b39 usr.bin/login/login_pam.c
--- a/usr.bin/login/login_pam.c Thu Oct 29 10:12:28 2015 +0000
+++ b/usr.bin/login/login_pam.c Thu Oct 29 11:31:52 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: login_pam.c,v 1.24 2014/11/12 22:23:38 aymeric Exp $ */
+/* $NetBSD: login_pam.c,v 1.25 2015/10/29 11:31:52 shm Exp $ */
/*-
* Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
@@ -39,7 +39,7 @@
#if 0
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
#endif
-__RCSID("$NetBSD: login_pam.c,v 1.24 2014/11/12 22:23:38 aymeric Exp $");
+__RCSID("$NetBSD: login_pam.c,v 1.25 2015/10/29 11:31:52 shm Exp $");
#endif /* not lint */
/*
@@ -420,7 +420,11 @@
nsaved_gids = getgroups(NGROUPS_MAX, saved_gids);
(void)setegid(pwd->pw_gid);
- initgroups(username, pwd->pw_gid);
+ if (initgroups(username, pwd->pw_gid) == -1) {
+ syslog(LOG_ERR, "initgroups failed");
+ pam_end(pamh, PAM_SUCCESS);
+ exit(EXIT_FAILURE);
+ }
(void)seteuid(pwd->pw_uid);
if (chdir(pwd->pw_dir) != 0) {
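Review bot: The result of `seteuid(pwd->pw_uid)` is still cast to void right after the new initgroups check, so if the drop fails, the `chdir(pwd->pw_dir)` that follows runs with the saved effective uid (presumably root) and the home-directory access test no longer reflects the user's own rights. `setegid(pwd->pw_gid)` above it is discarded the same way, and so are `setegid(saved_gid)` and `seteuid(saved_uid)` in the regain hunk further down; each should fail closed like the initgroups branch. The new message would also be easier to diagnose with the errno text, `syslog(LOG_ERR, "initgroups failed: %m");`, matching the setgroups message added later in this commit. The enclosing function starts and ends outside the hunk.

```c
	if (setegid(pwd->pw_gid) == -1) {
		syslog(LOG_ERR, "setegid failed: %m");
		pam_end(pamh, PAM_SUCCESS);
		exit(EXIT_FAILURE);
	}
	/* … unchanged: initgroups check … */
	if (seteuid(pwd->pw_uid) == -1) {
		syslog(LOG_ERR, "seteuid failed: %m");
		pam_end(pamh, PAM_SUCCESS);
		exit(EXIT_FAILURE);
	}
```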
@@ -446,9 +450,13 @@
}
/* regain special privileges */
- setegid(saved_gid);
- setgroups(nsaved_gids, saved_gids);
- seteuid(saved_uid);
+ (void)setegid(saved_gid);
+ (void)seteuid(saved_uid);
+ if (setgroups(nsaved_gids, saved_gids) == -1) {
+ syslog(LOG_ERR, "setgroups failed: %m");
+ pam_end(pamh, PAM_SUCCESS);
+ exit(EXIT_FAILURE);
+ }
(void)getgrnam_r(TTYGRPNAME, &grs, grbuf, sizeof(grbuf), &grp);
(void)chown(ttyn, pwd->pw_uid,
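Review bot: `nsaved_gids` handed to `setgroups()` here comes from the `getgroups(NGROUPS_MAX, saved_gids)` call in the earlier hunk, whose return value is never tested. If that call returned -1, the failure would only surface at this point, after the work done as the user, and be logged as "setgroups failed" with an errno unrelated to the real cause. A guard right after the getgroups call, `if (nsaved_gids == -1) { syslog(LOG_ERR, "getgroups failed: %m"); ... }`, with the same pam_end/exit handling, would stop before any credentials are switched. The hunk ends in the middle of the `chown` statement, so the rest of the regain path is not visible here.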