initial commit

AUTHORS

@@ -0,0 +1 @@
+Scott Balneaves <sbalneav@ltsp.org>

Makefile.am

@@ -0,0 +1,11 @@
+AUTOMAKE_OPTIONS = dist-bzip2
+DISTCLEANFILES = ChangeLog
+EXTRA_DIST = autogen.sh
+
+SUBDIRS = src man
+
+.PHONY: ChangeLog
+ChangeLog:
+		git log > ChangeLog || touch ChangeLog
+
+dist-hook: ChangeLog

NEWS

@@ -0,0 +1 @@
+2016/02/04 Initial Release

README.md

@@ -0,0 +1,18 @@
+libpam-envclean
+===============
+
+What is it?
+-----------
+
+It's a pam module that removes the XDG_RUNTIME_DIR environment variable from
+the environment if the user authenticating is different from the user owning
+it.  This is for the case of programs like gksu clobbering the users' dconf
+settings.
+
+How do I use it?
+----------------
+
+Simply place it after the pam_systemd.so line:
+
+session optional        pam_systemd.so
+session optional        pam_envclean.so

autogen.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+autoreconf --force --install

configure.ac

@@ -0,0 +1,20 @@
+AC_INIT([libpam-envclean], [0.4], [sbalneav@ltsp.org])
+AC_CONFIG_HEADER(config.h)
+
+AM_MAINTAINER_MODE
+
+AM_INIT_AUTOMAKE
+AC_CONFIG_SRCDIR([src/pam_envclean.c])
+
+AC_PREREQ([2.59])
+AC_PROG_CC
+AM_PROG_CC_C_O
+
+AC_CHECK_HEADER([security/pam_modules.h], ,
+                    [AC_MSG_ERROR([PAM headers missing])])
+AC_CHECK_LIB(pam, pam_start, [PAM_LIBS="-lpam"],
+                AC_MSG_ERROR([PAM library missing]))
+AC_SUBST(PAM_LIBS)
+
+AC_CONFIG_FILES([Makefile] [src/Makefile] [man/Makefile])
+AC_OUTPUT

man/Makefile.am

@@ -0,0 +1 @@
+dist_man_MANS = pam_envclean.8

man/pam_envclean.8

@@ -0,0 +1,51 @@
+.TH "PAM_ENVCLEAN" "8" "2016/09/14"
+.nh
+.ad l
+.SH "NAME"
+pam_envclean \- PAM module which fixes pam_systemd XDG_RUNTIME_DIR breakage\&.
+.SH "SYNOPSIS"
+.HP \w'\fBpam_envclean\&.so\fR\
+.SH "DESCRIPTION"
+.PP
+pam_envclean is a PAM module that should be placed after pam_systemd in the
+session stack.  If the session user is different from the XDG_RUNTIME_DIR
+owner, it will unset the variable so that permissions will not get clobbered
+(as in the case of gksu)\&.
+.RE
+.PP
+.SH "MODULE TYPES PROVIDED"
+.PP
+Only the \fBsession\fR module type is provided\&.
+.SH "RETURN VALUES"
+.PP
+.PP
+PAM_SUCCESS
+.RS 4
+The user authenticated successfully\&.
+.RE
+.PP
+PAM_SYSTEM_ERR
+.RS 4
+A system error occurred\&.
+.RE
+.SH "EXAMPLES"
+.PP
+For an authentication line:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+        session required pam_envclean\&.so
+.fi
+.if n \{\
+.RE
+.\}
+.SH "SEE ALSO"
+.PP
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(7)
+.SH "AUTHOR"
+.PP
+pam_envclean was written by Scott Balneaves <sbalneav\&@ltsp\&.org\&>\&.

src/.deps/pam_superuserauth_so-pam_superuserauth.Po

@@ -0,0 +1,96 @@
+pam_superuserauth_so-pam_superuserauth.o: pam_superuserauth.c \
+ /usr/include/stdc-predef.h /usr/include/unistd.h /usr/include/features.h \
+ /usr/include/x86_64-linux-gnu/sys/cdefs.h \
+ /usr/include/x86_64-linux-gnu/bits/wordsize.h \
+ /usr/include/x86_64-linux-gnu/gnu/stubs.h \
+ /usr/include/x86_64-linux-gnu/gnu/stubs-64.h \
+ /usr/include/x86_64-linux-gnu/bits/posix_opt.h \
+ /usr/include/x86_64-linux-gnu/bits/environments.h \
+ /usr/include/x86_64-linux-gnu/bits/types.h \
+ /usr/include/x86_64-linux-gnu/bits/typesizes.h \
+ /usr/lib/gcc/x86_64-linux-gnu/4.9/include/stddef.h \
+ /usr/include/x86_64-linux-gnu/bits/confname.h /usr/include/getopt.h \
+ /usr/include/syslog.h /usr/include/x86_64-linux-gnu/sys/syslog.h \
+ /usr/lib/gcc/x86_64-linux-gnu/4.9/include/stdarg.h \
+ /usr/include/x86_64-linux-gnu/bits/syslog-path.h /usr/include/string.h \
+ /usr/include/xlocale.h /usr/include/x86_64-linux-gnu/bits/string.h \
+ /usr/include/x86_64-linux-gnu/bits/string2.h /usr/include/endian.h \
+ /usr/include/x86_64-linux-gnu/bits/endian.h \
+ /usr/include/x86_64-linux-gnu/bits/byteswap.h \
+ /usr/include/x86_64-linux-gnu/bits/byteswap-16.h /usr/include/stdlib.h \
+ /usr/include/pwd.h /usr/include/stdio.h /usr/include/shadow.h \
+ /usr/include/paths.h /usr/include/crypt.h ../config.h \
+ /usr/include/security/pam_modules.h /usr/include/security/_pam_types.h \
+ /usr/include/security/_pam_compat.h
+
+/usr/include/stdc-predef.h:
+
+/usr/include/unistd.h:
+
+/usr/include/features.h:
+
+/usr/include/x86_64-linux-gnu/sys/cdefs.h:
+
+/usr/include/x86_64-linux-gnu/bits/wordsize.h:
+
+/usr/include/x86_64-linux-gnu/gnu/stubs.h:
+
+/usr/include/x86_64-linux-gnu/gnu/stubs-64.h:
+
+/usr/include/x86_64-linux-gnu/bits/posix_opt.h:
+
+/usr/include/x86_64-linux-gnu/bits/environments.h:
+
+/usr/include/x86_64-linux-gnu/bits/types.h:
+
+/usr/include/x86_64-linux-gnu/bits/typesizes.h:
+
+/usr/lib/gcc/x86_64-linux-gnu/4.9/include/stddef.h:
+
+/usr/include/x86_64-linux-gnu/bits/confname.h:
+
+/usr/include/getopt.h:
+
+/usr/include/syslog.h:
+
+/usr/include/x86_64-linux-gnu/sys/syslog.h:
+
+/usr/lib/gcc/x86_64-linux-gnu/4.9/include/stdarg.h:
+
+/usr/include/x86_64-linux-gnu/bits/syslog-path.h:
+
+/usr/include/string.h:
+
+/usr/include/xlocale.h:
+
+/usr/include/x86_64-linux-gnu/bits/string.h:
+
+/usr/include/x86_64-linux-gnu/bits/string2.h:
+
+/usr/include/endian.h:
+
+/usr/include/x86_64-linux-gnu/bits/endian.h:
+
+/usr/include/x86_64-linux-gnu/bits/byteswap.h:
+
+/usr/include/x86_64-linux-gnu/bits/byteswap-16.h:
+
+/usr/include/stdlib.h:
+
+/usr/include/pwd.h:
+
+/usr/include/stdio.h:
+
+/usr/include/shadow.h:
+
+/usr/include/paths.h:
+
+/usr/include/crypt.h:
+
+../config.h:
+
+/usr/include/security/pam_modules.h:
+
+/usr/include/security/_pam_types.h:
+
+/usr/include/security/_pam_compat.h:

src/Makefile.am

@@ -0,0 +1,7 @@
+pammod_PROGRAMS = pam_envclean.so
+pammoddir=/lib/security
+
+pam_envclean_so_SOURCES = pam_envclean.c
+pam_envclean_so_CFLAGS = -fpic $(GLIB_CFLAGS)
+pam_envclean_so_LDFLAGS = -shared
+pam_envclean_so_LDADD = $(PAM_LIBS) $(CRYPT_LIBS) $(GLIB_LIBS)

src/pam_envclean.c

@@ -0,0 +1,96 @@
+/*
+ * pam_sshauth: PAM module for authentication via a remote ssh server.
+ * Copyright (C) 2016 Scott Balneaves <sbalneav@ltsp.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <unistd.h>
+#include <syslog.h>
+#include <string.h>
+#include <pwd.h>
+#include <shadow.h>
+#include <crypt.h>
+#include <config.h>
+
+/*
+ * PAM_SM_* define.
+ */
+
+#define PAM_SM_SESSION		/* supports session managemtent */
+
+#include <security/pam_modules.h>
+#include <security/pam_modutils.h>
+
+#define ENVVAR "XDG_RUNTIME_DIR"
+
+/*
+ * PAM functions
+ */
+
+PAM_EXTERN int
+pam_sm_open_session (pam_handle_t * pamh, int flags, int argc,
+		     const char **argv)
+{
+  const char *username;
+  const char *runtime_dir;
+  struct passwd *pwent;
+  struct stat st;
+  int pam_result;
+
+  /*
+   * Get the username.
+   */
+
+  pam_result = pam_get_user (pamh, &username, NULL);
+  if (pam_result != PAM_SUCCESS)
+    {
+      pam_syslog (pamh, LOG_ERR, "Couldn't determine username.");
+      return pam_result;
+    }
+
+  pwent = pam_modutil_getpwnam (pamh, username);
+  if (!pwent)
+    {
+      pam_syslog (pamh, LOG_ERR, "Cannot lookup user %s passwd entry", username);
+      return PAM_SYSTEM_ERR;
+    }
+
+  /*
+   * Deal with env variable
+   */
+
+  if (!(runtime_dir = pam_getenv(pamh, envvar)))
+    {
+      /* envvar isn't there, just return quietly */
+      return PAM_SUCCESS;
+    }
+
+  if (lstat (runtime_dir, &st))
+    {
+      pam_syslog(handle, LOG_ERR, "Failed to stat %s: %s", envvar, strerror(errno));
+     return PAM_SYSTEM_ERR;
+    }
+
+  if (st.st_uid != pw->pw_uid)
+    {
+      pam_result = pam_putenv(handle, envvar);
+      return pam_result;
+    }
+  else
+    {
+      return PAM_SUCCESS;
+    }
+}