From 1ac3268b7a787d2a9ae641355b80b7f3131bea71 Mon Sep 17 00:00:00 2001 From: David Zeuthen Date: Mon, 30 Jul 2007 19:08:58 -0400 Subject: [PATCH] remove the isatty() call so it's easier to audit the helper The isatty() check is just to catch users poking around; it provides little or no real security. With this change, you can do stuff like $ /usr/libexec/polkit-grant-helper-pam davidz PAM_PROMPT_ECHO_OFF Password: SUCCESS $ /usr/libexec/polkit-grant-helper-pam davidz PAM_PROMPT_ECHO_OFF Password: not_my_password polkit-grant-helper-pam: pam_authenticated failed: Authentication failure FAILURE which is useful for auditing. --- polkit-grant/polkit-grant-helper-pam.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/polkit-grant/polkit-grant-helper-pam.c b/polkit-grant/polkit-grant-helper-pam.c index 184960f..16d53cb 100644 --- a/polkit-grant/polkit-grant-helper-pam.c +++ b/polkit-grant/polkit-grant-helper-pam.c @@ -71,12 +71,14 @@ main (int argc, char *argv[]) goto error; } +#if 0 /* check we're running with a non-tty stdin */ if (isatty (STDIN_FILENO) != 0) { syslog (LOG_NOTICE, "inappropriate use of helper, stdin is a tty [uid=%d]", getuid ()); fprintf (stderr, "polkit-grant-helper-pam: inappropriate use of helper, stdin is a tty. This incident has been logged.\n"); goto error; } +#endif /* get user to auth */ if (fgets (user_to_auth, sizeof user_to_auth, stdin) == NULL) -- 2.7.4