pam: Fork and switch UID before connecting to daemon

bilelmoussaoui · bilelmoussaoui · commit 3c57ab6c6892 · 2025-10-27T09:55:16.000+01:00
When gdm-session-worker (running as root) connects to the PAM socket,
namespace isolation causes peer credentials to show UID 65534 instead of
the actual UID, breaking authentication

gnome-keyring solves this by forking a child process and using
setuid()/setgid() to switch to the target user's credentials before
connecting
diff --git a/pam/src/lib.rs b/pam/src/lib.rs
@@ -85,8 +85,8 @@ unsafe fn get_auth_token_internal(
     Ok(Zeroizing::new(password_bytes))
 }
 
-/// Get the UID for a username using getpwnam (handles NSS/LDAP/etc)
-fn get_user_uid(username: &str) -> Option<u32> {
+/// Get the UID and GID for a username using getpwnam (handles NSS/LDAP/etc)
+fn get_user_credentials(username: &str) -> Option<(u32, u32)> {
     use std::ffi::CString;
 
     let username_c = CString::new(username).ok()?;
@@ -95,7 +95,7 @@ fn get_user_uid(username: &str) -> Option<u32> {
     if pwd.is_null() {
         None
     } else {
-        Some(unsafe { (*pwd).pw_uid })
+        Some(unsafe { ((*pwd).pw_uid, (*pwd).pw_gid) })
     }
 }
 
@@ -266,19 +266,19 @@ pub unsafe extern "C" fn pam_sm_open_session(
         }
     };
 
-    let user_uid = match get_user_uid(&username) {
-        Some(uid) => uid,
+    let (user_uid, user_gid) = match get_user_credentials(&username) {
+        Some(creds) => creds,
         None => {
-            tracing::error!("Failed to get UID for user: {}", username);
+            tracing::error!("Failed to get credentials for user: {}", username);
             return PAM_SUCCESS;
         }
     };
 
     let message = PamMessage::unlock(username.clone(), password.to_vec());
 
     // Send the secret to the oo7 daemon
-    std::thread::spawn(
-        move || match send_secret_to_daemon(message, user_uid, auto_start) {
+    std::thread::spawn(move || {
+        match send_secret_to_daemon(message, user_uid, user_gid, auto_start) {
             Ok(_) => {
                 tracing::info!(
                     "Successfully sent secret to oo7 daemon for user: {}",
@@ -288,8 +288,8 @@ pub unsafe extern "C" fn pam_sm_open_session(
             Err(e) => {
                 tracing::error!("Failed to send secret to oo7 daemon: {}", e);
             }
-        },
-    );
+        }
+    });
 
     PAM_SUCCESS
 }
@@ -336,10 +336,10 @@ pub unsafe extern "C" fn pam_sm_chauthtok(
             }
         };
 
-        let user_uid = match get_user_uid(&username) {
-            Some(uid) => uid,
+        let (user_uid, user_gid) = match get_user_credentials(&username) {
+            Some(creds) => creds,
             None => {
-                tracing::error!("Failed to get UID for user: {}", username);
+                tracing::error!("Failed to get credentials for user: {}", username);
                 return PAM_SYSTEM_ERR;
             }
         };
@@ -384,8 +384,8 @@ pub unsafe extern "C" fn pam_sm_chauthtok(
             new_password.to_vec(),
         );
 
-        std::thread::spawn(
-            move || match send_secret_to_daemon(message, user_uid, false) {
+        std::thread::spawn(move || {
+            match send_secret_to_daemon(message, user_uid, user_gid, false) {
                 Ok(_) => {
                     tracing::info!(
                         "Successfully sent password change request to oo7 daemon for user: {}",
@@ -395,8 +395,8 @@ pub unsafe extern "C" fn pam_sm_chauthtok(
                 Err(e) => {
                     tracing::error!("Failed to send password change to oo7 daemon: {}", e);
                 }
-            },
-        );
+            }
+        });
 
         return PAM_SUCCESS;
     }
diff --git a/pam/src/socket.rs b/pam/src/socket.rs
@@ -41,11 +41,105 @@ impl std::error::Error for SocketError {
 pub fn send_secret_to_daemon(
     message: PamMessage,
     uid: u32,
+    gid: u32,
     auto_start: bool,
 ) -> Result<(), SocketError> {
-    let runtime = tokio::runtime::Runtime::new().map_err(SocketError::Connect)?;
+    // Check if we're already running as the target user
+    let current_uid = unsafe { libc::getuid() };
+    let current_gid = unsafe { libc::getgid() };
+    let current_euid = unsafe { libc::geteuid() };
+    let current_egid = unsafe { libc::getegid() };
+
+    if uid == current_uid && gid == current_gid && uid == current_euid && gid == current_egid {
+        tracing::debug!("Already running as target user (UID={uid}, GID={gid})",);
+        let runtime = tokio::runtime::Runtime::new().map_err(SocketError::Connect)?;
+        return runtime
+            .block_on(async { send_secret_to_daemon_async(message, uid, auto_start).await });
+    }
+
+    // Need to fork and switch credentials
+    tracing::debug!(
+        "Running as different user (current UID={current_uid}, target UID={uid}), forking to switch credentials"
+    );
+
+    match unsafe { libc::fork() } {
+        -1 => {
+            tracing::error!("Failed to fork process for credential switch");
+            Err(SocketError::Connect(io::Error::last_os_error()))
+        }
+        0 => {
+            unsafe {
+                if libc::setgid(gid) < 0
+                    || libc::setuid(uid) < 0
+                    || libc::setegid(gid) < 0
+                    || libc::seteuid(uid) < 0
+                {
+                    tracing::error!(
+                        "Failed to switch to user credentials (UID={uid}, GID={gid}): {}",
+                        io::Error::last_os_error()
+                    );
+                    libc::_exit(1);
+                }
+            }
+
+            tracing::debug!("Child process switched to UID={uid}, GID={gid}");
+
+            let runtime = match tokio::runtime::Runtime::new() {
+                Ok(rt) => rt,
+                Err(e) => {
+                    tracing::error!("Failed to create tokio runtime in child: {e}",);
+                    unsafe { libc::_exit(1) };
+                }
+            };
 
-    runtime.block_on(async { send_secret_to_daemon_async(message, uid, auto_start).await })
+            let result = runtime
+                .block_on(async { send_secret_to_daemon_async(message, uid, auto_start).await });
+
+            match result {
+                Ok(_) => unsafe { libc::_exit(0) },
+                Err(e) => {
+                    tracing::error!("Failed to send message in child process: {e}",);
+                    unsafe { libc::_exit(1) }
+                }
+            }
+        }
+        child_pid => {
+            // Parent process - wait for child to complete
+            tracing::debug!("Forked child process with PID {child_pid}",);
+            let mut status: libc::c_int = 0;
+
+            loop {
+                let wait_result = unsafe { libc::waitpid(child_pid, &mut status, 0) };
+                if wait_result == child_pid {
+                    break;
+                } else if wait_result == -1 {
+                    let err = io::Error::last_os_error();
+                    if err.kind() != io::ErrorKind::Interrupted {
+                        tracing::error!("Failed to wait for child process: {err}",);
+                        return Err(SocketError::Connect(err));
+                    }
+                }
+            }
+
+            if libc::WIFEXITED(status) {
+                let exit_code = libc::WEXITSTATUS(status);
+                if exit_code == 0 {
+                    tracing::debug!("Child process completed successfully");
+                    Ok(())
+                } else {
+                    tracing::error!("Child process exited with code {exit_code}");
+                    Err(SocketError::Connect(io::Error::other(format!(
+                        "Child process failed with exit code {exit_code}"
+                    ))))
+                }
+            } else {
+                tracing::error!("Child process terminated abnormally");
+                Err(SocketError::Connect(io::Error::other(
+                    "Child process terminated abnormally",
+                )))
+            }
+        }
+    }
 }
 
 /// Start the oo7-daemon for the current user
diff --git a/server/src/pam_listener.rs b/server/src/pam_listener.rs
@@ -103,8 +103,6 @@ impl PamListener {
 
     /// Handle a single PAM connection
     async fn handle_connection(&self, mut stream: UnixStream) -> Result<(), Error> {
-        tracing::debug!("Accepted PAM connection");
-
         // Accept connections from:
         // 1. Root (UID 0) as PAM modules run as root during authentication
         // 2. Same UID as us
@@ -114,8 +112,9 @@ impl PamListener {
 
         if peer_uid != 0 && peer_uid != our_uid {
             tracing::warn!(
-                "Rejected PAM connection from UID {} (expected 0 or {})",
+                "Rejected PAM connection from UID {} PID {} (expected UID 0 or {})",
                 peer_uid,
+                peer_cred.pid().unwrap_or(0),
                 our_uid
             );
             return Err(Error::IO(std::io::Error::new(
