--- Linux-PAM-1_2_0/modules/pam_xauth/pam_xauth.c.0512~ 2015-04-27 16:57:39.000000000 +0200
+++ Linux-PAM-1_2_0/modules/pam_xauth/pam_xauth.c 2015-06-11 17:30:15.830251670 +0200
@@ -90,7 +90,7 @@ static const char * const xauthpaths[] =
 * given input on stdin, and storing any output it generates. */
 static int
 run_coprocess(pam_handle_t *pamh, const char *input, char **output,
- uid_t uid, gid_t gid, const char *command, ...)
+ uid_t uid, gid_t gid, const char *name, const char *command, ...)
 {
 int ipipe[2], opipe[2], i;
 char buf[LINE_MAX];
@@ -142,6 +142,12 @@ run_coprocess(pam_handle_t *pamh, const
 pam_syslog (pamh, LOG_ERR, "setgroups() failed: %m");
 _exit (err);
 }
+
+ /* Mandriva Linux specific:
+ * we need to set the extra groups because in high security levels
+ * access to /usr/X11R6/bin dir is controlled by a group */
+ initgroups(name, gid);
+
 if (setuid(uid) == -1)
 {
 int err = errno;
@@ -180,6 +186,7 @@ run_coprocess(pam_handle_t *pamh, const
 }
 /* Run the command. */
 execv(command, (char *const *) args);
+ syslog(LOG_ERR, "pam_xauth: execvp of %s failed: %m", command);
 /* Never reached. */
 _exit(1);
 }
@@ -524,7 +531,7 @@ pam_sm_open_session (pam_handle_t *pamh,
 (unsigned long) getuid(), (unsigned long) getgid());
 }
 if (run_coprocess(pamh, NULL, &cookie,
- getuid(), getgid(),
+ getuid(), getgid(), rpwd->pw_name,
 xauth, "-f", cookiefile, "nlist", display, NULL) == 0) {
 #ifdef WITH_SELINUX
@@ -583,7 +590,7 @@ pam_sm_open_session (pam_handle_t *pamh,
 (unsigned long) getgid());
 }
 run_coprocess(pamh, NULL, &cookie,
- getuid(), getgid(),
+ getuid(), getgid(), rpwd->pw_name,
 xauth, "-f", cookiefile, "nlist", t, NULL);
 }
@@ -725,7 +732,7 @@ pam_sm_open_session (pam_handle_t *pamh,
 (unsigned long) tpwd->pw_gid);
 }
 run_coprocess(pamh, cookie, &tmp,
- tpwd->pw_uid, tpwd->pw_gid,
+ tpwd->pw_uid, tpwd->pw_gid, tpwd->pw_name,
 xauth, "-f", cookiefile, "nmerge", "-", NULL);
 /* We don't need to keep a copy of these around any more. */
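Review bot: The added `initgroups(name, gid);` in the -142 hunk ignores its return value, while the setgroups() and setuid() calls on either side of it log and `_exit` on failure. If the group lookup fails, the child carries on with whatever supplementary group list it has at that point, and the later xauth failure gives no hint why. The call should be checked the same way as its neighbours, and `name` should be documented in the comment above run_coprocess as the account whose group list is loaded. run_coprocess starts and ends outside this hunk, so the placement relative to the setgid() step could not be confirmed from here.

```c
		/* … unchanged: setgroups() check … */
		if (initgroups(name, gid) == -1)
		  {
		    int err = errno;
		    pam_syslog (pamh, LOG_ERR, "initgroups() failed: %m");
		    _exit (err);
		  }
		/* … unchanged: setuid() check … */
```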
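Review bot: The new log line in the -180 hunk names the wrong call and bypasses the module's logger: the code calls `execv`, not `execvp`, and every other message in this function goes through `pam_syslog (pamh, ...)`. Suggest `pam_syslog (pamh, LOG_ERR, "execv of %s failed: %m", command);` so the entry carries the same PAM service prefix as the setgroups()/setuid() failures. The `/* Never reached. */` comment now sits under a line that runs only when the exec fails, so it should move down to `_exit(1)` or be reworded. The code that prepares the child's descriptors is outside the hunk, so whether the log connection is still usable at this point needs checking.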
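Review bot: In the -524 hunk the child's uid and gid come from `getuid(), getgid()` but the group list is loaded by name from `rpwd->pw_name`, and nothing in the hunk ties the two together; the -583 hunk has the same pairing. The lookup that fills `rpwd` is outside the hunk, but if it can be resolved from a name supplied by the calling application rather than from the process uid, the xauth child would run as one account with another account's supplementary groups. Either guard the call sites with a check such as `if (rpwd->pw_uid != getuid())` and refuse to proceed, or drop the `name` parameter and resolve it inside run_coprocess from the `uid` argument (e.g. `pam_modutil_getpwuid(pamh, uid)`), so the identity cannot diverge. The -725 call site takes uid, gid and name from the same `tpwd` entry and does not have this problem.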