authorvorlon <Unknown>2007-09-01 18:04:06 +0000
committervorlon <Unknown>2007-09-01 18:04:06 +0000
commitdc46aba7546a75860f16fab954c620f925ee14f7 (patch)
tree49a32bb656fd548cb5d8eaf34caae2a3d01afdc7
parent481afb7771e29b3f30878caecdfc49f96849767d (diff)
downloadpam-dc46aba7546a75860f16fab954c620f925ee14f7.tar.gz
pam-dc46aba7546a75860f16fab954c620f925ee14f7.tar.bz2
pam-dc46aba7546a75860f16fab954c620f925ee14f7.zip
don't use a global variable for pass_min_len, don't gratuitously move the
length checking into the "obscure" checks, and internationalize the error strings.
-rw-r--r--changelog5
-rw-r--r--patches-applied/007_modules_pam_unix178
2 files changed, 140 insertions, 43 deletions
diff --git a/changelog b/changelog
index 4687d3c2..32f1f258 100644
--- a/changelog
+++ b/changelog
@@ -6,8 +6,11 @@ pam (0.99.7.1-5) UNRELEASED; urgency=low
(closes: #440385).
- Russian, thanks to Yuri Kozlov <kozlov.y@gmail.com> (closes: #440390)
- Updated Portuguese, thanks to Américo Monteiro <a_monteiro@netcabo.pt>
+ * Further cleanups of 007_modules_pam_unix -- don't use a global variable
+ for pass_min_len, don't gratuitously move the length checking into the
+ "obscure" checks, and internationalize the error strings.
- -- Steve Langasek <vorlon@debian.org> Sat, 01 Sep 2007 09:46:26 -0700
+ -- Steve Langasek <vorlon@debian.org> Sat, 01 Sep 2007 10:59:34 -0700
pam (0.99.7.1-4) unstable; urgency=low
diff --git a/patches-applied/007_modules_pam_unix b/patches-applied/007_modules_pam_unix
index 3420f64c..f8f3d302 100644
--- a/patches-applied/007_modules_pam_unix
+++ b/patches-applied/007_modules_pam_unix
@@ -12,21 +12,31 @@ Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c
/*
* i64c - convert an integer to a radix 64 character
*/
-@@ -991,12 +994,8 @@
+@@ -957,7 +960,8 @@
+ static int _pam_unix_approve_pass(pam_handle_t * pamh
+ ,unsigned int ctrl
+ ,const char *pass_old
+- ,const char *pass_new)
++ ,const char *pass_new,
++ int pass_min_len)
+ {
+ const void *user;
+ const char *remark = NULL;
+@@ -991,11 +995,10 @@
#ifdef USE_CRACKLIB
remark = FascistCheck (pass_new, CRACKLIB_DICTS);
D(("called cracklib [%s]", remark));
-#else
- if (strlen(pass_new) < 6)
-- remark = _("You must choose a longer password");
-- D(("length check [%s]", remark));
- #endif
-- if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
-+ if (!remark && on(UNIX_REMEMBER_PASSWD, ctrl)) {
++#endif
++ if (strlen(pass_new) < pass_min_len)
+ remark = _("You must choose a longer password");
+ D(("length check [%s]", remark));
+-#endif
+ if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
remark = _("Password has been already used. Choose another.");
- if (retval == PAM_ABORT) {
-@@ -1005,6 +1004,11 @@
+@@ -1005,6 +1008,11 @@
return retval;
}
}
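Review bot: The relocated check `if (strlen(pass_new) < pass_min_len)` compares a `size_t` with the signed `int` parameter this commit adds, so a negative `pass_min_len` is converted to a very large unsigned value and every new password is reported as too short. The value is filled in by `atoi()` in the `_set_ctrl` hunk further down, which does not reject negative input. I would make the conversion explicit once the value is known to be non-negative, e.g. `if (pass_min_len > 0 && strlen(pass_new) < (size_t) pass_min_len)`. The body of `_pam_unix_approve_pass` starts and ends outside this hunk.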
@@ -38,10 +48,56 @@ Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c
}
if (remark) {
_make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
+@@ -1020,6 +1028,7 @@
+ unsigned int ctrl, lctrl;
+ int retval, i;
+ int remember = -1;
++ int pass_min_len = 6;
+
+ /* <DO NOT free() THESE> */
+ const char *user;
+@@ -1028,7 +1037,7 @@
+
+ D(("called."));
+
+- ctrl = _set_ctrl(pamh, flags, &remember, argc, argv);
++ ctrl = _set_ctrl(pamh, flags, &remember, &pass_min_len, argc, argv);
+
+ /*
+ * First get the name of a user
+@@ -1235,7 +1244,8 @@
+ if (*(const char *)pass_new == '\0') { /* "\0" password = NULL */
+ pass_new = NULL;
+ }
+- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
++ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old,
++ pass_new, pass_min_len);
+ }
+
+ if (retval != PAM_SUCCESS) {
+@@ -1281,7 +1291,8 @@
+ return retval;
+ }
+
+- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
++ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new,
++ pass_min_len);
+ if (retval != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_NOTICE,
+ "new password not acceptable 2");
Index: Linux-PAM/modules/pam_unix/pam_unix_acct.c
===================================================================
--- Linux-PAM/modules/pam_unix/pam_unix_acct.c.orig
+++ Linux-PAM/modules/pam_unix/pam_unix_acct.c
+@@ -202,7 +202,7 @@
+
+ D(("called."));
+
+- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
+
+ retval = pam_get_item(pamh, PAM_USER, &void_uname);
+ uname = void_uname;
@@ -266,7 +266,9 @@
curdays = time(NULL) / (60 * 60 * 24);
@@ -90,17 +146,18 @@ Index: Linux-PAM/modules/pam_unix/support.c
===================================================================
--- Linux-PAM/modules/pam_unix/support.c.orig
+++ Linux-PAM/modules/pam_unix/support.c
-@@ -36,6 +36,9 @@
- #define SELINUX_ENABLED 0
- #endif
+@@ -53,8 +53,8 @@
+ * set the control flags for the UNIX module.
+ */
-+/* FIXME: should not be using globals here!! */
-+unsigned int pass_min_len = 6;
-+
- /* this is a front-end for module-application conversations */
+-int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc,
+- const char **argv)
++int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *pass_min_len,
++ int argc, const char **argv)
+ {
+ unsigned int ctrl;
- int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
-@@ -80,6 +83,7 @@
+@@ -80,6 +80,7 @@
D(("SILENT"));
set(UNIX__QUIET, ctrl);
}
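Review bot: The comment above `_set_ctrl` still reads only "set the control flags for the UNIX module" and says nothing about the new `pass_min_len` out-parameter. From the hunks on this page it may be NULL (the auth, acct and session callers pass NULL), it is written only when the `UNIX_MIN_PASS_LEN` option is matched, and the default comes from the caller (`int pass_min_len = 6;` in the passwd module). I would add a comment such as `/* pass_min_len: optional, may be NULL; updated only when the minimum-length option is given, the caller supplies the default */`. The function body continues outside this hunk.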
@@ -108,7 +165,7 @@ Index: Linux-PAM/modules/pam_unix/support.c
/* now parse the arguments to this module */
while (argc-- > 0) {
-@@ -89,7 +93,8 @@
+@@ -89,7 +90,8 @@
for (j = 0; j < UNIX_CTRLS_; ++j) {
if (unix_args[j].token
@@ -118,7 +175,7 @@ Index: Linux-PAM/modules/pam_unix/support.c
break;
}
}
-@@ -101,20 +106,25 @@
+@@ -101,20 +103,25 @@
ctrl &= unix_args[j].mask; /* for turning things off */
ctrl |= unix_args[j].flag; /* for turning things on */
@@ -137,8 +194,8 @@ Index: Linux-PAM/modules/pam_unix/support.c
+ *remember = -1;
+ if (*remember > 400)
+ *remember = 400;
-+ } else if (j == UNIX_MIN_PASS_LEN) {
-+ pass_min_len = atoi(*argv + 4);
++ } else if (pass_min_len && j == UNIX_MIN_PASS_LEN) {
++ *pass_min_len = atoi(*argv + 4);
}
}
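Review bot: `*pass_min_len = atoi(*argv + 4);` stores whatever follows the option prefix without validation. `atoi()` reports no errors, so a non-numeric value yields 0 and silently removes the minimum-length requirement, and a negative value is stored as is. The later hunk only caps the value at 8 for the non-bigcrypt, non-MD5 case, so there is no lower bound anywhere on this page. I would parse with `strtol()`, reject trailing garbage and out-of-range values, log the bad argument with `pam_syslog()` and leave the caller's default in place, which needs `<errno.h>` and `<limits.h>` in support.c. The enclosing argument loop starts and ends outside this hunk.

```c
} else if (pass_min_len && j == UNIX_MIN_PASS_LEN) {
	char *end;
	long val;

	errno = 0;
	val = strtol(*argv + 4, &end, 10);
	if (errno != 0 || end == *argv + 4 || *end != '\0'
	    || val < 0 || val > INT_MAX) {
		/* keep the caller's default rather than falling back to 0 */
		pam_syslog(pamh, LOG_ERR,
			   "ignoring invalid minimum length: %s", *argv);
	} else {
		*pass_min_len = (int) val;
	}
}
```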
@@ -146,13 +203,13 @@ Index: Linux-PAM/modules/pam_unix/support.c
}
+ if (off(UNIX_BIGCRYPT,ctrl) && off(UNIX_MD5_PASS,ctrl)
-+ && pass_min_len > 8)
-+ pass_min_len = 8;
++ && pass_min_len && *pass_min_len > 8)
++ *pass_min_len = 8;
+
if (flags & PAM_DISALLOW_NULL_AUTHTOK) {
D(("DISALLOW_NULL_AUTHTOK"));
set(UNIX__NONULL, ctrl);
-@@ -692,6 +702,8 @@
+@@ -692,6 +699,8 @@
} else if (!p || (*salt == '*')) {
retval = PAM_AUTH_ERR;
} else {
@@ -234,14 +291,17 @@ Index: Linux-PAM/modules/pam_unix/support.h
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
-@@ -152,4 +158,7 @@
- extern int _unix_shadowed(const struct passwd *pwd);
+@@ -131,8 +137,8 @@
- extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user);
-+
-+extern unsigned int pass_min_len;
-+
- #endif /* _PAM_UNIX_SUPPORT_H */
+ extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
+ ,int type, const char *text);
+-extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int argc,
+- const char **argv);
++extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember,
++ int *pass_min_len, int argc, const char **argv);
+ extern int _unix_getpwnam (pam_handle_t *pamh,
+ const char *name, int files, int nis,
+ struct passwd **ret);
Index: Linux-PAM/modules/pam_unix/unix_chkpwd.c
===================================================================
--- Linux-PAM/modules/pam_unix/unix_chkpwd.c.orig
@@ -359,7 +419,7 @@ Index: Linux-PAM/modules/pam_unix/obscure.c
===================================================================
--- /dev/null
+++ Linux-PAM/modules/pam_unix/obscure.c
-@@ -0,0 +1,199 @@
+@@ -0,0 +1,198 @@
+/*
+ * Copyright 1989 - 1994, Julianne Frances Haugh
+ * All rights reserved.
@@ -389,13 +449,15 @@ Index: Linux-PAM/modules/pam_unix/obscure.c
+ * SUCH DAMAGE.
+ */
+
++#include "config.h"
++
+#include <ctype.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+#include <pwd.h>
-+#include<security/pam_modules.h>
++#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+
+
@@ -488,7 +550,7 @@ Index: Linux-PAM/modules/pam_unix/obscure.c
+ char *oldmono, *newmono, *wrapped;
+
+ if (strcmp(new, old) == 0)
-+ return "Bad: new password must be different than the old one";
++ return _("Bad: new password must be different than the old one");
+
+ newmono = str_lower(strdup(new));
+ oldmono = str_lower(strdup(old));
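Review bot: `newmono = str_lower(strdup(new));` and the matching line for `old` pass the result of `strdup()` straight into `str_lower()` with no NULL check. `str_lower()` is not visible here, but if it dereferences its argument, an allocation failure during a password change crashes the calling process instead of returning an error. I would check both copies before use and release whichever one succeeded, keeping the `_pam_delete()` cleanup that the next hunk shows for `newmono`, since these buffers hold password material. The function body continues outside this hunk.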
@@ -497,15 +559,15 @@ Index: Linux-PAM/modules/pam_unix/obscure.c
+ strcat (wrapped, oldmono);
+
+ if (palindrome(oldmono, newmono)) {
-+ msg = "Bad: new password cannot be a palindrome";
++ msg = _("Bad: new password cannot be a palindrome");
+ } else if (strcmp(oldmono, newmono) == 0) {
-+ msg = "Bad: new and old password must differ by more than just case";
++ msg = _("Bad: new and old password must differ by more than just case");
+ } else if (similar(oldmono, newmono)) {
-+ msg = "Bad: new and old password are too similar";
++ msg = _("Bad: new and old password are too similar");
+ } else if (simple(old, new)) {
-+ msg = "Bad: new password is too simple";
++ msg = _("Bad: new password is too simple");
+ } else if (strstr(wrapped, newmono)) {
-+ msg = "Bad: new password is just a wrapped version of the old one";
++ msg = _("Bad: new password is just a wrapped version of the old one");
+ }
+
+ _pam_delete(newmono);
@@ -527,9 +589,6 @@ Index: Linux-PAM/modules/pam_unix/obscure.c
+ oldlen = strlen(old);
+ newlen = strlen(new);
+
-+ if ( newlen < pass_min_len )
-+ return "Bad: new password is too short";
-+
+ /* Remaining checks are optional. */
+ if (off(UNIX_OBSCURE_CHECKS,ctrl))
+ return NULL;
@@ -893,3 +952,38 @@ Index: Linux-PAM/modules/pam_unix/README
Invalid arguments are logged with syslog(3).
EXAMPLES
+Index: Linux-PAM/modules/pam_unix/pam_unix_auth.c
+===================================================================
+--- Linux-PAM/modules/pam_unix/pam_unix_auth.c.orig
++++ Linux-PAM/modules/pam_unix/pam_unix_auth.c
+@@ -111,7 +111,7 @@
+
+ D(("called."));
+
+- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
+
+ /* Get a few bytes so we can pass our return value to
+ pam_sm_setcred(). */
+Index: Linux-PAM/modules/pam_unix/pam_unix_sess.c
+===================================================================
+--- Linux-PAM/modules/pam_unix/pam_unix_sess.c.orig
++++ Linux-PAM/modules/pam_unix/pam_unix_sess.c
+@@ -73,7 +73,7 @@
+
+ D(("called."));
+
+- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
+
+ retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
+ if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
+@@ -107,7 +107,7 @@
+
+ D(("called."));
+
+- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
+
+ retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
+ if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {