author | Tomas Mraz <tm@t8m.info> | 2008-02-21 21:12:30 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2008-02-21 21:12:30 +0000 |
commit | 6ccbba1cf178e9de46347e2f9df76f69aebcec20 (patch) | |
tree | d1d8b61899152d201746f7a949208767370af590 | |
parent | 9058692366a17701a67d4a5c2eb306acfc778bd6 (diff) | |
Relevant BUGIDs: rhbz#433459
Purpose of commit: bugfix
Commit summary:
---------------
2008-02-21 Tomas Mraz <t8m@centrum.cz>
* libpam/pam_audit.c (_pam_audit_writelog): Silence syslog
message on non-error return.
* modules/pam_unix/unix_chkpwd.c (main): Proceed as unprivileged
user when checking password of another user.
* modules/pam_unix/unix_update.c: Fix comment.
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | libpam/pam_audit.c | 19 | ||||
-rw-r--r-- | modules/pam_unix/unix_chkpwd.c | 5 | ||||
-rw-r--r-- | modules/pam_unix/unix_update.c | 11 |
4 files changed, 28 insertions, 16 deletions
@@ -1,3 +1,12 @@ +2008-02-21 Tomas Mraz <t8m@centrum.cz> + + * libpam/pam_audit.c (_pam_audit_writelog): Silence syslog + message on non-error return. + + * modules/pam_unix/unix_chkpwd.c (main): Proceed as unprivileged + user when checking password of another user. + * modules/pam_unix/unix_update.c: Fix comment. + 2008-02-18 Dmitry V. Levin <ldv@altlinux.org> * libpam/pam_handlers.c (_pam_assemble_line): Fix potential diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c index 6fd6a0c1..7f2e0b2c 100644 --- a/libpam/pam_audit.c +++ b/libpam/pam_audit.c @@ -43,18 +43,17 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, best to fix it. */ errno = -rc; - if (rc < 0 && errno != old_errno) - { - old_errno = errno; - pam_syslog (pamh, LOG_CRIT, "audit_log_acct_message() failed: %m"); - } - pamh->audit_state |= PAMAUDIT_LOGGED; - if (rc == -EPERM && getuid () != 0) - return 0; - else - return rc; + if (rc < 0) { + if (rc == -EPERM && getuid() != 0) + return 0; + if (errno != old_errno) { + old_errno = errno; + pam_syslog (pamh, LOG_CRIT, "audit_log_acct_message() failed: %m"); + } + } + return rc; } static int diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 11ac3aac..5f872d27 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -101,7 +101,10 @@ int main(int argc, char *argv[]) /* if the caller specifies the username, verify that user matches it */ if (strcmp(user, argv[1])) { - return PAM_AUTH_ERR; + user = argv[1]; + /* no match -> permanently change to the real user and proceed */ + if (setuid(getuid()) != 0) + return PAM_AUTH_ERR; } } diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c index 595b7f8b..f54a59ce 100644 --- a/modules/pam_unix/unix_update.c +++ b/modules/pam_unix/unix_update.c 
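Review bot: The new `rc == -EPERM && getuid() != 0` branch in _pam_audit_writelog returns 0 without logging, and nothing in the hunk says why a failed audit write is reported to the caller as success. A silently dropped audit record is security-relevant, so I would put a comment on that branch, for example `/* non-root callers are not expected to be able to write audit records; EPERM is not an error for them */`, if that is indeed the rationale. The test uses the real uid, so a process running as uid 0 without the needed audit privilege would presumably still reach the LOG_CRIT message; it is worth confirming that is intended. The function starts outside the hunk, so the declaration of `old_errno` is not visible here.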
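Review bot: The fallback path added to main drops only the user id, because `setuid(getuid())` leaves the effective and saved group ids untouched. The hunk does not show how the helper is installed, but if it is ever setgid, the "unprivileged" check of another user's password would still run with that group's access to the password databases. Dropping the group first and failing closed covers that case: `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return PAM_AUTH_ERR;`. The comment's "permanently" also holds only when the effective uid is 0 at this point, since a non-root effective uid leaves the saved set-user-ID in place; the comment should state that assumption. main's body starts and ends outside the hunk.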
@@ -1,11 +1,12 @@ /* - * This program is designed to run setuid(root) or with sufficient - * privilege to read all of the unix password databases. It is designed - * to provide a mechanism for the current user (defined by this - * process' uid) to verify their own password. + * This program is designed to run with sufficient privilege + * to read and write all of the unix password databases. + * Its purpose is to allow updating the databases when + * SELinux confinement of the caller domain prevents them to + * do that themselves. * * The password is read from the standard input. The exit status of - * this program indicates whether the user is authenticated or not. + * this program indicates whether the password was updated or not. * * Copyright information is located at the end of the file. * |