author | Thorsten Kukuk <kukuk@thkukuk.de> | 2004-09-24 13:13:18 +0000 |
---|---|---|
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2004-09-24 13:13:18 +0000 |
commit | 31668ed6f0bf6d2b1c6d621cca42aee0daf23a65 (patch) | |
tree | 9f6e10e193e23fe49147939a969d3ff4f71091a8 /modules/pam_unix | |
parent | 554a5def9a2eddc643cf157208ddfe7fee444240 (diff) | |
Relevant BUGIDs:
Purpose of commit:
Commit summary:
---------------
bugfix: 440107: Add various patches from Linux Distributors to make
PAM modules reentrant.
Diffstat (limited to 'modules/pam_unix')
-rw-r--r-- | modules/pam_unix/Makefile | 7 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix_acct.c | 7 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix_auth.c | 2 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix_passwd.c | 11 | ||||
-rw-r--r-- | modules/pam_unix/support.c | 47 | ||||
-rw-r--r-- | modules/pam_unix/support.h | 3 |
6 files changed, 27 insertions, 50 deletions
diff --git a/modules/pam_unix/Makefile b/modules/pam_unix/Makefile
index 61c4beaa..3fe0e8ae 100644
--- a/modules/pam_unix/Makefile
+++ b/modules/pam_unix/Makefile
@@ -39,12 +39,15 @@ CHKPWD=unix_chkpwd EXTRAS += -DCHKPWD_HELPER=\"$(SUPLEMENTED)/$(CHKPWD)\" +LINK_PAMMODUTILS = -L../pammodutil -lpammodutil +INCLUDE_PAMMODUTILS = -I../pammodutil/include + ######################################################################## CFLAGS += $(USE_CRACKLIB) $(USE_LCKPWDF) $(NEED_LCKPWDF) $(EXTRAS) \ - -I../pammodutil/include + $(INCLUDE_PAMMODUTILS) -LDLIBS = $(EXTRALS) -L../pammodutil -lpammodutil +LDLIBS = $(EXTRALS) $(LINK_PAMMODUTILS) ifdef USE_CRACKLIB CRACKLIB = -lcrack
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 58ba93c1..f87b13b1 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -53,6 +53,7 @@ #define PAM_SM_ACCOUNT #include <security/pam_modules.h> +#include <security/_pam_modutil.h> #ifndef LINUX_PAM #include <security/pam_appl.h>
@@ -89,7 +90,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, return PAM_USER_UNKNOWN; } - pwent = getpwnam(uname); + pwent = _pammodutil_getpwnam(pamh, uname); if (!pwent) { _log_err(LOG_ALERT, pamh ,"could not identify user (from getpwnam(%s))"
@@ -113,7 +114,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, return PAM_CRED_INSUFFICIENT; } } - spent = getspnam( uname ); + spent = _pammodutil_getspnam (pamh, uname); if (save_uid == pwent->pw_uid) setreuid( save_uid, save_euid ); else {
@@ -123,7 +124,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, } } else if (!strcmp( pwent->pw_passwd, "x" )) { - spent = getspnam(uname); + spent = _pammodutil_getspnam (pamh, uname); } else { return PAM_SUCCESS; }
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index a0c1da81..39e0cde5 100644
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
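Review bot: The shadow lookup at -113,7 in pam_unix_acct.c still sits inside a `setreuid()` window, so replacing `getspnam` with `_pammodutil_getspnam (pamh, uname)` does not by itself make this path reentrant. The uid switch is process-wide state on common libc implementations, so a second thread in the same application would run with the changed identity while the lookup is in progress. The restore call `setreuid( save_uid, save_euid );` is also unchecked in the visible context; I would fail closed, e.g. `if (setreuid(save_uid, save_euid) == -1) return PAM_CRED_INSUFFICIENT;`, and state in a comment that the block must not run concurrently. The same pattern appears in the support.c hunks for `_unix_blankpasswd` and `_unix_verify_password`; the if/else around the restore continues outside the hunk.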
@@ -149,7 +149,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags /* if this user does not have a password... */ - if (_unix_blankpasswd(ctrl, name)) { + if (_unix_blankpasswd(pamh, ctrl, name)) { D(("user '%s' has blank passwd", name)); name = NULL; retval = PAM_SUCCESS;
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 4320171c..f11d2b20 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -73,6 +73,8 @@ #include <security/pam_appl.h> #endif /* LINUX_PAM */ +#include <security/_pam_modutil.h> + #include "yppasswd.h" #include "md5.h" #include "support.h"
@@ -242,7 +244,8 @@ static int check_old_password(const char *forwho, const char *newpass) return retval; } -static int save_old_password(const char *forwho, const char *oldpass, +static int save_old_password(pam_handle_t *pamh, + const char *forwho, const char *oldpass, int howmany) { static char buf[16384];
@@ -314,7 +317,7 @@ static int save_old_password(const char *forwho, const char *oldpass, fclose(opwfile); if (!found) { - pwd = getpwnam(forwho); + pwd = _pammodutil_getpwnam(pamh, forwho); if (pwd == NULL) { err = 1; } else {
@@ -550,7 +553,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat, return retval; } /* first, save old password */ - if (save_old_password(forwho, fromwhat, remember)) { + if (save_old_password(pamh, forwho, fromwhat, remember)) { return PAM_AUTHTOK_ERR; }
@@ -762,7 +765,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, D(("prelim check")); - if (_unix_blankpasswd(ctrl, user)) { + if (_unix_blankpasswd(pamh, ctrl, user)) { return PAM_SUCCESS; } else if (off(UNIX__IAMROOT, ctrl)) {
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 3b1feb96..05c51fed 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
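Review bot: `save_old_password` still declares `static char buf[16384];` directly below the new signature at -242,7, so the function stays non-reentrant even with `pamh` passed through: two concurrent password changes would share one buffer. The buffer presumably holds lines read from the old-password file (the `opwfile` handle is visible at -314,7), which would leave stored password hashes in static storage after the call returns. I would make it a per-call buffer, `char buf[16384];` or a heap allocation, and wipe it before returning. The function body starts and ends outside these hunks, so how `buf` is filled cannot be confirmed from here.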
@@ -282,19 +282,13 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err) * - to avoid prompting for one in such cases (CG) */ -int _unix_blankpasswd(unsigned int ctrl, const char *name) +int +_unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) { struct passwd *pwd = NULL; struct spwd *spwdent = NULL; char *salt = NULL; int retval; -#if HAVE_GETPWNAM_R - char *buf = NULL; - int bufsize = 0; - struct passwd pwd_buf; - - pwd = &pwd_buf; -#endif D(("called"));
@@ -310,23 +304,7 @@ int _unix_blankpasswd(unsigned int ctrl, const char *name) /* UNIX passwords area */ /* Get password file entry... */ -#if HAVE_GETPWNAM_R - bufsize = 1024; - buf = malloc(bufsize); - - if ((retval = getpwnam_r(name, pwd, buf, bufsize, &pwd))) { - pwd = NULL; - } - while (retval == ERANGE) { - bufsize += 1024; - buf = realloc(buf, bufsize); - if ((retval = getpwnam_r(name, pwd, buf, bufsize, &pwd))) { - pwd = NULL; - } - } -#else - pwd = getpwnam(name); -#endif + pwd = _pammodutil_getpwnam (pamh, name); if (pwd != NULL) { if (strcmp( pwd->pw_passwd, "*NP*" ) == 0)
@@ -344,15 +322,11 @@ int _unix_blankpasswd(unsigned int ctrl, const char *name) setreuid( 0, -1 ); if(setreuid( -1, pwd->pw_uid ) == -1) /* Will fail elsewhere. */ -#if HAVE_GETPWNAM_R - if (buf) - free(buf); -#endif return 0; } } - spwdent = getspnam( name ); + spwdent = _pammodutil_getspnam (pamh, name); if (save_uid == pwd->pw_uid) setreuid( save_uid, save_euid ); else {
@@ -365,7 +339,7 @@ int _unix_blankpasswd(unsigned int ctrl, const char *name) * ...and shadow password file entry for this user, * if shadowing is enabled */ - spwdent = getspnam(name); + spwdent = _pammodutil_getspnam(pamh, name); } if (spwdent) salt = x_strdup(spwdent->sp_pwdp);
@@ -387,11 +361,6 @@ int _unix_blankpasswd(unsigned int ctrl, const char *name) if (salt) _pam_delete(salt); -#if HAVE_GETPWNAM_R - if (buf) - free(buf); -#endif - return retval; }
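Review bot: The entries returned by `_pammodutil_getpwnam` and `_pammodutil_getspnam` in `_unix_blankpasswd` have no stated ownership, and the hunks remove every `free(buf)` without a comment saying who releases the lookup result now. If the wrappers keep the result attached to `pamh` until the handle is destroyed (not shown on this page), the shadow hash behind `spwdent->sp_pwdp` outlives the `_pam_delete(salt)` scrub at the end of the function and stays in the application's memory for the rest of the session. I would add a comment at the first call such as `/* result is owned by pamh; do not free it or use it after pam_end() */` and confirm that the wrappers' cleanup wipes the buffer rather than only freeing it. The same applies to the `_unix_verify_password` hunks that follow.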
@@ -503,7 +472,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name D(("locating user's record")); /* UNIX passwords area */ - pwd = getpwnam(name); /* Get password file entry... */ + pwd = _pammodutil_getpwnam (pamh, name); /* Get password file entry... */ if (pwd != NULL) { if (strcmp( pwd->pw_passwd, "*NP*" ) == 0)
@@ -524,7 +493,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name } } - spwdent = getspnam( name ); + spwdent = _pammodutil_getspnam (pamh, name); if (save_uid == pwd->pw_uid) setreuid( save_uid, save_euid ); else {
@@ -537,7 +506,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name * ...and shadow password file entry for this user, * if shadowing is enabled */ - spwdent = getspnam(name); + spwdent = _pammodutil_getspnam (pamh, name); } if (spwdent) salt = x_strdup(spwdent->sp_pwdp);
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index d9212c28..7219cd99 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -133,7 +133,8 @@ extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl ,int type, const char *text); extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int argc, const char **argv); -extern int _unix_blankpasswd(unsigned int ctrl, const char *name); +extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl, + const char *name); extern int _unix_verify_password(pam_handle_t * pamh, const char *name ,const char *p, unsigned int ctrl); extern int _unix_read_password(pam_handle_t * pamh |