author | Tomas Mraz <tm@t8m.info> | 2004-11-11 13:19:34 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2004-11-11 13:19:34 +0000 |
commit | f135e2b8bca4998e100d412690e493dfff90dbbd (patch) | |
tree | 1e7e211637834ca2c68476799f91fe14bd377607 /modules/pam_unix | |
parent | 0185894c8971caf571087ff5ef9b022968544a39 (diff) | |
Relevant BUGIDs: Red Hat bz 77646
Purpose of commit: bugfix
Commit summary:
---------------
Test return value of renames for failure so user knows
that his password wasn't really changed.
Also report error when /etc/security/opasswd is missing and
pam_unix module is called with remember=x.
Diffstat (limited to 'modules/pam_unix')
-rw-r--r-- | modules/pam_unix/pam_unix_passwd.c | 49 |
1 files changed, 29 insertions, 20 deletions
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 5114393e..7c602766 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -219,7 +219,7 @@ static int check_old_password(const char *forwho, const char *newpass)
 opwfile = fopen(OLD_PASSWORDS_FILE, "r");
 if (opwfile == NULL)
- return PAM_AUTHTOK_ERR;
+ return PAM_ABORT;
 while (fgets(buf, 16380, opwfile)) {
 if (!strncmp(buf, forwho, strlen(forwho))) {
@@ -358,12 +358,13 @@ static int save_old_password(pam_handle_t *pamh,
 }
 if (!err) {
- rename(OPW_TMPFILE, OLD_PASSWORDS_FILE);
- return PAM_SUCCESS;
- } else {
- unlink(OPW_TMPFILE);
- return PAM_AUTHTOK_ERR;
+ if (!rename(OPW_TMPFILE, OLD_PASSWORDS_FILE)) {
+ return PAM_SUCCESS;
+ }
 }
+
+ unlink(OPW_TMPFILE);
+ return PAM_AUTHTOK_ERR;
 }
 static int _update_passwd(pam_handle_t *pamh,
@@ -435,13 +436,14 @@ static int _update_passwd(pam_handle_t *pamh,
 }
 if (!err) {
- rename(PW_TMPFILE, "/etc/passwd");
- _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho);
- return PAM_SUCCESS;
- } else {
- unlink(PW_TMPFILE);
- return PAM_AUTHTOK_ERR;
+ if (!rename(PW_TMPFILE, "/etc/passwd")) {
+ _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho);
+ return PAM_SUCCESS;
+ }
 }
+
+ unlink(PW_TMPFILE);
+ return PAM_AUTHTOK_ERR;
 }
 static int _update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat)
@@ -515,13 +517,14 @@ static int _update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat)
 }
 if (!err) {
- rename(SH_TMPFILE, "/etc/shadow");
- _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho);
- return PAM_SUCCESS;
- } else {
- unlink(SH_TMPFILE);
- return PAM_AUTHTOK_ERR;
+ if (!rename(SH_TMPFILE, "/etc/shadow")) {
+ _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho);
+ return PAM_SUCCESS;
+ }
 }
+
+ unlink(SH_TMPFILE);
+ return PAM_AUTHTOK_ERR;
 }
 static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat,
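Review bot: The new `return PAM_ABORT;` in check_old_password gives the function a second failure code that the caller now has to tell apart from PAM_AUTHTOK_ERR, and nothing at the return site says so. I would add a comment above the check such as `/* history file unreadable: fail closed (PAM_ABORT) so remember=N is never silently skipped; PAM_AUTHTOK_ERR is reserved for "password was already used" */`. Every fopen() failure (missing file, wrong permissions, descriptor exhaustion) maps to the same code and errno is not preserved, so the log line written by the caller cannot say which one occurred. The function body starts and ends outside this hunk.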
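Review bot: A failed rename() in save_old_password still leaves no trace in the system log: the new code falls through to `unlink(OPW_TMPFILE)` and returns PAM_AUTHTOK_ERR, the same code used when `err` was set earlier, and the unlink() may overwrite errno before anyone reads it. Logging before the unlink, for example `_log_err(LOG_ERR, pamh, "rename of %s failed: %s", OPW_TMPFILE, strerror(errno));` (assuming errno.h is available in this file), would let an administrator see why the change was rejected. The same applies to the _update_passwd and _update_shadow hunks, where a failure to replace /etc/passwd or /etc/shadow is the event most worth recording. All three function bodies begin outside their hunks.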
@@ -734,9 +737,15 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
 remark = "You must choose a longer password";
 D(("length check [%s]", remark));
 #endif
- if (on(UNIX_REMEMBER_PASSWD, ctrl))
- if ((retval = check_old_password(user, pass_new)) != PAM_SUCCESS)
+ if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
+ if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
 remark = "Password has been already used. Choose another.";
+ if (retval == PAM_ABORT) {
+ _log_err(LOG_ERR, pamh, "can't open %s file to check old passwords",
+ OLD_PASSWORDS_FILE);
+ return retval;
+ }
+ }
 }
 if (remark) {
 _make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); |
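Review bot: The password-history check now fails open for any result other than the two codes it names. The old test `!= PAM_SUCCESS` rejected the new password on every failure, while the new code sets the remark only for PAM_AUTHTOK_ERR and returns only for PAM_ABORT. If check_old_password ever returns another non-success code (its body is outside this hunk, so this is a hedge rather than a confirmed path), the reused-password check would be skipped without a message. Changing the second test from `if (retval == PAM_ABORT) {` to `else if (retval != PAM_SUCCESS) {` keeps the default fail-closed. The log text would then need to be less specific than "can't open", or include the return code.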