diff options
| -rw-r--r-- | patches-applied/049_pam_unix_sane_locking | 242 |
1 files changed, 55 insertions, 187 deletions
diff --git a/patches-applied/049_pam_unix_sane_locking b/patches-applied/049_pam_unix_sane_locking index 76d2a3bf..49ebc27f 100644 --- a/patches-applied/049_pam_unix_sane_locking +++ b/patches-applied/049_pam_unix_sane_locking @@ -1,71 +1,39 @@ Delta from 1.12 to 1.13 from Linux-PAM pam_unix_passwd.c -made to work with our changes. - +made to work with our changes. Not sure this is actually relevant, as +other changes seem to have been made upstream. Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c =================================================================== -RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/modules/pam_unix/pam_unix_passwd.c,v -retrieving revision 1.10 -diff -u -r1.10 pam_unix_passwd.c ---- Linux-PAM/modules/pam_unix/pam_unix_passwd.c 12 Jan 2004 06:43:14 -0000 1.10 -+++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c 12 Jan 2004 06:44:03 -0000 -@@ -88,7 +88,7 @@ - */ - - #ifdef NEED_LCKPWDF --#include "./lckpwdf.-c" -+# include "./lckpwdf.-c" - #endif - - extern char *bigcrypt(const char *key, const char *salt); -@@ -494,10 +494,7 @@ - - D(("called")); - -- setpwent(); - pwd = getpwnam(forwho); -- endpwent(); -- - if (pwd == NULL) - return PAM_AUTHTOK_ERR; - -@@ -569,6 +566,24 @@ - if (save_old_password(forwho, fromwhat, remember)) { - return PAM_AUTHTOK_ERR; - } -+ -+#ifdef USE_LCKPWDF -+ /* -+ * These values for the number of attempts and the sleep time -+ * are, of course, completely arbitrary. -+ * -+ * My reading of the PAM docs is that, once pam_chauthtok() -+ * has been called with PAM_UPDATE_AUTHTOK, we are obliged to -+ * take any reasonable steps to make sure the token is -+ * updated; so retrying for 1/10 sec. isn't overdoing it. -+ */ +--- Linux-PAM/modules/pam_unix/pam_unix_passwd.c (revision 295) ++++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c (working copy) +@@ -553,6 +553,15 @@ + retval = PAM_AUTHTOK_ERR; + goto done; + } + -+ retval = lckpwdf(); -+ if (retval != 0) { -+ return PAM_AUTHTOK_LOCK_BUSY; -+ } -+#endif /* def USE_LCKPWDF */ -+ - if (on(UNIX_SHADOW, ctrl) || (strcmp(pwd->pw_passwd, "x") == 0)) { - retval = _update_shadow(forwho, towhat); - if (retval == PAM_SUCCESS) -@@ -580,6 +595,10 @@ - if (retval == PAM_SUCCESS) - _log_err(LOG_NOTICE, pamh, "Password for %s was changed", forwho); - +#ifdef USE_LCKPWDF -+ ulckpwdf(); ++ retval = lckpwdf(); ++ if (retval != 0) { ++ retval = PAM_AUTHTOK_LOCK_BUSY; ++ goto done; ++ } +#endif /* def USE_LCKPWDF */ + - return retval; - } - -@@ -708,7 +727,7 @@ + if (on(UNIX_SHADOW, ctrl) || _unix_shadowed(pwd)) { + retval = _update_shadow(pamh, forwho, towhat); + if (retval == PAM_SUCCESS) +@@ -569,10 +578,6 @@ + int status; + int err = 0; + +- /* Unlock passwd file to avoid deadlock */ +-#ifdef USE_LCKPWDF +- ulckpwdf(); +-#endif + /* Make RPC call to NIS server */ + if ((master = getNISserver(pamh)) == NULL) + return PAM_TRY_AGAIN; +@@ -770,7 +775,7 @@ int argc, const char **argv) { unsigned int ctrl, lctrl; @@ -74,111 +42,39 @@ diff -u -r1.10 pam_unix_passwd.c int remember = -1; /* <DO NOT free() THESE> */ -@@ -718,33 +737,12 @@ - - D(("called.")); - --#ifdef USE_LCKPWDF -- /* our current locking system requires that we lock the -- entire password database. This avoids both livelock -- and deadlock. */ -- /* These values for the number of attempts and the sleep time -- are, of course, completely arbitrary. -- My reading of the PAM docs is that, once pam_chauthtok() has been -- called with PAM_UPDATE_AUTHTOK, we are obliged to take any -- reasonable steps to make sure the token is updated; so retrying -- for 1/10 sec. isn't overdoing it. -- The other possibility is to call lckpwdf() on the first -- pam_chauthtok() pass, and hold the lock until released in the -- second pass--but is this guaranteed to work? -SRL */ -- i=0; -- while((retval = lckpwdf()) != 0 && i < 100) { -- usleep(1000); -- } -- if(retval != 0) { -- return PAM_AUTHTOK_LOCK_BUSY; -- } --#endif - ctrl = _set_ctrl(pamh, flags, &remember, argc, argv); - - /* - * First get the name of a user - */ -- retval = pam_get_user(pamh, &user, "Username: "); -+ retval = pam_get_user(pamh, &user, NULL); - if (retval == PAM_SUCCESS) { - /* - * Various libraries at various times have had bugs related to -@@ -754,9 +752,6 @@ - */ - if (user == NULL || !isalnum(*user)) { - _log_err(LOG_ERR, pamh, "bad username [%s]", user); --#ifdef USE_LCKPWDF -- ulckpwdf(); --#endif - return PAM_USER_UNKNOWN; +@@ -1007,30 +1012,11 @@ + pass_new = pass_old = NULL; /* tidy up */ + return retval; } - if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) -@@ -766,9 +761,6 @@ - if (on(UNIX_DEBUG, ctrl)) - _log_err(LOG_DEBUG, pamh, - "password - could not identify user"); -#ifdef USE_LCKPWDF -- ulckpwdf(); --#endif - return retval; - } - -@@ -790,9 +782,6 @@ - D(("prelim check")); - - if (_unix_blankpasswd(ctrl, user)) { --#ifdef USE_LCKPWDF -- ulckpwdf(); +- /* These values for the number of attempts and the sleep time +- are, of course, completely arbitrary. +- My reading of the PAM docs is that, once pam_chauthtok() has been +- called with PAM_UPDATE_AUTHTOK, we are obliged to take any +- reasonable steps to make sure the token is updated; so retrying +- for 1/10 sec. isn't overdoing it. */ +- i=0; +- while((retval = lckpwdf()) != 0 && i < 100) { +- usleep(1000); +- i++; +- } +- if(retval != 0) { +- return PAM_AUTHTOK_LOCK_BUSY; +- } -#endif - return PAM_SUCCESS; - } else if (off(UNIX__IAMROOT, ctrl) || on(UNIX_NIS, ctrl)) { -@@ -802,9 +791,6 @@ - if (Announce == NULL) { - _log_err(LOG_CRIT, pamh, - "password - out of memory"); --#ifdef USE_LCKPWDF -- ulckpwdf(); --#endif - return PAM_BUF_ERR; - } - (void) strcpy(Announce, greeting); -@@ -826,9 +812,6 @@ + if (pass_old) { + retval = _unix_verify_password(pamh, user, pass_old, ctrl); if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh - ,"password - (old) token not obtained"); + _log_err(LOG_NOTICE, pamh, "user password changed by another process"); -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif return retval; } - /* verify that this is the password for this user -@@ -846,9 +829,6 @@ - if (retval != PAM_SUCCESS) { - D(("Authentication failed")); - pass_old = NULL; --#ifdef USE_LCKPWDF -- ulckpwdf(); --#endif - return retval; - } - retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); -@@ -901,17 +881,11 @@ - - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, pamh, "user not authenticated"); --#ifdef USE_LCKPWDF -- ulckpwdf(); --#endif - return retval; } - retval = _unix_verify_shadow(user, ctrl); +@@ -1038,9 +1024,6 @@ + retval = _unix_verify_shadow(pamh, user, ctrl); if (retval != PAM_SUCCESS) { _log_err(LOG_NOTICE, pamh, "user not authenticated 2"); -#ifdef USE_LCKPWDF @@ -186,28 +82,18 @@ diff -u -r1.10 pam_unix_passwd.c -#endif return retval; } - D(("get new password now")); -@@ -942,9 +916,6 @@ - ,"password - new password not obtained"); - } - pass_old = NULL; /* tidy up */ --#ifdef USE_LCKPWDF -- ulckpwdf(); --#endif - return retval; - } - D(("returned to _unix_chauthtok")); -@@ -965,9 +936,6 @@ + +@@ -1049,9 +1032,6 @@ _log_err(LOG_NOTICE, pamh, - "new password not acceptable"); + "new password not acceptable 2"); pass_new = pass_old = NULL; /* tidy up */ -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif return retval; } - /* -@@ -1008,9 +976,6 @@ + +@@ -1093,9 +1073,6 @@ _log_err(LOG_CRIT, pamh, "out of memory for password"); pass_new = pass_old = NULL; /* tidy up */ @@ -217,21 +103,3 @@ diff -u -r1.10 pam_unix_passwd.c return PAM_BUF_ERR; } /* copy first 8 bytes of password */ -@@ -1032,6 +997,7 @@ - - retval = _do_setpass(pamh, user, pass_old, tpass, ctrl, - remember); -+ - _pam_delete(tpass); - pass_old = pass_new = NULL; - } else { /* something has broken with the module */ -@@ -1042,9 +1008,6 @@ - - D(("retval was %d", retval)); - --#ifdef USE_LCKPWDF -- ulckpwdf(); --#endif - return retval; - } - |