Diffstat (limited to 'modules/pam_unix')
-rw-r--r-- | modules/pam_unix/Makefile | 3 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix_passwd.c | 4 | ||||
-rw-r--r-- | modules/pam_unix/support.c | 9 | ||||
-rw-r--r-- | modules/pam_unix/unix_chkpwd.c | 34 |
4 files changed, 24 insertions, 26 deletions
diff --git a/modules/pam_unix/Makefile b/modules/pam_unix/Makefile
index dc0b6ac2..e627d728 100644
--- a/modules/pam_unix/Makefile
+++ b/modules/pam_unix/Makefile
@@ -148,7 +148,8 @@ ifdef DYNAMIC
 for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session;\
 do ln -sf $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)/$$x.so ; done
 endif
- install $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED)
+ $(MKDIR) $(FAKEROOT)$(SUPLEMENTED)
+ install -m 4555 $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED)
 remove:
 rm -f $(FAKEROOT)$(SECUREDIR)/$(LIBSHARED)
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 5d8d2d7d..3fe8a27a 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -328,7 +328,7 @@ static int save_old_password(const char *forwho, const char *oldpass, int howman
 return retval;
 }
-static int _update_passwd(const char *forwho, char *towhat)
+static int _update_passwd(const char *forwho, const char *towhat)
 {
 struct passwd *tmpent = NULL;
 FILE *pwfile, *opwfile;
@@ -588,7 +588,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
 ,const char *pass_new)
 {
 const char *user;
- char *remark = NULL;
+ const char *remark = NULL;
 int retval = PAM_SUCCESS;
 D(("&new=%p, &old=%p", pass_old, pass_new));
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 87a5d938..69071408 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -394,7 +394,8 @@ int _unix_blankpasswd(unsigned int ctrl, const char *name)
 #include <sys/types.h>
 #include <sys/wait.h>
-static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsigned int ctrl)
+static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ unsigned int ctrl, const char *user)
 {
 int retval, child, fds[2];
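Review bot: `install -m 4555 $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED)` sets the setuid bit without pinning the owner, so the helper becomes setuid to whichever user runs the install step; it is setuid-root only when that step itself runs as root (or under fakeroot), and any other invocation leaves a helper that carries a setuid bit yet cannot perform the privileged lookup it exists for. Making the owner explicit, `install -m 4555 -o root -g root $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED)`, records the intent and should make a non-root install fail loudly at the ownership change instead of producing a mis-owned helper. Both GNU and BSD install accept `-o`/`-g`.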
@@ -408,8 +409,8 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsig
 /* fork */
 child = fork();
 if (child == 0) {
- static char *args[] = { NULL, NULL };
 static char *envp[] = { NULL };
+ char *args[] = { NULL, NULL, NULL };
 /* XXX - should really tidy up PAM here too */
@@ -419,6 +420,8 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsig
 /* exec binary helper */
 args[0] = x_strdup(CHKPWD_HELPER);
+ args[1] = x_strdup(user);
+
 execve(CHKPWD_HELPER, args, envp);
 /* should not get here: exit with error */
@@ -530,7 +533,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
 if (geteuid()) {
 /* we are not root perhaps this is the reason? Run helper */
 D(("running helper binary"));
- retval = _unix_run_helper_binary(pamh, p, ctrl);
+ retval = _unix_run_helper_binary(pamh, p, ctrl, name);
 if (pwd == NULL && !on(UNIX_AUDIT,ctrl) && retval != PAM_SUCCESS) {
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 6e7d3b28..5b9ed43e 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -165,22 +165,6 @@ static int _unix_verify_password(const char *name, const char *p, int opt)
 static char *getuidname(uid_t uid)
 {
 struct passwd *pw;
-#if 0
- char *envname;
-
- envname = getenv("LOGNAME");
- if (envname == NULL)
- return NULL;
-
- pw = getpwuid(uid);
- if (pw == NULL)
- return NULL;
-
- if (strcmp(envname, pw->pw_name))
- return NULL;
-
- return envname;
-#else
 static char username[32];
 pw = getpwuid(uid);
@@ -192,7 +176,6 @@ static char *getuidname(uid_t uid)
 username[31] = '\0';
 return username;
-#endif
 }
 int main(int argc, char *argv[])
@@ -200,6 +183,7 @@ int main(int argc, char *argv[])
 char pass[MAXPASS + 1];
 char option[8];
 int npass, opt;
+ int force_failure = 0;
 int retval = UNIX_FAILED;
 char *user;
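Review bot: `args[1] = x_strdup(user);` is not checked, and the helper side of this same commit compares the username only when `argc == 2` (unix_chkpwd.c, later in this diff). If x_strdup yields NULL here — on allocation failure, or if it passes a NULL `user` straight through, which this hunk cannot show — the NULL lands in `args[1]`, execve still succeeds with a one-element argv, and the helper runs with its new username check silently skipped, so a check added for security degrades to "not performed" on an error path. Fail the child instead, e.g. `if (args[0] == NULL || args[1] == NULL) { /* take the same error exit used after execve below */ }`, reusing the exit value the lines after "should not get here" already use for a failed exec. The rest of _unix_run_helper_binary, including that exit, lies outside the hunk.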
@@ -228,12 +212,18 @@ int main(int argc, char *argv[])
 sleep(10); /* this should discourage/annoy the user */
 return UNIX_FAILED;
 }
+
 /*
 * determine the current user's name is
- * 1. supplied as a environment variable as LOGNAME
- * 2. the uid has to match the one associated with the LOGNAME.
 */
 user = getuidname(getuid());
+ if (argc == 2) {
+ /* if the caller specifies the username, verify that user
+ matches it */
+ if (strcmp(user, argv[1])) {
+ force_failure = 1;
+ }
+ }
 /* read the nollok/nonull option */
@@ -281,7 +271,11 @@ int main(int argc, char *argv[])
 /* return pass or fail */
- return retval;
+ if ((retval != UNIX_PASSED) || force_failure) {
+ return UNIX_FAILED;
+ } else {
+ return UNIX_PASSED;
+ }
 }
 /* |
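Review bot: `if (strcmp(user, argv[1])) {` uses `user` without a NULL check; `user = getuidname(getuid())` comes from a getpwuid()-based lookup (earlier hunk), and if that function returns NULL for a uid with no passwd entry — the lines between its two hunks are not shown — this is a NULL dereference inside a setuid-root helper instead of a clean UNIX_FAILED. Guard it in the same deferred style so the password is still read and the timing stays the same: `if (user == NULL) { force_failure = 1; } else if (argc == 2 && strcmp(user, argv[1]) != 0) { force_failure = 1; }`. Note too that getuidname() truncates to 31 bytes (`static char username[32]`, `username[31] = '\0'` in the earlier hunks) while argv[1] is the caller's full name, so a login name of 32 or more characters can never match and is always forced to fail; if that is intended, a comment at the comparison should say so. main() continues outside this hunk.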