Delta from 1.12 to 1.13 from Linux-PAM pam_unix_passwd.c
made to work with our changes. Not sure this is actually relevant, as
other changes seem to have been made upstream.
Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c
===================================================================
--- Linux-PAM/modules/pam_unix/pam_unix_passwd.c (revision 295)
+++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c (working copy)
@@ -553,6 +553,15 @@
retval = PAM_AUTHTOK_ERR;
goto done;
}
+
+#ifdef USE_LCKPWDF
+ retval = lckpwdf();
+ if (retval != 0) {
+ retval = PAM_AUTHTOK_LOCK_BUSY;
+ goto done;
+ }
+#endif /* def USE_LCKPWDF */
+
if (on(UNIX_SHADOW, ctrl) || _unix_shadowed(pwd)) {
retval = _update_shadow(pamh, forwho, towhat);
if (retval == PAM_SUCCESS)
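Review bot: Taking the lock only at this point means the checks that used to run under it no longer do. The later hunks drop the `lckpwdf()` call that preceded the `_unix_verify_password` re-check (the one logged as "user password changed by another process"), so, assuming that check runs before this code, a concurrent change made between the check and this `lckpwdf()` would go unnoticed and be overwritten. If the check is meant to detect a racing update, repeat it after the lock is acquired or take the lock before it, as the old code did. The single `lckpwdf()` call also replaces the removed 100-attempt retry loop, which is fine only if the platform's `lckpwdf()` already waits for the lock; a comment such as `/* lckpwdf() blocks with its own timeout; no retry loop needed */` would record that assumption. The `done` label is outside the hunk, so confirm that it calls `ulckpwdf()` for this path and is harmless on the earlier `goto done` paths taken before the lock is held.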
@@ -569,10 +578,6 @@
int status;
int err = 0;
- /* Unlock passwd file to avoid deadlock */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
/* Make RPC call to NIS server */
if ((master = getNISserver(pamh)) == NULL)
return PAM_TRY_AGAIN;
@@ -770,7 +775,7 @@
int argc, const char **argv)
{
unsigned int ctrl, lctrl;
- int retval, i;
+ int retval;
int remember = -1;
/* <DO NOT free() THESE> */
@@ -1007,30 +1012,11 @@
pass_new = pass_old = NULL; /* tidy up */
return retval;
}
-#ifdef USE_LCKPWDF
- /* These values for the number of attempts and the sleep time
- are, of course, completely arbitrary.
- My reading of the PAM docs is that, once pam_chauthtok() has been
- called with PAM_UPDATE_AUTHTOK, we are obliged to take any
- reasonable steps to make sure the token is updated; so retrying
- for 1/10 sec. isn't overdoing it. */
- i=0;
- while((retval = lckpwdf()) != 0 && i < 100) {
- usleep(1000);
- i++;
- }
- if(retval != 0) {
- return PAM_AUTHTOK_LOCK_BUSY;
- }
-#endif
if (pass_old) {
retval = _unix_verify_password(pamh, user, pass_old, ctrl);
if (retval != PAM_SUCCESS) {
_log_err(LOG_NOTICE, pamh, "user password changed by another process");
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
}
@@ -1038,9 +1024,6 @@
retval = _unix_verify_shadow(pamh, user, ctrl);
if (retval != PAM_SUCCESS) {
_log_err(LOG_NOTICE, pamh, "user not authenticated 2");
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
@@ -1049,9 +1032,6 @@
_log_err(LOG_NOTICE, pamh,
"new password not acceptable 2");
pass_new = pass_old = NULL; /* tidy up */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
@@ -1093,9 +1073,6 @@
_log_err(LOG_CRIT, pamh,
"out of memory for password");
pass_new = pass_old = NULL; /* tidy up */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return PAM_BUF_ERR;
}
/* copy first 8 bytes of password */