path: root/patches-applied/055_pam_unix_nullok_secure
Index: Linux-PAM/modules/pam_unix/support.c
===================================================================
--- Linux-PAM/modules/pam_unix/support.c	(revision 316)
+++ Linux-PAM/modules/pam_unix/support.c	(working copy)
@@ -150,14 +150,23 @@
 	/* now parse the arguments to this module */
 
 	while (argc-- > 0) {
-		int j;
+		int j, sl;
 
 		D(("pam_unix arg: %s", *argv));
 
 		for (j = 0; j < UNIX_CTRLS_; ++j) {
-			if (unix_args[j].token &&
-			    !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token)))
-				break;
+			if (unix_args[j].token) {
+			    sl = strlen(unix_args[j].token);
+			    if (unix_args[j].token[sl-1] == '=') {
+				/* exclude argument from comparison */
+				if (!strncmp(*argv, unix_args[j].token, sl))
+				    break;
+			    } else {
+				/* compare full strings */
+				if (!strcmp(*argv, unix_args[j].token))
+				    break;
+			    }
+			}
 		}
 
 		if (j >= UNIX_CTRLS_) {
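Review bot: The added test `unix_args[j].token[sl-1] == '='` reads one byte before the string if a table entry ever has an empty token, because `sl` would be 0; the rows visible in support.h are all NULL or non-empty, so this is latent rather than live. Guarding it as `if (sl > 0 && unix_args[j].token[sl-1] == '=')` and declaring `sl` as `size_t`, which is what `strlen` returns and `strncmp` takes, would close it. The switch to `strcmp` is presumably what keeps `nullok` from prefix-matching `nullok_secure`, and a comment such as `/* exact match: "nullok" must not also accept "nullok_secure" */` would record that for the next option that shares a prefix. The enclosing function starts and ends outside the hunk.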
@@ -533,6 +542,17 @@
 	if (salt)
 		_pam_delete(salt);
 
+	if ((retval == 1) && on(UNIX_NULLOK_SECURE, ctrl)) {
+		int retval2;
+		const char *uttyname;
+		retval2 = pam_get_item(pamh, PAM_TTY, (const void **)&uttyname);
+		if (retval2 != PAM_SUCCESS || uttyname == NULL)
+			return 0;
+
+		if (_pammodutil_tty_secure(uttyname) != PAM_SUCCESS)
+			return 0;
+	}
+
 	return retval;
 }
 
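Review bot: The secure-terminal decision in the added block rests entirely on `PAM_TTY`, an item the calling application sets rather than one the module derives, so `nullok_secure` is only as strong as the services that populate it. That deserves a comment above the block, e.g. `/* PAM_TTY comes from the application; a missing or non-secure tty fails closed */`. `uttyname` is only read after `retval2 == PAM_SUCCESS`, but writing `const char *uttyname = NULL;` would make the fail-closed path independent of what `pam_get_item` leaves in the pointer on error. Whether `_pammodutil_tty_secure` expects the name with or without a `/dev/` prefix is not visible here and should be confirmed against what applications put in `PAM_TTY`. The function body starts outside the hunk.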
@@ -732,7 +752,7 @@
 	    int salt_len = strlen(salt);
 	    if (!salt_len) {
 		/* the stored password is NULL */
-		if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
+		if (_unix_blankpasswd(pamh, ctrl, name)) {/* this means we've succeeded */
 		    D(("user has empty password - access granted"));
 		    retval = PAM_SUCCESS;
 		} else {
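Review bot: With `off(UNIX__NONULL, ctrl)` removed from this branch, refusing an empty stored password when no nullok option is given now depends on `_unix_blankpasswd` testing that flag itself, and only the tail of that function appears in this patch. Unless its opening lines are confirmed to return 0 when `UNIX__NONULL` is set, keeping the explicit test is the safer form: `if (off(UNIX__NONULL, ctrl) && _unix_blankpasswd(pamh, ctrl, name)) {`. The call also presumably repeats an account lookup by `name` although `salt_len` has already established that the stored value is empty; a short comment that it is made here for the tty check would explain the redundancy. The enclosing function starts and ends outside the hunk.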
Index: Linux-PAM/modules/pam_unix/support.h
===================================================================
--- Linux-PAM/modules/pam_unix/support.h	(revision 295)
+++ Linux-PAM/modules/pam_unix/support.h	(working copy)
@@ -88,8 +88,9 @@
 #define UNIX_MIN_PASS_LEN        24     /* Min length for password */
 #define UNIX_NOOBSCURE_CHECKS    25	/* internal */
 #define UNIX_OBSCURE_CHECKS      26     /* enable obscure checks on passwords */
+#define UNIX_NULLOK_SECURE       27	/* NULL passwords allowed only on secure ttys */
 /* -------------- */
-#define UNIX_CTRLS_              27	/* number of ctrl arguments defined */
+#define UNIX_CTRLS_              28	/* number of ctrl arguments defined */
 
 
 static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
@@ -124,6 +125,7 @@
 /* UNIX_MIN_PASS_LEN */    {"min=",            _ALL_ON_,             0x800000},
 /* UNIX_NOOBSCURE_CHECKS */{NULL,              _ALL_ON_,            0x1000000},
 /* UNIX_OBSCURE_CHECKS */  {"obscure",         _ALL_ON_,            0x2000000},
+/* UNIX_NULLOK_SECURE */   {"nullok_secure",   _ALL_ON_^(0x200),    0x4000000},
 };
 
 #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag | unix_args[UNIX_NOOBSCURE_CHECKS].flag)
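Review bot: The mask `_ALL_ON_^(0x200)` on the new `nullok_secure` row is a bare literal, so a reader has to know which flag 0x200 is; presumably it is the `UNIX__NONULL` bit that `UNIX_DEFAULTS` sets, but that row is outside the hunk. A trailing comment such as `/* clears UNIX__NONULL (0x200), sets the secure-tty restriction */` would make the row reviewable on its own. None of the visible rows clears 0x4000000, which suggests that once `nullok_secure` is given, a later plain `nullok` on the same module line does not lift the tty restriction. That ordering behaviour should be stated in the option's documentation, which this patch does not add.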