
pam_unix_auth cleanup



The next patch in my series of pam_unix modifications is a fairly large
cleanup and redesign of the pam_unix_auth component of the module set.
Most of the original code remains intact, although some significant
restructuring makes this a rather large patch.  In addition to the code
reordering, I've made the following changes:

  * addition of several configuration options in compliance with the
    Linux-PAM module writer's guide
  * addition of useful debugging information and logging code
  * fix of the memory leak mentioned on the list
  * attempt to clean up the NIS+ support

This patch, like the previous ones, is against the pam-0.66 distributed with
RedHat 6.0.  It has been tested against glibc 2.0 and 2.1 with a Linux 2.2
kernel (RH5.2, RH6.0).

The NIS+ support in pam_unix_auth appears to have been using inverted logic:
instead of checking for a failed call to getpwnam() before changing uids, it
checked for a /successful/ call.  Does anyone know for certain that
pam_unix_auth did do NIS+ authentication correctly?  If so, I'll change it
back.  In any case, the uid handling code was broken for suid binaries run
by a non-root user when requesting authentication for a non-root user (e.g.,
su).  It is still broken for NIS+ under these conditions, and will have to
be cleaned up if anyone plans to use pam_unix_auth with NIS+.

-Steve Langasek
postmodern programmer


