
Re: pam_unix_auth cleanup: NIS+ issues



On Tue, Jun 08, 1999 at 06:12:39PM -0500, Stephen Langasek wrote:
> Hello all,
> 
> I've taken a closer look at the NIS+ uid issue in the pam_unix source code
> and have realized that I made a serious mistake in changing it: NIS+ really
> /does/ need to make two calls to getpwnam(), and my changes will actually
> cause the app to segfault (non-destructively) if the user isn't in the
> passwd file (shame on me).
> 
> The uid handling remains broken, so I'm hesitant to change the getpwnam()
> calls back to the way they were.  Does anyone here know what NIS+
> returns in the password field for getpwnam() when called by a different
> user?  I'd like to be able to check for this value, so that the module will

It returns "*NP*". A few months ago I sent the patch to Morgan. Here it is
(I have no PAM 0.66 sources for now, so it's against 0.65):

-- cut --
--- pam_unix_auth.c.orig	Thu Jan 15 01:10:01 1998
+++ pam_unix_auth.c	Tue Feb  9 20:58:31 1999
@@ -188,16 +188,6 @@
 
 	pw = getpwnam ( name );
 
-	/* For NIS+, root cannot get password for lesser user */
-	if (pw) {
-	    uid_t save_uid;
-
-	    save_uid = geteuid ();
-	    if (seteuid (pw->pw_uid) >= 0) {
-		pw = getpwnam ( name );
-		seteuid (save_uid);
-	    }
-	}
 	if (pw) 
 		{
 
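Review bot: the comment removed here, `/* For NIS+, root cannot get password for lesser user */`, is the only explanation of why the euid is switched, and the replacement branch in the next hunk is annotated only with `/* NIS+ */`. Carry the explanation over to the new branch, and state there that the lookup made under the user's euid is now getspnam() rather than a second getpwnam().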
@@ -208,9 +198,16 @@
 		 * systems.  Shadow passwords are optional on Linux - if
 		 * there is no shadow password, use the non-shadow one.
 		 */
-
-		sp = getspnam( name );
-		if (sp && (!strcmp(pw->pw_passwd,"x")))
+		if (!strcmp(pw->pw_passwd,"*NP*")) { /* NIS+ */
+		    uid_t save_uid;
+		    save_uid = geteuid();
+		    seteuid (pw->pw_uid);
+		    sp = getspnam( name );
+		    seteuid (save_uid);
+		} else
+		    sp = getspnam( name );
+		
+		if (sp && (strlen(pw->pw_passwd) < 13))
 			{
 				/* TODO: check if password has expired etc. */
 				salt = sp->sp_pwdp;
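Review bot: both seteuid() calls in the new `*NP*` branch ignore their return values, whereas the block removed earlier in this patch at least tested `seteuid (pw->pw_uid) >= 0`. If the first call fails, getspnam() runs under the caller's euid; if the restoring `seteuid (save_uid)` fails, the rest of the module keeps running under the target user's euid. Check both calls and fail the authentication when the restore does not succeed. Separately, replacing `!strcmp(pw->pw_passwd,"x")` with `strlen(pw->pw_passwd) < 13` makes any short pw_passwd value, including an empty one, defer to the shadow entry; a comment saying that 13 is the length of a traditional crypt() hash would make the intent of the test clear.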
@@ -221,7 +218,7 @@
 		} 
 	else 
 		return PAM_USER_UNKNOWN;
-		
+
 		/* The 'always-encrypt' method does not make sense in PAM
 		   because the framework requires return of a different
 		   error code for non-existant users -- alex */
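Review bot: the only change in this hunk is whitespace on the blank line after `return PAM_USER_UNKNOWN;`, which is unrelated to the NIS+ fix. Drop it from the patch or send it separately so the functional change stays easy to review.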
-- cut --

This patch was written in consultation with Thorsten Kukuk and it works just
fine for me.

--
Dmitry O Panov         |  mailto:dmitry@tsu.tula.ru
Tula State University  |  http://www.tsu.tula.ru/
Dept. of CS & NIT      |  Fidonet: Dmitry Panov, 2:5022/8.31 aka 2:5022/5.50


