
Re: pam_unix_auth cleanup: NIS+ issues



I wouldn't accept such changes without deep thought.

UID mangling may have many more consequences than those that lie on the surface.
For example, a seteuid(pw->pw_uid) call implies that the user with uid pw->pw_uid
may send signals to the application calling pam_auth.
Different signals (SIGSTOP, SIGPIPE, SIGURG, SIGALRM) may have different
funny results for an FTP server and other applications.

Regards
					Andrey V. Savochkin

On Wed, Jun 09, 1999 at 09:56:29AM +0400, Dmitry Panov wrote:
> It returns "*NP*". A few months ago I sent the patch to Morgan. Here it is
> (I have no PAM 0.66 sources for now, so it's against 0.65):
> 
> -- cut --
> --- pam_unix_auth.c.orig	Thu Jan 15 01:10:01 1998
> +++ pam_unix_auth.c	Tue Feb  9 20:58:31 1999
> @@ -188,16 +188,6 @@
>  
>  	pw = getpwnam ( name );
>  
> -	/* For NIS+, root cannot get password for lesser user */
> -	if (pw) {
> -	    uid_t save_uid;
> -
> -	    save_uid = geteuid ();
> -	    if (seteuid (pw->pw_uid) >= 0) {
> -		pw = getpwnam ( name );
> -		seteuid (save_uid);
> -	    }
> -	}
>  	if (pw) 
>  		{
>  
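
Review bot: the removed comment "For NIS+, root cannot get password for lesser user" is the only explanation of why the effective uid is changed at all, and it is deleted here rather than moved. Carry that sentence over to the new "*NP*" branch so the reason for the seteuid() calls stays documented next to them.
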
> @@ -208,9 +198,16 @@
>  		 * systems.  Shadow passwords are optional on Linux - if
>  		 * there is no shadow password, use the non-shadow one.
>  		 */
> -
> -		sp = getspnam( name );
> -		if (sp && (!strcmp(pw->pw_passwd,"x")))
> +		if (!strcmp(pw->pw_passwd,"*NP*")) { /* NIS+ */
> +		    uid_t save_uid;
> +		    save_uid = geteuid();
> +		    seteuid (pw->pw_uid);
> +		    sp = getspnam( name );
> +		    seteuid (save_uid);
> +		} else
> +		    sp = getspnam( name );
> +		
> +		if (sp && (strlen(pw->pw_passwd) < 13))
>  			{
>  				/* TODO: check if password has expired etc. */
>  				salt = sp->sp_pwdp;
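
Review bot: both seteuid() calls in the new "*NP*" branch ignore their return value, while the block removed earlier in this patch at least tested `seteuid (pw->pw_uid) >= 0`. If the first call fails, getspnam() runs under the original euid; if `seteuid (save_uid)` fails, the module carries on with the euid of pw->pw_uid. Check both calls and fail the authentication when either one does not succeed. While the euid is switched, that user can also signal the calling process, as raised in the reply above, so the window should cover nothing but the getspnam() call. Separately, `strlen(pw->pw_passwd) < 13` replaces the explicit comparison with "x" without a comment saying what the 13 stands for; add one.
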
> @@ -221,7 +218,7 @@
>  		} 
>  	else 
>  		return PAM_USER_UNKNOWN;
> -		
> +
>  		/* The 'always-encrypt' method does not make sense in PAM
>  		   because the framework requires return of a different
>  		   error code for non-existant users -- alex */
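
Review bot: the only change in this hunk is whitespace on the line after `return PAM_USER_UNKNOWN;` (a tab-only line replaced by an empty one), which is unrelated to the NIS+ fix. Drop it from the patch or send it as a separate cleanup so the functional change is easier to review.
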
> -- cut --
> 
> This patch was written in consultation with Thorsten Kukuk and it works just
> fine for me.


