authorTomas Mraz <tm@t8m.info>2008-02-21 21:12:30 +0000
committerTomas Mraz <tm@t8m.info>2008-02-21 21:12:30 +0000
commit6ccbba1cf178e9de46347e2f9df76f69aebcec20 (patch)
treed1d8b61899152d201746f7a949208767370af590
parent9058692366a17701a67d4a5c2eb306acfc778bd6 (diff)
Relevant BUGIDs: rhbz#433459
Purpose of commit: bugfix Commit summary: --------------- 2008-02-21 Tomas Mraz <t8m@centrum.cz> * libpam/pam_audit.c (_pam_audit_writelog): Silence syslog message on non-error return. * modules/pam_unix/unix_chkpwd.c (main): Proceed as unprivileged user when checking password of another user. * modules/pam_unix/unix_update.c: Fix comment.
-rw-r--r--ChangeLog9
-rw-r--r--libpam/pam_audit.c19
-rw-r--r--modules/pam_unix/unix_chkpwd.c5
-rw-r--r--modules/pam_unix/unix_update.c11
4 files changed, 28 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index 3bfd3c6a..d5cc413c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2008-02-21 Tomas Mraz <t8m@centrum.cz>
+
+ * libpam/pam_audit.c (_pam_audit_writelog): Silence syslog
+ message on non-error return.
+
+ * modules/pam_unix/unix_chkpwd.c (main): Proceed as unprivileged
+ user when checking password of another user.
+ * modules/pam_unix/unix_update.c: Fix comment.
+
2008-02-18 Dmitry V. Levin <ldv@altlinux.org>
* libpam/pam_handlers.c (_pam_assemble_line): Fix potential
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
index 6fd6a0c1..7f2e0b2c 100644
--- a/libpam/pam_audit.c
+++ b/libpam/pam_audit.c
@@ -43,18 +43,17 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
best to fix it. */
errno = -rc;
- if (rc < 0 && errno != old_errno)
- {
- old_errno = errno;
- pam_syslog (pamh, LOG_CRIT, "audit_log_acct_message() failed: %m");
- }
-
pamh->audit_state |= PAMAUDIT_LOGGED;
- if (rc == -EPERM && getuid () != 0)
- return 0;
- else
- return rc;
+ if (rc < 0) {
+ if (rc == -EPERM && getuid() != 0)
+ return 0;
+ if (errno != old_errno) {
+ old_errno = errno;
+ pam_syslog (pamh, LOG_CRIT, "audit_log_acct_message() failed: %m");
+ }
+ }
+ return rc;
}
static int
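Review bot: The new `if (rc == -EPERM && getuid() != 0) return 0;` branch has no comment explaining why a failed audit write is reported as success, and after this change it also leaves no syslog trace. `PAMAUDIT_LOGGED` is already set on the line above, so for an unprivileged caller the handle is marked as logged although no record was written. That is presumably intended, since a non-root process cannot write audit records, but it should be stated at the branch, for example `/* unprivileged callers cannot write audit records: not an error, stay silent */`. As a style point, the added lines use `getuid()` and same-line braces where the removed lines used `getuid ()` and braces on their own line. The function begins outside this hunk.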
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 11ac3aac..5f872d27 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -101,7 +101,10 @@ int main(int argc, char *argv[])
/* if the caller specifies the username, verify that user
matches it */
if (strcmp(user, argv[1])) {
- return PAM_AUTH_ERR;
+ user = argv[1];
+ /* no match -> permanently change to the real user and proceed */
+ if (setuid(getuid()) != 0)
+ return PAM_AUTH_ERR;
}
}
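Review bot: The privilege drop added in the mismatch branch covers only the user id: `setuid(getuid())` leaves the effective and saved group ids untouched. If this helper is ever installed setgid (the hunk does not show how it is installed), the process would continue with the privileged group while checking another user's password. Dropping the group first and checking both calls closes that gap: `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return PAM_AUTH_ERR;`. The context comment "verify that user matches it" is now stale, because a mismatch no longer fails; it could read `/* if the caller names a different user, drop privileges and check as the real user */`. The body of `main` continues outside the hunk.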
diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index 595b7f8b..f54a59ce 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -1,11 +1,12 @@
/*
- * This program is designed to run setuid(root) or with sufficient
- * privilege to read all of the unix password databases. It is designed
- * to provide a mechanism for the current user (defined by this
- * process' uid) to verify their own password.
+ * This program is designed to run with sufficient privilege
+ * to read and write all of the unix password databases.
+ * Its purpose is to allow updating the databases when
+ * SELinux confinement of the caller domain prevents them to
+ * do that themselves.
*
* The password is read from the standard input. The exit status of
- * this program indicates whether the user is authenticated or not.
+ * this program indicates whether the password was updated or not.
*
* Copyright information is located at the end of the file.
*