authorThorsten Kukuk <kukuk@thkukuk.de>2004-09-30 12:29:18 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2004-09-30 12:29:18 +0000
commitb651aa8d81ecf3072cc52dcd0192905b686d17b1 (patch)
treea6540ec6e1feafc94da6245fbe3e61045c0a85c0 /modules
parent6fb01537462a326a139f0c2d975145b26cd54bbe (diff)
Relevant BUGIDs:
Purpose of commit: Commit summary: --------------- bugfix: Preserve permissions of shadow/passwd file. From Red Hat.
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_unix/pam_unix_passwd.c90
1 files changed, 67 insertions, 23 deletions
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index f11d2b20..91625c61 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -1,5 +1,5 @@
/*
- * Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
+ * Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
* Copyright (C) 1996.
* Copyright (c) Jan RÍkorajski, 1999.
*
@@ -116,7 +116,9 @@ extern char *bigcrypt(const char *key, const char *salt);
#define MAX_PASSWD_TRIES 3
#define PW_TMPFILE "/etc/npasswd"
#define SH_TMPFILE "/etc/nshadow"
+#ifndef CRACKLIB_DICTS
#define CRACKLIB_DICTS "/usr/share/dict/cracklib_dict"
+#endif
#define OPW_TMPFILE "/etc/security/nopasswd"
#define OLD_PASSWORDS_FILE "/etc/security/opasswd"
@@ -257,6 +259,7 @@ static int save_old_password(pam_handle_t *pamh,
int oldmask;
int found = 0;
struct passwd *pwd = NULL;
+ struct stat st;
if (howmany < 0) {
return PAM_SUCCESS;
@@ -279,8 +282,25 @@ static int save_old_password(pam_handle_t *pamh,
return PAM_AUTHTOK_ERR;
}
- chown(OPW_TMPFILE, 0, 0);
- chmod(OPW_TMPFILE, 0600);
+ if (fstat (fileno (opwfile), &st) == -1)
+ {
+ fclose (opwfile);
+ fclose (pwfile);
+ return PAM_AUTHTOK_ERR;
+ }
+
+ if (fchown (fileno (pwfile), st.st_uid, st.st_gid) == -1)
+ {
+ fclose (opwfile);
+ fclose (pwfile);
+ return PAM_AUTHTOK_ERR;
+ }
+ if (fchmod (fileno (pwfile), st.st_mode) == -1)
+ {
+ fclose (opwfile);
+ fclose (pwfile);
+ return PAM_AUTHTOK_ERR;
+ }
while (fgets(buf, 16380, opwfile)) {
if (!strncmp(buf, forwho, strlen(forwho))) {
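Review bot: The temporary old-passwords file used to be forced to root:root and mode 0600 by the removed `chown(OPW_TMPFILE, 0, 0); chmod(OPW_TMPFILE, 0600);`, whereas the new `fchmod (fileno (pwfile), st.st_mode)` copies whatever mode the existing file has, so an over-permissive file that (going by its name) stores old passwords stays over-permissive after the rewrite. If preserving the mode is meant only for passwd and shadow, as the commit summary suggests, consider clamping it here with `fchmod (fileno (pwfile), st.st_mode & 0600)`. Separately, each of the three new error branches closes both streams and returns without removing the temporary file, which presumably was created just above the hunk; an `unlink (OPW_TMPFILE);` before each `return PAM_AUTHTOK_ERR;` would avoid leaving it behind, and the same applies to the matching branches in the `_update_passwd` and `_update_shadow` hunks with `PW_TMPFILE` and `SH_TMPFILE`. The body of save_old_password starts and ends outside the hunk, so cleanup may already happen elsewhere.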
@@ -368,14 +388,26 @@ static int _update_passwd(pam_handle_t *pamh,
return PAM_AUTHTOK_ERR;
}
- if (fstat(fileno(opwfile), &st) == -1) {
- chown(PW_TMPFILE, 0, 0);
- chmod(PW_TMPFILE, 0644);
- } else {
- chown(PW_TMPFILE, st.st_uid, st.st_gid);
- chmod(PW_TMPFILE, st.st_mode);
- }
- tmpent = fgetpwent(opwfile);
+ if (fstat (fileno (opwfile), &st) == -1)
+ {
+ fclose (opwfile);
+ fclose (pwfile);
+ return PAM_AUTHTOK_ERR;
+ }
+
+ if (fchown (fileno (pwfile), st.st_uid, st.st_gid) == -1)
+ {
+ fclose (opwfile);
+ fclose (pwfile);
+ return PAM_AUTHTOK_ERR;
+ }
+ if (fchmod (fileno (pwfile), st.st_mode) == -1)
+ {
+ fclose (opwfile);
+ fclose (pwfile);
+ }
+
+ tmpent = fgetpwent (opwfile);
while (tmpent) {
if (!strcmp(tmpent->pw_name, forwho)) {
/* To shut gcc up */
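Review bot: The `fchmod` failure branch in this hunk closes `opwfile` and `pwfile` but has no `return`, unlike the `fstat` and `fchown` branches above it and the same branch in the other two hunks. Execution therefore falls through to `tmpent = fgetpwent (opwfile);` on a stream that has already been closed, which is undefined behaviour, and the later code presumably writes to and closes `pwfile` a second time. Add `return PAM_AUTHTOK_ERR;` after the two `fclose` calls so the branch matches its siblings. The rest of `_update_passwd` lies outside the hunk.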
@@ -384,7 +416,7 @@ static int _update_passwd(pam_handle_t *pamh,
char *charp;
} assigned_passwd;
assigned_passwd.const_charp = towhat;
-
+
tmpent->pw_passwd = assigned_passwd.charp;
err = 0;
}
@@ -437,13 +469,26 @@ static int _update_shadow(const char *forwho, char *towhat)
return PAM_AUTHTOK_ERR;
}
- if (fstat(fileno(opwfile), &st) == -1) {
- chown(SH_TMPFILE, 0, 0);
- chmod(SH_TMPFILE, 0600);
- } else {
- chown(SH_TMPFILE, st.st_uid, st.st_gid);
- chmod(SH_TMPFILE, st.st_mode);
- }
+ if (fstat (fileno (opwfile), &st) == -1)
+ {
+ fclose (opwfile);
+ fclose (pwfile);
+ return PAM_AUTHTOK_ERR;
+ }
+
+ if (fchown (fileno (pwfile), st.st_uid, st.st_gid) == -1)
+ {
+ fclose (opwfile);
+ fclose (pwfile);
+ return PAM_AUTHTOK_ERR;
+ }
+ if (fchmod (fileno (pwfile), st.st_mode) == -1)
+ {
+ fclose (opwfile);
+ fclose (pwfile);
+ return PAM_AUTHTOK_ERR;
+ }
+
stmpent = fgetspent(opwfile);
while (stmpent) {
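Review bot: The new block has no comment explaining why ownership and mode are now copied through the descriptors and why a failure aborts, where the removed code fell back to root:root 0600 by path name. A short comment above the `fstat` call would record that intent for the next maintainer, for example `/* Copy owner and mode from the file being read onto the temp file via its descriptor; abort on any failure rather than continue with default permissions. */`. The same comment would fit the equivalent blocks in `save_old_password` and `_update_passwd`. The body of `_update_shadow` continues outside the hunk.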
@@ -573,7 +618,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat,
return PAM_AUTHTOK_LOCK_BUSY;
}
#endif /* def USE_LCKPWDF */
-
+
if (on(UNIX_SHADOW, ctrl) || (strcmp(pwd->pw_passwd, "x") == 0)) {
retval = _update_shadow(forwho, towhat);
if (retval == PAM_SUCCESS)
@@ -611,7 +656,7 @@ static int _unix_verify_shadow(const char *user, unsigned int ctrl)
if (spwdent == NULL)
return PAM_AUTHINFO_UNAVAIL;
} else {
- if (strcmp(pwd->pw_passwd,"*NP*") == 0) { /* NIS+ */
+ if (strcmp(pwd->pw_passwd,"*NP*") == 0) { /* NIS+ */
uid_t save_uid;
save_uid = geteuid();
@@ -943,7 +988,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
salt[2] = '\0';
if (off(UNIX_BIGCRYPT, ctrl) && strlen(pass_new) > 8) {
- /*
+ /*
* to avoid using the _extensions_ of the bigcrypt()
* function we truncate the newly entered password
* [Problems that followed from this are fixed as per
@@ -1003,4 +1048,3 @@ struct pam_module _pam_unix_passwd_modstruct = {
pam_sm_chauthtok,
};
#endif
-