Diffstat (limited to 'modules/pam_unix')
-rw-r--r--modules/pam_unix/Makefile.am9
-rw-r--r--modules/pam_unix/md5.c2
-rw-r--r--modules/pam_unix/pam_unix_passwd.c48
-rw-r--r--modules/pam_unix/support.c37
-rw-r--r--modules/pam_unix/yppasswd_xdr.c4
5 files changed, 64 insertions, 36 deletions
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
index 44b37e94..ea5a7318 100644
--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk <kukuk@suse.de>
+# Copyright (c) 2005, 2006, 2009, 2011 Thorsten Kukuk <kukuk@suse.de>
#
CLEANFILES = *~
@@ -18,7 +18,8 @@ secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
- -DUPDATE_HELPER=\"$(sbindir)/unix_update\"
+ -DUPDATE_HELPER=\"$(sbindir)/unix_update\" \
+ $(NIS_CFLAGS)
if HAVE_LIBSELINUX
AM_CFLAGS += -D"WITH_SELINUX"
@@ -28,8 +29,8 @@ pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
-pam_unix_la_LIBADD = @LIBNSL@ -L$(top_builddir)/libpam -lpam \
- @LIBCRYPT@ @LIBSELINUX@
+pam_unix_la_LIBADD = -L$(top_builddir)/libpam -lpam \
+ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS)
securelib_LTLIBRARIES = pam_unix.la
diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c
index 7ee9ed00..1c622ecd 100644
--- a/modules/pam_unix/md5.c
+++ b/modules/pam_unix/md5.c
@@ -148,7 +148,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
byteReverse((unsigned char *) ctx->buf, 4);
memcpy(digest, ctx->buf, 16);
- memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
+ memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */
}
#ifndef ASM_MD5
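Review bot: The wipe at the end of MD5Final is still a plain `memset`, which a compiler may drop as a dead store when the function is inlined into a caller that never reads the context again, so the corrected `sizeof(*ctx)` does not by itself guarantee the state is cleared. Where the C library provides it, `explicit_bzero(ctx, sizeof(*ctx));` keeps the store; otherwise a wipe through a volatile pointer would serve the same purpose. The comment could also say what is being cleared, for example `/* clear hash state: it may hold password-derived data */`. MD5Final begins outside this hunk.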
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 320bc547..631df318 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -54,13 +54,6 @@
#include <ctype.h>
#include <sys/time.h>
#include <sys/stat.h>
-#include <rpc/rpc.h>
-#ifdef HAVE_RPCSVC_YP_PROT_H
-#include <rpcsvc/yp_prot.h>
-#endif
-#ifdef HAVE_RPCSVC_YPCLNT_H
-#include <rpcsvc/ypclnt.h>
-#endif
#include <signal.h>
#include <errno.h>
@@ -76,16 +69,33 @@
#include <security/pam_ext.h>
#include <security/pam_modutil.h>
-#include "yppasswd.h"
#include "md5.h"
#include "support.h"
#include "passverify.h"
#include "bigcrypt.h"
-#if !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1))
+#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
+# define HAVE_NIS
+#endif
+
+#ifdef HAVE_NIS
+# include <rpc/rpc.h>
+
+# if HAVE_RPCSVC_YP_PROT_H
+# include <rpcsvc/yp_prot.h>
+# endif
+
+# if HAVE_RPCSVC_YPCLNT_H
+# include <rpcsvc/ypclnt.h>
+# endif
+
+# include "yppasswd.h"
+
+# if !HAVE_DECL_GETRPCPORT
extern int getrpcport(const char *host, unsigned long prognum,
unsigned long versnum, unsigned int proto);
-#endif /* GNU libc 2.1 */
+# endif /* GNU libc 2.1 */
+#endif
/*
How it works:
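Review bot: `HAVE_NIS` is derived only from the yp_* function checks, while yppasswd_xdr.c (last file in this commit) is now compiled only under `HAVE_RPC_RPC_H`, so the two files can disagree about whether NIS support is built. On a system where the YP functions are found but `rpc/rpc.h` is not, this file would still include `<rpc/rpc.h>` and the NIS path would presumably reference XDR routines that were compiled out. The configure logic is not visible here, so this may be unreachable in practice, but one shared condition would remove the doubt, e.g. `#if HAVE_RPC_RPC_H && (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER`. The retained `/* GNU libc 2.1 */` comment no longer matches the condition it closes; `# endif /* !HAVE_DECL_GETRPCPORT */` and `#endif /* HAVE_NIS */` would read better.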
@@ -102,9 +112,9 @@ extern int getrpcport(const char *host, unsigned long prognum,
#define MAX_PASSWD_TRIES 3
+#ifdef HAVE_NIS
static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
{
-#if (defined(HAVE_YP_GET_DEFAULT_DOMAIN) || defined(HAVE_GETDOMAINNAME)) && defined(HAVE_YP_MASTER)
char *master;
char *domainname;
int port, err;
@@ -151,14 +161,8 @@ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
master, port);
}
return master;
-#else
- if (on(UNIX_DEBUG, ctrl)) {
- pam_syslog(pamh, LOG_DEBUG, "getNISserver: No NIS support available");
- }
-
- return NULL;
-#endif
}
+#endif
#ifdef WITH_SELINUX
@@ -326,6 +330,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
}
if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
+#ifdef HAVE_NIS
if ((master=getNISserver(pamh, ctrl)) != NULL) {
struct timeval timeout;
struct yppasswd yppwd;
@@ -391,6 +396,13 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
} else {
retval = PAM_TRY_AGAIN;
}
+#else
+ if (on(UNIX_DEBUG, ctrl)) {
+ pam_syslog(pamh, LOG_DEBUG, "No NIS support available");
+ }
+
+ retval = PAM_TRY_AGAIN;
+#endif
}
if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
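Review bot: In the new `#else` branch, a configuration that enables `UNIX_NIS` on a build without NIS support fails the password change with only a `LOG_DEBUG` message, and only when `UNIX_DEBUG` is set, so by default the administrator gets no trace of why the change was refused. Logging unconditionally, `pam_syslog(pamh, LOG_WARNING, "No NIS support available");`, would make the misconfiguration visible. `PAM_TRY_AGAIN` also suggests a transient condition although this one is permanent for the build; it matches the existing branch just above, so changing it would need a look at the callers. The enclosing `if` and `_do_setpass` start outside this hunk.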
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index bddafd4b..cc350e58 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -83,7 +83,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
}
/* now parse the arguments to this module */
- while (argc-- > 0) {
+ for (; argc-- > 0; ++argv) {
int j;
D(("pam_unix arg: %s", *argv));
@@ -99,24 +99,37 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
pam_syslog(pamh, LOG_ERR,
"unrecognized option [%s]", *argv);
} else {
- ctrl &= unix_args[j].mask; /* for turning things off */
- ctrl |= unix_args[j].flag; /* for turning things on */
-
/* special cases */
- if (remember != NULL && j == UNIX_REMEMBER_PASSWD) {
+ if (j == UNIX_REMEMBER_PASSWD) {
+ if (remember == NULL) {
+ pam_syslog(pamh, LOG_ERR,
+ "option remember not allowed for this module type");
+ continue;
+ }
*remember = strtol(*argv + 9, NULL, 10);
if ((*remember == INT_MIN) || (*remember == INT_MAX))
*remember = -1;
if (*remember > 400)
*remember = 400;
- } else if (pass_min_len && j == UNIX_MIN_PASS_LEN) {
+ } else if (j == UNIX_MIN_PASS_LEN) {
+ if (pass_min_len == NULL) {
+ pam_syslog(pamh, LOG_ERR,
+ "option minlen not allowed for this module type");
+ continue;
+ }
*pass_min_len = atoi(*argv + 7);
- }
- if (rounds != NULL && j == UNIX_ALGO_ROUNDS)
+ } else if (j == UNIX_ALGO_ROUNDS) {
+ if (rounds == NULL) {
+ pam_syslog(pamh, LOG_ERR,
+ "option rounds not allowed for this module type");
+ continue;
+ }
*rounds = strtol(*argv + 7, NULL, 10);
- }
+ }
- ++argv; /* step to next argument */
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
}
if (UNIX_DES_CRYPT(ctrl)
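Review bot: `minlen=` is still parsed with `atoi(*argv + 7)`, so a non-numeric or negative value is accepted silently and can leave the minimum password length at zero or below. The same applies to the `strtol` results for `remember=` and `rounds=`, which are narrowed from long to int with no end-pointer check. Since this change already adds per-option error reporting, rejecting malformed values with the same log-and-`continue` pattern would fit. The sketch below shows it for `minlen` and assumes `errno` is available in support.c; whether later code clamps `rounds` is not visible in this hunk. `_set_ctrl` begins and ends outside the hunk.

```c
} else if (j == UNIX_MIN_PASS_LEN) {
	char *end;
	long val;

	/* ... unchanged: pass_min_len == NULL check ... */
	errno = 0;
	val = strtol(*argv + 7, &end, 10);
	if (end == *argv + 7 || *end != '\0' || errno == ERANGE
	    || val < 0 || val > INT_MAX) {
		/* refuse the option instead of silently weakening the policy */
		pam_syslog(pamh, LOG_ERR,
			   "invalid value for option [%s]", *argv);
		continue;
	}
	*pass_min_len = (int) val;
```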
@@ -132,7 +145,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
}
/* Set default rounds for blowfish */
- if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl)) {
+ if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
*rounds = 5;
set(UNIX_ALGO_ROUNDS, ctrl);
}
@@ -493,14 +506,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
if (passwd != NULL) { /* send the password to the child */
if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
- close(fds[1]);
retval = PAM_AUTH_ERR;
}
passwd = NULL;
} else { /* blank password */
if (write(fds[1], "", 1) == -1) {
pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
- close(fds[1]);
retval = PAM_AUTH_ERR;
}
}
diff --git a/modules/pam_unix/yppasswd_xdr.c b/modules/pam_unix/yppasswd_xdr.c
index 0b95b82b..f2b86a56 100644
--- a/modules/pam_unix/yppasswd_xdr.c
+++ b/modules/pam_unix/yppasswd_xdr.c
@@ -12,6 +12,8 @@
#include "config.h"
+#ifdef HAVE_RPC_RPC_H
+
#include <rpc/rpc.h>
#include "yppasswd.h"
@@ -34,3 +36,5 @@ xdr_yppasswd(XDR * xdrs, yppasswd * objp)
return xdr_string(xdrs, &objp->oldpass, ~0)
&& xdr_xpasswd(xdrs, &objp->newpw);
}
+
+#endif