diff options
Diffstat (limited to 'modules/pam_unix')
-rw-r--r-- | modules/pam_unix/Makefile.am | 9 | ||||
-rw-r--r-- | modules/pam_unix/md5.c | 2 | ||||
-rw-r--r-- | modules/pam_unix/pam_unix_passwd.c | 48 | ||||
-rw-r--r-- | modules/pam_unix/support.c | 37 | ||||
-rw-r--r-- | modules/pam_unix/yppasswd_xdr.c | 4 |
5 files changed, 64 insertions, 36 deletions
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index 44b37e94..ea5a7318 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -1,5 +1,5 @@ # -# Copyright (c) 2005, 2006, 2009 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2005, 2006, 2009, 2011 Thorsten Kukuk <kukuk@suse.de> # CLEANFILES = *~ @@ -18,7 +18,8 @@ secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \ - -DUPDATE_HELPER=\"$(sbindir)/unix_update\" + -DUPDATE_HELPER=\"$(sbindir)/unix_update\" \ + $(NIS_CFLAGS) if HAVE_LIBSELINUX AM_CFLAGS += -D"WITH_SELINUX" @@ -28,8 +29,8 @@ pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -pam_unix_la_LIBADD = @LIBNSL@ -L$(top_builddir)/libpam -lpam \ - @LIBCRYPT@ @LIBSELINUX@ +pam_unix_la_LIBADD = -L$(top_builddir)/libpam -lpam \ + @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) securelib_LTLIBRARIES = pam_unix.la diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c index 7ee9ed00..1c622ecd 100644 --- a/modules/pam_unix/md5.c +++ b/modules/pam_unix/md5.c @@ -148,7 +148,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); byteReverse((unsigned char *) ctx->buf, 4); memcpy(digest, ctx->buf, 16); - memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */ + memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ } #ifndef ASM_MD5 diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 320bc547..631df318 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -54,13 +54,6 @@ #include <ctype.h> #include <sys/time.h> #include <sys/stat.h> -#include <rpc/rpc.h> -#ifdef HAVE_RPCSVC_YP_PROT_H -#include <rpcsvc/yp_prot.h> -#endif -#ifdef HAVE_RPCSVC_YPCLNT_H -#include <rpcsvc/ypclnt.h> -#endif #include <signal.h> #include <errno.h> @@ -76,16 +69,33 @@ #include <security/pam_ext.h> #include <security/pam_modutil.h> -#include "yppasswd.h" #include "md5.h" #include "support.h" #include "passverify.h" #include "bigcrypt.h" -#if !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1)) +#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER +# define HAVE_NIS +#endif + +#ifdef HAVE_NIS +# include <rpc/rpc.h> + +# if HAVE_RPCSVC_YP_PROT_H +# include <rpcsvc/yp_prot.h> +# endif + +# if HAVE_RPCSVC_YPCLNT_H +# include <rpcsvc/ypclnt.h> +# endif + +# include "yppasswd.h" + +# if !HAVE_DECL_GETRPCPORT extern int getrpcport(const char *host, unsigned long prognum, unsigned long versnum, unsigned int proto); -#endif /* GNU libc 2.1 */ +# endif /* GNU libc 2.1 */ +#endif /* How it works: @@ -102,9 +112,9 @@ extern int getrpcport(const char *host, unsigned long prognum, #define MAX_PASSWD_TRIES 3 +#ifdef HAVE_NIS static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl) { -#if (defined(HAVE_YP_GET_DEFAULT_DOMAIN) || defined(HAVE_GETDOMAINNAME)) && defined(HAVE_YP_MASTER) char *master; char *domainname; int port, err; @@ -151,14 +161,8 @@ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl) master, port); } return master; -#else - if (on(UNIX_DEBUG, ctrl)) { - pam_syslog(pamh, LOG_DEBUG, "getNISserver: No NIS support available"); - } - - return NULL; -#endif } +#endif #ifdef WITH_SELINUX @@ -326,6 +330,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, } if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) { +#ifdef HAVE_NIS if ((master=getNISserver(pamh, ctrl)) != NULL) { struct timeval timeout; struct yppasswd yppwd; @@ -391,6 +396,13 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, } else { retval = PAM_TRY_AGAIN; } +#else + if (on(UNIX_DEBUG, ctrl)) { + pam_syslog(pamh, LOG_DEBUG, "No NIS support available"); + } + + retval = PAM_TRY_AGAIN; +#endif } if (_unix_comesfromsource(pamh, forwho, 1, 0)) { diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index bddafd4b..cc350e58 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -83,7 +83,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, } /* now parse the arguments to this module */ - while (argc-- > 0) { + for (; argc-- > 0; ++argv) { int j; D(("pam_unix arg: %s", *argv)); @@ -99,24 +99,37 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", *argv); } else { - ctrl &= unix_args[j].mask; /* for turning things off */ - ctrl |= unix_args[j].flag; /* for turning things on */ - /* special cases */ - if (remember != NULL && j == UNIX_REMEMBER_PASSWD) { + if (j == UNIX_REMEMBER_PASSWD) { + if (remember == NULL) { + pam_syslog(pamh, LOG_ERR, + "option remember not allowed for this module type"); + continue; + } *remember = strtol(*argv + 9, NULL, 10); if ((*remember == INT_MIN) || (*remember == INT_MAX)) *remember = -1; if (*remember > 400) *remember = 400; - } else if (pass_min_len && j == UNIX_MIN_PASS_LEN) { + } else if (j == UNIX_MIN_PASS_LEN) { + if (pass_min_len == NULL) { + pam_syslog(pamh, LOG_ERR, + "option minlen not allowed for this module type"); + continue; + } *pass_min_len = atoi(*argv + 7); - } - if (rounds != NULL && j == UNIX_ALGO_ROUNDS) + } else if (j == UNIX_ALGO_ROUNDS) { + if (rounds == NULL) { + pam_syslog(pamh, LOG_ERR, + "option rounds not allowed for this module type"); + continue; + } *rounds = strtol(*argv + 7, NULL, 10); - } + } - ++argv; /* step to next argument */ + ctrl &= unix_args[j].mask; /* for turning things off */ + ctrl |= unix_args[j].flag; /* for turning things on */ + } } if (UNIX_DES_CRYPT(ctrl) @@ -132,7 +145,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, } /* Set default rounds for blowfish */ - if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl)) { + if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) { *rounds = 5; set(UNIX_ALGO_ROUNDS, ctrl); } @@ -493,14 +506,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, if (passwd != NULL) { /* send the password to the child */ if (write(fds[1], passwd, strlen(passwd)+1) == -1) { pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); - close(fds[1]); retval = PAM_AUTH_ERR; } passwd = NULL; } else { /* blank password */ if (write(fds[1], "", 1) == -1) { pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); - close(fds[1]); retval = PAM_AUTH_ERR; } } diff --git a/modules/pam_unix/yppasswd_xdr.c b/modules/pam_unix/yppasswd_xdr.c index 0b95b82b..f2b86a56 100644 --- a/modules/pam_unix/yppasswd_xdr.c +++ b/modules/pam_unix/yppasswd_xdr.c @@ -12,6 +12,8 @@ #include "config.h" +#ifdef HAVE_RPC_RPC_H + #include <rpc/rpc.h> #include "yppasswd.h" @@ -34,3 +36,5 @@ xdr_yppasswd(XDR * xdrs, yppasswd * objp) return xdr_string(xdrs, &objp->oldpass, ~0) && xdr_xpasswd(xdrs, &objp->newpw); } + +#endif |