From b52bd25910c9a8a32a49be7627a709a081a3768c Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Sat, 16 May 2020 08:00:00 +0000
Subject: modules: do not check user name for emptyness before passing it to pam_modutil_getpwnam

pam_modutil_getpwnam is perfectly capable of handling empty strings as user names, no need to double check that.
* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check the user name for emptyness before passing it to pam_modutil_getpwnam.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
* modules/pam_shells/pam_shells.c (perform_check): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
---
 modules/pam_access/pam_access.c | 3 +--
 modules/pam_lastlog/pam_lastlog.c | 2 +-
 modules/pam_pwhistory/pam_pwhistory.c | 9 ---------
 modules/pam_shells/pam_shells.c | 12 ------------
 modules/pam_tally/pam_tally.c | 10 +++++-----
 modules/pam_tally2/pam_tally2.c | 10 +++++-----
 modules/pam_umask/pam_umask.c | 6 ------
 7 files changed, 12 insertions(+), 40 deletions(-)
(limited to 'modules')
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index b0289a3a..8d6cfe7e 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -819,8 +819,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
 /* set username */
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS
- || *user == '\0') {
+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
 pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
 return PAM_USER_UNKNOWN;
 }
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 3e27b3ed..e244cb71 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
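Review bot: With `|| *user == '\0'` gone from pam_sm_authenticate in pam_access.c, an empty user name is no longer rejected at this check, and the module now relies on a later pam_modutil_getpwnam lookup, which is outside this hunk, to fail closed; the same holds for the pam_lastlog.c hunk. Nothing on the visible lines tells a reader that, so I would add a comment above the check such as `/* an empty name is rejected by the pam_modutil_getpwnam lookup below */`. It is also worth confirming that no code between this check and that lookup uses `user` for logging or matching in a way that assumes it is non-empty. Both functions continue outside their hunks.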
@@ -669,7 +669,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 /* which user? */
- if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || *user == '\0') {
+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
 pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
 return PAM_USER_UNKNOWN;
 }
diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
index 9b44cd87..cf4fc078 100644
--- a/modules/pam_pwhistory/pam_pwhistory.c
+++ b/modules/pam_pwhistory/pam_pwhistory.c
@@ -139,15 +139,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
 if (retval != PAM_SUCCESS)
 return retval;
- if (strlen (user) == 0)
- {
- if (options.debug)
- pam_syslog (pamh, LOG_DEBUG,
- "User is not known to system");
-
- return PAM_USER_UNKNOWN;
- }
-
 if (flags & PAM_PRELIM_CHECK)
 {
 if (options.debug)
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index 9e15a566..dc8f4878 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -40,18 +40,6 @@ static int perform_check(pam_handle_t *pamh)
 return PAM_SERVICE_ERR;
 }
- if (userName[0] == '\0') {
-
- /* Don't let them use a NULL username... */
- retval = pam_get_user(pamh,&userName,NULL);
- if (retval != PAM_SUCCESS)
- return PAM_SERVICE_ERR;
-
- /* It could still be NULL the second time. */
- if (userName[0] == '\0')
- return PAM_SERVICE_ERR;
- }
-
 pw = pam_modutil_getpwnam(pamh, userName);
 if (pw == NULL || pw->pw_shell == NULL) {
 return PAM_AUTH_ERR; /* user doesn't exist */
diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c
index 08b5ace2..f0a28bba 100644
--- a/modules/pam_tally/pam_tally.c
+++ b/modules/pam_tally/pam_tally.c
@@ -227,6 +227,11 @@ pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_opt
 #ifdef MAIN
 user = cline_user;
+
+ if ( !user ) {
+ pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?");
+ return PAM_AUTH_ERR;
+ }
 #else
 if ((pam_get_user( pamh, &user, NULL )) != PAM_SUCCESS) {
 pam_syslog(pamh, LOG_ERR, "pam_get_user; user?");
@@ -234,11 +239,6 @@ pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_opt
 }
 #endif
- if ( !user || !*user ) {
- pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?");
- return PAM_AUTH_ERR;
- }
-
 if ( ! ( pw = pam_modutil_getpwnam( pamh, user ) ) ) {
 opts->ctrl & OPT_AUDIT ?
 pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user %s", user) :
diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
index 8c171b68..ff90af7d 100644
--- a/modules/pam_tally2/pam_tally2.c
+++ b/modules/pam_tally2/pam_tally2.c
@@ -260,17 +260,17 @@ pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_opt
 #ifdef MAIN
 user = cline_user;
+
+ if ( !user ) {
+ pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?");
+ return PAM_AUTH_ERR;
+ }
 #else
 if ((pam_get_user( pamh, &user, NULL )) != PAM_SUCCESS) {
 user = NULL;
 }
 #endif
- if ( !user || !*user ) {
- pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?");
- return PAM_AUTH_ERR;
- }
-
 if ( ! ( pw = pam_modutil_getpwnam( pamh, user ) ) ) {
 opts->ctrl & OPT_AUDIT ?
 pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user %s", user) :
diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c
index e17d0fc1..3cfe5538 100644
--- a/modules/pam_umask/pam_umask.c
+++ b/modules/pam_umask/pam_umask.c
@@ -205,12 +205,6 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 return (retval == PAM_CONV_AGAIN ? PAM_INCOMPLETE:retval);
 }
- if (name[0] == '\0')
- {
- pam_syslog (pamh, LOG_NOTICE, "bad username [%s]", name);
- return PAM_USER_UNKNOWN;
- }
-
 pw = pam_modutil_getpwnam (pamh, name);
 if (pw == NULL)
 {
-- cgit v1.2.3
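Review bot: In the pam_tally2.c hunk, the non-MAIN branch of pam_get_uid still sets `user = NULL` when pam_get_user() fails, but the `!user` check that used to follow `#endif` now exists only inside `#ifdef MAIN`, so the module build goes on to call `pam_modutil_getpwnam( pamh, user )` with a null pointer. The commit message only claims that pam_modutil_getpwnam handles empty strings; whether it tolerates NULL is not visible here, and if the lookup returns NULL the OPT_AUDIT path passes the same null pointer to a `%s` in pam_syslog. The `#else` branch should fail on the spot instead of clearing the pointer, e.g. replace `user = NULL;` with `pam_syslog(pamh, LOG_ERR, "pam_get_user; user?");` followed by `return PAM_AUTH_ERR;`, which is the shape the pam_tally.c branch appears to have. pam_get_uid starts and ends outside the hunk.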