]> granicus.if.org Git - linux-pam/blobdiff - modules/pam_unix/pam_unix_passwd.c
projects / linux-pam / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Relevant BUGIDs:
[linux-pam] / modules / pam_unix / pam_unix_passwd.c
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 838eb0a7d863df0ff03a6dbf3b7fa3ae981810d0..099888166fafab74e7314cb7c66e3a5098e93bbd 100644 (file)
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -78,12 +78,8 @@ static security_context_t prev_context=NULL;
 #define PAM_SM_PASSWORD
 
 #include <security/pam_modules.h>
-
-#ifndef LINUX_PAM
-#include <security/pam_appl.h>
-#endif                         /* LINUX_PAM */
-
-#include <security/_pam_modutil.h>
+#include <security/pam_ext.h>
+#include <security/pam_modutil.h>
 
 #include "yppasswd.h"
 #include "md5.h"
@@ -197,24 +193,24 @@ static char *getNISserver(pam_handle_t *pamh)
        int port, err;
 
        if ((err = yp_get_default_domain(&domainname)) != 0) {
-               _log_err(LOG_WARNING, pamh, "can't get local yp domain: %s\n",
+               pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s",
                         yperr_string(err));
                return NULL;
        }
        if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
-               _log_err(LOG_WARNING, pamh, "can't find the master ypserver: %s\n",
+               pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s",
                         yperr_string(err));
                return NULL;
        }
        port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
        if (port == 0) {
-               _log_err(LOG_WARNING, pamh,
-                        "yppasswdd not running on NIS master host\n");
+               pam_syslog(pamh, LOG_WARNING,
+                        "yppasswdd not running on NIS master host");
                return NULL;
        }
        if (port >= IPPORT_RESERVED) {
-               _log_err(LOG_WARNING, pamh,
-                        "yppasswd daemon running on illegal port.\n");
+               pam_syslog(pamh, LOG_WARNING,
+                        "yppasswd daemon running on illegal port");
                return NULL;
        }
        return master;
@@ -267,6 +263,13 @@ static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const
                   close(i);
          }
        }
+
+        if (SELINUX_ENABLED && geteuid() == 0) {
+          /* must set the real uid to 0 so the helper will not error
+             out if pam is called from setuid binary (su, sudo...) */
+          setuid(0);
+        }
+
        /* exec binary helper */
        args[0] = x_strdup(CHKPWD_HELPER);
        args[1] = x_strdup(user);
@@ -282,20 +285,20 @@ static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const
        /* if the stored password is NULL */
         int rc=0;
        if (fromwhat)
-         _pammodutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
+         pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
        else
-         _pammodutil_write(fds[1], "", 1);
+         pam_modutil_write(fds[1], "", 1);
        if (towhat) {
-         _pammodutil_write(fds[1], towhat, strlen(towhat)+1);
+         pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
        }
        else
-         _pammodutil_write(fds[1], "", 1);
+         pam_modutil_write(fds[1], "", 1);
 
        close(fds[0]);       /* close here to avoid possible SIGPIPE above */
        close(fds[1]);
        rc=waitpid(child, &retval, 0);  /* wait for helper to complete */
        if (rc<0) {
-         _log_err(LOG_ERR, pamh, "unix_chkpwd waitpid returned %d: %s", rc, strerror(errno));
+         pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc);
          retval = PAM_AUTH_ERR;
        } else {
          retval = WEXITSTATUS(retval);
@@ -463,7 +466,7 @@ static int save_old_password(pam_handle_t *pamh,
     fclose(opwfile);
 
     if (!found) {
-       pwd = _pammodutil_getpwnam(pamh, forwho);
+       pwd = pam_modutil_getpwnam(pamh, forwho);
        if (pwd == NULL) {
            err = 1;
        } else {
@@ -598,7 +601,7 @@ static int _update_passwd(pam_handle_t *pamh,
 done:
     if (!err) {
        if (!rename(PW_TMPFILE, "/etc/passwd"))
-           _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho);
+           pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho);
        else
            err = 1;
     }
@@ -714,7 +717,7 @@ static int _update_shadow(pam_handle_t *pamh, const char *forwho, char *towhat)
  done:
     if (!err) {
        if (!rename(SH_TMPFILE, "/etc/shadow"))
-           _log_err(LOG_NOTICE, pamh, "password changed for %s", forwho);
+           pam_syslog(pamh, LOG_NOTICE, "password changed for %s", forwho);
        else
            err = 1;
     }
@@ -808,7 +811,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
                }
                D(("The password has%s been changed on %s.",
                   (err || status) ? " not" : "", master));
-               _log_err(LOG_NOTICE, pamh, "password%s changed for %s on %s",
+               pam_syslog(pamh, LOG_NOTICE, "password%s changed for %s on %s",
                         (err || status) ? " not" : "", pwd->pw_name, master);
 
                auth_destroy(clnt->cl_auth);
@@ -920,10 +923,22 @@ static int _unix_verify_shadow(pam_handle_t *pamh, const char *user, unsigned in
                if (off(UNIX__IAMROOT, ctrl)) {
                        /* Get the current number of days since 1970 */
                        curdays = time(NULL) / (60 * 60 * 24);
-                       if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
-                           && (spwdent->sp_min != -1))
+                       if (curdays < spwdent->sp_lstchg) {
+                               pam_syslog(pamh, LOG_DEBUG,
+                                       "account %s has password changed in future",
+                                       user);
+                               curdays = spwdent->sp_lstchg;
+                       }
+                       if ((curdays - spwdent->sp_lstchg < spwdent->sp_min)
+                                && (spwdent->sp_min != -1))
+                               /*
+                                * The last password change was too recent.
+                                */
                                retval = PAM_AUTHTOK_ERR;
-                       else if ((curdays > (spwdent->sp_lstchg + spwdent->sp_max + spwdent->sp_inact))
+                       else if ((curdays - spwdent->sp_lstchg > spwdent->sp_max)
+                                && (curdays - spwdent->sp_lstchg > spwdent->sp_inact)
+                                && (curdays - spwdent->sp_lstchg >
+                                    spwdent->sp_max + spwdent->sp_inact)
                                 && (spwdent->sp_max != -1) && (spwdent->sp_inact != -1)
                                 && (spwdent->sp_lstchg != 0))
                                /*
@@ -956,7 +971,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
 
        if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) {
                if (on(UNIX_DEBUG, ctrl)) {
-                       _log_err(LOG_DEBUG, pamh, "bad authentication token");
+                       pam_syslog(pamh, LOG_DEBUG, "bad authentication token");
                }
                _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
                        _("No password supplied") : _("Password unchanged"));
@@ -970,7 +985,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
        retval = pam_get_item(pamh, PAM_USER, &user);
        if (retval != PAM_SUCCESS) {
                if (on(UNIX_DEBUG, ctrl)) {
-                       _log_err(LOG_ERR, pamh, "Can not get username");
+                       pam_syslog(pamh, LOG_ERR, "Can not get username");
                        return PAM_AUTHTOK_ERR;
                }
        }
@@ -987,7 +1002,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
                        if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
                          remark = _("Password has been already used. Choose another.");
                        if (retval == PAM_ABORT) {
-                               _log_err(LOG_ERR, pamh, "can't open %s file to check old passwords",
+                               pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
                                        OLD_PASSWORDS_FILE);
                                return retval;
                        }
@@ -1029,15 +1044,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                 * alphanumeric character.
                 */
                if (user == NULL || !isalnum(*user)) {
-                       _log_err(LOG_ERR, pamh, "bad username [%s]", user);
+                       pam_syslog(pamh, LOG_ERR, "bad username [%s]", user);
                        return PAM_USER_UNKNOWN;
                }
                if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
-                       _log_err(LOG_DEBUG, pamh, "username [%s] obtained",
+                       pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained",
                                 user);
        } else {
                if (on(UNIX_DEBUG, ctrl))
-                       _log_err(LOG_DEBUG, pamh,
+                       pam_syslog(pamh, LOG_DEBUG,
                                 "password - could not identify user");
                return retval;
        }
@@ -1051,23 +1066,23 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
         * getpwnam() doesn't tell you *where* the information it gives you
         * came from, nor should it.  That's our job.
         */
-       if (_unix_comesfromsource(pamh, user, 1, 1) == 0) {
-               _log_err(LOG_DEBUG, pamh,
-                        "user \"%s\" does not exist in /etc/passwd or NIS",
-                        user);
+       if (_unix_comesfromsource(pamh, user, 1, on(UNIX_NIS, ctrl)) == 0) {
+               pam_syslog(pamh, LOG_DEBUG,
+                        "user \"%s\" does not exist in /etc/passwd%s",
+                        user, on(UNIX_NIS, ctrl) ? " or NIS" : "");
                return PAM_USER_UNKNOWN;
        } else {
                struct passwd *pwd;
                _unix_getpwnam(pamh, user, 1, 1, &pwd);
                if (pwd == NULL) {
-                       _log_err(LOG_DEBUG, pamh,
+                       pam_syslog(pamh, LOG_DEBUG,
                                "user \"%s\" has corrupted passwd entry",
                                user);
                        return PAM_USER_UNKNOWN;
                }
                if (!_unix_shadowed(pwd) &&
                    (strchr(pwd->pw_passwd, '*') != NULL)) {
-                       _log_err(LOG_DEBUG, pamh,
+                       pam_syslog(pamh, LOG_DEBUG,
                                "user \"%s\" does not have modifiable password",
                                user);
                        return PAM_USER_UNKNOWN;
@@ -1097,7 +1112,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 #define greeting "Changing password for "
                        Announce = (char *) malloc(sizeof(greeting) + strlen(user));
                        if (Announce == NULL) {
-                               _log_err(LOG_CRIT, pamh,
+                               pam_syslog(pamh, LOG_CRIT,
                                         "password - out of memory");
                                return PAM_BUF_ERR;
                        }
@@ -1109,15 +1124,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                        set(UNIX__OLD_PASSWD, lctrl);
                        retval = _unix_read_password(pamh, lctrl
                                                     ,Announce
-                                            ,"(current) UNIX password: "
+                                            ,_("(current) UNIX password: ")
                                                     ,NULL
                                                     ,_UNIX_OLD_AUTHTOK
                                             ,&pass_old);
                        free(Announce);
 
                        if (retval != PAM_SUCCESS) {
-                               _log_err(LOG_NOTICE, pamh
-                                ,"password - (old) token not obtained");
+                               pam_syslog(pamh, LOG_NOTICE,
+                                   "password - (old) token not obtained");
                                return retval;
                        }
                        /* verify that this is the password for this user */
@@ -1137,7 +1152,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
                pass_old = NULL;
                if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_CRIT, pamh,
+                       pam_syslog(pamh, LOG_CRIT,
                                 "failed to set PAM_OLDAUTHTOK");
                }
                retval = _unix_verify_shadow(pamh,user, ctrl);
@@ -1183,7 +1198,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                D(("pass_old [%s]", pass_old));
 
                if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_NOTICE, pamh, "user not authenticated");
+                       pam_syslog(pamh, LOG_NOTICE, "user not authenticated");
                        return retval;
                }
 
@@ -1204,15 +1219,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
                        retval = _unix_read_password(pamh, lctrl
                                                     ,NULL
-                                            ,"Enter new UNIX password: "
-                                           ,"Retype new UNIX password: "
+                                            ,_("Enter new UNIX password: ")
+                                           ,_("Retype new UNIX password: ")
                                                     ,_UNIX_NEW_AUTHTOK
                                             ,&pass_new);
 
                        if (retval != PAM_SUCCESS) {
                                if (on(UNIX_DEBUG, ctrl)) {
-                                       _log_err(LOG_ALERT, pamh
-                                                ,"password - new password not obtained");
+                                       pam_syslog(pamh, LOG_ALERT,
+                                                "password - new password not obtained");
                                }
                                pass_old = NULL;        /* tidy up */
                                return retval;
@@ -1232,7 +1247,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                }
 
                if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_NOTICE, pamh,
+                       pam_syslog(pamh, LOG_NOTICE,
                                 "new password not acceptable");
                        pass_new = pass_old = NULL;     /* tidy up */
                        return retval;
@@ -1257,7 +1272,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                if (pass_old) {
                        retval = _unix_verify_password(pamh, user, pass_old, ctrl);
                        if (retval != PAM_SUCCESS) {
-                               _log_err(LOG_NOTICE, pamh, "user password changed by another process");
+                               pam_syslog(pamh, LOG_NOTICE, "user password changed by another process");
 #ifdef USE_LCKPWDF
                                ulckpwdf();
 #endif
@@ -1267,7 +1282,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
                retval = _unix_verify_shadow(pamh, user, ctrl);
                if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_NOTICE, pamh, "user not authenticated 2");
+                       pam_syslog(pamh, LOG_NOTICE, "user not authenticated 2");
 #ifdef USE_LCKPWDF
                        ulckpwdf();
 #endif
@@ -1276,7 +1291,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
                retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
                if (retval != PAM_SUCCESS) {
-                       _log_err(LOG_NOTICE, pamh,
+                       pam_syslog(pamh, LOG_NOTICE,
                                 "new password not acceptable 2");
                        pass_new = pass_old = NULL;     /* tidy up */
 #ifdef USE_LCKPWDF
@@ -1320,7 +1335,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                                char *temp = malloc(9);
 
                                if (temp == NULL) {
-                                       _log_err(LOG_CRIT, pamh,
+                                       pam_syslog(pamh, LOG_CRIT,
                                                 "out of memory for password");
                                        pass_new = pass_old = NULL;     /* tidy up */
 #ifdef USE_LCKPWDF
@@ -1352,7 +1367,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                _pam_delete(tpass);
                pass_old = pass_new = NULL;
        } else {                /* something has broken with the module */
-               _log_err(LOG_ALERT, pamh,
+               pam_syslog(pamh, LOG_ALERT,
                         "password received unknown request");
                retval = PAM_ABORT;
        }
Unnamed repository; edit this file 'description' to name the repository.