/*
* Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
* Copyright (C) 1996.
- * Copyright (c) Jan Rêkorajski, 1999.
+ * Copyright (c) Jan Rêkorajski, 1999.
* Copyright (c) Red Hat, Inc., 2007, 2008.
*
* Redistribution and use in source and binary forms, with or without
#include <ctype.h>
#include <sys/time.h>
#include <sys/stat.h>
-#include <rpc/rpc.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
#include <signal.h>
#include <errno.h>
#include <sys/wait.h>
-#ifdef WITH_SELINUX
-static int selinux_enabled=-1;
-#include <selinux/selinux.h>
-#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0))
-#endif
+#include <sys/resource.h>
#include <security/_pam_macros.h>
#include <security/pam_ext.h>
#include <security/pam_modutil.h>
-#include "yppasswd.h"
#include "md5.h"
#include "support.h"
#include "passverify.h"
#include "bigcrypt.h"
-#if !((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1))
+#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
+# define HAVE_NIS
+#endif
+
+#ifdef HAVE_NIS
+# include <rpc/rpc.h>
+
+# if HAVE_RPCSVC_YP_PROT_H
+# include <rpcsvc/yp_prot.h>
+# endif
+
+# if HAVE_RPCSVC_YPCLNT_H
+# include <rpcsvc/ypclnt.h>
+# endif
+
+# include "yppasswd.h"
+
+# if !HAVE_DECL_GETRPCPORT &&!HAVE_RPCB_GETADDR
extern int getrpcport(const char *host, unsigned long prognum,
unsigned long versnum, unsigned int proto);
-#endif /* GNU libc 2.1 */
+# endif /* GNU libc 2.1 */
+#endif
/*
How it works:
Sets it.
*/
-/* data tokens */
+#define MAX_PASSWD_TRIES 3
-#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS"
-#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS"
+#ifdef HAVE_NIS
+#ifdef HAVE_RPCB_GETADDR
+static unsigned short
+__taddr2port (const struct netconfig *nconf, const struct netbuf *nbuf)
+{
+ unsigned short port = 0;
+ struct __rpc_sockinfo si;
+ struct sockaddr_in *sin;
+ struct sockaddr_in6 *sin6;
+ if (!__rpc_nconf2sockinfo(nconf, &si))
+ return 0;
+
+ switch (si.si_af)
+ {
+ case AF_INET:
+ sin = nbuf->buf;
+ port = sin->sin_port;
+ break;
+ case AF_INET6:
+ sin6 = nbuf->buf;
+ port = sin6->sin6_port;
+ break;
+ default:
+ break;
+ }
-#define MAX_PASSWD_TRIES 3
+ return htons (port);
+}
+#endif
-static char *getNISserver(pam_handle_t *pamh)
+static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
{
char *master;
char *domainname;
int port, err;
+#if defined(HAVE_RPCB_GETADDR)
+ struct netconfig *nconf;
+ struct netbuf svcaddr;
+ char addrbuf[INET6_ADDRSTRLEN];
+ void *handle;
+ int found;
+#endif
+
+#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
if ((err = yp_get_default_domain(&domainname)) != 0) {
pam_syslog(pamh, LOG_WARNING, "can't get local yp domain: %s",
yperr_string(err));
return NULL;
}
+#elif defined(HAVE_GETDOMAINNAME)
+ char domainname_res[256];
+
+ if (getdomainname (domainname_res, sizeof (domainname_res)) == 0)
+ {
+ if (strcmp (domainname_res, "(none)") == 0)
+ {
+ /* If domainname is not set, some systems will return "(none)" */
+ domainname_res[0] = '\0';
+ }
+ domainname = domainname_res;
+ }
+ else domainname = NULL;
+#endif
+
if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
pam_syslog(pamh, LOG_WARNING, "can't find the master ypserver: %s",
yperr_string(err));
return NULL;
}
+#ifdef HAVE_RPCB_GETADDR
+ svcaddr.len = 0;
+ svcaddr.maxlen = sizeof (addrbuf);
+ svcaddr.buf = addrbuf;
+ port = 0;
+ found = 0;
+
+ handle = setnetconfig();
+ while ((nconf = getnetconfig(handle)) != NULL) {
+ if (!strcmp(nconf->nc_proto, "udp")) {
+ if (rpcb_getaddr(YPPASSWDPROG, YPPASSWDPROC_UPDATE,
+ nconf, &svcaddr, master)) {
+ port = __taddr2port (nconf, &svcaddr);
+ endnetconfig (handle);
+ found=1;
+ break;
+ }
+
+ if (rpc_createerr.cf_stat != RPC_UNKNOWNHOST) {
+ clnt_pcreateerror (master);
+ pam_syslog (pamh, LOG_ERR,
+ "rpcb_getaddr (%s) failed!", master);
+ return NULL;
+ }
+ }
+ }
+
+ if (!found) {
+ pam_syslog (pamh, LOG_ERR,
+ "Cannot find suitable transport for protocol 'udp'");
+ return NULL;
+ }
+#else
port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
+#endif
if (port == 0) {
pam_syslog(pamh, LOG_WARNING,
"yppasswdd not running on NIS master host");
"yppasswd daemon running on illegal port");
return NULL;
}
+ if (on(UNIX_DEBUG, ctrl)) {
+ pam_syslog(pamh, LOG_DEBUG, "Use NIS server on %s with port %d",
+ master, port);
+ }
return master;
}
+#endif
#ifdef WITH_SELINUX
const char *fromwhat, const char *towhat, int remember)
{
int retval, child, fds[2];
- void (*sighandler)(int) = NULL;
+ struct sigaction newsa, oldsa;
D(("called."));
/* create a pipe for the password */
* The "noreap" module argument is provided so that the admin can
* override this behavior.
*/
- sighandler = signal(SIGCHLD, SIG_DFL);
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ sigaction(SIGCHLD, &newsa, &oldsa);
}
/* fork */
child = fork();
if (child == 0) {
- int i=0;
- struct rlimit rlim;
static char *envp[] = { NULL };
- char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
+ const char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
char buffer[16];
/* XXX - should really tidy up PAM here too */
/* reopen stdin as pipe */
- dup2(fds[0], STDIN_FILENO);
-
- if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- if (rlim.rlim_max >= MAX_FD_NO)
- rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
- if (i != STDIN_FILENO)
- close(i);
- }
+ if (dup2(fds[0], STDIN_FILENO) != STDIN_FILENO) {
+ pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", "stdin");
+ _exit(PAM_AUTHINFO_UNAVAIL);
}
- if (SELINUX_ENABLED && geteuid() == 0) {
- /* must set the real uid to 0 so the helper will not error
- out if pam is called from setuid binary (su, sudo...) */
- setuid(0);
- }
+ if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_IGNORE_FD,
+ PAM_MODUTIL_PIPE_FD,
+ PAM_MODUTIL_PIPE_FD) < 0) {
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
/* exec binary helper */
- args[0] = x_strdup(UPDATE_HELPER);
- args[1] = x_strdup(user);
- args[2] = x_strdup("update");
+ args[0] = UPDATE_HELPER;
+ args[1] = user;
+ args[2] = "update";
if (on(UNIX_SHADOW, ctrl))
- args[3] = x_strdup("1");
+ args[3] = "1";
else
- args[3] = x_strdup("0");
+ args[3] = "0";
snprintf(buffer, sizeof(buffer), "%d", remember);
- args[4] = x_strdup(buffer);
-
- execve(UPDATE_HELPER, args, envp);
+ args[4] = buffer;
+
+ execve(UPDATE_HELPER, (char *const *) args, envp);
/* should not get here: exit with error */
D(("helper binary is not available"));
- exit(PAM_AUTHINFO_UNAVAIL);
+ _exit(PAM_AUTHINFO_UNAVAIL);
} else if (child > 0) {
/* wait for child */
/* if the stored password is NULL */
int rc=0;
- if (fromwhat)
- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
- else
- pam_modutil_write(fds[1], "", 1);
- if (towhat) {
- pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
+ if (fromwhat) {
+ int len = strlen(fromwhat);
+
+ if (len > PAM_MAX_RESP_SIZE)
+ len = PAM_MAX_RESP_SIZE;
+ pam_modutil_write(fds[1], fromwhat, len);
}
- else
- pam_modutil_write(fds[1], "", 1);
+ pam_modutil_write(fds[1], "", 1);
+ if (towhat) {
+ int len = strlen(towhat);
+
+ if (len > PAM_MAX_RESP_SIZE)
+ len = PAM_MAX_RESP_SIZE;
+ pam_modutil_write(fds[1], towhat, len);
+ }
+ pam_modutil_write(fds[1], "", 1);
close(fds[0]); /* close here to avoid possible SIGPIPE above */
close(fds[1]);
- rc=waitpid(child, &retval, 0); /* wait for helper to complete */
+ /* wait for helper to complete: */
+ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
if (rc<0) {
pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m");
- retval = PAM_AUTH_ERR;
- } else {
+ retval = PAM_AUTHTOK_ERR;
+ } else if (!WIFEXITED(retval)) {
+ pam_syslog(pamh, LOG_ERR, "unix_update abnormal exit: %d", retval);
+ retval = PAM_AUTHTOK_ERR;
+ } else {
retval = WEXITSTATUS(retval);
}
} else {
D(("fork failed"));
close(fds[0]);
- close(fds[1]);
+ close(fds[1]);
retval = PAM_AUTH_ERR;
}
- if (sighandler != SIG_ERR) {
- (void) signal(SIGCHLD, sighandler); /* restore old signal handler */
+ if (off(UNIX_NOREAP, ctrl)) {
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
}
return retval;
char *s_luser, *s_uid, *s_npas, *s_pas;
int retval = PAM_SUCCESS;
FILE *opwfile;
+ size_t len = strlen(forwho);
opwfile = fopen(OLD_PASSWORDS_FILE, "r");
if (opwfile == NULL)
return PAM_ABORT;
while (fgets(buf, 16380, opwfile)) {
- if (!strncmp(buf, forwho, strlen(forwho))) {
+ if (!strncmp(buf, forwho, len) && (buf[len] == ':' ||
+ buf[len] == ',')) {
char *sptr;
buf[strlen(buf) - 1] = '\0';
s_luser = strtok_r(buf, ":,", &sptr);
s_pas = strtok_r(NULL, ":,", &sptr);
while (s_pas != NULL) {
char *md5pass = Goodcrypt_md5(newpass, s_pas);
- if (!strcmp(md5pass, s_pas)) {
+ if (md5pass == NULL || !strcmp(md5pass, s_pas)) {
_pam_delete(md5pass);
retval = PAM_AUTHTOK_ERR;
break;
}
if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
- if ((master=getNISserver(pamh)) != NULL) {
+#ifdef HAVE_NIS
+ if ((master=getNISserver(pamh, ctrl)) != NULL) {
struct timeval timeout;
struct yppasswd yppwd;
CLIENT *clnt;
_("NIS password could not be changed."));
retval = PAM_TRY_AGAIN;
}
-#ifdef DEBUG
+#ifdef PAM_DEBUG
sleep(5);
#endif
} else {
retval = PAM_TRY_AGAIN;
}
+#else
+ if (on(UNIX_DEBUG, ctrl)) {
+ pam_syslog(pamh, LOG_DEBUG, "No NIS support available");
+ }
+
+ retval = PAM_TRY_AGAIN;
+#endif
}
if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
static int _pam_unix_approve_pass(pam_handle_t * pamh
,unsigned int ctrl
,const char *pass_old
- ,const char *pass_new)
+ ,const char *pass_new,
+ int pass_min_len)
{
const void *user;
const char *remark = NULL;
pam_syslog(pamh, LOG_DEBUG, "bad authentication token");
}
_make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
- _("No password supplied") : _("Password unchanged"));
+ _("No password has been supplied.") :
+ _("The password has not been changed."));
return PAM_AUTHTOK_ERR;
}
/*
}
}
if (off(UNIX__IAMROOT, ctrl)) {
- if (strlen(pass_new) < 6)
- remark = _("You must choose a longer password");
+ if (strlen(pass_new) < pass_min_len)
+ remark = _("You must choose a longer password.");
D(("length check [%s]", remark));
if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
return retval;
}
-
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
- int argc, const char **argv)
+int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
unsigned int ctrl, lctrl;
int retval;
int remember = -1;
int rounds = -1;
+ int pass_min_len = 0;
/* <DO NOT free() THESE> */
const char *user;
- const void *pass_old, *pass_new;
+ const void *item;
+ const char *pass_old, *pass_new;
/* </DO NOT free() THESE> */
D(("called."));
- ctrl = _set_ctrl(pamh, flags, &remember, &rounds, argc, argv);
+ ctrl = _set_ctrl(pamh, flags, &remember, &rounds, &pass_min_len,
+ argc, argv);
/*
* First get the name of a user
* obtain and verify the current password (OLDAUTHTOK) for
* the user.
*/
- char *Announce;
-
D(("prelim check"));
if (_unix_blankpasswd(pamh, ctrl, user)) {
return PAM_SUCCESS;
- } else if (off(UNIX__IAMROOT, ctrl)) {
+ } else if (off(UNIX__IAMROOT, ctrl) ||
+ (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
/* instruct user what is happening */
- if (asprintf(&Announce, _("Changing password for %s."),
- user) < 0) {
- pam_syslog(pamh, LOG_CRIT,
- "password - out of memory");
- return PAM_BUF_ERR;
+ if (off(UNIX__QUIET, ctrl)) {
+ retval = pam_info(pamh, _("Changing password for %s."), user);
+ if (retval != PAM_SUCCESS)
+ return retval;
}
-
- lctrl = ctrl;
- set(UNIX__OLD_PASSWD, lctrl);
- retval = _unix_read_password(pamh, lctrl
- ,Announce
- ,_("(current) UNIX password: ")
- ,NULL
- ,_UNIX_OLD_AUTHTOK
- ,&pass_old);
- free(Announce);
+ retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL);
if (retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_NOTICE,
pass_old = NULL;
return retval;
}
- retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
pass_old = NULL;
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_CRIT,
- "failed to set PAM_OLDAUTHTOK");
- }
retval = _unix_verify_shadow(pamh,user, ctrl);
if (retval == PAM_AUTHTOK_ERR) {
if (off(UNIX__IAMROOT, ctrl))
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
- _("You must wait longer to change your password"));
+ _("You must wait longer to change your password."));
else
retval = PAM_SUCCESS;
}
* previous call to this function].
*/
- if (off(UNIX_NOT_SET_PASS, ctrl)) {
- retval = pam_get_item(pamh, PAM_OLDAUTHTOK
- ,&pass_old);
- } else {
- retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK
- ,&pass_old);
- if (retval == PAM_NO_MODULE_DATA) {
- retval = PAM_SUCCESS;
- pass_old = NULL;
- }
- }
- D(("pass_old [%s]", pass_old));
+ retval = pam_get_item(pamh, PAM_OLDAUTHTOK, &item);
if (retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_NOTICE, "user not authenticated");
return retval;
}
+ pass_old = item;
+ D(("pass_old [%s]", pass_old));
D(("get new password now"));
if (on(UNIX_USE_AUTHTOK, lctrl)) {
set(UNIX_USE_FIRST_PASS, lctrl);
}
- retry = 0;
+ if (on(UNIX_USE_FIRST_PASS, lctrl)) {
+ retry = MAX_PASSWD_TRIES-1;
+ }
retval = PAM_AUTHTOK_ERR;
while ((retval != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
/*
* password -- needed for pluggable password strength checking
*/
- retval = _unix_read_password(pamh, lctrl
- ,NULL
- ,_("Enter new UNIX password: ")
- ,_("Retype new UNIX password: ")
- ,_UNIX_NEW_AUTHTOK
- ,&pass_new);
+ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass_new, NULL);
if (retval != PAM_SUCCESS) {
if (on(UNIX_DEBUG, ctrl)) {
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_ERR,
"password - new password not obtained");
}
pass_old = NULL; /* tidy up */
if (*(const char *)pass_new == '\0') { /* "\0" password = NULL */
pass_new = NULL;
}
- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
-
- if (retval != PAM_SUCCESS && off(UNIX_NOT_SET_PASS, ctrl)) {
+ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old,
+ pass_new, pass_min_len);
+
+ if (retval != PAM_SUCCESS) {
pam_set_item(pamh, PAM_AUTHTOK, NULL);
}
}
return retval;
}
- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
+ retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new,
+ pass_min_len);
if (retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_NOTICE,
"new password not acceptable 2");
* First we encrypt the new password.
*/
- tpass = create_password_hash(pass_new, ctrl, rounds);
+ tpass = create_password_hash(pamh, pass_new, ctrl, rounds);
if (tpass == NULL) {
pam_syslog(pamh, LOG_CRIT,
- "out of memory for password");
+ "crypt() failure or out of memory for password");
pass_new = pass_old = NULL; /* tidy up */
unlock_pwdf();
return PAM_BUF_ERR;
_pam_delete(tpass);
pass_old = pass_new = NULL;
} else { /* something has broken with the module */
- pam_syslog(pamh, LOG_ALERT,
+ pam_syslog(pamh, LOG_CRIT,
"password received unknown request");
retval = PAM_ABORT;
}
return retval;
}
-
-
-/* static module data */
-#ifdef PAM_STATIC
-struct pam_module _pam_unix_passwd_modstruct = {
- "pam_unix_passwd",
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- pam_sm_chauthtok,
-};
-#endif
projects / linux-pam / blobdiff