fi
if test ${with_passwd-'no'} != "no"; then
- if test -z "$LIB_CRYPT" -a "$with_passwd" != "no"; then
+ if test -z "$LIB_CRYPT"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing crypt" >&5
$as_echo_n "checking for library containing crypt... " >&6; }
if test "${ac_cv_search_crypt+set}" = set; then :
case "$with_passwd" in
yes|maybe)
- AUTH_OBJS="$AUTH_OBJS passwd.lo"
+ AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo"
;;
*)
$as_echo "#define WITHOUT_PASSWD 1" >>confdefs.h
;;
esac
AUTH_OBJS=${AUTH_OBJS# }
-_AUTH=`echo "$AUTH_OBJS" | sed 's/\.lo//g'`
+_AUTH=`echo "$AUTH_OBJS" | sed -e 's/\.lo//g' -e 's/getspwuid *//'`
{ $as_echo "$as_me:${as_lineno-$LINENO}: using the following authentication methods: $_AUTH" >&5
$as_echo "$as_me: using the following authentication methods: $_AUTH" >&6;}
dnl
dnl if crypt(3) not in libc, look elsewhere
dnl
- if test -z "$LIB_CRYPT" -a "$with_passwd" != "no"; then
+ if test -z "$LIB_CRYPT"; then
AC_SEARCH_LIBS([crypt], [crypt crypt_d ufc], [test -n "$ac_lib" && SUDO_LIBS="${SUDO_LIBS} $ac_res"])
fi
SUDO_IO_LOGDIR
dnl
-dnl Use passwd (and secureware) auth modules?
+dnl Use passwd auth module?
dnl
case "$with_passwd" in
yes|maybe)
- AUTH_OBJS="$AUTH_OBJS passwd.lo"
+ AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo"
;;
*)
AC_DEFINE(WITHOUT_PASSWD)
;;
esac
AUTH_OBJS=${AUTH_OBJS# }
-_AUTH=`echo "$AUTH_OBJS" | sed 's/\.lo//g'`
+_AUTH=`echo "$AUTH_OBJS" | sed -e 's/\.lo//g' -e 's/getspwuid *//'`
AC_MSG_NOTICE([using the following authentication methods: $_AUTH])
dnl
LIBSUDOERS_OBJS = alias.lo audit.lo defaults.lo gram.lo match.lo pwutil.lo \
timestr.lo toke.lo redblack.lo @NONUNIX_GROUPS_IMPL@
-SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo \
- plugin_error.lo env.lo getspwuid.lo \
+SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo plugin_error.lo env.lo \
goodpath.lo group_plugin.lo find_path.lo interfaces.lo \
logging.lo parse.lo set_perms.lo sudoers.lo sudo_nss.lo \
iolog.lo @SUDOERS_OBJS@
if (skeyaccess(pw, user_tty, NULL, NULL) == 0)
return(AUTH_FAILURE);
#endif
+ sudo_setspent();
+ auth->data = sudo_getepw(pw);
+ sudo_endspent();
return(AUTH_SUCCESS);
}
passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
char sav, *epass;
+ char *pw_epasswd = auth->data;
size_t pw_len;
int error;
- pw_len = strlen(pw->pw_passwd);
+ pw_len = strlen(pw_epasswd);
#ifdef HAVE_GETAUTHUID
/* Ultrix shadow passwords may use crypt16() */
- error = strcmp(pw->pw_passwd, (char *) crypt16(pass, pw->pw_passwd));
+ error = strcmp(pw_epasswd, (char *) crypt16(pass, pw_epasswd));
if (!error)
return(AUTH_SUCCESS);
#endif /* HAVE_GETAUTHUID */
* If this turns out not to be safe we will have to use OS #ifdef's (sigh).
*/
sav = pass[8];
- if (pw_len == DESLEN || HAS_AGEINFO(pw->pw_passwd, pw_len))
+ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
pass[8] = '\0';
/*
* HP-UX may add aging info (separated by a ',') at the end so
* only compare the first DESLEN characters in that case.
*/
- epass = (char *) crypt(pass, pw->pw_passwd);
+ epass = (char *) crypt(pass, pw_epasswd);
pass[8] = sav;
- if (HAS_AGEINFO(pw->pw_passwd, pw_len) && strlen(epass) == DESLEN)
- error = strncmp(pw->pw_passwd, epass, DESLEN);
+ if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ error = strncmp(pw_epasswd, epass, DESLEN);
else
- error = strcmp(pw->pw_passwd, epass);
+ error = strcmp(pw_epasswd, epass);
return(error ? AUTH_FAILURE : AUTH_SUCCESS);
}
+
+int
+passwd_cleanup(pw, auth)
+ struct passwd *pw;
+ sudo_auth *auth;
+{
+ char *pw_epasswd = auth->data;
+
+ if (pw_epasswd != NULL) {
+ zero_bytes(pw_epasswd, strlen(pw_epasswd));
+ efree(pw_epasswd);
+ }
+ return(AUTH_SUCCESS);
+}
if (crypt_type == INT_MAX)
return(AUTH_FAILURE); /* no shadow */
#endif
+ sudo_setspent();
+ auth->data = sudo_getepw(pw);
+ sudo_endspent();
return(AUTH_SUCCESS);
}
int
secureware_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
+ char *pw_epasswd = auth->data;
#ifdef __alpha
extern int crypt_type;
# ifdef HAVE_DISPCRYPT
- if (strcmp(user_passwd, dispcrypt(pass, user_passwd, crypt_type)) == 0)
+ if (strcmp(pw_epasswd, dispcrypt(pass, pw_epasswd, crypt_type)) == 0)
return(AUTH_SUCCESS);
# else
if (crypt_type == AUTH_CRYPT_BIGCRYPT) {
- if (strcmp(user_passwd, bigcrypt(pass, user_passwd)) == 0)
+ if (strcmp(pw_epasswd, bigcrypt(pass, pw_epasswd)) == 0)
return(AUTH_SUCCESS);
} else if (crypt_type == AUTH_CRYPT_CRYPT16) {
- if (strcmp(user_passwd, crypt(pass, user_passwd)) == 0)
+ if (strcmp(pw_epasswd, crypt(pass, pw_epasswd)) == 0)
return(AUTH_SUCCESS);
}
# endif /* HAVE_DISPCRYPT */
#elif defined(HAVE_BIGCRYPT)
- if (strcmp(user_passwd, bigcrypt(pass, user_passwd)) == 0)
+ if (strcmp(pw_epasswd, bigcrypt(pass, pw_epasswd)) == 0)
return(AUTH_SUCCESS);
#endif /* __alpha */
return(AUTH_FAILURE);
}
+
+int
+secureware_cleanup(pw, auth)
+ struct passwd *pw;
+ sudo_auth *auth;
+{
+ char *pw_epasswd = auth->data;
+
+ if (pw_epasswd != NULL) {
+ zero_bytes(pw_epasswd, strlen(pw_epasswd));
+ efree(pw_epasswd);
+ }
+ return(AUTH_SUCCESS);
+}
/* Non-standalone entries */
#ifndef WITHOUT_PASSWD
- AUTH_ENTRY("passwd", 0, passwd_init, NULL, passwd_verify, NULL, NULL, NULL)
+ AUTH_ENTRY("passwd", 0, passwd_init, NULL, passwd_verify, passwd_cleanup, NULL, NULL)
#endif
#if defined(HAVE_GETPRPWNAM) && !defined(WITHOUT_PASSWD)
- AUTH_ENTRY("secureware", 0, secureware_init, NULL, secureware_verify, NULL, NULL, NULL)
+ AUTH_ENTRY("secureware", 0, secureware_init, NULL, secureware_verify, secureware_cleanup, NULL, NULL)
#endif
#ifdef HAVE_AFS
AUTH_ENTRY("afs", 0, NULL, NULL, afs_verify, NULL, NULL, NULL)
/* Prototypes for normal methods */
int passwd_init(struct passwd *pw, char **prompt, sudo_auth *auth);
int passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth);
+int passwd_cleanup(struct passwd *pw, sudo_auth *auth);
int secureware_init(struct passwd *pw, char **prompt, sudo_auth *auth);
int secureware_verify(struct passwd *pw, char *pass, sudo_auth *auth);
+int secureware_cleanup(struct passwd *pw, sudo_auth *auth);
int rfc1938_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
int rfc1938_verify(struct passwd *pw, char *pass, sudo_auth *auth);
int afs_verify(struct passwd *pw, char *pass, sudo_auth *auth);
pw_delref_item(void *v)
{
struct cache_item *item = v;
- struct passwd *pw = item->d.pw;
-
- if (--item->refcnt == 0) {
- if (pw != NULL && pw->pw_passwd != NULL) {
- zero_bytes(pw->pw_passwd, strlen(pw->pw_passwd));
- if ((char *)pw->pw_passwd < (char *)pw ||
- (char *)pw->pw_passwd > (char *)pw->pw_gecos)
- efree(pw->pw_passwd); /* free if separate allocation */
- }
+
+ if (--item->refcnt == 0)
efree(item);
- }
}
void
{
struct cache_item key, *item;
struct rbnode *node;
- char *cp;
key.k.uid = uid;
if ((node = rbfind(pwcache_byuid, &key)) != NULL) {
#endif
if ((key.d.pw = getpwuid(uid)) != NULL) {
item = make_pwitem(key.d.pw, NULL);
- cp = sudo_getepw(item->d.pw); /* get shadow password */
- if (item->d.pw->pw_passwd != NULL)
- zero_bytes(item->d.pw->pw_passwd, strlen(item->d.pw->pw_passwd));
- item->d.pw->pw_passwd = cp;
if (rbinsert(pwcache_byuid, item) != NULL)
errorx(1, "unable to cache uid %lu (%s), already exists",
uid, item->d.pw->pw_name);
struct cache_item key, *item;
struct rbnode *node;
size_t len;
- char *cp;
key.k.name = (char *) name;
if ((node = rbfind(pwcache_byname, &key)) != NULL) {
#endif
if ((key.d.pw = getpwnam(name)) != NULL) {
item = make_pwitem(key.d.pw, name);
- cp = sudo_getepw(key.d.pw); /* get shadow password */
- if (key.d.pw->pw_passwd != NULL)
- zero_bytes(key.d.pw->pw_passwd, strlen(key.d.pw->pw_passwd));
- key.d.pw->pw_passwd = cp;
if (rbinsert(pwcache_byname, item) != NULL)
errorx(1, "unable to cache user %s, already exists", name);
} else {
sudo_setpwent(void)
{
setpwent();
- sudo_setspent();
if (pwcache_byuid == NULL)
pwcache_byuid = rbcreate(cmp_pwuid);
if (pwcache_byname == NULL)
sudo_endpwent(void)
{
endpwent();
- sudo_endspent();
sudo_freepwcache();
}
projects / sudo / commitdiff