From: Todd C. Miller Date: Mon, 21 Sep 1998 04:00:56 +0000 (+0000) Subject: new shadow password scheme. Always include shadow support if the X-Git-Tag: SUDO_1_5_7~107 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1c66c857e471478e9c5f7b046d721bca0af238a7;p=sudo new shadow password scheme. Always include shadow support if the platform supports it and the user did not disable it via configure --- diff --git a/aclocal.m4 b/aclocal.m4 index ad630843b..bb949dd5c 100644 --- a/aclocal.m4 +++ b/aclocal.m4 
@@ -147,99 +147,6 @@ else fi ])dnl -dnl -dnl check for shadow passwords -dnl NOTE: not verbose -dnl -AC_DEFUN(SUDO_CHECK_SHADOW_GENERIC, [ -if test -z "$SHADOW_TYPE" -a -d /tcb/files/auth; then - AC_CHECK_FUNC(getprpwuid, SHADOW_TYPE="SPW_SECUREWARE") -fi -if test -z "$SHADOW_TYPE" -a -s /etc/shadow; then - AC_CHECK_FUNC(getspnam, SHADOW_TYPE="SPW_SVR4") -fi -if test -z "$SHADOW_TYPE" -a -s /etc/master.passwd; then - SHADOW_TYPE="SPW_BSD" -fi -if test -z "$SHADOW_TYPE"; then - SHADOW_TYPE="SPW_NONE" - $2 -else - $1 -fi -AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) -]) - -AC_DEFUN(SUDO_CHECK_SHADOW_SUNOS4, [AC_MSG_CHECKING(for shadow passwords) -if test -s /etc/security/passwd.adjunct; then - AC_MSG_RESULT(yes) - [$1] -else - AC_MSG_RESULT(no) - [$2] -fi -]) - -AC_DEFUN(SUDO_CHECK_SHADOW_ULTRIX4, [AC_MSG_CHECKING(for shadow passwords) -if test -s /etc/auth.pag; then - AC_MSG_RESULT(yes) - [$1] -else - AC_MSG_RESULT(no) - [$2] -fi -]) - -AC_DEFUN(SUDO_CHECK_SHADOW_BSD, [AC_MSG_CHECKING(for shadow passwords) -if test -s /etc/master.passwd; then - AC_MSG_RESULT(yes) - [$1] -else - AC_MSG_RESULT(no) - [$2] -fi -]) - -AC_DEFUN(SUDO_CHECK_SHADOW_HPUX9, [AC_MSG_CHECKING(for shadow passwords) -if test -s /.secure/etc/passwd; then - AC_MSG_RESULT(yes) - [$1] -else - AC_MSG_RESULT(no) - [$2] -fi -]) - -AC_DEFUN(SUDO_CHECK_SHADOW_SVR4, [AC_MSG_CHECKING(for shadow passwords) -if test -s /etc/shadow; then - AC_MSG_RESULT(yes) - [$1] -else - AC_MSG_RESULT(no) - [$2] -fi -]) - -AC_DEFUN(SUDO_CHECK_SHADOW_SECUREWARE, [AC_MSG_CHECKING(for shadow passwords) -if test -d /tcb/files/auth; then - AC_MSG_RESULT(yes) - [$1] -else - AC_MSG_RESULT(no) - [$2] -fi -]) - -AC_DEFUN(SUDO_CHECK_SHADOW_DUNIX, [AC_MSG_CHECKING(for shadow passwords) -if test "`. /etc/rc.config ; echo $SECURITY`" = "ENHANCED"; then - AC_MSG_RESULT(yes) - [$1] -else - AC_MSG_RESULT(no) - [$2] -fi -]) - dnl dnl dnl check for fullly working void diff --git a/check.c b/check.c index f75a6294d..9a05f2471 100644 
--- a/check.c +++ b/check.c @@ -67,14 +67,14 @@ static char rcsid[] = "$Id$"; #include #include "insults.h" #include "version.h" -#if (SHADOW_TYPE == SPW_SECUREWARE) +#ifdef HAVE_GETPRPWUID # ifdef __hpux # include # else # include # endif /* __hpux */ # include -#endif /* SPW_SECUREWARE */ +#endif /* HAVE_GETPRPWUID */ #ifdef HAVE_KERB4 # include #endif /* HAVE_KERB4 */ @@ -141,9 +141,9 @@ struct skey skey; #ifdef HAVE_OPIE struct opie opie; #endif -#if (SHADOW_TYPE == SPW_SECUREWARE) && defined(__alpha) -extern uchar_t crypt_type; -#endif /* SPW_SECUREWARE && __alpha */ +#if defined(HAVE_GETPRPWUID) && defined(__alpha) +extern int crypt_type; +#endif /* HAVE_GETPRPWUID && __alpha */ 
@@ -585,42 +585,44 @@ static void check_passwd() /* * If we use shadow passwords with a different crypt(3) * check that here, else use standard crypt(3). + * XXX - break out into separate functions. */ -# if (SHADOW_TYPE != SPW_NONE) && (SHADOW_TYPE != SPW_BSD) -# if (SHADOW_TYPE == SPW_ULTRIX4) +# ifdef HAVE_GETAUTHUID if (!strcmp(user_passwd, (char *) crypt16(pass, user_passwd))) return; /* if the passwd is correct return() */ -# endif /* ULTRIX4 */ -# if (SHADOW_TYPE == SPW_SECUREWARE) && !defined(__alpha) +# endif /* HAVE_GETAUTHUID */ +# ifdef HAVE_GETPRPWUID +# ifndef __alpha # ifdef HAVE_BIGCRYPT if (strcmp(user_passwd, (char *) bigcrypt(pass, user_passwd)) == 0) return; /* if the passwd is correct return() */ -# else - if (strcmp(user_passwd, crypt(pass, user_passwd)) == 0) - return; /* if the passwd is correct return() */ # endif /* HAVE_BIGCRYPT */ -# endif /* SECUREWARE && !__alpha */ -# if (SHADOW_TYPE == SPW_SECUREWARE) && defined(__alpha) - if (crypt_type == AUTH_CRYPT_BIGCRYPT) { - if (!strcmp(user_passwd, bigcrypt(pass, user_passwd))) - return; /* if the passwd is correct return() */ - } else if (crypt_type == AUTH_CRYPT_CRYPT16) { - if (!strcmp(user_passwd, crypt16(pass, user_passwd))) - return; /* if the passwd is correct return() */ +# else /* !__alpha */ + switch (crypt_type) { + case AUTH_CRYPT_BIGCRYPT: + if (!strcmp(user_passwd, bigcrypt(pass, user_passwd))) + return; /* if the passwd is correct return() */ + break; + case AUTH_CRYPT_CRYPT16: + if (!strcmp(user_passwd, crypt16(pass, user_passwd))) + return; /* if the passwd is correct return() */ + break; # ifdef AUTH_CRYPT_OLDCRYPT - } else if (crypt_type == AUTH_CRYPT_OLDCRYPT || - crypt_type == AUTH_CRYPT_C1CRYPT) { - if (!strcmp(user_passwd, crypt(pass, user_passwd))) - return; /* if the passwd is correct return() */ + case AUTH_CRYPT_OLDCRYPT: + case AUTH_CRYPT_C1CRYPT: # endif - } else { - (void) fprintf(stderr, - "%s: Sorry, I don't know how to deal with crypt type %d.\n", - Argv[0], 
crypt_type); - exit(1); + case -1: + if (!strcmp(user_passwd, crypt(pass, user_passwd))) + return; /* if the passwd is correct return() */ + break; + default: + (void) fprintf(stderr, + "%s: Sorry, I don't know how to deal with crypt type %d.\n", + Argv[0], crypt_type); + exit(1); } -# endif /* SECUREWARE && __alpha */ -# endif /* SHADOW_TYPE != SPW_NONE && SHADOW_TYPE != SPW_BSD */ +# endif /* __alpha */ +# endif /* HAVE_GETPRPWUID */ /* Normal UN*X password check */ if (!strcmp(user_passwd, (char *) crypt(pass, user_passwd))) diff --git a/compat.h b/compat.h index 01467b3fb..3721be35a 100644 --- a/compat.h +++ b/compat.h @@ -100,7 +100,7 @@ # undef _PASSWD_LEN # define _PASSWD_LEN 256 #else -# if (SHADOW_TYPE == SPW_SECUREWARE) +# ifdef HAVE_GETPRPWUID # undef _PASSWD_LEN # define _PASSWD_LEN AUTH_MAX_PASSWD_LENGTH # else @@ -116,7 +116,7 @@ # endif /* PASS_MAX */ # endif /* !_PASSWD_LEN */ # endif /* HAVE_KERB4 || HAVE_AFS || HAVE_DCE || HAVE_SKEY || HAVE_OPIE */ -#endif /* SPW_SECUREWARE */ +#endif /* HAVE_GETPRPWUID */ /* * Some OS's lack these diff --git a/config.h.in b/config.h.in index 3d98abd7b..426793b5a 100644 --- a/config.h.in +++ b/config.h.in @@ -201,6 +201,21 @@ /* Define if you have set_auth_parameters(3). */ #undef HAVE_SET_AUTH_PARAMETERS +/* Define if you have getspnam(3). [SVR4-style shadow passwords] */ +#undef HAVE_GETSPNAM + +/* Define if you have getprpwuid(3). [SecureWare-style shadow passwords] */ +#undef HAVE_GETPRPWUID + +/* Define if you have getspwuid(3). [HP-UX <= 9.X shadow passwords] */ +#undef HAVE_GETSPWUID + +/* Define if you have getpwanam(3). [SunOS 4.x shadow passwords] */ +#undef HAVE_GETPWANAM + +/* Define if you have getauthuid(3). [ULTRIX 4.x shadow passwords] */ +#undef HAVE_GETAUTHUID + /* Define if you have seteuid(3). */ #undef HAVE_SETEUID 
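Review bot: In the `__alpha` switch, `case AUTH_CRYPT_C1CRYPT:` is compiled under `# ifdef AUTH_CRYPT_OLDCRYPT`, while the getspwuid.c hunk of this commit guards the same constant with `# ifdef AUTH_CRYPT_C1CRYPT`. A header that defines only one of the two would presumably either fail to compile or send a valid crypt type to the `default:` exit. Giving the label its own guard, `# ifdef AUTH_CRYPT_C1CRYPT` around `case AUTH_CRYPT_C1CRYPT:`, would keep the two files consistent. The `# else /* !__alpha */` comment is also inverted, since the branch follows `# ifndef __alpha`, and `case -1:` deserves a comment such as `/* -1: no SecureWare entry was read, see getspwuid.c */`. check_passwd() starts and ends outside the hunk.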
@@ -265,18 +280,6 @@ /* Define if your struct sockadr has an sa_len field. */ #undef HAVE_SA_LEN -/* Supported shadow password types */ -#define SPW_NONE 0x00 -#define SPW_SECUREWARE 0x01 -#define SPW_HPUX9 0x02 -#define SPW_SUNOS4 0x03 -#define SPW_SVR4 0x04 -#define SPW_ULTRIX4 0x05 -#define SPW_BSD 0x06 - -/* Define to the variety of shadow passwords supported on your OS */ -#undef SHADOW_TYPE - /* Define to void if your C compiler fully groks void, else char */ #undef VOID @@ -303,36 +306,3 @@ /* Define if you want the log file line to be wrapped */ #undef WRAP_LOG - -/* - * Paths to commands used by sudo. There are used by pathnames.h. - * If you want to override these values, do so in pathnames.h, not here! - */ - -#ifndef _CONFIG_PATH_SENDMAIL -#undef _CONFIG_PATH_SENDMAIL -#endif /* _CONFIG_PATH_SENDMAIL */ - -#ifndef _CONFIG_PATH_VI -#undef _CONFIG_PATH_VI -#endif /* _CONFIG_PATH_VI */ - -#ifndef _CONFIG_PATH_PWD -#undef _CONFIG_PATH_PWD -#endif /* _CONFIG_PATH_PWD */ - -#ifndef _CONFIG_PATH_MV -#undef _CONFIG_PATH_MV -#endif /* _CONFIG_PATH_MV */ - -#ifndef _CONFIG_PATH_BSHELL -#undef _CONFIG_PATH_BSHELL -#endif /* _CONFIG_PATH_BSHELL */ - -#ifndef _CONFIG_PATH_LOGFILE -#undef _CONFIG_PATH_LOGFILE -#endif /* _CONFIG_PATH_LOGFILE */ - -#ifndef _CONFIG_PATH_TIMEDIR -#undef _CONFIG_PATH_TIMEDIR -#endif /* _CONFIG_PATH_TIMEDIR */ diff --git a/configure.in b/configure.in index 3ebee1982..10b571fd8 100644 --- a/configure.in +++ b/configure.in @@ -40,6 +40,7 @@ MANTYPE="man" AC_SUBST(MANTYPE)dnl MAN_POSTINSTALL="" AC_SUBST(MAN_POSTINSTALL)dnl +CHECKSHADOW="true" dnl dnl Override default configure dirs... 
@@ -53,6 +54,22 @@ dnl dnl Options for --enable dnl +AC_MSG_CHECKING(whether to disable shadow password support) +AC_ARG_ENABLE(tgetpass, +[ --enable-shadow Use shadow passwords if they exist (default) + --disable-shadow Never use shadow passwords], +[ case "$enableval" in + yes) AC_MSG_RESULT(no) + ;; + no) AC_MSG_RESULT(yes) + CHECKSHADOW="false" + ;; + *) AC_MSG_RESULT(no) + echo "Ignoring unknown argument to --enable-tgetpass: $enableval" + ;; + esac +], AC_MSG_RESULT(no)) + AC_MSG_CHECKING(whether to use the system getpass function) AC_ARG_ENABLE(tgetpass, [ --enable-tgetpass Use sudo's getpass() that times out (default) @@ -376,24 +393,13 @@ case "$host" in # getcwd(3) opens a pipe to getpwd(1)!?! BROKEN_GETCWD=1 - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SUNOS4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SUNOS4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) + # check for password adjunct functions (shadow passwords) + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_FUNCS(getpwanam) + CHECKSHADOW="false" fi ;; *-*-solaris2*) - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SVR4(with_C2="yes") - fi - if test "$with_C2" != "no"; then - with_C2="yes" - SHADOW_TYPE="SPW_SVR4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - fi - # AFS support needs -lucb if test "$with_AFS" = "yes"; then AFS_LIBS="-lc -lucb" @@ -404,8 +410,9 @@ case "$host" in SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp" ;; *-*-hiuxmpp*) - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes") + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsec"], AC_CHECK_LIB(security, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsecurity"])) + CHECKSHADOW="false" fi ;; *-*-hpux1[[0-9]]*) 
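Review bot: The new option block calls `AC_ARG_ENABLE(tgetpass,` although its help text advertises `--enable-shadow` and `--disable-shadow`. As written, `--disable-shadow` never reaches this case statement, and `--disable-tgetpass` sets `CHECKSHADOW="false"`. A flag meant to select the system getpass() therefore also removes shadow password lookups from a setuid password checker, with nothing in the configure output naming the real cause. The first argument should be `shadow`, and the warning should read `echo "Ignoring unknown argument to --enable-shadow: $enableval"`.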
@@ -413,14 +420,9 @@ case "$host" in # (XXX - should be an option to configure) #STATIC_SUDO=true - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SECUREWARE" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - SUDO_LIBS="${SUDO_LIBS} -lsec" - LIBS="${LIBS} -lsec" + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsec"]) + CHECKSHADOW="false" fi if test -n "$STATIC_SUDO"; then @@ -452,12 +454,9 @@ case "$host" in AC_DEFINE(BROKEN_SYSLOG) - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_HPUX9(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_HPUX9" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_FUNCS(getspwuid) + CHECKSHADOW="false" fi if test -n "$STATIC_SUDO"; then @@ -508,26 +507,12 @@ case "$host" in # ignore envariables wrt dynamic lib path SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-no_library_replacement" - # C2 security stuff - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_DUNIX(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SUDO_LIBS="${SUDO_LIBS} -lsecurity -laud" - LIBS="${LIBS} -lsecurity -laud" - SHADOW_TYPE="SPW_SECUREWARE" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_LIB(security, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsecurity"]) + CHECKSHADOW="false" fi ;; *-*-irix*) - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SVR4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SVR4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - fi - # configure may not think irix has stdc headers # but it's good enough for sudo AC_DEFINE(STDC_HEADERS) 
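Review bot: The hpux10 branch now appends `-lsec` to `SUDO_LIBS` only, where the removed lines also extended `LIBS`, and because `AC_CHECK_LIB` is given its own action-if-found it will not add the library to `LIBS` itself. If later probes link against `$LIBS` to find routines that live in that library (the checks behind `HAVE_BIGCRYPT` or `HAVE_SET_AUTH_PARAMETERS`, which are not part of this diff), they may stop being detected, and check.c would then skip the matching password comparison. The same pattern appears in the `-lsecurity` branch at `@@ -508`, and in the ultrix, sco and unicos branches further down. Either keep `LIBS="${LIBS} -lsec"` inside the action, or add a comment saying why only `SUDO_LIBS` is wanted.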
@@ -547,16 +532,10 @@ case "$host" in fi ;; *-*-linux*) - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SVR4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SVR4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - OSDEFS="${OSDEFS} -DSHADOW_PWD" - AC_CHECK_FUNC(getspnam, , - SUDO_LIBS="${SUDO_LIBS} -lshadow" - LIBS="${LIBS} -lshadow") + # Some Linux versions need to link with -lshadow + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_FUNC(getspnam, AC_DEFINE(HAVE_GETSPNAM), AC_CHECK_LIB(shadow, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lshadow"])) + CHECKSHADOW="false" fi ;; *-convex-bsd*) @@ -565,38 +544,19 @@ case "$host" in CFLAGS="${CFLAGS} -D__STDC__" fi - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - OSDEFS="${OSDEFS} -D_AUDIT -D_ACL -DSecureWare" - SUDO_LIBS="${SUDO_LIBS} -lprot" - LIBS="${LIBS} -lprot" - SHADOW_TYPE="SPW_SECUREWARE" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lprot"; OSDEFS="${OSDEFS} -D_AUDIT -D_ACL -DSecureWare"]) + CHECKSHADOW="false" fi ;; *-*-ultrix*) OS="ultrix" - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_ULTRIX4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SUDO_LIBS="${SUDO_LIBS} -lauth" - LIBS="${LIBS} -lauth" - SHADOW_TYPE="SPW_ULTRIX4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_LIB(auth, getauthuid, AC_DEFINE(HAVE_GETAUTHUID) [SUDO_LIBS="${SUDO_LIBS} -lauth"]) + CHECKSHADOW="false" fi ;; *-*-riscos*) - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SVR4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SVR4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - fi - SUDO_LIBS="${SUDO_LIBS} -lsun -lbsd" LIBS="${LIBS} -lsun -lbsd" CPPFLAGS="${CPPFLAGS} -I/usr/include -I/usr/include/bsd" 
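Review bot: In the convex branch the probe is `AC_CHECK_LIB(sec, getprpwuid, ...)` but the action links `-lprot`, which is the library the removed code used. If libsec is absent on that platform, `HAVE_GETPRPWUID` is never defined and sudo compares against the plain passwd field with no warning from configure. The probe should name the library that is linked, i.e. `AC_CHECK_LIB(prot, getprpwuid, ...)` with the existing action unchanged. Which library carries getprpwuid on that system cannot be confirmed from the diff, so this should be checked on a real host.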
@@ -608,25 +568,15 @@ case "$host" in SUDO_LIBS="${SUDO_LIBS} -lcrypt" LIBS="${LIBS} -lcrypt" - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SVR4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SUDO_LIBS="${SUDO_LIBS} -lsec" - LIBS="${LIBS} -lsec" - SHADOW_TYPE="SPW_SVR4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_LIB(sec, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lsec"]) + CHECKSHADOW="false" fi ;; *-*-sco*) - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SECUREWARE" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - SUDO_LIBS="${SUDO_LIBS} -lprot -lx" - LIBS="${LIBS} -lprot -lx" + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_LIB(prot, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lprot -lx"]) + CHECKSHADOW="false" fi ;; *-*-unicos*) @@ -638,14 +588,9 @@ case "$host" in # we don't want -linet LIB_INET=0 - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SVR4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SVR4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - SUDO_LIBS="${SUDO_LIBS} -lsec" - LIBS="${LIBS} -lsec" + if test "$CHECKSHADOW" = "true"; then + AC_CHECK_LIB(sec, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lsec"]) + CHECKSHADOW="false" fi ;; *-ccur-sysv4|*-ccur-sysvr4) @@ -653,14 +598,6 @@ case "$host" in SUDO_LIBS="${SUDO_LIBS} -lgen -lsocket -lnsl" LIB_SOCKET=1 LIB_NSL=1 - - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SVR4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SVR4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - fi ;; *-*-bsdi*) # Use shlicc for BSD/OS 2.x unless asked to do otherwise 
@@ -670,23 +607,10 @@ case "$host" in ac_cv_prog_CC=shlicc CC="$ac_cv_prog_CC" fi - - # This should always be true but why not be careful... - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_BSD(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_BSD" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - fi ;; *-*-*bsd*) - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_BSD(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_BSD" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) + if test "$CHECKSHADOW" = "true"; then + CHECKSHADOW="false" fi ;; *-*-svr4*|*-*-sysv4*) 
@@ -694,85 +618,18 @@ case "$host" in SUDO_LIBS="${SUDO_LIBS} -lsocket -lnsl" LIB_SOCKET=1 LIB_NSL=1 - - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SVR4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SVR4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - fi - ;; - *-*-sysv*) - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_SVR4(with_C2="yes") - fi - if test "$with_C2" = "yes"; then - SHADOW_TYPE="SPW_SVR4" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - fi - ;; - *) - if test -z "$host"; then - echo "Unable to guess system type, you may need to specify on the command line." - fi - - dnl - dnl Is this OS using shadow passwords? - dnl Just check the most common schemes. - dnl - if test -z "$with_C2"; then - SUDO_CHECK_SHADOW_GENERIC(with_C2="yes") - AC_MSG_CHECKING(for shadow passwords and type) - case "$SHADOW_TYPE" in - "SPW_SVR4") - echo "SVR4" - ;; - "SPW_BSD") - echo "BSD" - ;; - "SPW_SECUREWARE") - echo "SecureWare" - SUDO_LIBS="${SUDO_LIBS} -lprot -lx" - LIBS="${LIBS} -lprot -lx" - ;; - "SPW_NONE") - echo "none" - esac - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) - fi ;; esac dnl -dnl Guess shadow password type unless we already know it. -dnl This is used when the user specified --with-C2 option. +dnl Check for shadow password routines if we have not already done so. +dnl We check for SVR4-style first and then SecureWare-style. 
dnl -if test "$with_C2" = "yes" -a -z "$SHADOW_TYPE"; then - AC_CHECK_FUNC(getprpwuid, SHADOW_TYPE="SPW_SECUREWARE", [AC_CHECK_FUNC(getspnam, SHADOW_TYPE="SPW_SVR4", [test -f /etc/master.passwd && SHADOW_TYPE="SPW_BSD"])]) - AC_MSG_CHECKING(for shadow password type) - case "$SHADOW_TYPE" in - "SPW_SVR4") - echo "SVR4" - ;; - "SPW_BSD") - echo "BSD" - ;; - "SPW_SECUREWARE") - echo "SecureWare" - SUDO_LIBS="${SUDO_LIBS} -lprot -lx" - LIBS="${LIBS} -lprot -lx" - ;; - *) - SHADOW_TYPE="SPW_NONE" - echo "unknown" - echo "Unable to determine shadow passwd type, sudo may not be able to verify passwords" - ;; - esac - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) -elif test -z "$SHADOW_TYPE"; then - SHADOW_TYPE="SPW_NONE" - AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE) +if test "$CHECKSHADOW" = "true"; then + AC_CHECK_FUNC(getspnam, AC_DEFINE(HAVE_GETSPNAM) [CHECKSHADOW="false"]) +fi +if test "$CHECKSHADOW" = "true"; then + AC_CHECK_FUNC(getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"], AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"; SUDO_LIBS="${SUDO_LIBS} -lsec"], AC_CHECK_LIB(security, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"; SUDO_LIBS="${SUDO_LIBS} -lsecurity"], AC_CHECK_LIB(prot, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"; SUDO_LIBS="${SUDO_LIBS} -lprot"])))) fi dnl diff --git a/getspwuid.c b/getspwuid.c index 6d997784c..d0be90663 100644 --- a/getspwuid.c +++ b/getspwuid.c 
@@ -52,27 +52,27 @@ static char rcsid[] = "$Id$"; #include #include "sudo.h" #include -#if (SHADOW_TYPE != SPW_NONE) && (SHADOW_TYPE != SPW_BSD) -# if (SHADOW_TYPE == SPW_SVR4) -# include -# endif /* SVR4 */ -# if (SHADOW_TYPE == SPW_SECUREWARE) -# ifdef __hpux -# include -# else -# include -# endif /* __hpux */ -# include -# endif /* SECUREWARE */ -# if (SHADOW_TYPE == SPW_ULTRIX4) -# include -# endif /* ULTRIX4 */ -# if (SHADOW_TYPE == SPW_SUNOS4) -# include -# include -# include -# endif /* SUNOS4 */ -#endif /* SHADOW_TYPE != SPW_NONE && SHADOW_TYPE != SPW_BSD */ + +/* Shadow password includes */ +#ifdef HAVE_GETSPNAM +# include +#endif /* HAVE_GETSPNAM */ +#ifdef HAVE_GETPRPWUID +# ifdef __hpux +# include +# else +# include +# endif /* __hpux */ +# include +#endif /* HAVE_GETPRPWUID */ +#ifdef HAVE_GETPWANAM +# include +# include +# include +#endif /* HAVE_GETPWANAM */ +#ifdef HAVE_GETAUTHUID +# include +#endif /* HAVE_GETAUTHUID */ #ifndef STDC_HEADERS #ifndef __GNUC__ /* gcc has its own malloc */ @@ -87,16 +87,16 @@ extern char *strdup __P((const char *)); /* * Global variables (yuck) */ -#if (SHADOW_TYPE == SPW_SECUREWARE) && defined(__alpha) -uchar_t crypt_type; -#endif /* SPW_SECUREWARE && __alpha */ +#if defined(HAVE_GETPRPWUID) && defined(__alpha) +int crypt_type = -1; +#endif /* HAVE_GETPRPWUID && __alpha */ /* * Local functions not visible outside getspwuid.c */ static char *sudo_getshell __P((struct passwd *)); -static char *sudo_getspwd __P((struct passwd *)); +static char *sudo_getepw __P((struct passwd *)); 
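Review bot: `crypt_type` is initialised to `-1` here and check.c matches it with a bare `case -1:`, so the "no SecureWare entry" state is a magic number shared across two files. A named constant in a common header would make that contract explicit. The sudo_getepw() hunk that follows also assigns crypt_type only when getprpwuid() returns an entry with a password, so a later lookup for a user without one would leave the previous value in place. Whether sudo_getpwuid() runs for more than one user per invocation is not visible here; if it can, reset the variable at the top of sudo_getepw().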
@@ -128,78 +128,68 @@ static char *sudo_getshell(pw_ent) /********************************************************************** * - * sudo_getspwd() + * sudo_getepw() * - * This function returns the shadow password for the user described - * by pw_ent. If there is no shadow password the normal UN*X password - * is returned instead. + * This function returns the encrypted password for the user described + * by pw_ent. If there is a shadow password it is returned, else the + * normal UN*X password is returned instead. */ -static char *sudo_getspwd(pw_ent) +static char *sudo_getepw(pw_ent) struct passwd *pw_ent; -#if (SHADOW_TYPE != SPW_NONE) && (SHADOW_TYPE != SPW_BSD) -# if (SHADOW_TYPE == SPW_SVR4) { - struct spwd *spw_ent; +#ifdef HAVE_GETPRPWUID + { + struct pr_passwd *spw_ent; + + spw_ent = getprpwuid(pw_ent->pw_uid); + if (spw_ent != NULL && spw_ent->ufld.fd_encrypt != NULL) { +# ifdef __alpha + crypt_type = spw_ent -> ufld.fd_oldcrypt; +# ifdef AUTH_CRYPT_C1CRYPT + if (crypt_type != AUTH_CRYPT_C1CRYPT) +# endif /* AUTH_CRYPT_C1CRYPT */ +# endif /* __alpha */ + return(spw_ent -> ufld.fd_encrypt); + } + } +#endif /* HAVE_GETPRPWUID */ +#ifdef HAVE_GETSPNAM + { + struct spwd *spw_ent; - if ((spw_ent = getspnam(pw_ent -> pw_name)) && spw_ent -> sp_pwdp) - return(spw_ent -> sp_pwdp); - else - return(pw_ent -> pw_passwd); -} -# endif /* SVR4 */ -# if (SHADOW_TYPE == SPW_HPUX9) -{ - struct s_passwd *spw_ent; + if ((spw_ent = getspnam(pw_ent -> pw_name)) && spw_ent -> sp_pwdp) + return(spw_ent -> sp_pwdp); + } +#endif /* HAVE_GETSPNAM */ +#ifdef HAVE_GETSPWUID + { + struct s_passwd *spw_ent; - if ((spw_ent = getspwuid(pw_ent -> pw_uid)) && spw_ent -> pw_passwd) - return(spw_ent -> pw_passwd); - else - return(pw_ent -> pw_passwd); -} -# endif /* HPUX9 */ -# if (SHADOW_TYPE == SPW_SUNOS4) -{ - struct passwd_adjunct *spw_ent; + if ((spw_ent = getspwuid(pw_ent -> pw_uid)) && spw_ent -> pw_passwd) + return(spw_ent -> pw_passwd); + } +#endif /* HAVE_GETSPWUID */ +#ifdef 
HAVE_GETPWANAM + { + struct passwd_adjunct *spw_ent; - if ((spw_ent = getpwanam(pw_ent -> pw_name)) && spw_ent -> pwa_passwd) - return(spw_ent -> pwa_passwd); - else - return(pw_ent -> pw_passwd); -} -# endif /* SUNOS4 */ -# if (SHADOW_TYPE == SPW_ULTRIX4) -{ - AUTHORIZATION *spw_ent; + if ((spw_ent = getpwanam(pw_ent -> pw_name)) && spw_ent -> pwa_passwd) + return(spw_ent -> pwa_passwd); + } +#endif /* HAVE_GETPWANAM */ +#ifdef HAVE_GETAUTHUID + { + AUTHORIZATION *spw_ent; - if ((spw_ent = getauthuid(pw_ent -> pw_uid)) && spw_ent -> a_password) - return(spw_ent -> a_password); - else - return(pw_ent -> pw_passwd); -} -# endif /* ULTRIX4 */ -# if (SHADOW_TYPE == SPW_SECUREWARE) -{ - struct pr_passwd *spw_ent; - - if ((spw_ent = getprpwuid(pw_ent->pw_uid)) && spw_ent->ufld.fd_encrypt) { -# ifdef __alpha - crypt_type = spw_ent -> ufld.fd_oldcrypt; -# ifdef AUTH_CRYPT_C1CRYPT - if (crypt_type == AUTH_CRYPT_C1CRYPT) - return(pw_ent -> pw_passwd); -# endif /* AUTH_CRYPT_C1CRYPT */ -# endif /* __alpha */ - return(spw_ent -> ufld.fd_encrypt); - } else - return(pw_ent -> pw_passwd); -} -# endif /* SECUREWARE */ -#else -{ + if ((spw_ent = getauthuid(pw_ent -> pw_uid)) && spw_ent -> a_password) + return(spw_ent -> a_password); + } +#endif /* HAVE_GETAUTHUID */ + + /* Fall back on normal passwd */ return(pw_ent->pw_passwd); } -#endif /* SHADOW_TYPE != SPW_NONE && SHADOW_TYPE != SPW_BSD */ /********************************************************************** @@ -255,7 +245,7 @@ struct passwd *sudo_getpwuid(uid) } /* pw_passwd gets a shadow password if applicable */ - local_pw_ent->pw_passwd = (char *) strdup(sudo_getspwd(pw_ent)); + local_pw_ent->pw_passwd = (char *) strdup(sudo_getepw(pw_ent)); if (local_pw_ent->pw_passwd == NULL) { perror("malloc"); (void) fprintf(stderr, "%s: cannot allocate memory!\n", Argv[0]); diff --git a/sudo.c b/sudo.c index 5ff547871..8c28fc8ff 100644 --- a/sudo.c +++ b/sudo.c 
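Review bot: In the `HAVE_GETPRPWUID` block of sudo_getepw(), the brace-less `if (crypt_type != AUTH_CRYPT_C1CRYPT)` governs a `return` that sits two `# endif` lines below it, and the `if` itself only exists when `AUTH_CRYPT_C1CRYPT` is defined. Since this statement decides which hash is handed to the password check, it is easy to break by inserting a line between the guard and the return. Spelling out both preprocessor cases, as below, keeps the behaviour and makes the control flow visible. The header comment should also say that the `__alpha` path sets the global `crypt_type` as a side effect, and that the returned pointer is storage owned by the lookup routine or by `pw_ent`, which is presumably why the caller strdup()s it.

```c
	if (spw_ent != NULL && spw_ent->ufld.fd_encrypt != NULL) {
# ifdef __alpha
	    crypt_type = spw_ent->ufld.fd_oldcrypt;
# endif /* __alpha */
# if defined(__alpha) && defined(AUTH_CRYPT_C1CRYPT)
	    /* C1 entries keep their hash elsewhere; fall through to the other lookups */
	    if (crypt_type != AUTH_CRYPT_C1CRYPT) {
		return(spw_ent->ufld.fd_encrypt);
	    }
# else
	    return(spw_ent->ufld.fd_encrypt);
# endif /* __alpha && AUTH_CRYPT_C1CRYPT */
	}
	/* … unchanged: HAVE_GETSPNAM, HAVE_GETSPWUID, HAVE_GETPWANAM, HAVE_GETAUTHUID blocks … */
```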
@@ -83,14 +83,9 @@ static char rcsid[] = "$Id$"; #include #include #include -#if (SHADOW_TYPE == SPW_SECUREWARE) -# ifdef __hpux -# include -# else -# include -# endif /* __hpux */ -# include -#endif /* SPW_SECUREWARE */ +#ifdef HAVE_GETPRPWUID +#include +#endif /* HAVE_GETPRPWUID */ #ifdef HAVE_DCE #include #endif /* HAVE_DCE */ @@ -193,9 +188,9 @@ int main(argc, argv) int sudo_mode = MODE_RUN; extern char ** environ; -#if (SHADOW_TYPE == SPW_SECUREWARE) && defined(HAVE_SET_AUTH_PARAMETERS) +#if defined(HAVE_GETPRPWUID) && defined(HAVE_SET_AUTH_PARAMETERS) (void) set_auth_parameters(argc, argv); -#endif /* SPW_SECUREWARE */ +#endif /* HAVE_GETPRPWUID && HAVE_SET_AUTH_PARAMETERS */ Argv = argv; Argc = argc; diff --git a/tgetpass.c b/tgetpass.c index 2b35d2864..b01b5269f 100644 --- a/tgetpass.c +++ b/tgetpass.c @@ -68,14 +68,9 @@ static char rcsid[] = "$Id$"; #include #endif /* HAVE_TERMIO_H */ #endif /* HAVE_TERMIOS_H */ -#if (SHADOW_TYPE == SPW_SECUREWARE) -# ifdef __hpux -# include -# else -# include -# endif /* __hpux */ -# include -#endif /* SPW_SECUREWARE */ +#ifdef HAVE_GETPRPWUID +#include /* for AUTH_MAX_PASSWD_LENGTH */ +#endif /* HAVE_GETPRPWUID */ #include #include "compat.h"