authorJeremy Allison <jra@samba.org>2001-05-02 23:32:19 +0000
committerJeremy Allison <jra@samba.org>2001-05-02 23:32:19 +0000
commit05fe1233deb648f8c77218b9a4e277bade5bd831 (patch)
treedff3fc21d7249ef14e29107cd7f7a7b95ea6e626
parentc92f869b7edc27bd7534eaf903431524d9c2e1d2 (diff)
downloadsamba-05fe1233deb648f8c77218b9a4e277bade5bd831.tar.gz
samba-05fe1233deb648f8c77218b9a4e277bade5bd831.tar.xz
samba-05fe1233deb648f8c77218b9a4e277bade5bd831.zip
Had to add a "pam password change" parameter (defaults to "off") and inlined
the pam password change code to ensure that existing and working password chat scripts don't break with 2.2.1. PAM password changing has to be explicitly requested. Allowed wildcards in pam password change matching (matches password chat script matching). Had to add const (sorry Tim :-) to ms_fnmatch() to stop warnings. Don't worry - the const changes are isolated and don't cause any other warnings :-). Jeremy.
-rw-r--r--source/auth/pampass.c4
-rw-r--r--source/include/local.h4
-rw-r--r--source/include/proto.h4
-rw-r--r--source/lib/ms_fnmatch.c10
-rw-r--r--source/param/loadparm.c4
-rw-r--r--source/passdb/pampass.c4
-rw-r--r--source/smbd/chgpasswd.c96
7 files changed, 57 insertions, 69 deletions
diff --git a/source/auth/pampass.c b/source/auth/pampass.c
index 7ccde695ac7..2d7bdcdf6a9 100644
--- a/source/auth/pampass.c
+++ b/source/auth/pampass.c
@@ -220,9 +220,9 @@ static int smb_pam_passchange_conv(int num_msg,
case PAM_PROMPT_ECHO_OFF:
reply[replies].resp_retcode = PAM_SUCCESS;
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg));
- if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) {
+ if (ms_fnmatch( newpw_prompt, msg[replies]->msg) == 0) {
reply[replies].resp = COPY_STRING(udp->PAM_newpassword);
- } else if (strncmp(repeatpw_prompt, msg[replies]->msg, strlen(repeatpw_prompt)) == 0) {
+ } else if (ms_fnmatch(repeatpw_prompt, msg[replies]->msg) == 0) {
reply[replies].resp = COPY_STRING(udp->PAM_newpassword);
} else {
DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
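Review bot: The two replaced `if` lines change the test from "the PAM prompt begins with the configured text" (strncmp over strlen(prompt)) to "the whole PAM prompt matches the configured pattern" (ms_fnmatch), so a prompt string configured without a trailing `*` stops matching a longer PAM prompt; that deserves a comment at the call, e.g. `/* newpw_prompt / repeatpw_prompt are wildcard patterns matched against the entire PAM prompt, like "passwd chat" */`. ms_fnmatch() also reads the global `Protocol` (visible in the ms_fnmatch.c hunk) and appears to select the LANMAN or NT wildcard rules from it, so the rules applied to an administrator-configured prompt would vary with the SMB protocol level negotiated by whichever client triggered the password change; a protocol-independent matcher such as fnmatch(3) would be more predictable, assuming these prompts only ever come from local PAM modules. Where newpw_prompt and repeatpw_prompt are defined, and the rest of smb_pam_passchange_conv, lie outside this hunk. The identical change appears in the source/passdb/pampass.c hunk and this note applies there too.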
diff --git a/source/include/local.h b/source/include/local.h
index 38dd6547f0d..6e5958e18e7 100644
--- a/source/include/local.h
+++ b/source/include/local.h
@@ -171,11 +171,7 @@
* Default passwd chat script.
*/
-#ifdef WITH_PAM
-#define DEFAULT_PASSWD_CHAT "(current) New Retype"
-#else
#define DEFAULT_PASSWD_CHAT "*new*password* %n\\n *new*password* %n\\n *changed*"
-#endif
/* Minimum length of allowed password when changing UNIX password. */
#define MINPASSWDLENGTH 5
diff --git a/source/include/proto.h b/source/include/proto.h
index 895696c1d2b..2cd3ca2dd4f 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -158,7 +158,7 @@ BOOL message_send_all(TDB_CONTEXT *conn_tdb, int msg_type, void *buf, size_t len
/*The following definitions come from lib/ms_fnmatch.c */
-int ms_fnmatch(char *pattern, char *string);
+int ms_fnmatch(const char *pattern, const char *string);
/*The following definitions come from lib/pidfile.c */
@@ -1788,6 +1788,7 @@ BOOL lp_debug_uid(void);
BOOL lp_browse_list(void);
BOOL lp_nis_home_map(void);
BOOL lp_bind_interfaces_only(void);
+BOOL lp_pam_password_change(void);
BOOL lp_unix_password_sync(void);
BOOL lp_passwd_chat_debug(void);
BOOL lp_nt_smb_support(void);
@@ -3866,7 +3867,6 @@ void process_blocking_lock_queue(time_t t);
BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root);
BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root);
-BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root);
BOOL check_lanman_password(char *user, uchar * pass1,
uchar * pass2, struct smb_passwd **psmbpw);
BOOL change_lanman_password(struct smb_passwd *smbpw, uchar * pass1,
diff --git a/source/lib/ms_fnmatch.c b/source/lib/ms_fnmatch.c
index 4b1545bda1b..87e40049e05 100644
--- a/source/lib/ms_fnmatch.c
+++ b/source/lib/ms_fnmatch.c
@@ -30,9 +30,9 @@
bugger. we need a separate wildcard routine for older versions
of the protocol. This is not yet perfect, but its a lot
better thaan what we had */
-static int ms_fnmatch_lanman_core(char *pattern, char *string)
+static int ms_fnmatch_lanman_core(const char *pattern, const char *string)
{
- char *p = pattern, *n = string;
+ const char *p = pattern, *n = string;
char c;
if (strcmp(p,"?")==0 && strcmp(n,".")==0) goto match;
@@ -111,7 +111,7 @@ next:
return 0;
}
-static int ms_fnmatch_lanman1(char *pattern, char *string)
+static int ms_fnmatch_lanman1(const char *pattern, const char *string)
{
if (!strpbrk(pattern, "?*<>\"")) {
if (strcmp(string,"..") == 0) string = ".";
@@ -135,9 +135,9 @@ static int ms_fnmatch_lanman1(char *pattern, char *string)
Returns 0 on match, -1 on fail.
*/
-int ms_fnmatch(char *pattern, char *string)
+int ms_fnmatch(const char *pattern, const char *string)
{
- char *p = pattern, *n = string;
+ const char *p = pattern, *n = string;
char c;
extern int Protocol;
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 0df9f491b39..78ca8ecb408 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -256,6 +256,7 @@ typedef struct
BOOL bNISHomeMap;
BOOL bTimeServer;
BOOL bBindInterfacesOnly;
+ BOOL bPamPasswordChange;
BOOL bUnixPasswdSync;
BOOL bPasswdChatDebug;
BOOL bTimestampLogs;
@@ -684,6 +685,7 @@ static struct parm_struct parm_table[] = {
{"root dir", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0},
{"root", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0},
+ {"pam password change", P_BOOL, P_GLOBAL, &Globals.bPamPasswordChange, NULL, NULL, 0},
{"passwd program", P_STRING, P_GLOBAL, &Globals.szPasswdProgram, NULL, NULL, 0},
{"passwd chat", P_STRING, P_GLOBAL, &Globals.szPasswdChat, NULL, NULL, 0},
{"passwd chat debug", P_BOOL, P_GLOBAL, &Globals.bPasswdChatDebug, NULL, NULL, 0},
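Review bot: The new "pam password change" parm_table entry is registered unconditionally, but its only consumer in this commit is inside `#ifdef WITH_PAM` in source/smbd/chgpasswd.c, so on a build without PAM an administrator setting `pam password change = yes` silently falls through to the "passwd program"/"passwd chat" path with no diagnostic. Either wrap the entry (and the init_globals default) in the same WITH_PAM condition so the option is rejected where it cannot take effect, or emit a DEBUG(0) warning when it is set on a non-PAM build. The diffstat shows no documentation file changed, so the parameter's contract — it defaults to off and, when on, makes UNIX password changes go through PAM instead of "passwd program"/"passwd chat" — still needs an smb.conf man page entry.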
@@ -1268,6 +1270,7 @@ static void init_globals(void)
Globals.bTimeServer = False;
Globals.bBindInterfacesOnly = False;
Globals.bUnixPasswdSync = False;
+ Globals.bPamPasswordChange = False;
Globals.bPasswdChatDebug = False;
Globals.bNTSmbSupport = True; /* Do NT SMB's by default. */
Globals.bNTPipeSupport = True; /* Do NT pipes by default. */
@@ -1527,6 +1530,7 @@ FN_GLOBAL_BOOL(lp_browse_list, &Globals.bBrowseList)
FN_GLOBAL_BOOL(lp_nis_home_map, &Globals.bNISHomeMap)
static FN_GLOBAL_BOOL(lp_time_server, &Globals.bTimeServer)
FN_GLOBAL_BOOL(lp_bind_interfaces_only, &Globals.bBindInterfacesOnly)
+FN_GLOBAL_BOOL(lp_pam_password_change, &Globals.bPamPasswordChange)
FN_GLOBAL_BOOL(lp_unix_password_sync, &Globals.bUnixPasswdSync)
FN_GLOBAL_BOOL(lp_passwd_chat_debug, &Globals.bPasswdChatDebug)
FN_GLOBAL_BOOL(lp_nt_smb_support, &Globals.bNTSmbSupport)
diff --git a/source/passdb/pampass.c b/source/passdb/pampass.c
index 7ccde695ac7..2d7bdcdf6a9 100644
--- a/source/passdb/pampass.c
+++ b/source/passdb/pampass.c
@@ -220,9 +220,9 @@ static int smb_pam_passchange_conv(int num_msg,
case PAM_PROMPT_ECHO_OFF:
reply[replies].resp_retcode = PAM_SUCCESS;
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg));
- if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) {
+ if (ms_fnmatch( newpw_prompt, msg[replies]->msg) == 0) {
reply[replies].resp = COPY_STRING(udp->PAM_newpassword);
- } else if (strncmp(repeatpw_prompt, msg[replies]->msg, strlen(repeatpw_prompt)) == 0) {
+ } else if (ms_fnmatch(repeatpw_prompt, msg[replies]->msg) == 0) {
reply[replies].resp = COPY_STRING(udp->PAM_newpassword);
} else {
DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c
index 1b879890813..06f48f1002b 100644
--- a/source/smbd/chgpasswd.c
+++ b/source/smbd/chgpasswd.c
@@ -20,9 +20,9 @@
*/
/* fork a child process to exec passwd and write to its
-* tty to change a users password. This is running as the
-* user who is attempting to change the password.
-*/
+ * tty to change a users password. This is running as the
+ * user who is attempting to change the password.
+ */
/*
* This code was copied/borrowed and stolen from various sources.
@@ -53,24 +53,6 @@ extern int DEBUGLEVEL;
#if ALLOW_CHANGE_PASSWORD
-#ifdef WITH_PAM
-BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root)
-{
- BOOL ret;
-
- if (as_root)
- become_root();
-
- ret = smb_pam_passchange(name, oldpass, newpass);
-
- if (as_root)
- unbecome_root();
-
- return ret;
-}
-
-#else /* WITH_PAM */
-
static int findpty(char **slave)
{
int master;
@@ -474,47 +456,28 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root)
/* Take the passed information and test it for minimum criteria */
/* Minimum password length */
- if (strlen(newpass) < lp_min_passwd_length()) /* too short, must be at least MINPASSWDLENGTH */
- {
- DEBUG(0,
- ("Password Change: user %s, New password is shorter than minimum password length = %d\n",
+ if (strlen(newpass) < lp_min_passwd_length()) {
+ /* too short, must be at least MINPASSWDLENGTH */
+ DEBUG(0, ("Password Change: user %s, New password is shorter than minimum password length = %d\n",
name, lp_min_passwd_length()));
return (False); /* inform the user */
}
/* Password is same as old password */
- if (strcmp(oldpass, newpass) == 0) /* don't allow same password */
- {
- DEBUG(2,
- ("Password Change: %s, New password is same as old\n", name)); /* log the attempt */
+ if (strcmp(oldpass, newpass) == 0) {
+ /* don't allow same password */
+ DEBUG(2, ("Password Change: %s, New password is same as old\n", name)); /* log the attempt */
return (False); /* inform the user */
}
- pstrcpy(passwordprogram, lp_passwd_program());
- pstrcpy(chatsequence, lp_passwd_chat());
-
- if (!*chatsequence)
- {
- DEBUG(2, ("Null chat sequence - no password changing\n"));
- return (False);
- }
-
- if (!*passwordprogram)
- {
- DEBUG(2, ("Null password program - no password changing\n"));
- return (False);
- }
-
/*
* Check the old and new passwords don't contain any control
* characters.
*/
len = strlen(oldpass);
- for (i = 0; i < len; i++)
- {
- if (iscntrl((int)oldpass[i]))
- {
+ for (i = 0; i < len; i++) {
+ if (iscntrl((int)oldpass[i])) {
DEBUG(0,
("chat_with_program: oldpass contains control characters (disallowed).\n"));
return False;
@@ -522,16 +485,43 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root)
}
len = strlen(newpass);
- for (i = 0; i < len; i++)
- {
- if (iscntrl((int)newpass[i]))
- {
+ for (i = 0; i < len; i++) {
+ if (iscntrl((int)newpass[i])) {
DEBUG(0,
("chat_with_program: newpass contains control characters (disallowed).\n"));
return False;
}
}
+#ifdef WITH_PAM
+ if (lp_pam_password_change()) {
+ BOOL ret;
+
+ if (as_root)
+ become_root();
+
+ ret = smb_pam_passchange(name, oldpass, newpass);
+
+ if (as_root)
+ unbecome_root();
+
+ return ret;
+ }
+#endif
+
+ pstrcpy(passwordprogram, lp_passwd_program());
+ pstrcpy(chatsequence, lp_passwd_chat());
+
+ if (!*chatsequence) {
+ DEBUG(2, ("Null chat sequence - no password changing\n"));
+ return (False);
+ }
+
+ if (!*passwordprogram) {
+ DEBUG(2, ("Null password program - no password changing\n"));
+ return (False);
+ }
+
pstring_sub(passwordprogram, "%u", name);
/* note that we do NOT substitute the %o and %n in the password program
as this would open up a security hole where the user could use
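Review bot: The inlined PAM branch has no comment explaining why it is placed after Samba's own minimum-length, same-password and control-character checks and before the "passwd program"/"passwd chat" checks, which is a behaviour change from the removed WITH_PAM chgpasswd() that called smb_pam_passchange() directly; suggest `/* PAM path: the checks above still apply, "passwd program" and "passwd chat" are not consulted. */` above the `#ifdef WITH_PAM`. The branch returns `ret` straight from smb_pam_passchange() with no DEBUG line of its own, so a PAM-side failure is indistinguishable in this function's logging from a chat-script failure; presumably smb_pam_passchange() logs, but a DEBUG(3) on a False result here would let operators correlate failed changes with the new option. chgpasswd()'s body starts and ends outside this hunk.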
@@ -544,8 +534,6 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root)
(passwordprogram, name, chatsequence, as_root));
}
-#endif /* WITH_PAM */
-
#else /* ALLOW_CHANGE_PASSWORD */
BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root)