From 374539da4c9e1b4ea5ca889771ce89b27b119f48 Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Fri, 17 Jun 2016 22:29:02 -0400
Subject: PAM: don't trust AsRoot
---
 go/parabola_hackers/nslcd_backend/db_pam.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/go/parabola_hackers/nslcd_backend/db_pam.go b/go/parabola_hackers/nslcd_backend/db_pam.go
index 353fe5e..607c550 100644
--- a/go/parabola_hackers/nslcd_backend/db_pam.go
+++ b/go/parabola_hackers/nslcd_backend/db_pam.go
@@ -137,8 +137,9 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
 	user := o.users[uid]
 	// Check the OldPassword
-	switch req.AsRoot {
-	case 0: /* user password */
+	if req.AsRoot == 1 && cred.Uid == 0 {
+		// bypass the password check
+	} else {
 		if !checkPassword(req.OldPassword, user.Passwd.PwHash) {
 			ret <- p.PAM_PwMod{
 				Result: p.NSLCD_PAM_PERM_DENIED,
@@ -146,11 +147,6 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
 			}
 			return
 		}
-	case 1: /* root password */
-		// do nothing
-	default:
-		logger.Info("Invalid AsRoot value in PwMod request: %d", req.AsRoot)
-		return
 	}
 	// Update the PwHash in memory
-- 
cgit v1.2.3-54-g00ecf
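Review bot: The new `if req.AsRoot == 1 && cred.Uid == 0 { // bypass the password check } else {` has an empty then-branch, and a non-root client that sets AsRoot == 1 is now silently downgraded to the old-password check with no log entry, so an attempt to claim root privilege over the socket leaves no trace. Invert the condition so the password check is the guarded path, `if req.AsRoot != 1 || cred.Uid != 0 {`, and log the downgrade before it, `if req.AsRoot == 1 && cred.Uid != 0 { logger.Info("PwMod: non-root client uid %d requested AsRoot; requiring old password", cred.Uid) }`. Gating the bypass on the peer credential rather than the protocol field is the right fix; this is only about readability and auditability of the same decision. The enclosing PAM_PwMod function begins before this hunk and continues after it.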
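Review bot: Removing the `default:` branch means AsRoot values other than 0 and 1 are no longer rejected or logged; they now fall through to the old-password check and, if that passes, the password change proceeds. No check is skipped by that, but AsRoot is still a client-supplied protocol field and the removed `logger.Info` line was the only record of a malformed request. Keep a range check ahead of the new `if`: `if req.AsRoot != 0 && req.AsRoot != 1 { logger.Info("Invalid AsRoot value in PwMod request: %d", req.AsRoot); return }`, and if `ret` is not closed by a defer outside the hunk, consider sending a PERM_DENIED result before returning, as the failed-password path on the lines above does, so the caller is not left waiting. The rest of PAM_PwMod lies outside this hunk.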