From 013abf64fded40efdd5533114b03e16916cd1314 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Sat, 18 Jun 2016 02:09:56 -0400 Subject: PAM: more special cases --- go/parabola_hackers/nslcd_backend/db_pam.go | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'go/parabola_hackers/nslcd_backend') diff --git a/go/parabola_hackers/nslcd_backend/db_pam.go b/go/parabola_hackers/nslcd_backend/db_pam.go index e20a63f..a0c390f 100644 --- a/go/parabola_hackers/nslcd_backend/db_pam.go +++ b/go/parabola_hackers/nslcd_backend/db_pam.go @@ -44,6 +44,14 @@ func hashPassword(newPassword p.String, oldHash p.String) p.String { return p.String(crypt.Crypt(string(newPassword), salt)) } +func dirExists(path string) bool { + stat, err := os.Stat(path) + if err != nil { + return false + } + return stat.IsDir() +} + func (o *Hackers) PAM_Authentication(cred s.Ucred, req p.Request_PAM_Authentication) <-chan p.PAM_Authentication { o.lock.RLock() ret := make(chan p.PAM_Authentication) @@ -141,6 +149,12 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_ if req.AsRoot == 1 && cred.Uid == 0 { goto update } + // special hack: if the old password is not + // set, but the home directory exists, let the + // user set their password + if string(user.Passwd.PwHash) == "!" && dirExists(string(user.Passwd.HomeDir)) { + goto update + } if !checkPassword(req.OldPassword, user.Passwd.PwHash) { ret <- p.PAM_PwMod{ Result: p.NSLCD_PAM_PERM_DENIED, @@ -149,6 +163,13 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_ return } update: + if len(req.NewPassword) == 0 { + ret <- p.PAM_PwMod{ + Result: p.NSLCD_PAM_PERM_DENIED, + Error: p.String("password cannot be empty"), + } + return + } // Update the PwHash in memory user.Passwd.PwHash = hashPassword(req.NewPassword, user.Passwd.PwHash) -- cgit v1.2.3-54-g00ecf