authorArthur de Jong <arthur@arthurdejong.org>2013-08-20 22:43:10 +0200
committerArthur de Jong <arthur@arthurdejong.org>2013-08-21 21:39:52 +0200
commitd58f163b5aceb570aa7bd41b2c8edb3307a3a980 (patch)
tree92942b165499ed50724a4961300ca025c326f284
parent34365b4e9b43045500b478edb8842b5212e8d3f5 (diff)
Return partial shadow information to non-root users
This also returns everything except the password hash from the shadow database to non-root users (nothing was returned before). This allows non-root users to do PAM authentication in some configurations. On some systems there is a setgid executable that is allowed to read /etc/shadow for authentication by e.g. screensavers. Returning no shadow information will cause pam_unix to deny authorisation in common configurations. See: http://bugs.debian.org/706913
-rw-r--r--nslcd/common.h4
-rw-r--r--nslcd/nslcd.c6
-rw-r--r--nslcd/shadow.c13
3 files changed, 11 insertions, 12 deletions
diff --git a/nslcd/common.h b/nslcd/common.h
index fce92f6..c848e36 100644
--- a/nslcd/common.h
+++ b/nslcd/common.h
@@ -233,8 +233,8 @@ int nslcd_rpc_all(TFILE *fp, MYLDAP_SESSION *session);
int nslcd_service_byname(TFILE *fp, MYLDAP_SESSION *session);
int nslcd_service_bynumber(TFILE *fp, MYLDAP_SESSION *session);
int nslcd_service_all(TFILE *fp, MYLDAP_SESSION *session);
-int nslcd_shadow_byname(TFILE *fp, MYLDAP_SESSION *session);
-int nslcd_shadow_all(TFILE *fp, MYLDAP_SESSION *session);
+int nslcd_shadow_byname(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid);
+int nslcd_shadow_all(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid);
int nslcd_pam_authc(TFILE *fp, MYLDAP_SESSION *session, uid_t calleruid);
int nslcd_pam_authz(TFILE *fp, MYLDAP_SESSION *session);
int nslcd_pam_sess_o(TFILE *fp, MYLDAP_SESSION *session);
diff --git a/nslcd/nslcd.c b/nslcd/nslcd.c
index 59323eb..073f38c 100644
--- a/nslcd/nslcd.c
+++ b/nslcd/nslcd.c
@@ -407,10 +407,8 @@ static void handleconnection(int sock, MYLDAP_SESSION *session)
case NSLCD_ACTION_SERVICE_BYNAME: (void)nslcd_service_byname(fp, session); break;
case NSLCD_ACTION_SERVICE_BYNUMBER: (void)nslcd_service_bynumber(fp, session); break;
case NSLCD_ACTION_SERVICE_ALL: (void)nslcd_service_all(fp, session); break;
- case NSLCD_ACTION_SHADOW_BYNAME: if (uid == 0) (void)nslcd_shadow_byname(fp, session);
- else log_log(LOG_DEBUG, "denied shadow request by non-root user"); break;
- case NSLCD_ACTION_SHADOW_ALL: if (uid == 0) (void)nslcd_shadow_all(fp, session);
- else log_log(LOG_DEBUG, "denied shadow request by non-root user"); break;
+ case NSLCD_ACTION_SHADOW_BYNAME: (void)nslcd_shadow_byname(fp, session, uid); break;
+ case NSLCD_ACTION_SHADOW_ALL: (void)nslcd_shadow_all(fp, session, uid); break;
case NSLCD_ACTION_PAM_AUTHC: (void)nslcd_pam_authc(fp, session, uid); break;
case NSLCD_ACTION_PAM_AUTHZ: (void)nslcd_pam_authz(fp, session); break;
case NSLCD_ACTION_PAM_SESS_O: (void)nslcd_pam_sess_o(fp, session); break;
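Review bot: The two SHADOW `case` lines no longer show that non-root callers are deliberately answered, so a reader of this dispatcher cannot tell that the password hash is withheld further down in write_shadow(); a comment above them, `/* non-root callers get the shadow entry without the password hash; see write_shadow() */`, keeps the policy visible in the one place where uid is already used for other actions. The removed LOG_DEBUG line leaves no trace that a non-root caller asked for shadow data; if that visibility is still wanted, a debug log in write_shadow() when calleruid is non-zero would restore it. handleconnection() starts before this hunk, so where uid comes from is not visible here.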
diff --git a/nslcd/shadow.c b/nslcd/shadow.c
index 6e84d36..031bf4d 100644
--- a/nslcd/shadow.c
+++ b/nslcd/shadow.c
@@ -216,7 +216,8 @@ void get_shadow_properties(MYLDAP_ENTRY *entry, long *lastchangedate,
}
}
-static int write_shadow(TFILE *fp, MYLDAP_ENTRY *entry, const char *requser)
+static int write_shadow(TFILE *fp, MYLDAP_ENTRY *entry, const char *requser,
+ uid_t calleruid)
{
int32_t tmpint32;
const char **usernames;
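Review bot: write_shadow() gains a `calleruid` parameter without any comment stating what it controls, and the signature alone does not say that it gates the password hash. A header comment such as `/* write the shadow entry for entry to fp; the password hash is only included when calleruid is 0 (root), other callers get default_shadow_userPassword */` would document the contract at the definition instead of leaving it to a condition further down the function. The body of write_shadow() continues outside this hunk.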
@@ -241,7 +242,7 @@ static int write_shadow(TFILE *fp, MYLDAP_ENTRY *entry, const char *requser)
/* get password */
passwd = get_userpassword(entry, attmap_shadow_userPassword,
passbuffer, sizeof(passbuffer));
- if (passwd == NULL)
+ if ((passwd == NULL) || (calleruid != 0))
passwd = default_shadow_userPassword;
/* get expiry properties */
get_shadow_properties(entry, &lastchangedate, &mindays, &maxdays, &warndays,
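Review bot: For a non-root caller the hash is still fetched from the LDAP entry into passbuffer by get_userpassword() and only afterwards replaced, so the secret is copied into a stack buffer for a caller who will never receive it. Checking the uid first avoids that copy: `passwd = (calleruid == 0) ? get_userpassword(entry, attmap_shadow_userPassword, passbuffer, sizeof(passbuffer)) : NULL;` followed by the existing `if (passwd == NULL) passwd = default_shadow_userPassword;`. The `/* get password */` comment should also say why the uid matters, e.g. `/* only root may see the real hash; other callers get the default value */`. Whether get_userpassword() has side effects the existing path relies on is not visible here, so confirm before reordering; passbuffer's declaration is also outside this hunk.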
@@ -299,20 +300,20 @@ MYLDAP_ENTRY *shadow_uid2entry(MYLDAP_SESSION *session, const char *username,
return NULL;
}
-NSLCD_HANDLE(
+NSLCD_HANDLE_UID(
shadow, byname, NSLCD_ACTION_SHADOW_BYNAME,
char name[256];
char filter[4096];
READ_STRING(fp, name);
log_setrequest("shadow=\"%s\"", name);,
mkfilter_shadow_byname(name, filter, sizeof(filter)),
- write_shadow(fp, entry, name)
+ write_shadow(fp, entry, name, calleruid)
)
-NSLCD_HANDLE(
+NSLCD_HANDLE_UID(
shadow, all, NSLCD_ACTION_SHADOW_ALL,
const char *filter;
log_setrequest("shadow(all)");,
(filter = shadow_filter, 0),
- write_shadow(fp, entry, NULL)
+ write_shadow(fp, entry, NULL, calleruid)
)
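Review bot: Both handlers now pass `calleruid` to write_shadow(), but the identifier is not declared anywhere in this file's visible code — it is bound by the NSLCD_HANDLE_UID macro, presumably matching the `uid_t calleruid` parameter of the prototypes in common.h. A comment above the first handler, `/* NSLCD_HANDLE_UID provides calleruid, the uid of the requesting process */`, would spare the next reader a trip to the macro definition. The `all` handler now answers non-root callers too, so any local user can enumerate shadow entries minus the hash; that is the intended change per the commit message, but it is worth stating in that comment as well.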