Re: pam_wheel

2001-08-08 Thread Mark Murray

> This piece obviously has at least two errors. First, if PAM_OPT_AUTH_AS_SELF
> is true, then value of user is undefined. It should probably log
> pwd->pw_name instead. Second, check for root must of course be reversed
> and become if (!pwd->pw_uid).

Fixed locally. Commit coming soon.

M
-- 
Mark Murray
Warning: this .sig is umop ap!sdn

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-hackers in the body of the message



[PATCH] pam_wheel fix

2001-08-07 Thread Eugene L. Vorokov

Hello,

Can anyone please commit this fix to the pam_wheel authentication module? It
fixes two problems I mentioned in my previous mail (currently for any
non-root user PAM_IGNORE is returned, and in case of auth_as_self and
debug options used together it logs strange things instead of the username).

The patch must be applied in src/lib/libpam/modules/pam_wheel/

Regards,
Eugene



--- pam_wheel_old.c Tue Aug  7 17:46:20 2001
+++ pam_wheel.c Tue Aug  7 17:48:04 2001
@@ -84,11 +84,14 @@
PAM_RETURN(retval);
pwd = getpwnam(user);
}
+   
+   if (!pwd)
+   PAM_RETURN(PAM_IGNORE);
 
-   PAM_LOG(Got user: %s, user);
+   PAM_LOG(Got user: %s, pwd-pw_name);
 
/* Ignore if already uid 0 */
-   if (pwd-pw_uid)
+   if (!pwd-pw_uid)
PAM_RETURN(PAM_IGNORE);
 
PAM_LOG(Not superuser);
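
Review bot: the new `if (!pwd)` branch returns PAM_IGNORE, so a failed getpwnam() lookup makes the module abstain and the wheel check is skipped, which is the same fail-open result the reversed uid test in this hunk is meant to remove. Consider failing closed there, for example `PAM_RETURN(PAM_AUTH_ERR);`, and logging the failed lookup before returning. The added blank line above the check also carries trailing whitespace.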



pam_wheel

2001-08-06 Thread Eugene L. Vorokov

Hello,

The pam_wheel authentication module seems to be broken in -current. Look at
this (from src/lib/libpam/modules/pam_wheel):

PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
	struct options options;
	struct passwd *pwd;
	struct group *grp;
	int retval;
	const char *user;
	char *use_group;

	pam_std_option(&options, other_options, argc, argv);

	PAM_LOG("Options processed");

	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL))
		pwd = getpwnam(getlogin());
	else {
		retval = pam_get_user(pamh, &user, NULL);
		if (retval != PAM_SUCCESS)
			PAM_RETURN(retval);
		pwd = getpwnam(user);
	}

	PAM_LOG("Got user: %s", user);

	/* Ignore if already uid 0 */
	if (pwd->pw_uid)
		PAM_RETURN(PAM_IGNORE);

	PAM_LOG("Not superuser");

This piece obviously has at least two errors. First, if PAM_OPT_AUTH_AS_SELF
is true, then the value of user is undefined. It should probably log
pwd->pw_name instead. Second, the check for root must of course be reversed
and become if (!pwd->pw_uid).

The way it works now, it always returns PAM_IGNORE for all non-root users,
which results in allowing su for anyone who knows the root password.

Or am I missing something again ? 8=)

Regards,
Eugene
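
An added example, not part of the original post and not FreeBSD's code: a self-contained C model of the fail-open behaviour described in the message above, comparing the uid test as posted with the reversed test from the patch. The return-code names, the sample accounts, the wheel-membership step and the two-module stack are simplifying assumptions.

```c
#include <stdio.h>

/* Stand-ins for PAM_SUCCESS, PAM_IGNORE and a denial result (assumed names). */
enum rc { RC_SUCCESS, RC_IGNORE, RC_DENIED };

/* Constructed sample accounts: only the fields this model needs. */
struct acct { const char *name; unsigned uid; int in_wheel; };
static const struct acct GUEST = { "guest", 1001, 0 };
static const struct acct ADMIN = { "admin", 1002, 1 };

/* Assumed remainder of the module: allow wheel members, deny everyone else. */
static enum rc membership(const struct acct *a)
{
    return a->in_wheel ? RC_SUCCESS : RC_DENIED;
}

/* uid test as quoted in the post: every non-root account is ignored. */
static enum rc wheel_as_posted(const struct acct *a)
{
    return a->uid ? RC_IGNORE : membership(a);
}

/* uid test as reversed by the patch: only uid 0 is ignored. */
static enum rc wheel_as_patched(const struct acct *a)
{
    return !a->uid ? RC_IGNORE : membership(a);
}

/* Simplified two-module stack, both required: wheel check, then root password.
 * An ignored result contributes nothing; any denial fails the whole stack. */
static int su_allowed(enum rc (*wheel)(const struct acct *),
                      const struct acct *a, int knows_root_pw)
{
    enum rc pw = knows_root_pw ? RC_SUCCESS : RC_DENIED;
    return wheel(a) != RC_DENIED && pw != RC_DENIED;
}

int main(void)
{
    const struct acct *who[] = { &GUEST, &ADMIN };
    for (int i = 0; i < 2; i++)
        printf("%-5s posted=%d patched=%d\n", who[i]->name,
               su_allowed(wheel_as_posted, who[i], 1),
               su_allowed(wheel_as_patched, who[i], 1));
    return 0;
}
```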

