author | Darren Tucker <dtucker@zip.com.au> | 2004-08-16 23:12:05 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2004-08-16 23:12:05 +1000 |
commit | 21dd0897d53b5850c3fe1dff43494db3024e3d97 (patch) | |
tree | 726cc8d8f72b2a22209bc13a730018db055985e9 /auth-pam.c | |
parent | 0cbc3c65094079b5908b3357d69e6cf7b1d94a80 (diff) |
- (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
to convince Solaris PAM to honour password complexity rules. ok djm@
Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 27 |
1 files changed, 26 insertions, 1 deletions
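--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.113 2004/07/21 10:54:47 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -201,6 +201,31 @@ pam_getenvlist(pam_handle_t *pamh)
 }
 #endif
 
+/*
+* Some platforms, notably Solaris, do not enforce password complexity
+* rules during pam_chauthtok() if the real uid of the calling process
+* is 0, on the assumption that it's being called by "passwd" run by root.
+* This wraps pam_chauthtok and sets/restore the real uid so PAM will do
+* the right thing.
+*/
+#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID
+static int
+sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
+{
+int result;
+
+if (sshpam_authctxt == NULL)
+fatal("PAM: sshpam_authctxt not initialized");
+if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1)
+fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+result = pam_chauthtok(pamh, flags);
+if (setreuid(0, -1) == -1)
+fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+return result;
+}
+# define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b)))
+#endif
+
 void
 sshpam_password_change_required(int reqd)
 {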
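Review bot: In sshpam_chauthtok_ruid the process runs pam_chauthtok() with the authenticating user's real uid while the effective uid stays 0, and the comment above the wrapper does not say what that window exposes. On systems where signal permission is checked against the target's real uid, other processes owned by that user could presumably signal this process during the password change, so I would add a line such as `/* NB: between the two setreuid() calls the user's own processes may be able to signal us; do nothing else in this window. */`. The guard checks only `sshpam_authctxt`, while `sshpam_authctxt->pw` is dereferenced on the next line; if `pw` can be NULL on this path (not visible here), extend it to `if (sshpam_authctxt == NULL || sshpam_authctxt->pw == NULL)`. It is also worth a comment that the `pam_chauthtok` macro must stay below the wrapper, since the wrapper's own call has to reach the library function rather than recurse.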