- (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root

   to convince Solaris PAM to honour password complexity rules.  ok djm@

1 files changed, 26 insertions, 1 deletions

diff --git a/auth-pam.c b/auth-pam.c
index 7d610d0bb..b93241f48 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -47,7 +47,7 @@
 
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.113 2004/07/21 10:54:47 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -201,6 +201,31 @@ pam_getenvlist(pam_handle_t *pamh)
 }
 #endif
 
+/*
+ * Some platforms, notably Solaris, do not enforce password complexity
+ * rules during pam_chauthtok() if the real uid of the calling process
+ * is 0, on the assumption that it's being called by "passwd" run by root.
+ * This wraps pam_chauthtok and sets/restore the real uid so PAM will do
+ * the right thing.
+ */
+#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID
+static int
+sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
+{
+        int result;
+
+        if (sshpam_authctxt == NULL)
+                fatal("PAM: sshpam_authctxt not initialized");
+        if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1)
+                fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+        result = pam_chauthtok(pamh, flags);
+        if (setreuid(0, -1) == -1)
+                fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+        return result;
+}
+# define pam_chauthtok(a,b)     (sshpam_chauthtok_ruid((a), (b)))
+#endif
+
 void
 sshpam_password_change_required(int reqd)
 {