diff options
author | Colin Watson <cjwatson@debian.org> | 2003-09-01 18:42:19 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-01 18:42:19 +0000 |
commit | 8d6b7f4c46de3feb66f704ab483e51ea1a3bb0e1 (patch) | |
tree | 41fe3dd71501bbec5b0393f1536c925eaee180e9 /auth.c | |
parent | f045c69060bfdd5cf8759a5f29d7008d02e4de5b (diff) | |
parent | 58bfa257481a1c6938ada9bbd38801cc45633fb0 (diff) |
Debian release 3.6p1-1.
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 50 |
1 files changed, 32 insertions, 18 deletions
@@ -23,7 +23,7 @@ | |||
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $"); | 26 | RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $"); |
27 | 27 | ||
28 | #ifdef HAVE_LOGIN_H | 28 | #ifdef HAVE_LOGIN_H |
29 | #include <login.h> | 29 | #include <login.h> |
@@ -79,17 +79,20 @@ allowed_user(struct passwd * pw) | |||
79 | char *loginmsg; | 79 | char *loginmsg; |
80 | #endif /* WITH_AIXAUTHENTICATE */ | 80 | #endif /* WITH_AIXAUTHENTICATE */ |
81 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ | 81 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ |
82 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | 82 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) |
83 | struct spwd *spw; | 83 | struct spwd *spw; |
84 | time_t today; | ||
85 | #endif | ||
84 | 86 | ||
85 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | 87 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ |
86 | if (!pw || !pw->pw_name) | 88 | if (!pw || !pw->pw_name) |
87 | return 0; | 89 | return 0; |
88 | 90 | ||
91 | #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ | ||
92 | !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) | ||
89 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ | 93 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ |
90 | spw = getspnam(pw->pw_name); | 94 | if ((spw = getspnam(pw->pw_name)) != NULL) { |
91 | if (spw != NULL) { | 95 | today = time(NULL) / DAY; |
92 | time_t today = time(NULL) / DAY; | ||
93 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" | 96 | debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" |
94 | " sp_max %d", (int)today, (int)spw->sp_expire, | 97 | " sp_max %d", (int)today, (int)spw->sp_expire, |
95 | (int)spw->sp_lstchg, (int)spw->sp_max); | 98 | (int)spw->sp_lstchg, (int)spw->sp_max); |
@@ -116,10 +119,6 @@ allowed_user(struct passwd * pw) | |||
116 | return 0; | 119 | return 0; |
117 | } | 120 | } |
118 | } | 121 | } |
119 | #else | ||
120 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | ||
121 | if (!pw || !pw->pw_name) | ||
122 | return 0; | ||
123 | #endif | 122 | #endif |
124 | 123 | ||
125 | /* | 124 | /* |
@@ -202,7 +201,15 @@ allowed_user(struct passwd * pw) | |||
202 | } | 201 | } |
203 | 202 | ||
204 | #ifdef WITH_AIXAUTHENTICATE | 203 | #ifdef WITH_AIXAUTHENTICATE |
205 | if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { | 204 | /* |
205 | * Don't check loginrestrictions() for root account (use | ||
206 | * PermitRootLogin to control logins via ssh), or if running as | ||
207 | * non-root user (since loginrestrictions will always fail). | ||
208 | */ | ||
209 | if ((pw->pw_uid != 0) && (geteuid() == 0) && | ||
210 | loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { | ||
211 | int loginrestrict_errno = errno; | ||
212 | |||
206 | if (loginmsg && *loginmsg) { | 213 | if (loginmsg && *loginmsg) { |
207 | /* Remove embedded newlines (if any) */ | 214 | /* Remove embedded newlines (if any) */ |
208 | char *p; | 215 | char *p; |
@@ -212,9 +219,13 @@ allowed_user(struct passwd * pw) | |||
212 | } | 219 | } |
213 | /* Remove trailing newline */ | 220 | /* Remove trailing newline */ |
214 | *--p = '\0'; | 221 | *--p = '\0'; |
215 | log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); | 222 | log("Login restricted for %s: %.100s", pw->pw_name, |
223 | loginmsg); | ||
216 | } | 224 | } |
217 | return 0; | 225 | /* Don't fail if /etc/nologin set */ |
226 | if (!(loginrestrict_errno == EPERM && | ||
227 | stat(_PATH_NOLOGIN, &st) == 0)) | ||
228 | return 0; | ||
218 | } | 229 | } |
219 | #endif /* WITH_AIXAUTHENTICATE */ | 230 | #endif /* WITH_AIXAUTHENTICATE */ |
220 | 231 | ||
@@ -417,6 +428,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, | |||
417 | uid_t uid = pw->pw_uid; | 428 | uid_t uid = pw->pw_uid; |
418 | char buf[MAXPATHLEN], homedir[MAXPATHLEN]; | 429 | char buf[MAXPATHLEN], homedir[MAXPATHLEN]; |
419 | char *cp; | 430 | char *cp; |
431 | int comparehome = 0; | ||
420 | struct stat st; | 432 | struct stat st; |
421 | 433 | ||
422 | if (realpath(file, buf) == NULL) { | 434 | if (realpath(file, buf) == NULL) { |
@@ -424,11 +436,8 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, | |||
424 | strerror(errno)); | 436 | strerror(errno)); |
425 | return -1; | 437 | return -1; |
426 | } | 438 | } |
427 | if (realpath(pw->pw_dir, homedir) == NULL) { | 439 | if (realpath(pw->pw_dir, homedir) != NULL) |
428 | snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir, | 440 | comparehome = 1; |
429 | strerror(errno)); | ||
430 | return -1; | ||
431 | } | ||
432 | 441 | ||
433 | /* check the open file to avoid races */ | 442 | /* check the open file to avoid races */ |
434 | if (fstat(fileno(f), &st) < 0 || | 443 | if (fstat(fileno(f), &st) < 0 || |
@@ -457,7 +466,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, | |||
457 | } | 466 | } |
458 | 467 | ||
459 | /* If are passed the homedir then we can stop */ | 468 | /* If are passed the homedir then we can stop */ |
460 | if (strcmp(homedir, buf) == 0) { | 469 | if (comparehome && strcmp(homedir, buf) == 0) { |
461 | debug3("secure_filename: terminating check at '%s'", | 470 | debug3("secure_filename: terminating check at '%s'", |
462 | buf); | 471 | buf); |
463 | break; | 472 | break; |
@@ -487,6 +496,11 @@ getpwnamallow(const char *user) | |||
487 | if (pw == NULL) { | 496 | if (pw == NULL) { |
488 | log("Illegal user %.100s from %.100s", | 497 | log("Illegal user %.100s from %.100s", |
489 | user, get_remote_ipaddr()); | 498 | user, get_remote_ipaddr()); |
499 | #ifdef WITH_AIXAUTHENTICATE | ||
500 | loginfailed(user, | ||
501 | get_canonical_hostname(options.verify_reverse_mapping), | ||
502 | "ssh"); | ||
503 | #endif | ||
490 | return (NULL); | 504 | return (NULL); |
491 | } | 505 | } |
492 | if (!allowed_user(pw)) | 506 | if (!allowed_user(pw)) |