[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-unstable-611-g0723760

Jeremy Allison jra at samba.org
Thu Dec 13 01:27:25 GMT 2007


The branch, v3-2-test has been updated
       via  0723760ba47a465d2ff5a22a680f1b5196eca7d8 (commit)
      from  507247dcbf0ef02825a6c5c5f313813714df2d99 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit 0723760ba47a465d2ff5a22a680f1b5196eca7d8
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 12 17:26:49 2007 -0800

    Fix bug #3727 with patch from Steve Langasek <vorlon at debian.org>
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/pam_smbpass/pam_smb_acct.c   |    5 +++++
 source/pam_smbpass/pam_smb_auth.c   |    8 +++++++-
 source/pam_smbpass/pam_smb_passwd.c |    5 +++++
 source/utils/smbpasswd.c            |    4 ++++
 4 files changed, 21 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/pam_smbpass/pam_smb_acct.c b/source/pam_smbpass/pam_smb_acct.c
index c7622fb..59ed4ee 100644
--- a/source/pam_smbpass/pam_smb_acct.c
+++ b/source/pam_smbpass/pam_smb_acct.c
@@ -77,6 +77,11 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
 		_log_err( LOG_DEBUG, "acct: username [%s] obtained", name );
 	}
 
+	if (geteuid() != 0) {
+		_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
+		return PAM_AUTHINFO_UNAVAIL;
+	}
+
 	/* Getting into places that might use LDAP -- protect the app
 		from a SIGPIPE it's not expecting */
 	oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
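Review bot: The added `_log_err(pamh, LOG_DEBUG, ...)` call passes `pamh` first, while the context call a few lines above in the same function is `_log_err( LOG_DEBUG, "acct: username [%s] obtained", name )`. The prototype is not visible here, but if `_log_err` still takes the priority first, the new call supplies a pointer as the priority and `LOG_DEBUG` as the format string, so the root check would not build cleanly or would misbehave. To match the pam_smb_auth.c hunk, the line should read `_log_err( LOG_DEBUG, "Cannot access samba password database, not running as root.");`. The same mismatch appears in the pam_smb_passwd.c hunk of this commit, where the added body is also tab-indented inside a four-space block. pam_sm_acct_mgmt starts and ends outside the hunk.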
diff --git a/source/pam_smbpass/pam_smb_auth.c b/source/pam_smbpass/pam_smb_auth.c
index 79856a1..3a841ad 100644
--- a/source/pam_smbpass/pam_smb_auth.c
+++ b/source/pam_smbpass/pam_smb_auth.c
@@ -108,6 +108,12 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 		_log_err( LOG_DEBUG, "username [%s] obtained", name );
 	}
 
+	if (geteuid() != 0) {
+		_log_err( LOG_DEBUG, "Cannot access samba password database, not running as root.");
+		retval = PAM_AUTHINFO_UNAVAIL;
+		AUTH_RETURN;
+	}
+
 	if (!initialize_password_db(True, NULL)) {
 		_log_err( LOG_ALERT, "Cannot access samba password database" );
 		retval = PAM_AUTHINFO_UNAVAIL;
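Review bot: The new non-root branch logs at `LOG_DEBUG`, whereas the adjacent failure that returns the same `PAM_AUTHINFO_UNAVAIL` logs at `LOG_ALERT`. An authentication attempt refused for lack of root is therefore likely to leave no trace unless debug-level syslog is being collected. If the quiet level is deliberate, for instance because unprivileged PAM clients are expected to hit this routinely, a comment would record that: `/* expected for unprivileged PAM clients; kept at LOG_DEBUG to avoid log noise */`. Otherwise a level such as `LOG_NOTICE` would make a service running the module without root visible to the administrator. pam_sm_authenticate continues outside the hunk.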
@@ -136,7 +142,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 		sampass = NULL;
 		AUTH_RETURN;
 	}
-   
+
 	/* if this user does not have a password... */
 
 	if (_smb_blankpasswd( ctrl, sampass )) {
diff --git a/source/pam_smbpass/pam_smb_passwd.c b/source/pam_smbpass/pam_smb_passwd.c
index f0fa018..de53107 100644
--- a/source/pam_smbpass/pam_smb_passwd.c
+++ b/source/pam_smbpass/pam_smb_passwd.c
@@ -129,6 +129,11 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
         _log_err( LOG_DEBUG, "username [%s] obtained", user );
     }
 
+    if (geteuid() != 0) {
+	_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
+	return PAM_AUTHINFO_UNAVAIL;
+    }
+
     /* Getting into places that might use LDAP -- protect the app
        from a SIGPIPE it's not expecting */
     oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
diff --git a/source/utils/smbpasswd.c b/source/utils/smbpasswd.c
index ea3bb38..deed08f 100644
--- a/source/utils/smbpasswd.c
+++ b/source/utils/smbpasswd.c
@@ -94,6 +94,10 @@ static int process_options(int argc, char **argv, int local_flags)
 	while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
 		switch(ch) {
 		case 'L':
+			if (getuid() != 0) {
+				fprintf(stderr, "smbpasswd -L can only be used by root.\n");
+				exit(1);
+			}
 			local_flags |= LOCAL_AM_ROOT;
 			break;
 		case 'c':
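Review bot: The `-L` guard tests `getuid()` while the three PAM hunks in this commit test `geteuid()`, and nothing at the check says the difference is intended. The real UID looks like the right choice here, since `-L` sets `LOCAL_AM_ROOT` and an elevated effective UID alone should presumably not be enough to claim it. That reasoning is inferred from the hunk and is worth writing down: `/* real UID on purpose: -L turns on LOCAL_AM_ROOT, so only an actual root caller may request it */`. process_options starts and ends outside the hunk.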


-- 
Samba Shared Repository

