[PATCH] More null passwords :-)

Andrew Bartlett abartlet at pcug.org.au
Tue Apr 17 08:58:45 GMT 2001


This code, in passdb/pass_check.c:pass_check() does not give me warm
fuzzy feelings :-(

We seem to be out to second-guess PAM.  I suggest wrapping almost the
entire function in an #ifndef WITH_PAM.  As a bonus, it will be faster,
as we don't need to do a getpwnam for PAM anyway.

	fstrcpy(this_crypted, pass->pw_passwd);

	if (!*this_crypted) {
		if (!lp_null_passwords()) {
			DEBUG(2, ("Disallowing %s with null password\n",
				  this_user));
			return (False);
		}
		if (!*password) {
			DEBUG(3,
			      ("Allowing access to %s with null password\n",
			       this_user));
			return (True);
		}
	}

Untested patch (again, sorry - but similar code seems to be functioning
in my development version) attached.  (This is mainly just a heads up so
it doesn't miss the release).

Note that with my patch we push the issue of accounts with 'anything'
passwords back to PAM; it's up to PAM to allow or deny access to those
accounts.  There is little Samba could do in that situation anyway.  If
PAM allows access to these accounts, I don't think it's for Samba to do
anything about it.  (Samba should however still stop nulls being passed
as passwords, as most of the time these just waste CPU time and logfile
entries).

Andrew Bartlett
abartlet at pcug.org.au

-------------- next part --------------
Index: source/passdb/pass_check.c
===================================================================
RCS file: /cvsroot/samba/source/passdb/pass_check.c,v
retrieving revision 1.11.4.3
diff -u -r1.11.4.3 pass_check.c
--- source/passdb/pass_check.c	2001/04/10 19:43:12	1.11.4.3
+++ source/passdb/pass_check.c	2001/04/17 08:47:44
@@ -686,7 +686,8 @@
 {
 	pstring pass2;
 	int level = lp_passwordlevel();
-	struct passwd *pass;
+
+	fstrcpy(this_user, user);
 
 	if (password)
 		password[pwlen] = 0;
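Review bot: The added fstrcpy(this_user, user) runs before user is known to be non-NULL. The next hunk still has `if (pwd && !user)`, so callers may pass user as NULL and rely on pwd; in that case this copy is handed a NULL pointer, and this_user never picks up pass->pw_name. Move the copy to after user has been resolved, or guard it with a check on user.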
@@ -701,6 +702,10 @@
 	if (((!*password) || (!pwlen)) && !lp_null_passwords())
 		return (False);
 
+#ifndef WITH_PAM
+      {
+	struct passwd *pass;
+
 	if (pwd && !user) {
 		pass = (struct passwd *)pwd;
 		user = pass->pw_name;
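Review bot: The #ifndef WITH_PAM opened here also encloses the `if (pwd && !user)` fallback, so a WITH_PAM build never sets user from pwd and the code after the #endif sees user exactly as passed in, possibly NULL. Consider keeping that fallback outside the conditional (it only needs a cast of pwd) and wrapping just the lookup and crypt handling. The opening `{` is also indented with spaces where the surrounding lines use tabs.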
@@ -777,7 +782,6 @@
 #endif
 
 	/* extract relevant info */
-	fstrcpy(this_user, pass->pw_name);
 	fstrcpy(this_salt, pass->pw_passwd);
 
 #if defined(HAVE_TRUNCATED_SALT)
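Review bot: Dropping fstrcpy(this_user, pass->pw_name) changes where this_user comes from in non-PAM builds as well: it is now the caller's string copied at the top of the function rather than the name held in the passwd entry. If the two can differ, later uses of this_user change behaviour. Either keep this line inside the non-PAM block so it overrides the early copy, or add a comment stating that the change is intended.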
@@ -801,6 +805,8 @@
 			return (True);
 		}
 	}
+      }
+#endif /* not WITH_PAM */
 
 	/* try it as it came to us */
 	if (password_check(password)) {
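Review bot: With the block closed at the added #endif, a WITH_PAM build reaches password_check(password) without this_salt ever being filled in, because the fstrcpy into it sits inside the conditional. Please confirm that password_check() in a PAM build does not depend on it, and record that in a comment next to the #endif, since the covering message describes the patch as untested.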
