[SECURITY][PATCH] PAM change reverses test for valid password

Andrew Bartlett abartlet at pcug.org.au
Tue May 1 08:40:26 GMT 2001

The change to the PAM setup to use NT_STATUS constants had an
unfortunate side-effect - it reversed the check for a password being
valid, ie WRONG passwords are considered correct.

This affects both plaintext logins and SWAT.  My patch (on which the
changes were based) included changes that made this not entirely obvious
when the patch was not applied in full.  (I'll be more careful about my
comments in future).

The error was introduced into the CVS tree at Mon Apr 30 20:37:44 2001

This patch also fixes some bugs introduced in the PAM changes that made
correct plain-text authentication impossible.

This patch is tested in regard to smbd authentications.

Andrew Bartlett
abartlet at pcug.org.au

Andrew Bartlett
abartlet at pcug.org.au
-------------- next part --------------
Index: source/passdb/pampass.c
RCS file: /cvsroot/samba/source/passdb/pampass.c,v
retrieving revision
diff -u -r1.1.2.19 pampass.c
--- source/passdb/pampass.c	2001/05/01 01:26:16
+++ source/passdb/pampass.c	2001/05/01 08:32:58
@@ -664,9 +664,9 @@
 	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
-		return False;
-	if (!smb_pam_start(&pamh, user, NULL, NULL))
+	if (!smb_pam_start(&pamh, user, NULL, pconv))
 	if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_NOPROBLEMO) {
Index: source/passdb/pass_check.c
RCS file: /cvsroot/samba/source/passdb/pass_check.c,v
retrieving revision
diff -u -r1.11.4.5 pass_check.c
--- source/passdb/pass_check.c	2001/04/23 04:08:29
+++ source/passdb/pass_check.c	2001/05/01 08:32:59
@@ -599,7 +599,7 @@
 #ifdef WITH_PAM
-	return (smb_pam_passcheck(this_user, password));
+	return (smb_pam_passcheck(this_user, password) == NT_STATUS_NOPROBLEMO);
 #endif /* WITH_PAM */
 #ifdef WITH_AFS

More information about the samba-technical mailing list