[SECURITY][PATCH] PAM change reverses test for valid password
Andrew Bartlett
abartlet at pcug.org.au
Tue May 1 08:40:26 GMT 2001
The change to the PAM setup to use NT_STATUS constants had an
unfortunate side-effect - it reversed the check for a password being
valid, ie WRONG passwords are considered correct.
This affects both plaintext logins and SWAT. My patch (on which the
changes were based) included changes that made this not entirely obvious
when the patch was not applied in full. (I'll be more careful about my
comments in future).
The error was introduced into the CVS tree at Mon Apr 30 20:37:44 2001
UTC
This patch also fixes some bugs introduced in the PAM changes that made
correct plain-text authentication impossible.
This patch is tested in regard to smbd authentications.
Andrew Bartlett
abartlet at pcug.org.au
--
Andrew Bartlett
abartlet at pcug.org.au
-------------- next part --------------
Index: source/passdb/pampass.c
===================================================================
RCS file: /cvsroot/samba/source/passdb/pampass.c,v
retrieving revision 1.1.2.19
diff -u -r1.1.2.19 pampass.c
--- source/passdb/pampass.c 2001/05/01 01:26:16 1.1.2.19
+++ source/passdb/pampass.c 2001/05/01 08:32:58
@@ -664,9 +664,9 @@
*/
if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, password, NULL)) == NULL)
- return False;
+ return NT_STATUS_LOGON_FAILURE;
- if (!smb_pam_start(&pamh, user, NULL, NULL))
+ if (!smb_pam_start(&pamh, user, NULL, pconv))
return NT_STATUS_LOGON_FAILURE;
if ((nt_status = smb_pam_auth(pamh, user)) != NT_STATUS_NOPROBLEMO) {
Index: source/passdb/pass_check.c
===================================================================
RCS file: /cvsroot/samba/source/passdb/pass_check.c,v
retrieving revision 1.11.4.5
diff -u -r1.11.4.5 pass_check.c
--- source/passdb/pass_check.c 2001/04/23 04:08:29 1.11.4.5
+++ source/passdb/pass_check.c 2001/05/01 08:32:59
@@ -599,7 +599,7 @@
{
#ifdef WITH_PAM
- return (smb_pam_passcheck(this_user, password));
+ return (smb_pam_passcheck(this_user, password) == NT_STATUS_NOPROBLEMO);
#endif /* WITH_PAM */
#ifdef WITH_AFS
More information about the samba-technical
mailing list