[SECURITY][PATCH] PAM change reverses test for valid password

Jeremy Allison jeremy at valinux.com
Tue May 1 16:56:40 GMT 2001


On Tue, May 01, 2001 at 06:40:26PM +1000, Andrew Bartlett wrote:
> The change to the PAM setup to use NT_STATUS constants had an
> unfortunate side-effect - it reversed the check for a password being
> valid, i.e. WRONG passwords are considered correct.
> 
> This affects both plaintext logins and SWAT.  My patch (on which the
> changes were based) included changes that made this not entirely obvious
> when the patch was not applied in full.  (I'll be more careful about my
> comments in future).
> 
> The error was introduced into the CVS tree at Mon Apr 30 20:37:44 2001
> UTC
> 
> This patch also fixes some bugs introduced in the PAM changes that made
> correct plain-text authentication impossible.
> 

Thanks Andrew for the tidyups, I've committed them in 2.2
and HEAD. What did you think of the other changes to the
patch? I removed the use of the global variables, and
added the userdata pointer stuff in the dynamic pwconv
code instead. I also changed the style of:

if (do_something == success)
    if (do_something_else == success)
        if (do_another_thing == success)
            return success;
return fail;

To the (much preferable in Tridge's and my opinion) style
of:

if (do_something != success)
    return Fail;
if (do_something_else != success)
    return Fail;
if (do_another_thing != success)
    return Fail;
return success;

As this style of code is *much* easier to understand.

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
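
The guard-clause style described above, with a boolean wrapper in its inverted and corrected forms, as an added example that is not Samba's code or part of the original message. All names (status_t, ST_*, step_*, check_password, login_allowed*) and the sample accounts are hypothetical, and the truthiness mix-up shown is only one assumed way such a reversal can arise; the message does not show the actual defect.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical status type: 0 means success, nonzero is a specific failure. */
typedef unsigned int status_t;
#define ST_OK            0u
#define ST_LOGON_FAILURE 1u
#define ST_ACCT_DISABLED 2u

/* Constructed sample accounts, standing in for the real authentication calls. */
static status_t step_authenticate(const char *user, const char *pass)
{
    if (strcmp(user, "alice") == 0 && strcmp(pass, "correct-horse") == 0)
        return ST_OK;
    if (strcmp(user, "bob") == 0 && strcmp(pass, "hunter2") == 0)
        return ST_OK;
    return ST_LOGON_FAILURE;
}

static status_t step_account(const char *user)
{
    return strcmp(user, "bob") == 0 ? ST_ACCT_DISABLED : ST_OK;
}

/* Guard-clause style: each failure returns at once with its own status. */
status_t check_password(const char *user, const char *pass)
{
    status_t st;

    if (user == NULL || pass == NULL)
        return ST_LOGON_FAILURE;
    if ((st = step_authenticate(user, pass)) != ST_OK)
        return st;
    if ((st = step_account(user)) != ST_OK)
        return st;
    return ST_OK;
}

/* Inverted (assumed failure mode): a nonzero failure status reads as true. */
bool login_allowed_inverted(const char *user, const char *pass)
{
    return check_password(user, pass);
}

/* Correct: compare against the success constant explicitly. */
bool login_allowed(const char *user, const char *pass)
{
    return check_password(user, pass) == ST_OK;
}
```

A regression test for this class of bug needs at least one negative case (a wrong password that must be rejected), since a test suite that only exercises valid logins passes against neither form by accident and fails to distinguish them.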



