Whats the idea with this patch? (pampass.c)

Andrew Bartlett abartlet at pcug.org.au
Thu May 3 10:09:58 GMT 2001


I'm just trying to understand the reasoning behind this recent change to
the SAMBA_2_2 cvs tree:

The code appears to be dropping support for an 'old password' prompt in
the PAM password chat code.  

Why?  The code indicates that we are running as root, but this is only
true if (as_root) is true back in chgpasswd.c, and in any case running
as root does not ensure that we don't get the prompt.  Is there any
reason not just to feed PAM a null if we are ever so unfortunate as to
be asked for a nonexistent previous password?

(And yes, we do get the old password prompt occasionally, or so I understand.)

Andrew Bartlett
-- 
Andrew Bartlett
abartlet at pcug.org.au
-------------- next part --------------
===================================================================
RCS file: /cvsroot/samba/source/passdb/pampass.c,v
retrieving revision 1.1.2.22
retrieving revision 1.1.2.23
diff -u -r1.1.2.22 -r1.1.2.23
--- samba/source/passdb/pampass.c	2001/05/01 18:24:58	1.1.2.22
+++ samba/source/passdb/pampass.c	2001/05/02 20:32:12	1.1.2.23
@@ -113,6 +113,9 @@
 
 	*resp = NULL;
 
+	if (num_msg <= 0)
+		return PAM_CONV_ERR;
+
 	/*
 	 * Apparantly HPUX has a buggy PAM that doesn't support the
 	 * appdata_ptr. Fail if this is the case. JRA.
@@ -174,7 +177,6 @@
 {
 	int replies = 0;
 	struct pam_response *reply = NULL;
-	fstring currentpw_prompt;
 	fstring newpw_prompt;
 	fstring repeatpw_prompt;
 	char *p = lp_passwd_chat();
@@ -182,6 +184,9 @@
 
 	*resp = NULL;
 
+	if (num_msg <= 0)
+		return PAM_CONV_ERR;
+
 	/*
 	 * Apparantly HPUX has a buggy PAM that doesn't support the
 	 * appdata_ptr. Fail if this is the case. JRA.
@@ -192,10 +197,8 @@
 		return PAM_CONV_ERR;
 	}
 
-	/* Get the prompts... */
+	/* Get the prompts. We're running as root so we only get 2 prompts. */
 
-	if (!next_token(&p, currentpw_prompt, NULL, sizeof(fstring)))
-		return PAM_CONV_ERR;
 	if (!next_token(&p, newpw_prompt, NULL, sizeof(fstring)))
 		return PAM_CONV_ERR;
 	if (!next_token(&p, repeatpw_prompt, NULL, sizeof(fstring)))
@@ -217,16 +220,14 @@
 		case PAM_PROMPT_ECHO_OFF:
 			reply[replies].resp_retcode = PAM_SUCCESS;
 			DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: Replied: %s\n", msg[replies]->msg));
-			if (strncmp(currentpw_prompt, msg[replies]->msg, strlen(currentpw_prompt)) == 0) {
-				reply[replies].resp = COPY_STRING(udp->PAM_password);
-			} else if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) {
+			if (strncmp(newpw_prompt, msg[replies]->msg, strlen(newpw_prompt)) == 0) {
 				reply[replies].resp = COPY_STRING(udp->PAM_newpassword);
 			} else if (strncmp(repeatpw_prompt, msg[replies]->msg, strlen(repeatpw_prompt)) == 0) {
 				reply[replies].resp = COPY_STRING(udp->PAM_newpassword);
 			} else {
 				DEBUG(3,("smb_pam_passchange_conv: Could not find reply for PAM prompt: %s\n",msg[replies]->msg));
-				DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n CurrentPW: \"%s\"\n NewPW: \"%s\"\n \
-RepeatPW: \"%s\"\n",currentpw_prompt,newpw_prompt,repeatpw_prompt));
+				DEBUG(5,("smb_pam_passchange_conv: Prompts available:\n NewPW: \"%s\"\n \
+RepeatPW: \"%s\"\n",newpw_prompt,repeatpw_prompt));
 				free(reply);
 				reply = NULL;
 				return PAM_CONV_ERR;
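Review bot: On the no-match path at the end of this hunk only the `reply` array itself is freed, so any `resp` strings that earlier iterations filled in through `COPY_STRING(udp->PAM_newpassword)` appear to be leaked, leaving copies of the new password in heap memory that is never released. The loop and the allocation of `reply` start outside the hunk, so this assumes `replies` is the loop index and that every earlier entry's `resp` was either assigned or set to NULL. If that holds, release them first with `while (replies-- > 0) free(reply[replies].resp);` placed before `free(reply);`. Overwriting each string before freeing it would also stop the password from lingering in released memory.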

