The branch, v3-0-test has been updated
       via  e7e5a7c613b73ca5832d18ccd1c2660d012c7b13 (commit)
      from  6ba54521aa9628346fcfa28ba27713fc97b5863a (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit e7e5a7c613b73ca5832d18ccd1c2660d012c7b13
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Wed Dec 12 17:26:45 2007 -0800

    Fix bug #3727 with patch from Steve Langasek <[EMAIL PROTECTED]>
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/pam_smbpass/pam_smb_acct.c   |    5 +++++
 source/pam_smbpass/pam_smb_auth.c   |    6 ++++++
 source/pam_smbpass/pam_smb_passwd.c |    5 +++++
 source/utils/smbpasswd.c            |    4 ++++
 4 files changed, 20 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/pam_smbpass/pam_smb_acct.c 
b/source/pam_smbpass/pam_smb_acct.c
index 47bf059..b5dbd9c 100644
--- a/source/pam_smbpass/pam_smb_acct.c
+++ b/source/pam_smbpass/pam_smb_acct.c
@@ -70,6 +70,11 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
                _log_err( LOG_DEBUG, "acct: username [%s] obtained", name );
        }
 
+       if (geteuid() != 0) {
+               _log_err(pamh, LOG_DEBUG, "Cannot access samba password 
database, not running as root.");
+               return PAM_AUTHINFO_UNAVAIL;
+       }
+
        /* Getting into places that might use LDAP -- protect the app
                from a SIGPIPE it's not expecting */
        oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
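Review bot: The added `_log_err(pamh, LOG_DEBUG, ...)` call passes `pamh` as an extra leading argument, while the unchanged call a few lines above in the same function is `_log_err( LOG_DEBUG, "acct: username [%s] obtained", name )`, so the two cannot both match one prototype. The prototype is not visible here, but if it is the (priority, format, ...) form the context line implies, `pamh` lands in the priority slot and `LOG_DEBUG` in the format slot. That is at best a build break and at worst an integer read as a format string inside an authentication module. The call should follow the surrounding convention, `_log_err( LOG_DEBUG, "Cannot access samba password database, not running as root." );`. The same call is added in the pam_smb_auth.c and pam_smb_passwd.c hunks, and pam_sm_acct_mgmt's body starts and ends outside this hunk.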
diff --git a/source/pam_smbpass/pam_smb_auth.c 
b/source/pam_smbpass/pam_smb_auth.c
index df6d20e..2b0735f 100644
--- a/source/pam_smbpass/pam_smb_auth.c
+++ b/source/pam_smbpass/pam_smb_auth.c
@@ -101,6 +101,12 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                _log_err( LOG_DEBUG, "username [%s] obtained", name );
        }
 
+       if (geteuid() != 0) {
+               _log_err(pamh, LOG_DEBUG, "Cannot access samba password 
database, not running as root.");
+               retval = PAM_AUTHINFO_UNAVAIL;
+               AUTH_RETURN;
+       }
+
        if (!initialize_password_db(True)) {
                _log_err( LOG_ALERT, "Cannot access samba password database" );
                retval = PAM_AUTHINFO_UNAVAIL;
diff --git a/source/pam_smbpass/pam_smb_passwd.c 
b/source/pam_smbpass/pam_smb_passwd.c
index 79bcfb6..62c056b 100644
--- a/source/pam_smbpass/pam_smb_passwd.c
+++ b/source/pam_smbpass/pam_smb_passwd.c
@@ -125,6 +125,11 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
         _log_err( LOG_DEBUG, "username [%s] obtained", user );
     }
 
+    if (geteuid() != 0) {
+       _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not 
running as root.");
+       return PAM_AUTHINFO_UNAVAIL;
+    }
+
     /* Getting into places that might use LDAP -- protect the app
        from a SIGPIPE it's not expecting */
     oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
diff --git a/source/utils/smbpasswd.c b/source/utils/smbpasswd.c
index 7460662..d4cacfb 100644
--- a/source/utils/smbpasswd.c
+++ b/source/utils/smbpasswd.c
@@ -96,6 +96,10 @@ static int process_options(int argc, char **argv, int 
local_flags)
        while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
                switch(ch) {
                case 'L':
+                       if (getuid() != 0) {
+                               fprintf(stderr, "smbpasswd -L can only be used 
by root.\n");
+                               exit(1);
+                       }
                        local_flags |= LOCAL_AM_ROOT;
                        break;
                case 'c':
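Review bot: The `-L` guard tests `getuid()` while the three pam_smbpass hunks of this commit test `geteuid()`, and nothing at the check says which identity is intended. If the real uid is deliberate (presumably so that a setuid-root install does not let an unprivileged caller obtain `LOCAL_AM_ROOT`), a comment above the check would keep a later cleanup from switching it to the effective uid. For example: `/* real uid on purpose: -L sets LOCAL_AM_ROOT and must not be reachable through a setuid bit */`. The body of process_options continues outside the hunk.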


-- 
Samba Shared Repository
