The branch, v3-0-test has been updated via e7e5a7c613b73ca5832d18ccd1c2660d012c7b13 (commit) from 6ba54521aa9628346fcfa28ba27713fc97b5863a (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test - Log ----------------------------------------------------------------- commit e7e5a7c613b73ca5832d18ccd1c2660d012c7b13 Author: Jeremy Allison <[EMAIL PROTECTED]> Date: Wed Dec 12 17:26:45 2007 -0800 Fix bug #3727 with patch from Steve Langasek <[EMAIL PROTECTED]> Jeremy. ----------------------------------------------------------------------- Summary of changes: source/pam_smbpass/pam_smb_acct.c | 5 +++++ source/pam_smbpass/pam_smb_auth.c | 6 ++++++ source/pam_smbpass/pam_smb_passwd.c | 5 +++++ source/utils/smbpasswd.c | 4 ++++ 4 files changed, 20 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source/pam_smbpass/pam_smb_acct.c b/source/pam_smbpass/pam_smb_acct.c index 47bf059..b5dbd9c 100644 --- a/source/pam_smbpass/pam_smb_acct.c +++ b/source/pam_smbpass/pam_smb_acct.c @@ -70,6 +70,11 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "acct: username [%s] obtained", name ); } + if (geteuid() != 0) { + _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); + return PAM_AUTHINFO_UNAVAIL; + } + /* Getting into places that might use LDAP -- protect the app from a SIGPIPE it's not expecting */ oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); diff --git a/source/pam_smbpass/pam_smb_auth.c b/source/pam_smbpass/pam_smb_auth.c index df6d20e..2b0735f 100644 --- a/source/pam_smbpass/pam_smb_auth.c +++ b/source/pam_smbpass/pam_smb_auth.c @@ -101,6 +101,12 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "username [%s] obtained", name ); } + if (geteuid() != 0) { + _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); + retval = PAM_AUTHINFO_UNAVAIL; + AUTH_RETURN; + } + if (!initialize_password_db(True)) { _log_err( LOG_ALERT, "Cannot access samba password database" ); retval = PAM_AUTHINFO_UNAVAIL; 
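Review bot: The added `_log_err(pamh, LOG_DEBUG, ...)` call in pam_sm_acct_mgmt passes `pamh` first, while the context line just above it calls `_log_err( LOG_DEBUG, "acct: username [%s] obtained", name )` with the log level first. The prototype is not visible here, but if this branch's `_log_err` takes the level and then the format, the new call supplies a pointer as the level and an integer as the format string, so the root check would either break the build or log through an invalid format pointer. Matching the surrounding calls gives `_log_err(LOG_DEBUG, "Cannot access samba password database, not running as root.");`. The same call is added in the pam_sm_authenticate hunk that follows and in the pam_sm_chauthtok hunk in pam_smb_passwd.c, where the context lines again use the level-first form. All three function bodies start and end outside their hunks.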
diff --git a/source/pam_smbpass/pam_smb_passwd.c b/source/pam_smbpass/pam_smb_passwd.c index 79bcfb6..62c056b 100644 --- a/source/pam_smbpass/pam_smb_passwd.c +++ b/source/pam_smbpass/pam_smb_passwd.c @@ -125,6 +125,11 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "username [%s] obtained", user ); } + if (geteuid() != 0) { + _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); + return PAM_AUTHINFO_UNAVAIL; + } + /* Getting into places that might use LDAP -- protect the app from a SIGPIPE it's not expecting */ oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); diff --git a/source/utils/smbpasswd.c b/source/utils/smbpasswd.c index 7460662..d4cacfb 100644 --- a/source/utils/smbpasswd.c +++ b/source/utils/smbpasswd.c @@ -96,6 +96,10 @@ static int process_options(int argc, char **argv, int local_flags) while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) { switch(ch) { case 'L': + if (getuid() != 0) { + fprintf(stderr, "smbpasswd -L can only be used by root.\n"); + exit(1); + } local_flags |= LOCAL_AM_ROOT; break; case 'c': -- Samba Shared Repository
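Review bot: The `-L` gate in process_options tests `getuid()` while the three PAM hunks test `geteuid()`, and nothing in the hunk records that the difference is intended. Because `-L` goes on to set `LOCAL_AM_ROOT`, checking the real uid looks deliberate (an effective-uid test would presumably pass in a set-uid install), so a comment above the test would stop a later cleanup from unifying the two: `/* Real uid on purpose: -L sets LOCAL_AM_ROOT and must not be reachable via effective uid alone. */`. process_options starts and ends outside the hunk.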