| author | Joep Vesseur <Joep.Vesseur@Sun.COM> | 2008-11-15 21:52:23 +0100 |
|---|---|---|
| committer | Joep Vesseur <Joep.Vesseur@Sun.COM> | 2008-11-15 21:52:23 +0100 |
| commit | 57c407852ad197a758d9fc3212bd9484cacf2a69 (patch) | |
| tree | 626f102c94ec1b57cb5e6d8f2f72340bae6f7029 /usr/src/cmd/su | |
| parent | 728bdc9be5faf84b5dca42f545967bd4910d608e (diff) | |
| download | illumos-joyent-57c407852ad197a758d9fc3212bd9484cacf2a69.tar.gz | |
PSARC 2007/700 Enforcement of PASSREQ=YES
4652487 pam_unix_account does not honor PAM_DISALLOW_NULL_AUTHTOK for root
5070350 pam_unix account allows users with blank passwords if aging prevents change
6494527 PASSREQ not always enforced
Diffstat (limited to 'usr/src/cmd/su')
| -rw-r--r-- | usr/src/cmd/su/su.c | 16 |
1 files changed, 5 insertions, 11 deletions
diff --git a/usr/src/cmd/su/su.c b/usr/src/cmd/su/su.c
index ce73af3bf1..d8006c3f47 100644
--- a/usr/src/cmd/su/su.c
+++ b/usr/src/cmd/su/su.c
@@ -19,7 +19,7 @@
 * CDDL HEADER END
 */
 /*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
@@ -29,8 +29,6 @@
 /* Copyright (c) 1987, 1988 Microsoft Corporation */
 /* All Rights Reserved */
-#pragma ident "%Z%%M% %I% %E% SMI"
-
 /*
 * su [-] [name [arg ...]] change userid, `-' changes environment.
 * If SULOG is defined, all attempts to su to another user are
@@ -165,7 +163,7 @@ char *username; /* the invoker */
 static int dosyslog = 0; /* use syslog? */
 char *myname;
 #ifdef DYNAMIC_SU
-int passreq = 0;
+int pam_flags = 0;
 boolean_t embedded = B_FALSE;
 #endif /* DYNAMIC_SU */
@@ -307,7 +305,7 @@ main(int argc, char **argv)
 if ((ptr = defread("PASSREQ=")) != NULL &&
 strcasecmp("YES", ptr) == 0)
- passreq = 1;
+ pam_flags |= PAM_DISALLOW_NULL_AUTHTOK;
 (void) defopen((char *)NULL);
 }
@@ -321,7 +319,7 @@ main(int argc, char **argv)
 if (getpwnam_r(nptr, &pwd, pwdbuf, sizeof (pwdbuf)) == NULL)
 retcode = PAM_USER_UNKNOWN;
 else if ((flags = (getuid() != (uid_t)ROOT)) != 0) {
- retcode = pam_authenticate(pamh, 0);
+ retcode = pam_authenticate(pamh, pam_flags);
 } else /* root user does not need to authenticate */
 retcode = PAM_SUCCESS;
@@ -1259,13 +1257,9 @@ static void
 validate(char *usernam, int *pw_change)
 {
 int error;
- int flag = 0;
 int tries;
- if (passreq)
- flag = PAM_DISALLOW_NULL_AUTHTOK;
-
- if ((error = pam_acct_mgmt(pamh, flag)) != PAM_SUCCESS) {
+ if ((error = pam_acct_mgmt(pamh, pam_flags)) != PAM_SUCCESS) {
 if (Sulog != NULL)
 log(Sulog, pwd.pw_name, 0); /* log entry */
 if (error == PAM_NEW_AUTHTOK_REQD) { |
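Review bot: `int pam_flags = 0;` in the `-165` hunk has external linkage and no comment, although it now decides whether null passwords are refused in both `pam_authenticate()` (hunk `-321`) and `pam_acct_mgmt()` (hunk `-1259`). If no other translation unit references it, which cannot be seen from here, I would write `static int pam_flags = 0;` to match `static int dosyslog` two lines up. It also deserves a comment such as `/* flags for pam_authenticate() and pam_acct_mgmt(); PAM_DISALLOW_NULL_AUTHTOK is set when PASSREQ=YES */`, so that a flag OR'ed in later is known to reach both calls. The definition sits inside `#ifdef DYNAMIC_SU`, and the new use in `main` has its guard outside the hunk, so confirm it is compiled under the same conditional.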
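Review bot: In the `-307` hunk the flag is set only when `PASSREQ` compares equal to `YES`, so a missing entry or a misspelt value leaves `pam_flags` at 0 and null passwords remain permitted, with no diagnostic. As enforcement is the stated purpose of the change, that fail-open default should at least be written down above the `if`, for example `/* PASSREQ absent or not "YES": null authentication tokens stay permitted */`. The enclosing block that opens the defaults file starts above the hunk, so what happens when that open fails cannot be confirmed from these lines.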
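Review bot: The root branch in the `-321` hunk still sets `retcode = PAM_SUCCESS` without calling `pam_authenticate()`, so `PAM_DISALLOW_NULL_AUTHTOK` is never applied at authentication when the invoker is root. On that path enforcement of PASSREQ appears to rest entirely on the `pam_acct_mgmt(pamh, pam_flags)` call in `validate()`. The existing comment should say so, e.g. `/* root skips authentication; PASSREQ is enforced by pam_acct_mgmt() in validate() */`. Whether `validate()` is actually reached for a root invoker lies outside the hunk and should be checked before relying on it.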
