diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2004-08-16 23:12:05 +1000 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2004-08-16 23:12:05 +1000 |
| commit | 21dd0897d53b5850c3fe1dff43494db3024e3d97 (patch) | |
| tree | 726cc8d8f72b2a22209bc13a730018db055985e9 /auth-pam.c | |
| parent | 0cbc3c65094079b5908b3357d69e6cf7b1d94a80 (diff) | |
- (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
to convince Solaris PAM to honour password complexity rules. ok djm@
Diffstat (limited to 'auth-pam.c')
| -rw-r--r-- | auth-pam.c | 27 |
1 files changed, 26 insertions, 1 deletions
@@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.113 2004/07/21 10:54:47 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -201,6 +201,31 @@ pam_getenvlist(pam_handle_t *pamh) } #endif +/* + * Some platforms, notably Solaris, do not enforce password complexity + * rules during pam_chauthtok() if the real uid of the calling process + * is 0, on the assumption that it's being called by "passwd" run by root. + * This wraps pam_chauthtok and sets/restore the real uid so PAM will do + * the right thing. + */ +#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID +static int +sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags) +{ + int result; + + if (sshpam_authctxt == NULL) + fatal("PAM: sshpam_authctxt not initialized"); + if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1) + fatal("%s: setreuid failed: %s", __func__, strerror(errno)); + result = pam_chauthtok(pamh, flags); + if (setreuid(0, -1) == -1) + fatal("%s: setreuid failed: %s", __func__, strerror(errno)); + return result; +} +# define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b))) +#endif + void sshpam_password_change_required(int reqd) { |