author | dtucker <dtucker> | 2004-08-16 13:12:05 +0000 |
---|---|---|
committer | dtucker <dtucker> | 2004-08-16 13:12:05 +0000 |
commit | 398be2bc7beb9b8ac8a4059eceacea71269ecb2e (patch) | |
tree | 9c70683966bc5290dfb8e4388c0df0aa56396bcf /auth-pam.c | |
parent | 0e47740373f4e37149724fd0d88bf53a3527a994 (diff) | |
- (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
to convince Solaris PAM to honour password complexity rules. ok djm@
Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 27 |
1 files changed, 26 insertions, 1 deletions
@@ -47,7 +47,7 @@
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.113 2004/07/21 10:54:47 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -201,6 +201,31 @@ pam_getenvlist(pam_handle_t *pamh)
 }
 #endif
+/*
+ * Some platforms, notably Solaris, do not enforce password complexity
+ * rules during pam_chauthtok() if the real uid of the calling process
+ * is 0, on the assumption that it's being called by "passwd" run by root.
+ * This wraps pam_chauthtok and sets/restore the real uid so PAM will do
+ * the right thing.
+ */
+#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID
+static int
+sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
+{
+ int result;
+
+ if (sshpam_authctxt == NULL)
+ fatal("PAM: sshpam_authctxt not initialized");
+ if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1)
+ fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+ result = pam_chauthtok(pamh, flags);
+ if (setreuid(0, -1) == -1)
+ fatal("%s: setreuid failed: %s", __func__, strerror(errno));
+ return result;
+}
+# define pam_chauthtok(a,b) (sshpam_chauthtok_ruid((a), (b)))
+#endif
+
 void
 sshpam_password_change_required(int reqd)
 {
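Review bot: sshpam_chauthtok_ruid restores the real uid with a hard-coded `setreuid(0, -1)` rather than the value it replaced, so if the caller's real uid was anything other than 0 the wrapper aborts in fatal() after pam_chauthtok() has already completed; saving it first is cheap: `uid_t saved_ruid = getuid();` before the first setreuid and `if (setreuid(saved_ruid, -1) == -1)` on the restore. Note also that while the real uid is the target user's (effective uid still 0), processes owned by that user can send signals to this sshd process, since kill() permission is checked against the real uid — presumably acceptable for the duration of one pam_chauthtok() call, but it deserves a sentence in the header comment, along with fixing `sets/restore` to `sets/restores`. The `# define pam_chauthtok` on the last added lines only works because it is placed after the function body, whose own `pam_chauthtok(pamh, flags)` call must bind to the library function; a comment such as `/* Must stay below the wrapper: its pam_chauthtok() call must not be rewritten by this macro. */` would protect that ordering from a later reshuffle.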