glibc-2.0.111: getpwuid() result depends on nscd presence in nis+ environment
Thorsten Kukuk
kukuk@suse.de
Thu Apr 1 00:00:00 GMT 1999
Hello,
On Tue, Feb 02, 1999 at 05:34:10PM +0300, Dmitry O Panov wrote:
> On Tue, 2 Feb 1999, Thorsten Kukuk wrote:
>
> > Hello,
> >
> > > I have noticed that getpwuid() returns "*NP*" in pw_passwd when nscd is
> > > running and encrypted password when nscd is not running. It is
> > > critical for some authentication programs (e.g. pam_unix_auth).
> > >
> > > sp_pwdp (returned by getspnam()) contains an encrypted password in both
> > > cases.
> > >
> > > Can anyone reproduce this?
> >
> > No, but I think I know what you have done. nscd asks the NIS+ Server as
> > root for the entry, getspnam doesn't use nscd and asks the NIS+ Server
> > as user with the users authentication. I think in your case, you have
> > changed the permissions of passwd.org_dir and only the authenticated
> > user is allowed to see the password.
>
> Of course, I have ;) But Solaris clients work fine in this case. I've
Yes, because Solaris has a nice littel program: nscd_check. If it detects
this situation, nscd is not allowed to cache passwd queries. I hadn't the
time to implement this.
> applied the following patch to pam_unix_auth.c to make it work on my linux
> box:
>
> --- pam_unix_auth.c.orig Thu Jan 15 01:10:01 1998
> +++ pam_unix_auth.c Tue Feb 2 17:25:52 1999
> @@ -152,6 +152,7 @@
> const char *name;
> char *p, *pp;
> const char *salt;
> + uid_t save_uid;
>
> #ifdef HAVE_SHADOW_H
>
> @@ -189,13 +190,12 @@
> pw = getpwnam ( name );
>
> /* For NIS+, root cannot get password for lesser user */
> + save_uid = getuid ();
> +
> if (pw) {
> - uid_t save_uid;
>
> - save_uid = geteuid ();
> if (seteuid (pw->pw_uid) >= 0) {
> pw = getpwnam ( name );
> - seteuid (save_uid);
> }
> }
> if (pw)
> @@ -208,9 +208,12 @@
> * systems. Shadow passwords are optional on Linux - if
> * there is no shadow password, use the non-shadow one.
> */
> -
> sp = getspnam( name );
> - if (sp && (!strcmp(pw->pw_passwd,"x")))
> + seteuid (save_uid);
> + if (!sp)
> + sp = getspnam( name );
> +
> + if (sp && (strlen(pw->pw_passwd) < 13))
> {
> /* TODO: check if password has expired etc. */
> salt = sp->sp_pwdp;
> @@ -219,9 +222,10 @@
> #endif
> salt = pw->pw_passwd;
> }
> - else
> + else {
> + seteuid (save_uid);
> return PAM_USER_UNKNOWN;
> -
> + }
> /* The 'always-encrypt' method does not make sense in PAM
> because the framework requires return of a different
> error code for non-existant users -- alex */
>
> Am I right?
No, because my old solution for PAM is wrong, too. Not my fault,
the patch from me works, but some other people thought, they
are cleverer then I and changed it.
The Problem: Maybe it will work with NIS+, but it doesn't work
with passwd.adjunct or shadow over NIS. In this case, the query
must be done from a privilegd port.
I don't use PAM any more, so I could and will not check this
and fix it.
Thorsten
--
Thorsten Kukuk http://home.pages.de/~kukuk/ kukuk@suse.de
SuSE GmbH Schanzaeckerstr. 10 90443 Nuernberg
Linux is like a Vorlon. It is incredibly powerful, gives terse,
cryptic answers and has a lot of things going on in the background.
More information about the Libc-alpha
mailing list