glibc-2.0.111: getpwuid() result depends on nscd presence in nis+ environment
Dmitry O Panov
dmitry@tsu.tula.ru
Thu Apr 1 00:00:00 GMT 1999
On Tue, 2 Feb 1999, Thorsten Kukuk wrote:
> Hello,
>
> > I have noticed that getpwuid() returns "*NP*" in pw_passwd when nscd is
> > running and encrypted password when nscd is not running. It is
> > critical for some authentication programs (e.g. pam_unix_auth).
> >
> > sp_pwdp (returned by getspnam()) contains an encrypted password in both
> > cases.
> >
> > Can anyone reproduce this?
>
> No, but I think I know what you have done. nscd asks the NIS+ Server as
> root for the entry, getspnam doesn't use nscd and asks the NIS+ Server
> as user with the users authentication. I think in your case, you have
> changed the permissions of passwd.org_dir and only the authenticated
> user is allowed to see the password.
Of course, I have ;) But Solaris clients work fine in this case. I've
applied the following patch to pam_unix_auth.c to make it work on my Linux
box:
--- pam_unix_auth.c.orig Thu Jan 15 01:10:01 1998
+++ pam_unix_auth.c Tue Feb 2 17:25:52 1999
@@ -152,6 +152,7 @@
const char *name;
char *p, *pp;
const char *salt;
+ uid_t save_uid;
#ifdef HAVE_SHADOW_H
@@ -189,13 +190,12 @@
pw = getpwnam ( name );
/* For NIS+, root cannot get password for lesser user */
+ save_uid = getuid ();
+
if (pw) {
- uid_t save_uid;
- save_uid = geteuid ();
if (seteuid (pw->pw_uid) >= 0) {
pw = getpwnam ( name );
- seteuid (save_uid);
}
}
if (pw)
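Review bot: `save_uid = getuid ();` saves the real uid where the removed line saved `geteuid ()`. In a setuid-root program run by an ordinary user the two differ, so the later `seteuid (save_uid)` would lower the effective uid to the caller instead of restoring root, and the shadow lookup that follows would run unprivileged. Keep `save_uid = geteuid ();`. Note also that removing the restoring `seteuid (save_uid)` from this block leaves the process at `pw->pw_uid` for the rest of the function, so every exit path after this point has to put the identity back.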
@@ -208,9 +208,12 @@
* systems. Shadow passwords are optional on Linux - if
* there is no shadow password, use the non-shadow one.
*/
-
sp = getspnam( name );
- if (sp && (!strcmp(pw->pw_passwd,"x")))
+ seteuid (save_uid);
+ if (!sp)
+ sp = getspnam( name );
+
+ if (sp && (strlen(pw->pw_passwd) < 13))
{
/* TODO: check if password has expired etc. */
salt = sp->sp_pwdp;
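Review bot: the restoring `seteuid (save_uid)` sits inside `#ifdef HAVE_SHADOW_H`, so a build without shadow support never restores the effective uid on the success path (only the `else` branch further down does). Move the restore out of the `#ifdef`, directly after the passwd lookup, and check its return value. Separately, `strlen(pw->pw_passwd) < 13` is a heuristic keyed to the 13-character DES crypt output: it treats every shorter field as a placeholder and every longer one as a usable hash. Comparing explicitly against the two placeholders at issue, `"x"` and `"*NP*"`, states the intent directly and does not change meaning if another hash format appears in pw_passwd.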
@@ -219,9 +222,10 @@
#endif
salt = pw->pw_passwd;
}
- else
+ else {
+ seteuid (save_uid);
return PAM_USER_UNKNOWN;
-
+ }
/* The 'always-encrypt' method does not make sense in PAM
because the framework requires return of a different
error code for non-existant users -- alex */
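Review bot: the new `seteuid (save_uid)` in the `else` branch ignores its return value; if restoring privilege fails, the function returns PAM_USER_UNKNOWN with the effective uid still set to the looked-up user. Check the result and return a PAM error code (such as PAM_AUTH_ERR) when it is non-zero. This branch is reached both when the first `getpwnam` failed (no `seteuid` has happened) and when the second one under `pw->pw_uid` failed; the restore is a no-op in the first case and the only thing that restores the identity in the second.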
Am I right?
--
Dmitry O Panov | mailto:dmitry@tsu.tula.ru
Tula State University | http://www.tsu.tula.ru/
Dept. of CS & NIT | Fidonet: Dmitry Panov, 2:5022/8.31 aka 2:5022/5.50
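The save/restore pattern the patch relies on, written out as an added example (not code from this thread or from pam_unix_auth.c) with the checks a reviewer would ask for: the saved identity comes from geteuid(), not getuid(); the restore happens on every path; and the restore's return value is checked. The names run_as_euid, pw_passwd_is_placeholder and the probe callback are assumptions made here for illustration; the two placeholder values "x" and "*NP*" are the ones the thread mentions. The self-check switches to the process's own effective uid, which needs no privilege, so the example runs as an ordinary user.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* pw_passwd values that stand in for a hash rather than being one:
 * "x" (password kept in shadow) and "*NP*" (NIS+ "no permission", the value
 * seen through nscd in the thread).  Matching them by name is more precise
 * than the strlen() < 13 heuristic in the patch. */
int pw_passwd_is_placeholder(const char *pw_passwd)
{
    return pw_passwd != NULL &&
           (strcmp(pw_passwd, "x") == 0 || strcmp(pw_passwd, "*NP*") == 0);
}

/* Run fn(arg) with the effective uid temporarily set to target, then restore
 * the previous effective uid.  The saved value is geteuid(), not getuid(): in a
 * setuid program the real uid is the unprivileged caller, and restoring it
 * would drop privilege instead of regaining it.
 * Returns fn's result on success, -1 if the switch to target failed (fn is not
 * run), -2 if fn ran but the effective uid could not be restored; callers must
 * treat -2 as fatal, since the process is left with the wrong identity. */
int run_as_euid(uid_t target, int (*fn)(void *), void *arg)
{
    uid_t saved = geteuid();
    int rc;

    if (seteuid(target) < 0)
        return -1;
    rc = fn(arg);
    if (seteuid(saved) < 0)
        return -2;
    return rc;
}

/* Probe callback for the self-check: records the euid it observes while
 * running inside run_as_euid(). */
struct probe { uid_t seen; };

static int probe_euid(void *arg)
{
    struct probe *p = arg;
    p->seen = geteuid();
    return 0;
}

/* Self-check that works without root: switching to our own euid is always
 * permitted.  Returns 1 when the callback ran under the requested euid and the
 * original euid was restored afterwards, 0 otherwise. */
int self_check(void)
{
    struct probe p = { (uid_t)-1 };
    uid_t before = geteuid();
    int rc = run_as_euid(before, probe_euid, &p);

    return rc == 0 && p.seen == before && geteuid() == before;
}

int main(void)
{
    int ok = self_check();
    printf("run_as_euid self-check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

In the patch's terms, the getpwnam() and getspnam() calls that must run as the user would be the callback, and a -2 result would map to a PAM failure rather than falling through to the password comparison.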