authordes <des@FreeBSD.org>2002-01-23 15:16:01 +0000
committerdes <des@FreeBSD.org>2002-01-23 15:16:01 +0000
commite64688fcfb6f0f21dfe93591e7e15c93f4a68a3c (patch)
tree3821a83b4eda0a26be9220b71fc455103a465a0a
parent5307ecb83c1a3c3c2de99358a7b69b67597ed1be (diff)
Base the comparison on UIDs, not on user names.
Sponsored by: DARPA, NAI Labs
-rw-r--r--lib/libpam/modules/pam_self/pam_self.84
-rw-r--r--lib/libpam/modules/pam_self/pam_self.c22
2 files changed, 12 insertions, 14 deletions
diff --git a/lib/libpam/modules/pam_self/pam_self.8 b/lib/libpam/modules/pam_self/pam_self.8
index 2dc968f..5e51445 100644
--- a/lib/libpam/modules/pam_self/pam_self.8
+++ b/lib/libpam/modules/pam_self/pam_self.8
@@ -61,8 +61,8 @@ It also provides a null function for session management.
.Ss Self Authentication Module
The Self authentication component
.Pq Fn pam_sm_authenticate ,
-returns success if and only if the source and target user names are
-identical.
+returns success if and only if the target user's user ID is identical
+with the current real user ID.
.Pp
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm no_warn"
diff --git a/lib/libpam/modules/pam_self/pam_self.c b/lib/libpam/modules/pam_self/pam_self.c
index 847e092..1cbc832 100644
--- a/lib/libpam/modules/pam_self/pam_self.c
+++ b/lib/libpam/modules/pam_self/pam_self.c
@@ -39,6 +39,7 @@ __FBSDID("$FreeBSD$");
#define _BSD_SOURCE
+#include <pwd.h>
#include <unistd.h>
#include <syslog.h>
@@ -54,24 +55,21 @@ PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
- const char *luser, *ruser;
- int r;
+ struct passwd *pwd;
+ const char *luser;
+ int pam_err;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
- r = pam_get_item(pamh, PAM_USER, (const void **)&luser);
- if (r != PAM_SUCCESS)
- PAM_RETURN(r);
- if (luser == NULL)
- PAM_RETURN(PAM_USER_UNKNOWN);
-
- r = pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);
- if (r != PAM_SUCCESS)
- PAM_RETURN(r);
+ pam_err = pam_get_item(pamh, PAM_USER, (const void **)&luser);
+ if (pam_err != PAM_SUCCESS)
+ PAM_RETURN(pam_err);
+ if (luser == NULL || (pwd = getpwnam(luser)) == NULL)
+ PAM_RETURN(PAM_AUTH_ERR);
- if (strcmp(luser, ruser) == 0)
+ if (getuid() == (uid_t)pwd->pw_uid)
PAM_RETURN(PAM_SUCCESS);
PAM_VERBOSE_ERROR("Refused; source and target users differ");
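Review bot: The `getuid() == (uid_t)pwd->pw_uid` test trusts the real UID of whichever process loaded the module, and that equals the requesting user only when the user ran the PAM application themselves. If the application is a daemon running as root, the real UID is 0, so a request naming any UID-0 account would reach `PAM_RETURN(PAM_SUCCESS)` without the requester proving anything. Accounts that share a UID are also now treated as the same user, which the old name comparison did not do. I would add a comment above the comparison such as `/* getuid() is the real UID of the calling process: meaningful only when the user invoked the application directly; accounts sharing a UID match */`, and drop the cast, since `pw_uid` is already a `uid_t`. The end of `pam_sm_authenticate` lies outside this hunk, so the final return path is not visible here.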