This is the mail archive of the libc-alpha@cygnus.com mailing list for the glibc project.



Re: glibc-2.0.111: getpwuid() result depends on nscd presence in nis+ environment



Hello,

On Tue, Feb 02, 1999 at 05:34:10PM +0300, Dmitry O Panov wrote:
> On Tue, 2 Feb 1999, Thorsten Kukuk wrote:
> 
> > Hello,
> > 
> > > I have noticed that getpwuid() returns "*NP*" in pw_passwd when nscd is
> > > running and encrypted password when nscd is not running. It is
> > > critical for some authentication programs (e.g. pam_unix_auth).
> > >  
> > > sp_pwdp (returned by getspnam()) contains an encrypted password in both
> > > cases.
> > > 
> > > Can anyone reproduce this?
> > 
> > No, but I think I know what you have done. nscd asks the NIS+ Server as
> > root for the entry, getspnam doesn't use nscd and asks the NIS+ Server
> > as user with the users authentication. I think in your case, you have
> > changed the permissions of passwd.org_dir and only the authenticated
> > user is allowed to see the password. 
> 
> Of course, I have ;) But Solaris clients work fine in this case. I've 

Yes, because Solaris has a nice little program: nscd_check. If it detects
this situation, nscd is not allowed to cache passwd queries. I haven't had the
time to implement this.

> applied the following patch to pam_unix_auth.c to make it work on my linux
> box:
> 
> --- pam_unix_auth.c.orig	Thu Jan 15 01:10:01 1998
> +++ pam_unix_auth.c	Tue Feb  2 17:25:52 1999
> @@ -152,6 +152,7 @@
>  	const char *name;
>  	char *p, *pp;
>  	const char *salt;
> +	uid_t save_uid;
>  
>  #ifdef HAVE_SHADOW_H
>  
> @@ -189,13 +190,12 @@
>  	pw = getpwnam ( name );
>  
>  	/* For NIS+, root cannot get password for lesser user */
> +	save_uid = getuid ();
> +	
>  	if (pw) {
> -	    uid_t save_uid;
>  
> -	    save_uid = geteuid ();
>  	    if (seteuid (pw->pw_uid) >= 0) {
>  		pw = getpwnam ( name );
> -		seteuid (save_uid);
>  	    }
>  	}
>  	if (pw) 
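Review bot: `save_uid = getuid ();` records the real uid, but the `seteuid (save_uid)` calls that this value feeds are meant to put back the effective uid that was in force before `seteuid (pw->pw_uid)`, which is why the removed line used `geteuid ()`. In a setuid-root helper (real uid = the user, effective uid = 0) the restore now lands on the real uid and the rest of the conversation runs unprivileged; a root daemon (both 0) sees no difference. Keep `save_uid = geteuid ();`. Also, with the immediate restore removed from this block, the effective uid stays switched past the end of the hunk, so every exit between here and the deferred restore has to put it back; only the `return PAM_USER_UNKNOWN` path is visibly handled.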
> @@ -208,9 +208,12 @@
>  		 * systems.  Shadow passwords are optional on Linux - if
>  		 * there is no shadow password, use the non-shadow one.
>  		 */
> -
>  		sp = getspnam( name );
> -		if (sp && (!strcmp(pw->pw_passwd,"x")))
> +		seteuid (save_uid);
> +		if (!sp)
> +		    sp = getspnam( name );
> +		
> +		if (sp && (strlen(pw->pw_passwd) < 13))
>  			{
>  				/* TODO: check if password has expired etc. */
>  				salt = sp->sp_pwdp;
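Review bot: the return value of `seteuid (save_uid);` is ignored; if the restore fails, the second `getspnam` and everything after it run with the user's effective uid, so a failed restore should be a hard error (return a PAM failure) rather than something to continue past. The `strlen(pw->pw_passwd) < 13` test also needs a comment: it replaces the exact `"x"` check so that the NIS+ `*NP*` placeholder is caught as well, but 13 is the length of a traditional DES crypt string, and the test silently sends any other short or empty pw_passwd to the shadow entry too; checking the known placeholder values by name would make the intent explicit.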
> @@ -219,9 +222,10 @@
>  #endif
>  		salt = pw->pw_passwd;
>  		} 
> -	else 
> +	else {
> +		seteuid (save_uid);
>  		return PAM_USER_UNKNOWN;
> -		
> +	}
>  		/* The 'always-encrypt' method does not make sense in PAM
>  		   because the framework requires return of a different
>  		   error code for non-existant users -- alex */
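Review bot: restoring the euid before `return PAM_USER_UNKNOWN;` closes one leak, but the success-path restore added in the previous hunk appears to sit inside the conditional closed by the `#endif` at the top of this hunk, so a build without that macro defined would keep running as `pw->pw_uid` after `salt = pw->pw_passwd;`. Restoring once, unconditionally, right after the `if (pw) { ... } else { ... }` block would cover both paths, and the return value should be checked here as well instead of discarded.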
> 
> Am I right?

No, because my old solution for PAM is wrong, too. Not my fault:
the patch from me works, but some other people thought they
were cleverer than I and changed it.
The problem: maybe it will work with NIS+, but it doesn't work
with passwd.adjunct or shadow over NIS. In that case, the query
must be done from a privileged port.

I don't use PAM any more, so I cannot and will not check this
and fix it.

  Thorsten

-- 
Thorsten Kukuk      http://home.pages.de/~kukuk/      kukuk@suse.de
SuSE GmbH           Schanzaeckerstr. 10             90443 Nuernberg
Linux is like a Vorlon.  It is incredibly powerful, gives terse,
cryptic answers and has a lot of things going on in the background.
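An added example, not code from the thread, from pam_unix or from glibc: the euid save/restore dance around a passwd/shadow lookup done the way the review points above ask for. It saves `geteuid()` rather than `getuid()`, treats a failed restore as fatal instead of carrying on, and recognises the `x` and `*NP*` placeholders by value instead of by length. The helper names (`run_as_euid`, `lookup_hash`, `pw_passwd_is_placeholder`) are this example's own; the privileged-port requirement for passwd.adjunct and shadow over NIS that Thorsten mentions is not addressed here.

```c
/* Added example (not from the thread, pam_unix or glibc): temporarily
 * switching the effective uid around an NSS lookup, failing closed.
 * Build: cc -Wall -o pwlookup pwlookup.c   Run: ./pwlookup <username> */
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Placeholders a passwd lookup may return instead of a hash: "x" when the
 * hash lives in shadow, "*NP*" when the NIS+ server refused to disclose it
 * to the (root or nscd) caller.  Anything else is treated as a real hash. */
int pw_passwd_is_placeholder(const char *pw_passwd)
{
    if (pw_passwd == NULL)
        return 1;
    return strcmp(pw_passwd, "x") == 0 || strcmp(pw_passwd, "*NP*") == 0;
}

/* Run fn(arg) with the effective uid set to `uid`, then restore the
 * *effective* uid that was in force before (not getuid(): in a setuid-root
 * helper the two differ, and restoring the real uid would drop root).
 * Returns fn's result, or -1 if the switch failed (fn is not run).
 * A failed restore aborts: continuing with the wrong euid is unsafe. */
int run_as_euid(uid_t uid, int (*fn)(void *), void *arg)
{
    uid_t saved = geteuid();
    if (seteuid(uid) != 0)
        return -1;
    int rc = fn(arg);
    if (seteuid(saved) != 0) {
        perror("seteuid(restore)");
        abort();
    }
    return rc;
}

/* Callback payload: the name to look up and the hash found, if any. */
struct shadow_query {
    const char *name;
    char hash[256];
    int found;
};

int do_getspnam(void *p)
{
    struct shadow_query *q = p;
    struct spwd *sp = getspnam(q->name);
    if (sp == NULL || sp->sp_pwdp == NULL) {
        q->found = 0;
        return 0;
    }
    snprintf(q->hash, sizeof q->hash, "%s", sp->sp_pwdp);
    q->found = 1;
    return 0;
}

/* Resolve the hash to verify against.  The passwd entry is used as-is when
 * it carries a real hash; when it only holds a placeholder, shadow is asked
 * first as the user (NIS+ authenticates the caller, so the user may see what
 * root cannot), then with our own credentials.  Returns 1 and fills `hash`
 * on success, 0 for an unknown user or when no hash could be obtained. */
int lookup_hash(const char *name, char *hash, size_t hashlen)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return 0;
    if (!pw_passwd_is_placeholder(pw->pw_passwd)) {
        snprintf(hash, hashlen, "%s", pw->pw_passwd);
        return 1;
    }
    uid_t uid = pw->pw_uid;             /* copy before any further NSS call */
    struct shadow_query q = { .name = name, .found = 0 };
    if (run_as_euid(uid, do_getspnam, &q) < 0 || !q.found)
        do_getspnam(&q);                /* fall back to our own credentials */
    if (!q.found)
        return 0;
    snprintf(hash, hashlen, "%s", q.hash);
    return 1;
}

int main(int argc, char **argv)
{
    char hash[256];
    if (argc != 2) {
        fprintf(stderr, "usage: %s <username>\n", argv[0]);
        return 2;
    }
    if (!lookup_hash(argv[1], hash, sizeof hash)) {
        fprintf(stderr, "%s: no hash obtainable (euid %u)\n", argv[1], (unsigned)geteuid());
        return 1;
    }
    printf("%s: hash prefix %.4s... (euid restored to %u)\n", argv[1], hash, (unsigned)geteuid());
    return 0;
}
```

Run as root against a NIS+ or shadow user to see the as-user lookup succeed where the root lookup returned `*NP*`; run as the user to see the direct `getspnam` path. Note that `abort()` on a failed restore is deliberate: a PAM module would return a failure code instead, but it must not fall through.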

