chsh-chfn: fix bugs, improve compilation
* rename --disable-require-password to --disable-chsh-chfn-password
* is_local() is really unnecessary when linked with libuser
* fix set_value_libuser() return codes
* fix chfn.c, there is no 'pw', but oldf.pw
* don't link with PAM when --disable-chsh-chfn-password

Signed-off-by: Karel Zak <kzak@redhat.com>
parent
82a2c1600d
commit
d86918b6eb
48
configure.ac
48
configure.ac
|
@ -1113,23 +1113,9 @@ UL_BUILD_INIT([newgrp])
|
|||
AM_CONDITIONAL(BUILD_NEWGRP, test "x$build_newgrp" = xyes)
|
||||
|
||||
|
||||
AC_ARG_ENABLE([chfn-chsh],
|
||||
AS_HELP_STRING([--enable-chfn-chsh], [build chfn and chsh]),
|
||||
[], enable_chfn_chsh=no
|
||||
)
|
||||
UL_BUILD_INIT([chfn_chsh])
|
||||
UL_REQUIRES_HAVE([chfn_chsh], [security_pam_misc_h], [PAM header file])
|
||||
AM_CONDITIONAL(BUILD_CHFN_CHSH, test "x$build_chfn_chsh" = xyes)
|
||||
|
||||
AC_ARG_ENABLE([chsh-only-listed],
|
||||
AS_HELP_STRING([--disable-chsh-only-listed], [chsh: allow shells not in /etc/shells]),
|
||||
[], enable_chsh_only_listed=yes
|
||||
)
|
||||
|
||||
AC_ARG_WITH([libuser], AS_HELP_STRING([--without-libuser], [compile without libuser (remote chsh)]),
|
||||
AC_ARG_WITH([user], AS_HELP_STRING([--without-user], [compile without libuser (remote chsh)]),
|
||||
[], with_user=auto
|
||||
)
|
||||
|
||||
if test "x$with_user" = xno; then
|
||||
AM_CONDITIONAL(HAVE_USER, false)
|
||||
else
|
||||
|
@ -1142,6 +1128,28 @@ else
|
|||
esac
|
||||
fi
|
||||
|
||||
AC_ARG_ENABLE([chfn-chsh-password],
|
||||
AS_HELP_STRING([--disable-chfn-chsh-password], [do not require the user to enter the password in chfn and chsh]),
|
||||
[], enable_chfn_chsh_password=yes
|
||||
)
|
||||
|
||||
AC_ARG_ENABLE([chfn-chsh],
|
||||
AS_HELP_STRING([--enable-chfn-chsh], [build chfn and chsh]),
|
||||
[], enable_chfn_chsh=no
|
||||
)
|
||||
UL_BUILD_INIT([chfn_chsh])
|
||||
|
||||
if test "x$enable_chfn_chsh_password" = xyes -o "x$have_user" = xyes; then
|
||||
UL_REQUIRES_HAVE([chfn_chsh], [security_pam_misc_h], [PAM header file])
|
||||
AC_DEFINE(CHFN_CHSH_PASSWORD, 1, [Should chfn and chsh require the user to enter the password?])
|
||||
fi
|
||||
AM_CONDITIONAL(BUILD_CHFN_CHSH, test "x$build_chfn_chsh" = xyes)
|
||||
AM_CONDITIONAL(CHFN_CHSH_PASSWORD, test "x$enable_chfn_chsh_password" = xyes)
|
||||
|
||||
AC_ARG_ENABLE([chsh-only-listed],
|
||||
AS_HELP_STRING([--disable-chsh-only-listed], [chsh: allow shells not in /etc/shells]),
|
||||
[], enable_chsh_only_listed=yes
|
||||
)
|
||||
|
||||
if test "x$enable_chsh_only_listed" = xyes; then
|
||||
AC_DEFINE(ONLY_LISTED_SHELLS, 1, [Should chsh allow only shells in /etc/shells?])
|
||||
|
@ -1333,16 +1341,6 @@ if test "x$enable_pg_bell" = xyes; then
|
|||
fi
|
||||
|
||||
|
||||
AC_ARG_ENABLE([require-password],
|
||||
AS_HELP_STRING([--disable-require-password], [do not require the user to enter the password in chfn and chsh]),
|
||||
[], enable_require_password=yes
|
||||
)
|
||||
|
||||
if test "x$enable_require_password" = xyes; then
|
||||
AC_DEFINE(REQUIRE_PASSWORD, 1, [Should chfn and chsh require the user to enter the password?])
|
||||
fi
|
||||
|
||||
|
||||
AC_DEFUN([FS_PATHS_DEFAULT], [/sbin:/sbin/fs.d:/sbin/fs])
|
||||
AC_ARG_ENABLE([fs-paths-default],
|
||||
AS_HELP_STRING([--enable-fs-paths-default=paths], [default search path for fs helpers @<:@FS_PATHS_DEFAULT@:>@]),
|
||||
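Review bot: In the second hunk the C macro and the automake conditional named CHFN_CHSH_PASSWORD are set under different conditions: the `AC_DEFINE` sits inside `if test "x$enable_chfn_chsh_password" = xyes -o "x$have_user" = xyes`, while the `AM_CONDITIONAL` tests only `enable_chfn_chsh_password`. A libuser build configured with --disable-chfn-chsh-password therefore still demands the PAM header and gets the define, yet the Makemodule.am section leaves out login-utils/auth.c and `-lpam -lpam_misc`. If login-utils/libuser.c calls into auth.h (its body is not shown on this page), that configuration will not link; if it does not, the PAM header requirement is stricter than needed. Assuming PAM really is needed whenever libuser is used, the conditional should use the same test, `AM_CONDITIONAL(CHFN_CHSH_PASSWORD, test "x$enable_chfn_chsh_password" = xyes || test "x$have_user" = xyes)`. Using `||` between two `test` calls in the `if` as well avoids `test ... -o ...`, which Autoconf's portability notes advise against.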
|
|
|
@ -59,16 +59,17 @@ dist_man_MANS += \
|
|||
login-utils/chfn.1 \
|
||||
login-utils/chsh.1
|
||||
|
||||
chfn_chsh_sources = \
|
||||
login-utils/islocal.c \
|
||||
login-utils/islocal.h \
|
||||
login-utils/auth.c \
|
||||
login-utils/auth.h \
|
||||
login-utils/setpwnam.c \
|
||||
login-utils/setpwnam.h
|
||||
chfn_chsh_sources =
|
||||
chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS)
|
||||
chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS)
|
||||
chfn_chsh_ldadd = libcommon.la -lpam -lpam_misc
|
||||
chfn_chsh_ldadd = libcommon.la
|
||||
|
||||
if CHFN_CHSH_PASSWORD
|
||||
chfn_chsh_ldadd += -lpam -lpam_misc
|
||||
chfn_chsh_sources += \
|
||||
login-utils/auth.c \
|
||||
login-utils/auth.h
|
||||
endif
|
||||
|
||||
if HAVE_USER
|
||||
chfn_chsh_ldflags += $(LIBUSER_LIBS)
|
||||
|
@ -76,6 +77,12 @@ chfn_chsh_cflags += $(LIBUSER_CFLAGS)
|
|||
chfn_chsh_sources+= \
|
||||
login-utils/libuser.c \
|
||||
login-utils/libuser.h
|
||||
else
|
||||
chfn_chsh_sources += \
|
||||
login-utils/islocal.c \
|
||||
login-utils/islocal.h \
|
||||
login-utils/setpwnam.c \
|
||||
login-utils/setpwnam.h
|
||||
endif
|
||||
|
||||
if HAVE_SELINUX
|
||||
|
|
|
@ -9,11 +9,10 @@
|
|||
*/
|
||||
|
||||
#include "auth.h"
|
||||
|
||||
#include "pamfail.h"
|
||||
|
||||
int auth_pam(const char *service_name, uid_t uid, const char *username) {
|
||||
#ifdef REQUIRE_PASSWORD
|
||||
int auth_pam(const char *service_name, uid_t uid, const char *username)
|
||||
{
|
||||
if (uid != 0) {
|
||||
pam_handle_t *pamh = NULL;
|
||||
struct pam_conv conv = { misc_conv, NULL };
|
||||
|
@ -43,5 +42,4 @@ int auth_pam(const char *service_name, uid_t uid, const char *username) {
|
|||
* session-oriented activity... */
|
||||
}
|
||||
return TRUE;
|
||||
#endif /* REQUIRE_PASSWORD */
|
||||
}
|
||||
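Review bot: auth_pam has no comment stating its contract, and with the `#ifdef REQUIRE_PASSWORD` wrapper gone the visible `if (uid != 0)` test is the only thing that decides whether PAM runs before `return TRUE`. Since Makemodule.am builds the callers with `$(SUID_CFLAGS)`, the value passed as `uid` matters: an effective UID of 0 would skip the prompt. I would add a header comment such as `/* Returns TRUE if uid is 0 or PAM authentication succeeds; uid must be the caller's real UID (getuid()). */`, adjusted to whatever the failure paths return. Most of the function body lies between the two hunks and is not shown here, so the failure behaviour needs checking against the full file.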
|
|
|
@ -50,7 +50,7 @@
|
|||
#ifdef HAVE_LIBUSER
|
||||
# include <libuser/user.h>
|
||||
# include "libuser.h"
|
||||
#else
|
||||
#elif CHFN_CHSH_PASSWORD
|
||||
# include "auth.h"
|
||||
#endif
|
||||
|
||||
|
@ -133,8 +133,10 @@ int main(int argc, char **argv)
|
|||
newf.username);
|
||||
}
|
||||
|
||||
#ifndef HAVE_LIBUSER
|
||||
if (!(is_local(oldf.username)))
|
||||
errx(EXIT_FAILURE, _("can only change local entries"));
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_LIBSELINUX
|
||||
if (is_selinux_enabled() > 0) {
|
||||
|
@ -158,18 +160,18 @@ int main(int argc, char **argv)
|
|||
|
||||
#ifdef HAVE_LIBUSER
|
||||
/* If we're setuid and not really root, disallow the password change. */
|
||||
if (geteuid() != getuid() && uid != pw->pw_uid) {
|
||||
if (geteuid() != getuid() && uid != oldf.pw->pw_uid) {
|
||||
#else
|
||||
if (uid != 0 && uid != pw->pw_uid) {
|
||||
if (uid != 0 && uid != oldf.pw->pw_uid) {
|
||||
#endif
|
||||
errno = EACCES;
|
||||
err(EXIT_FAILURE, _("running UID doesn't match UID of user we're "
|
||||
"altering, change denied")););
|
||||
"altering, change denied"));
|
||||
}
|
||||
|
||||
printf(_("Changing finger information for %s.\n"), oldf.username);
|
||||
|
||||
#ifndef HAVE_LIBUSER
|
||||
#if !defined(HAVE_LIBUSER) && defined(CHFN_CHSH_PASSWORD)
|
||||
if(!auth_pam("chfn", uid, oldf.username)) {
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
@ -460,14 +462,14 @@ static int save_new_data(struct finfo *pinfo)
|
|||
}
|
||||
|
||||
#ifdef HAVE_LIBUSER
|
||||
if(set_value_libuser("chfn", pinfo->pw->pw_name, pinfo->pw->pw_uid,
|
||||
LU_GECOS, gecos)) {
|
||||
if (set_value_libuser("chfn", pinfo->pw->pw_name, pinfo->pw->pw_uid,
|
||||
LU_GECOS, gecos) < 0) {
|
||||
#else /* HAVE_LIBUSER */
|
||||
/* write the new struct passwd to the passwd file. */
|
||||
pinfo->pw->pw_gecos = gecos;
|
||||
if (setpwnam(pinfo->pw) < 0) {
|
||||
warn("setpwnam failed");
|
||||
#endif
|
||||
warn("setpwnam");
|
||||
printf(_
|
||||
("Finger information *NOT* changed. Try again later.\n"));
|
||||
return -1;
|
||||
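Review bot: `#elif CHFN_CHSH_PASSWORD` in the include hunk tests the macro's value, whereas the auth_pam guard later in main uses `defined(CHFN_CHSH_PASSWORD)`. When the option is disabled the identifier is undefined, so the `#elif` form works only because undefined names evaluate to 0, and it warns under -Wundef. Writing `#elif defined(CHFN_CHSH_PASSWORD)` keeps the two guards in step, so auth.h is included exactly when auth_pam is called. The same line appears in the include hunk of the chsh section. main starts and ends outside these hunks.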
|
|
|
@ -52,7 +52,7 @@
|
|||
#ifdef HAVE_LIBUSER
|
||||
# include <libuser/user.h>
|
||||
# include "libuser.h"
|
||||
#else
|
||||
#elif CHFN_CHSH_PASSWORD
|
||||
# include "auth.h"
|
||||
#endif
|
||||
|
||||
|
@ -110,8 +110,10 @@ int main(int argc, char **argv)
|
|||
info.username);
|
||||
}
|
||||
|
||||
#ifndef HAVE_LIBUSER
|
||||
if (!(is_local(pw->pw_name)))
|
||||
errx(EXIT_FAILURE, _("can only change local entries."));
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_LIBSELINUX
|
||||
if (is_selinux_enabled() > 0) {
|
||||
|
@ -160,12 +162,11 @@ int main(int argc, char **argv)
|
|||
|
||||
printf(_("Changing shell for %s.\n"), pw->pw_name);
|
||||
|
||||
#ifndef HAVE_LIBUSER
|
||||
#if !defined(HAVE_LIBUSER) && defined(CHFN_CHSH_PASSWORD)
|
||||
if(!auth_pam("chsh", uid, pw->pw_name)) {
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (!shell) {
|
||||
shell = prompt(_("New shell"), oldshell);
|
||||
if (!shell)
|
||||
|
@ -179,7 +180,9 @@ int main(int argc, char **argv)
|
|||
errx(EXIT_SUCCESS, _("Shell not changed."));
|
||||
|
||||
#ifdef HAVE_LIBUSER
|
||||
set_value_libuser("chsh", pw->pw_name, uid, LU_LOGINSHELL, shell);
|
||||
if (set_value_libuser("chsh", pw->pw_name, uid,
|
||||
LU_LOGINSHELL, shell) < 0)
|
||||
errx(EXIT_FAILURE, _("Shell *NOT* changed. Try again later."));
|
||||
#else
|
||||
pw->pw_shell = shell;
|
||||
if (setpwnam(pw) < 0)
|
||||
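Review bot: The third argument of the new `set_value_libuser("chsh", pw->pw_name, uid, LU_LOGINSHELL, shell)` call is `uid`, while the chfn call in save_new_data passes `pinfo->pw->pw_uid`, the UID of the account being edited. login-utils/libuser.c forwards that argument to `auth_lu(service_name, ctx, uid, username)`, so the two tools hand the authentication path different identities; what auth_lu does with it is outside the visible hunks. Decide whether the parameter means the invoking user or the target account, state it in a comment on the prototype in libuser.h, and make both callers pass the same thing. main continues past the end of this hunk.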
|
|
|
@ -23,7 +23,7 @@ static int auth_lu(const char *service_name, struct lu_context *ctx, uid_t uid,
|
|||
|
||||
static int auth_lu(const char *service_name, struct lu_context *ctx, uid_t uid,
|
||||
const char *username) {
|
||||
if(!lu_uses_elevated_privileges(ctx)) {
|
||||
if (!lu_uses_elevated_privileges(ctx)) {
|
||||
/* Drop privileges */
|
||||
if (setegid(getgid()) == -1)
|
||||
err(EXIT_FAILURE, _("Couldn't drop group privileges"));
|
||||
|
@ -47,7 +47,7 @@ int set_value_libuser(const char *service_name, const char *username, uid_t uid,
|
|||
errx(EXIT_FAILURE, _("libuser initialization failed: %s."),
|
||||
lu_strerror(error));
|
||||
|
||||
if(!auth_lu(service_name, ctx, uid, username)) {
|
||||
if (!auth_lu(service_name, ctx, uid, username)) {
|
||||
errno = EACCES;
|
||||
err(EXIT_FAILURE, _("changing user attribute failed"));
|
||||
}
|
||||
|
@ -67,5 +67,6 @@ int set_value_libuser(const char *service_name, const char *username, uid_t uid,
|
|||
}
|
||||
lu_ent_free(ent);
|
||||
lu_end(ctx);
|
||||
return TRUE;
|
||||
|
||||
return 0;
|
||||
}
|
||||
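Review bot: set_value_libuser now ends with `return 0;` and the callers test `< 0`, but none of the lines shown returns a negative value: the failure paths visible in the second hunk call `errx`/`err` and exit. If every failure exits, the new `< 0` branches in chfn and chsh can never run; if a path outside these hunks still returns FALSE, it would now read as success. The rest of the function body needs checking for this. I would document the contract on the prototype in libuser.h, e.g. `/* returns 0 on success, -1 on failure */`, and make the remaining returns match it.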
|
|