Remove pwdauth.c
We don't know what it was for. If anyone cares, it's in git history. In my distro, there seem to be no traces of it: alx@debian:~$ apt-file find pwdauth alx@debian:~$ Link: <https://codesearch.debian.net/search?q=pwdauth&literal=1> Link: <https://github.com/shadow-maint/shadow/pull/612> Cc: Christian Göttsche <cgzones@googlemail.com> Cc: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
This commit is contained in:
Alejandro Colomar
Serge Hallyn
parent
74c17c7167
commit
5fae37271e
@ -2,5 +2,5 @@
|
||||
# and also cooperate to make a distribution for `make dist'
|
||||
|
||||
EXTRA_DIST = README adduser.c adduser.sh adduser2.sh \
|
||||
atudel groupmems.shar pwdauth.c shadow-anonftp.patch \
|
||||
atudel groupmems.shar shadow-anonftp.patch \
|
||||
udbachk.tgz
|
||||
|
||||
@ -1,308 +0,0 @@
|
||||
/*
|
||||
* pwdauth.c - program to verify a given username/password pair.
|
||||
*
|
||||
* Run it with username in argv[1] (may be omitted - default is the
|
||||
* current user), and send it the password over a pipe on stdin.
|
||||
* Exit status: 0 - correct password, 1 - wrong password, >1 - other
|
||||
* errors. For use with shadow passwords, this program should be
|
||||
* installed setuid root.
|
||||
*
|
||||
* This can be used, for example, by xlock - you don't have to install
|
||||
* this large and complex (== possibly insecure) program setuid root,
|
||||
* just modify it to run this simple program to do the authentication.
|
||||
*
|
||||
* Recent versions (xlockmore-3.9) are cleaner, and drop privileges as
|
||||
* soon as possible after getting the user's encrypted password.
|
||||
* Using this program probably doesn't make it more secure, and has one
|
||||
* disadvantage: since we don't get the encrypted user's password at
|
||||
* startup (but at the time the user is authenticated), it is not clear
|
||||
* how we should handle errors (like getpwnam() returning NULL).
|
||||
* - fail the authentication? Problem: no way to unlock (other than kill
|
||||
* the process from somewhere else) if the NIS server stops responding.
|
||||
* - succeed and unlock? Problem: it's too easy to unlock by unplugging
|
||||
* the box from the network and waiting until NIS times out...
|
||||
*
|
||||
* This program is Copyright (C) 1996 Marek Michalkiewicz
|
||||
* <marekm@i17linuxb.ists.pwr.wroc.pl>.
|
||||
*
|
||||
* It may be used and distributed freely for any purposes. There is no
|
||||
* warranty - use at your own risk. I am not liable for any damages etc.
|
||||
* If you improve it, please send me your changes.
|
||||
*/
|
||||
|
||||
static char rcsid[] = "$Id$";
|
||||
|
||||
/*
|
||||
* Define USE_SYSLOG to use syslog() to log successful and failed
|
||||
* authentication. This should be safe even if your system has
|
||||
* the infamous syslog buffer overrun security problem...
|
||||
*/
|
||||
#define USE_SYSLOG
|
||||
|
||||
/*
|
||||
* Define HAVE_GETSPNAM to get shadow passwords using getspnam().
|
||||
* Some systems don't have getspnam(), but getpwnam() returns
|
||||
* encrypted passwords only if running as root.
|
||||
*
|
||||
* According to the xlock source (not tested, except Linux) -
|
||||
* define: Linux, Solaris 2.x, SVR4, ...
|
||||
* undef: HP-UX with Secured Passwords, FreeBSD, NetBSD, QNX.
|
||||
* Known not supported (yet): Ultrix, OSF/1, SCO.
|
||||
*/
|
||||
#define HAVE_GETSPNAM
|
||||
|
||||
/*
|
||||
* Define HAVE_PW_ENCRYPT to use pw_encrypt() instead of crypt().
|
||||
* pw_encrypt() is like the standard crypt(), except that it may
|
||||
* support better password hashing algorithms.
|
||||
*
|
||||
* Define if linking with libshadow.a from the shadow password
|
||||
* suite (Linux, SunOS 4.x?).
|
||||
*/
|
||||
#undef HAVE_PW_ENCRYPT
|
||||
|
||||
/*
|
||||
* Define HAVE_AUTH_METHODS to support the shadow suite specific
|
||||
* extension: the encrypted password field contains a list of
|
||||
* administrator defined authentication methods, separated by
|
||||
* semicolons. This program only supports the standard password
|
||||
* authentication method (a string that doesn't start with '@').
|
||||
*/
|
||||
#undef HAVE_AUTH_METHODS
|
||||
|
||||
/*
|
||||
* FAIL_DELAY - number of seconds to sleep before exiting if the
|
||||
* password was wrong, to slow down password guessing attempts.
|
||||
*/
|
||||
#define FAIL_DELAY 2
|
||||
|
||||
/* No user-serviceable parts below :-). */
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
#include <unistd.h>
|
||||
#include <pwd.h>
|
||||
|
||||
#ifdef USE_SYSLOG
|
||||
#include <syslog.h>
|
||||
#ifndef LOG_AUTHPRIV
|
||||
#define LOG_AUTHPRIV LOG_AUTH
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_GETSPNAM
|
||||
#include <shadow.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_PW_ENCRYPT
|
||||
extern char *pw_encrypt();
|
||||
#define crypt pw_encrypt
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Read the password (one line) from fp. We don't turn off echo
|
||||
* because we expect input from a pipe.
|
||||
*/
|
||||
static char *
|
||||
get_line(fp)
|
||||
FILE *fp;
|
||||
{
|
||||
static char buf[128];
|
||||
char *cp;
|
||||
int ch;
|
||||
|
||||
cp = buf;
|
||||
while ((ch = getc(fp)) != EOF && ch != '\0' && ch != '\n') {
|
||||
if (cp >= buf + sizeof buf - 1)
|
||||
break;
|
||||
*cp++ = ch;
|
||||
}
|
||||
*cp = '\0';
|
||||
return buf;
|
||||
}
|
||||
|
||||
/*
|
||||
* Get the password file entry for the current user. If the name
|
||||
* returned by getlogin() is correct (matches the current real uid),
|
||||
* return the entry for that user. Otherwise, return the entry (if
|
||||
* any) matching the current real uid. Return NULL on failure.
|
||||
*/
|
||||
static struct passwd *
|
||||
get_my_pwent()
|
||||
{
|
||||
uid_t uid = getuid();
|
||||
char *name = getlogin();
|
||||
|
||||
if (name && *name) {
|
||||
struct passwd *pw = getpwnam(name);
|
||||
|
||||
if (pw && pw->pw_uid == uid)
|
||||
return pw;
|
||||
}
|
||||
return getpwuid(uid);
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify the password. The system-dependent shadow support is here.
|
||||
*/
|
||||
static int
|
||||
password_auth_ok(pw, pass)
|
||||
const struct passwd *pw;
|
||||
const char *pass;
|
||||
{
|
||||
int result;
|
||||
char *cp;
|
||||
#ifdef HAVE_AUTH_METHODS
|
||||
char *buf;
|
||||
#endif
|
||||
#ifdef HAVE_GETSPNAM
|
||||
struct spwd *sp;
|
||||
#endif
|
||||
|
||||
if (pw) {
|
||||
#ifdef HAVE_GETSPNAM
|
||||
sp = getspnam(pw->pw_name);
|
||||
if (sp)
|
||||
cp = sp->sp_pwdp;
|
||||
else
|
||||
#endif
|
||||
cp = pw->pw_passwd;
|
||||
} else
|
||||
cp = "xx";
|
||||
|
||||
#ifdef HAVE_AUTH_METHODS
|
||||
buf = strdup(cp); /* will be modified by strtok() */
|
||||
if (!buf) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
exit(13);
|
||||
}
|
||||
cp = strtok(buf, ";");
|
||||
while (cp && *cp == '@')
|
||||
cp = strtok(NULL, ";");
|
||||
|
||||
/* fail if no password authentication for this user */
|
||||
if (!cp)
|
||||
cp = "xx";
|
||||
#endif
|
||||
|
||||
if (*pass || *cp)
|
||||
result = (strcmp(crypt(pass, cp), cp) == 0);
|
||||
else
|
||||
result = 1; /* user with no password */
|
||||
|
||||
#ifdef HAVE_AUTH_METHODS
|
||||
free(buf);
|
||||
#endif
|
||||
return result;
|
||||
}
|
||||
|
||||
/*
|
||||
* Main program.
|
||||
*/
|
||||
int
|
||||
main(argc, argv)
|
||||
int argc;
|
||||
char **argv;
|
||||
{
|
||||
struct passwd *pw;
|
||||
char *pass, *name;
|
||||
char myname[32];
|
||||
|
||||
#ifdef USE_SYSLOG
|
||||
openlog("pwdauth", LOG_PID | LOG_CONS, LOG_AUTHPRIV);
|
||||
#endif
|
||||
pw = get_my_pwent();
|
||||
if (!pw) {
|
||||
#ifdef USE_SYSLOG
|
||||
syslog(LOG_ERR, "can't get login name for uid %d.\n",
|
||||
(int) getuid());
|
||||
#endif
|
||||
fprintf(stderr, "Who are you?\n");
|
||||
exit(2);
|
||||
}
|
||||
strncpy(myname, pw->pw_name, sizeof myname - 1);
|
||||
myname[sizeof myname - 1] = '\0';
|
||||
name = myname;
|
||||
|
||||
if (argc > 1) {
|
||||
name = argv[1];
|
||||
pw = getpwnam(name);
|
||||
}
|
||||
|
||||
pass = get_line(stdin);
|
||||
if (password_auth_ok(pw, pass)) {
|
||||
#ifdef USE_SYSLOG
|
||||
syslog(pw->pw_uid ? LOG_INFO : LOG_NOTICE,
|
||||
"user `%s' entered correct password for `%.32s'.\n",
|
||||
myname, name);
|
||||
#endif
|
||||
exit(0);
|
||||
}
|
||||
#ifdef USE_SYSLOG
|
||||
/* be careful not to overrun the syslog buffer */
|
||||
syslog((!pw || pw->pw_uid) ? LOG_NOTICE : LOG_WARNING,
|
||||
"user `%s' entered incorrect password for `%.32s'.\n",
|
||||
myname, name);
|
||||
#endif
|
||||
#ifdef FAIL_DELAY
|
||||
sleep(FAIL_DELAY);
|
||||
#endif
|
||||
fprintf(stderr, "Wrong password.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
#if 0
|
||||
/*
|
||||
* You can use code similar to the following to run this program.
|
||||
* Return values: >=0 - program exit status (use the <sys/wait.h>
|
||||
* macros to get the exit code, it is shifted left by 8 bits),
|
||||
* -1 - check errno.
|
||||
*/
|
||||
int
|
||||
verify_password(const char *username, const char *password)
|
||||
{
|
||||
int pipe_fd[2];
|
||||
int pid, wpid, status;
|
||||
|
||||
if (pipe(pipe_fd))
|
||||
return -1;
|
||||
|
||||
if ((pid = fork()) == 0) {
|
||||
char *arg[3];
|
||||
char *env[1];
|
||||
|
||||
/* child */
|
||||
close(pipe_fd[1]);
|
||||
if (pipe_fd[0] != 0) {
|
||||
if (dup2(pipe_fd[0], 0) != 0)
|
||||
_exit(127);
|
||||
close(pipe_fd[0]);
|
||||
}
|
||||
arg[0] = "/usr/bin/pwdauth";
|
||||
arg[1] = username;
|
||||
arg[2] = NULL;
|
||||
env[0] = NULL;
|
||||
execve(arg[0], arg, env);
|
||||
_exit(127);
|
||||
} else if (pid == -1) {
|
||||
/* error */
|
||||
close(pipe_fd[0]);
|
||||
close(pipe_fd[1]);
|
||||
return -1;
|
||||
}
|
||||
/* parent */
|
||||
close(pipe_fd[0]);
|
||||
write(pipe_fd[1], password, strlen(password));
|
||||
write(pipe_fd[1], "\n", 1);
|
||||
close(pipe_fd[1]);
|
||||
|
||||
while ((wpid = wait(&status)) != pid) {
|
||||
if (wpid == -1)
|
||||
return -1;
|
||||
}
|
||||
return status;
|
||||
}
|
||||
#endif
|
||||
Loading…
Reference in New Issue
Block a user