From 757b9633191eafa32a86ab8ec032e743d0227093 Mon Sep 17 00:00:00 2001
From: TJ Saunders <[email protected]>
Date: Wed, 5 Jul 2017 23:33:16 -0700
Subject: [PATCH] Bug#4308: When authorizing a user, check for any shadow
information for that user, and use such information as part of the
authorization check.
---
modules/mod_auth_unix.c | 67 +++++++++++++++++++++++++++++++++++++++----------
1 file changed, 54 insertions(+), 13 deletions(-)
diff --git a/modules/mod_auth_unix.c b/modules/mod_auth_unix.c
index 788b4c549..7d7a994d7 100644
--- a/modules/mod_auth_unix.c
+++ b/modules/mod_auth_unix.c
@@ -715,34 +715,40 @@ static char *get_pwd_info(pool *p, const char *u, time_t *lstchg, time_t *min,
MODRET pw_auth(cmd_rec *cmd) {
int res;
time_t now;
- char *cpw;
- time_t lstchg = -1, max = -1, inact = -1, disable = -1;
+ char *cleartxt_passwd;
+ time_t lstchg = -1, max = -1, inact = -1, expire = -1;
const char *name;
+ size_t cleartxt_passwdlen;
name = cmd->argv[0];
- time(&now);
- cpw = get_pwd_info(cmd->tmp_pool, name, &lstchg, NULL, &max, NULL, &inact,
- &disable);
- if (cpw == NULL) {
+ cleartxt_passwd = get_pwd_info(cmd->tmp_pool, name, &lstchg, NULL, &max,
+ NULL, &inact, &expire);
+ if (cleartxt_passwd == NULL) {
return PR_DECLINED(cmd);
}
- res = pr_auth_check(cmd->tmp_pool, cpw, cmd->argv[0], cmd->argv[1]);
+ res = pr_auth_check(cmd->tmp_pool, cleartxt_passwd, cmd->argv[0],
+ cmd->argv[1]);
+ cleartxt_passwdlen = strlen(cleartxt_passwd);
+ pr_memscrub(cleartxt_passwd, cleartxt_passwdlen);
+
if (res < PR_AUTH_OK) {
return PR_ERROR_INT(cmd, res);
}
+ time(&now);
+
if (lstchg > (time_t) 0 &&
max > (time_t) 0 &&
inact > (time_t) 0) {
- if (now > lstchg + max + inact) {
+ if (now > (lstchg + max + inact)) {
return PR_ERROR_INT(cmd, PR_AUTH_AGEPWD);
}
}
- if (disable > (time_t) 0 &&
- now > disable) {
+ if (expire > (time_t) 0 &&
+ now > expire) {
return PR_ERROR_INT(cmd, PR_AUTH_DISABLEDPWD);
}
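Review bot: The renamed local `cleartxt_passwd` holds whatever `get_pwd_info` returns for the user (the old name was `cpw`) and is passed to `pr_auth_check` in the slot that was `cpw`, while the caller-supplied credential is `cmd->argv[1]`; if `cpw` meant the crypted/stored password, the new name says the opposite of what the variable is and a reader will assume the scrub at `pr_memscrub(cleartxt_passwd, cleartxt_passwdlen)` covers the user-typed secret, so `stored_passwd` (or keeping `cpw`) would be clearer. The `strlen` followed by `pr_memscrub` pair is repeated verbatim in `pw_authz` in the next hunk; a small `static void scrub_pwd(char *pw) { pr_memscrub(pw, strlen(pw)); }` would keep both call sites in step. The check `now > (lstchg + max + inact)` adds three values from the password database to a clock reading, and nothing in the hunk states the unit `get_pwd_info` returns them in; a one-line comment above the `if` recording that unit (and who converts it) would pin the contract the arithmetic depends on. The closing brace of `pw_auth` lies outside this hunk.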
@@ -751,14 +757,49 @@ MODRET pw_auth(cmd_rec *cmd) {
}
MODRET pw_authz(cmd_rec *cmd) {
+ time_t now;
+ char *user, *cleartxt_passwd;
+ time_t lstchg = -1, max = -1, inact = -1, expire = -1;
+ size_t cleartxt_passwdlen;
+
+ user = cmd->argv[0];
+
+ cleartxt_passwd = get_pwd_info(cmd->tmp_pool, user, &lstchg, NULL, &max,
+ NULL, &inact, &expire);
+ if (cleartxt_passwd == NULL) {
+ pr_log_auth(LOG_WARNING, "no password information found for user '%.100s'",
+ user);
+ return PR_ERROR_INT(cmd, PR_AUTH_NOPWD);
+ }
+
+ cleartxt_passwdlen = strlen(cleartxt_passwd);
+ pr_memscrub(cleartxt_passwd, cleartxt_passwdlen);
+
+ time(&now);
+
+ if (lstchg > (time_t) 0 &&
+ max > (time_t) 0 &&
+ inact > (time_t) 0) {
+ if (now > (lstchg + max + inact)) {
+ pr_log_auth(LOG_WARNING,
+ "account for user '%.100s' disabled due to inactivity", user);
+ return PR_ERROR_INT(cmd, PR_AUTH_AGEPWD);
+ }
+ }
+
+ if (expire > (time_t) 0 &&
+ now > expire) {
+ pr_log_auth(LOG_WARNING,
+ "account for user '%.100s' disabled due to password expiration", user);
+ return PR_ERROR_INT(cmd, PR_AUTH_DISABLEDPWD);
+ }
+
/* XXX Any other implementations here? */
#ifdef HAVE_LOGINRESTRICTIONS
if (!(auth_unix_opts & AUTH_UNIX_OPT_AIX_NO_RLOGIN)) {
int res, xerrno, code = 0;
- char *user = NULL, *reason = NULL;
-
- user = cmd->argv[0];
+ char *reason = NULL;
/* Check for account login restrictions and such using AIX-specific
* functions.