author | Karel Zak | 2013-02-13 13:44:34 +0100 |
---|---|---|
committer | Karel Zak | 2013-02-13 13:44:34 +0100 |
commit | d86918b6eb854de38a6e02b81466fcc0419cef98 (patch) | |
tree | cd3c94684bbe241411918306bbfb76b2af7d9cc8 | |
parent | libmount: correctly propagate ambivalent blkid probing results (diff) | |
chsh-chfn: fix bugs, improve compilation
* rename --disable-require-password to --disable-chsh-chfn-password
* is_local() is really unnecessary when linked with libuser
* fix set_value_libuser() return codes
* fix chfn.c, there is no 'pw', but oldf.pw
* don't link with PAM when --disable-chsh-chfn-password
Signed-off-by: Karel Zak <kzak@redhat.com>
-rw-r--r-- | configure.ac | 48 | ||||
-rw-r--r-- | login-utils/Makemodule.am | 23 | ||||
-rw-r--r-- | login-utils/auth.c | 6 | ||||
-rw-r--r-- | login-utils/chfn.c | 18 | ||||
-rw-r--r-- | login-utils/chsh.c | 11 | ||||
-rw-r--r-- | login-utils/libuser.c | 7 |
6 files changed, 61 insertions, 52 deletions
diff --git a/configure.ac b/configure.ac index cf6e92210..4a7979510 100644 --- a/configure.ac +++ b/configure.ac @@ -1113,23 +1113,9 @@ UL_BUILD_INIT([newgrp]) AM_CONDITIONAL(BUILD_NEWGRP, test "x$build_newgrp" = xyes) -AC_ARG_ENABLE([chfn-chsh], - AS_HELP_STRING([--enable-chfn-chsh], [build chfn and chsh]), - [], enable_chfn_chsh=no -) -UL_BUILD_INIT([chfn_chsh]) -UL_REQUIRES_HAVE([chfn_chsh], [security_pam_misc_h], [PAM header file]) -AM_CONDITIONAL(BUILD_CHFN_CHSH, test "x$build_chfn_chsh" = xyes) - -AC_ARG_ENABLE([chsh-only-listed], -AS_HELP_STRING([--disable-chsh-only-listed], [chsh: allow shells not in /etc/shells]), -[], enable_chsh_only_listed=yes -) - -AC_ARG_WITH([libuser], AS_HELP_STRING([--without-libuser], [compile without libuser (remote chsh)]), +AC_ARG_WITH([user], AS_HELP_STRING([--without-user], [compile without libuser (remote chsh)]), [], with_user=auto ) - if test "x$with_user" = xno; then AM_CONDITIONAL(HAVE_USER, false) else 
@@ -1142,6 +1128,28 @@ else esac fi +AC_ARG_ENABLE([chfn-chsh-password], + AS_HELP_STRING([--disable-chfn-chsh-password], [do not require the user to enter the password in chfn and chsh]), + [], enable_chfn_chsh_password=yes +) + +AC_ARG_ENABLE([chfn-chsh], + AS_HELP_STRING([--enable-chfn-chsh], [build chfn and chsh]), + [], enable_chfn_chsh=no +) +UL_BUILD_INIT([chfn_chsh]) + +if test "x$enable_chfn_chsh_password" = xyes -o "x$have_user" = xyes; then + UL_REQUIRES_HAVE([chfn_chsh], [security_pam_misc_h], [PAM header file]) + AC_DEFINE(CHFN_CHSH_PASSWORD, 1, [Should chfn and chsh require the user to enter the password?]) +fi +AM_CONDITIONAL(BUILD_CHFN_CHSH, test "x$build_chfn_chsh" = xyes) +AM_CONDITIONAL(CHFN_CHSH_PASSWORD, test "x$enable_chfn_chsh_password" = xyes) + +AC_ARG_ENABLE([chsh-only-listed], +AS_HELP_STRING([--disable-chsh-only-listed], [chsh: allow shells not in /etc/shells]), +[], enable_chsh_only_listed=yes +) if test "x$enable_chsh_only_listed" = xyes; then AC_DEFINE(ONLY_LISTED_SHELLS, 1, [Should chsh allow only shells in /etc/shells?]) @@ -1333,16 +1341,6 @@ if test "x$enable_pg_bell" = xyes; then fi -AC_ARG_ENABLE([require-password], - AS_HELP_STRING([--disable-require-password], [do not require the user to enter the password in chfn and chsh]), - [], enable_require_password=yes -) - -if test "x$enable_require_password" = xyes; then - AC_DEFINE(REQUIRE_PASSWORD, 1, [Should chfn and chsh require the user to enter the password?]) -fi - - AC_DEFUN([FS_PATHS_DEFAULT], [/sbin:/sbin/fs.d:/sbin/fs]) AC_ARG_ENABLE([fs-paths-default], AS_HELP_STRING([--enable-fs-paths-default=paths], [default search path for fs helpers @<:@FS_PATHS_DEFAULT@:>@]), diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am index 0c5711841..8283935f9 100644 --- a/login-utils/Makemodule.am +++ b/login-utils/Makemodule.am 
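Review bot: The C macro and the automake conditional named CHFN_CHSH_PASSWORD are driven by different tests in this hunk: `AC_DEFINE(CHFN_CHSH_PASSWORD, 1, ...)` fires when the password option is on or `$have_user` is yes, while `AM_CONDITIONAL(CHFN_CHSH_PASSWORD, ...)` looks only at `$enable_chfn_chsh_password`. With libuser present and `--disable-chfn-chsh-password`, the sources see the macro defined while the Makemodule.am hunk `@@ -59,16 +59,17 @@` leaves out `login-utils/auth.c` and `-lpam -lpam_misc`; if libuser.c needs anything from auth.c (not visible here) that configuration will not link, and in any case the macro no longer says what the builder asked for on a setuid tool. `have_user` is also not assigned in the lines shown (the surrounding code tests `with_user`), so confirm it is set before this test. I would compute the condition once in a shell variable, use it for both the `AC_DEFINE` block and the `AM_CONDITIONAL`, and add a comment stating why a libuser build forces the PAM requirement.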
@@ -59,16 +59,17 @@ dist_man_MANS += \ login-utils/chfn.1 \ login-utils/chsh.1 -chfn_chsh_sources = \ - login-utils/islocal.c \ - login-utils/islocal.h \ - login-utils/auth.c \ - login-utils/auth.h \ - login-utils/setpwnam.c \ - login-utils/setpwnam.h +chfn_chsh_sources = chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS) chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS) -chfn_chsh_ldadd = libcommon.la -lpam -lpam_misc +chfn_chsh_ldadd = libcommon.la + +if CHFN_CHSH_PASSWORD +chfn_chsh_ldadd += -lpam -lpam_misc +chfn_chsh_sources += \ + login-utils/auth.c \ + login-utils/auth.h +endif if HAVE_USER chfn_chsh_ldflags += $(LIBUSER_LIBS) @@ -76,6 +77,12 @@ chfn_chsh_cflags += $(LIBUSER_CFLAGS) chfn_chsh_sources+= \ login-utils/libuser.c \ login-utils/libuser.h +else +chfn_chsh_sources += \ + login-utils/islocal.c \ + login-utils/islocal.h \ + login-utils/setpwnam.c \ + login-utils/setpwnam.h endif if HAVE_SELINUX diff --git a/login-utils/auth.c b/login-utils/auth.c index 373bd22c1..18312d4f1 100644 --- a/login-utils/auth.c +++ b/login-utils/auth.c @@ -9,11 +9,10 @@ */ #include "auth.h" - #include "pamfail.h" -int auth_pam(const char *service_name, uid_t uid, const char *username) { -#ifdef REQUIRE_PASSWORD +int auth_pam(const char *service_name, uid_t uid, const char *username) +{ if (uid != 0) { pam_handle_t *pamh = NULL; struct pam_conv conv = { misc_conv, NULL }; @@ -43,5 +42,4 @@ int auth_pam(const char *service_name, uid_t uid, const char *username) { * session-oriented activity... */ } return TRUE; -#endif /* REQUIRE_PASSWORD */ } diff --git a/login-utils/chfn.c b/login-utils/chfn.c index 7ea3f3e3b..95e8d9d59 100644 --- a/login-utils/chfn.c +++ b/login-utils/chfn.c @@ -50,7 +50,7 @@ #ifdef HAVE_LIBUSER # include <libuser/user.h> # include "libuser.h" -#else +#elif CHFN_CHSH_PASSWORD # include "auth.h" #endif 
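Review bot: `#elif CHFN_CHSH_PASSWORD` evaluates the macro's value, whereas the guards added further down in the same files test `defined(CHFN_CHSH_PASSWORD)`; the two forms agree only as long as configure defines the macro to a non-zero value. Use `#elif defined(CHFN_CHSH_PASSWORD)` here and in the matching include block of login-utils/chsh.c, so every guard on this authentication switch reads the same way and a build with `-Wundef` stays quiet.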
@@ -133,8 +133,10 @@ int main(int argc, char **argv) newf.username); } +#ifndef HAVE_LIBUSER if (!(is_local(oldf.username))) errx(EXIT_FAILURE, _("can only change local entries")); +#endif #ifdef HAVE_LIBSELINUX if (is_selinux_enabled() > 0) { @@ -158,18 +160,18 @@ int main(int argc, char **argv) #ifdef HAVE_LIBUSER /* If we're setuid and not really root, disallow the password change. */ - if (geteuid() != getuid() && uid != pw->pw_uid) { + if (geteuid() != getuid() && uid != oldf.pw->pw_uid) { #else - if (uid != 0 && uid != pw->pw_uid) { + if (uid != 0 && uid != oldf.pw->pw_uid) { #endif errno = EACCES; err(EXIT_FAILURE, _("running UID doesn't match UID of user we're " - "altering, change denied"));); + "altering, change denied")); } printf(_("Changing finger information for %s.\n"), oldf.username); -#ifndef HAVE_LIBUSER +#if !defined(HAVE_LIBUSER) && defined(CHFN_CHSH_PASSWORD) if(!auth_pam("chfn", uid, oldf.username)) { return EXIT_FAILURE; } @@ -460,14 +462,14 @@ static int save_new_data(struct finfo *pinfo) } #ifdef HAVE_LIBUSER - if(set_value_libuser("chfn", pinfo->pw->pw_name, pinfo->pw->pw_uid, - LU_GECOS, gecos)) { + if (set_value_libuser("chfn", pinfo->pw->pw_name, pinfo->pw->pw_uid, + LU_GECOS, gecos) < 0) { #else /* HAVE_LIBUSER */ /* write the new struct passwd to the passwd file. */ pinfo->pw->pw_gecos = gecos; if (setpwnam(pinfo->pw) < 0) { + warn("setpwnam failed"); #endif - warn("setpwnam"); printf(_ ("Finger information *NOT* changed. Try again later.\n")); return -1; diff --git a/login-utils/chsh.c b/login-utils/chsh.c index 66800ca94..e14efe088 100644 --- a/login-utils/chsh.c +++ b/login-utils/chsh.c @@ -52,7 +52,7 @@ #ifdef HAVE_LIBUSER # include <libuser/user.h> # include "libuser.h" -#else +#elif CHFN_CHSH_PASSWORD # include "auth.h" #endif 
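Review bot: In the `@@ -158,18 +160,18 @@` hunk the guard `#if !defined(HAVE_LIBUSER) && defined(CHFN_CHSH_PASSWORD)` compiles the `auth_pam("chfn", uid, oldf.username)` call out entirely when the password option is disabled, which leaves the UID comparison just above it as the only check before the entry is rewritten. That matches the configure switch, but nothing at the call site says so; add a comment above the `#if`, for example `/* No PAM prompt when built with --disable-chfn-chsh-password; access then rests on the UID check above. */`. The comment in the libuser branch still reads "disallow the password change" although this is chfn, so reword it to name the finger information. The same guard is added in the `@@ -160,12 +162,11 @@` hunk of login-utils/chsh.c; main() starts and ends outside both hunks.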
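Review bot: In the `@@ -460,14 +462,14 @@` hunk, `set_value_libuser()` receives `pinfo->pw->pw_uid` (the account being changed), while the chsh.c hunk `@@ -179,7 +180,9 @@` passes `uid`. The libuser.c hunks show this argument being forwarded to `auth_lu()`, so it appears to decide whose identity is authenticated; confirm which one is intended and pass the same value from both tools. Separately, moving `warn("setpwnam failed")` above the `#endif` leaves the libuser path printing "Finger information *NOT* changed" with no reason given. save_new_data() begins outside the hunk.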
@@ -110,8 +110,10 @@ int main(int argc, char **argv) info.username); } +#ifndef HAVE_LIBUSER if (!(is_local(pw->pw_name))) errx(EXIT_FAILURE, _("can only change local entries.")); +#endif #ifdef HAVE_LIBSELINUX if (is_selinux_enabled() > 0) { @@ -160,12 +162,11 @@ int main(int argc, char **argv) printf(_("Changing shell for %s.\n"), pw->pw_name); -#ifndef HAVE_LIBUSER +#if !defined(HAVE_LIBUSER) && defined(CHFN_CHSH_PASSWORD) if(!auth_pam("chsh", uid, pw->pw_name)) { return EXIT_FAILURE; } #endif - if (!shell) { shell = prompt(_("New shell"), oldshell); if (!shell) @@ -179,7 +180,9 @@ int main(int argc, char **argv) errx(EXIT_SUCCESS, _("Shell not changed.")); #ifdef HAVE_LIBUSER - set_value_libuser("chsh", pw->pw_name, uid, LU_LOGINSHELL, shell); + if (set_value_libuser("chsh", pw->pw_name, uid, + LU_LOGINSHELL, shell) < 0) + errx(EXIT_FAILURE, _("Shell *NOT* changed. Try again later.")); #else pw->pw_shell = shell; if (setpwnam(pw) < 0) diff --git a/login-utils/libuser.c b/login-utils/libuser.c index 53c7ac9e2..b11fadc1c 100644 --- a/login-utils/libuser.c +++ b/login-utils/libuser.c @@ -23,7 +23,7 @@ static int auth_lu(const char *service_name, struct lu_context *ctx, uid_t uid, static int auth_lu(const char *service_name, struct lu_context *ctx, uid_t uid, const char *username) { - if(!lu_uses_elevated_privileges(ctx)) { + if (!lu_uses_elevated_privileges(ctx)) { /* Drop privileges */ if (setegid(getgid()) == -1) err(EXIT_FAILURE, _("Couldn't drop group privileges")); @@ -47,7 +47,7 @@ int set_value_libuser(const char *service_name, const char *username, uid_t uid, errx(EXIT_FAILURE, _("libuser initialization failed: %s."), lu_strerror(error)); - if(!auth_lu(service_name, ctx, uid, username)) { + if (!auth_lu(service_name, ctx, uid, username)) { errno = EACCES; err(EXIT_FAILURE, _("changing user attribute failed")); } 
@@ -67,5 +67,6 @@ int set_value_libuser(const char *service_name, const char *username, uid_t uid, } lu_ent_free(ent); lu_end(ctx); - return TRUE; + + return 0; } |
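Review bot: Success is now `return 0` and both callers test `< 0`, but the failure paths of set_value_libuser() between the authentication check and this tail lie outside the hunks shown. If any of them still returns `FALSE` or another non-negative value, the new checks in chfn.c and chsh.c will treat a failed update as success. Please confirm every error return is negative (the visible ones leave through `errx`/`err`) and document the convention on the function, e.g. `/* Returns 0 on success, <0 on failure; exits on initialization or authentication errors. */`.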