X-Git-Url: http://git.samba.org/?p=samba.git;a=blobdiff_plain;f=source3%2Fpam_smbpass%2Fpam_smb_acct.c;h=bd4615f646e7f6517521acdaa781ef480c97db5f;hp=909585bcebf720e53cc2f1b374c75df4a4d62981;hb=f15d10df29285024eae75eb83e03ff14d22524e6;hpb=153cfb9c83534b09f15cc16205d7adb19b394928
diff --git a/source3/pam_smbpass/pam_smb_acct.c b/source3/pam_smbpass/pam_smb_acct.c
index 909585bcebf..bd4615f646e 100644
--- a/source3/pam_smbpass/pam_smb_acct.c
+++ b/source3/pam_smbpass/pam_smb_acct.c
@@ -55,73 +55,84 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, const char *name; struct samu *sampass = NULL; void (*oldsig_handler)(int); - extern BOOL in_client; + TALLOC_CTX *frame = talloc_stackframe(); /* Samba initialization. */ - load_case_tables(); - setup_logging( "pam_smbpass", False ); - in_client = True; + load_case_tables_library(); - ctrl = set_ctrl( flags, argc, argv ); + ctrl = set_ctrl(pamh, flags, argc, argv ); /* get the username */ retval = pam_get_user( pamh, &name, "Username: " ); if (retval != PAM_SUCCESS) { if (on( SMB_DEBUG, ctrl )) { - _log_err( LOG_DEBUG, "acct: could not identify user" ); + _log_err(pamh, LOG_DEBUG, "acct: could not identify user" ); } + TALLOC_FREE(frame); return retval; } if (on( SMB_DEBUG, ctrl )) { - _log_err( LOG_DEBUG, "acct: username [%s] obtained", name ); + _log_err(pamh, LOG_DEBUG, "acct: username [%s] obtained", name ); + } + + if (geteuid() != 0) { + _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); + TALLOC_FREE(frame); + return PAM_AUTHINFO_UNAVAIL; } /* Getting into places that might use LDAP -- protect the app from a SIGPIPE it's not expecting */ - oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); + oldsig_handler = CatchSignal(SIGPIPE, SIG_IGN); if (!initialize_password_db(True, NULL)) { - _log_err( LOG_ALERT, "Cannot access samba password database" ); - CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); + _log_err(pamh, LOG_ALERT, "Cannot access samba password database" ); + CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_AUTHINFO_UNAVAIL; } /* Get the user's record. */ if (!(sampass = samu_new( NULL ))) { - CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); + CatchSignal(SIGPIPE, oldsig_handler); /* malloc fail. 
*/ + TALLOC_FREE(frame); return nt_status_to_pam(NT_STATUS_NO_MEMORY); } if (!pdb_getsampwnam(sampass, name )) { - _log_err( LOG_DEBUG, "acct: could not identify user" ); - CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); + _log_err(pamh, LOG_DEBUG, "acct: could not identify user"); + CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_USER_UNKNOWN; } /* check for lookup failure */ if (!strlen(pdb_get_username(sampass)) ) { - CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); + CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_USER_UNKNOWN; } if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { if (on( SMB_DEBUG, ctrl )) { - _log_err( LOG_DEBUG - , "acct: account %s is administratively disabled", name ); + _log_err(pamh, LOG_DEBUG, + "acct: account %s is administratively disabled", name); } make_remark( pamh, ctrl, PAM_ERROR_MSG , "Your account has been disabled; " "please see your system administrator." ); - CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); + CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_ACCT_EXPIRED; } /* TODO: support for expired passwords. */ - CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); + CatchSignal(SIGPIPE, oldsig_handler); + TALLOC_FREE(frame); return PAM_SUCCESS; }
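Review bot: The new talloc stack frame is never used for the user record: `samu_new( NULL )` is left as a top-level allocation, so if samu_new allocates on the context it is passed, the `TALLOC_FREE(frame)` calls added on each exit reclaim nothing of it and `sampass` is leaked on every path, including PAM_SUCCESS, inside whatever long-lived service has loaded the module. Passing the frame instead, `if (!(sampass = samu_new(frame))) {`, ties the record's lifetime to the frees this commit already adds. Separately, the added `geteuid() != 0` branch logs at LOG_DEBUG and without the SMB_DEBUG gate, while the equivalent database-access failure a few lines below logs at LOG_ALERT; an administrator seeing PAM_AUTHINFO_UNAVAIL from a non-root caller gets nothing at default syslog levels, so either raise the level or add a comment such as `/* non-root callers are routine; keep this quiet */` if the low level is deliberate. The hunk begins after pam_sm_acct_mgmt's signature and first local declarations, so the function's opening lies outside it.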