int smb_update_db( pam_handle_t *pamh, int ctrl, const char *user, const char *pass_new )
{
int retval;
- pstring err_str;
- pstring msg_str;
+ char *err_str = NULL;
+ char *msg_str = NULL;
- err_str[0] = '\0';
- msg_str[0] = '\0';
-
- retval = NT_STATUS_IS_OK(local_password_change( user, LOCAL_SET_PASSWORD, pass_new,
- err_str, sizeof(err_str),
- msg_str, sizeof(msg_str) ));
+ retval = NT_STATUS_IS_OK(local_password_change(user, LOCAL_SET_PASSWORD, pass_new,
+ &err_str,
+ &msg_str));
if (!retval) {
- if (*err_str) {
- err_str[PSTRING_LEN-1] = '\0';
- make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str );
+ if (err_str) {
+ make_remark(pamh, ctrl, PAM_ERROR_MSG, err_str );
}
/* FIXME: what value is appropriate here? */
retval = PAM_AUTHTOK_ERR;
} else {
- if (*msg_str) {
- msg_str[PSTRING_LEN-1] = '\0';
- make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str );
+ if (msg_str) {
+ make_remark(pamh, ctrl, PAM_TEXT_INFO, msg_str );
}
retval = PAM_SUCCESS;
}
+ SAFE_FREE(err_str);
+ SAFE_FREE(msg_str);
return retval;
}
unsigned int ctrl;
int retval;
- extern bool in_client;
-
struct samu *sampass = NULL;
void (*oldsig_handler)(int);
const char *user;
/* Samba initialization. */
load_case_tables();
- setup_logging( "pam_smbpass", False );
- in_client = True;
+ lp_set_in_client(True);
- ctrl = set_ctrl(flags, argc, argv);
+ ctrl = set_ctrl(pamh, flags, argc, argv);
/*
* First get the name of a user. No need to do anything if we can't
retval = pam_get_user( pamh, &user, "Username: " );
if (retval != PAM_SUCCESS) {
if (on( SMB_DEBUG, ctrl )) {
- _log_err( LOG_DEBUG, "password: could not identify user" );
+ _log_err(pamh, LOG_DEBUG, "password: could not identify user");
}
return retval;
}
if (on( SMB_DEBUG, ctrl )) {
- _log_err( LOG_DEBUG, "username [%s] obtained", user );
+ _log_err(pamh, LOG_DEBUG, "username [%s] obtained", user);
+ }
+
+ if (geteuid() != 0) {
+ _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
+ return PAM_AUTHINFO_UNAVAIL;
}
/* Getting into places that might use LDAP -- protect the app
oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
if (!initialize_password_db(False, NULL)) {
- _log_err( LOG_ALERT, "Cannot access samba password database" );
+ _log_err(pamh, LOG_ALERT, "Cannot access samba password database" );
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
return PAM_AUTHINFO_UNAVAIL;
}
}
if (!pdb_getsampwnam(sampass,user)) {
- _log_err( LOG_ALERT, "Failed to find entry for user %s.", user );
+ _log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", user);
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
return PAM_USER_UNKNOWN;
}
if (on( SMB_DEBUG, ctrl )) {
- _log_err( LOG_DEBUG, "Located account for %s", user );
+ _log_err(pamh, LOG_DEBUG, "Located account for %s", user);
}
if (flags & PAM_PRELIM_CHECK) {
#define greeting "Changing password for "
Announce = SMB_MALLOC_ARRAY(char, sizeof(greeting)+strlen(user));
if (Announce == NULL) {
- _log_err(LOG_CRIT, "password: out of memory");
+ _log_err(pamh, LOG_CRIT, "password: out of memory");
TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
return PAM_BUF_ERR;
SAFE_FREE( Announce );
if (retval != PAM_SUCCESS) {
- _log_err( LOG_NOTICE
- , "password - (old) token not obtained" );
+ _log_err(pamh, LOG_NOTICE,
+ "password - (old) token not obtained");
TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
return retval;
*/
if (off( SMB_NOT_SET_PASS, ctrl )) {
- retval = pam_get_item( pamh, PAM_OLDAUTHTOK,
- (const void **)&pass_old );
+ retval = _pam_get_item( pamh, PAM_OLDAUTHTOK,
+ &pass_old );
} else {
- retval = pam_get_data( pamh, _SMB_OLD_AUTHTOK,
- (const void **)&pass_old );
+ retval = _pam_get_data( pamh, _SMB_OLD_AUTHTOK,
+ &pass_old );
if (retval == PAM_NO_MODULE_DATA) {
pass_old = NULL;
retval = PAM_SUCCESS;
}
if (retval != PAM_SUCCESS) {
- _log_err( LOG_NOTICE, "password: user not authenticated" );
+ _log_err(pamh, LOG_NOTICE, "password: user not authenticated");
TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
return retval;
if (retval != PAM_SUCCESS) {
if (on( SMB_DEBUG, ctrl )) {
- _log_err( LOG_ALERT
- , "password: new password not obtained" );
+ _log_err(pamh, LOG_ALERT,
+ "password: new password not obtained");
}
pass_old = NULL; /* tidy up */
TALLOC_FREE(sampass);
retval = _pam_smb_approve_pass(pamh, ctrl, pass_old, pass_new);
if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "new password not acceptable");
+ _log_err(pamh, LOG_NOTICE, "new password not acceptable");
pass_new = pass_old = NULL; /* tidy up */
TALLOC_FREE(sampass);
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
/* password updated */
if (!sid_to_uid(pdb_get_user_sid(sampass), &uid)) {
- _log_err( LOG_NOTICE, "Unable to get uid for user %s",
+ _log_err(pamh, LOG_NOTICE,
+ "Unable to get uid for user %s",
pdb_get_username(sampass));
- _log_err( LOG_NOTICE, "password for (%s) changed by (%s/%d)",
+ _log_err(pamh, LOG_NOTICE, "password for (%s) changed by (%s/%d)",
user, uidtoname(getuid()), getuid());
} else {
- _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)",
+ _log_err(pamh, LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)",
user, uid, uidtoname(getuid()), getuid());
}
} else {
- _log_err( LOG_ERR, "password change failed for user %s", user);
+ _log_err(pamh, LOG_ERR, "password change failed for user %s", user);
}
pass_old = pass_new = NULL;
} else { /* something has broken with the library */
- _log_err( LOG_ALERT, "password received unknown request" );
+ _log_err(pamh, LOG_ALERT, "password received unknown request");
retval = PAM_ABORT;
}