struct termios stermios;
gid_t gid;
uid_t uid;
+ char * const eptrs[1] = { NULL };
if (pass == NULL)
{
passwordprogram));
/* execl() password-change application */
- if (execl("/bin/sh", "sh", "-c", passwordprogram, NULL) < 0)
+ if (execle("/bin/sh", "sh", "-c", passwordprogram, NULL, eptrs) < 0)
{
DEBUG(3, ("Bad status returned from %s\n", passwordprogram));
return (False);
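Review bot: The comment above the call still says `execl()` and gives no reason for the new empty environment; I would change it to `/* execle() the password-change application with an empty environment so nothing inherited from smbd reaches it */`. With `eptrs` holding only NULL the shell starts with no PATH or locale variables, so the configured `passwordprogram` should name its binary by absolute path, and that deserves a mention next to the call. The command string is still interpreted by `sh -c`. How it is built is not visible in this hunk, so any substitution of client-supplied text into it needs its own check. The enclosing function starts before and ends after this hunk.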
if (lp_passwd_chat_debug())
DEBUG(100, ("expect: sending [%s]\n", issue));
- if ((len = write(master, issue, strlen(issue))) != strlen(issue)) {
+ if ((len = sys_write(master, issue, strlen(issue))) != strlen(issue)) {
DEBUG(2,("expect: (short) write returned %d\n", len ));
return False;
}
/* CHILD */
/*
- * Lose any oplock capabilities.
+ * Lose any elevated privileges.
*/
- oplock_set_capability(False, False);
+ drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
+ drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
/* make sure it doesn't freeze */
alarm(20);
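Review bot: The reworded comment "Lose any elevated privileges" promises more than the two calls under it do, because they drop only the kernel-oplock and DMAPI effective capabilities. I would word it as `* Drop the kernel-oplock and DMAPI effective capabilities in the child.` so a reader does not assume uid/gid or other capabilities are handled here. Neither call's result is examined. Whether `drop_effective_capability()` can report failure is not visible in this hunk, but if it can, the child should not continue with the capability still held. The child branch starts before and continues after this hunk.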
#ifdef WITH_PAM
if (lp_pam_password_change()) {
BOOL ret;
+#ifdef HAVE_SETLOCALE
+ char *prevlocale = setlocale(LC_MESSAGES, "C");
+#endif
if (as_root)
become_root();
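Review bot: `setlocale(LC_MESSAGES, "C")` returns the string for the locale it has just installed, not the one that was active before. `prevlocale` therefore names "C", and the restoring call added in the next hunk (`setlocale(LC_MESSAGES, prevlocale);`) leaves the process in the C locale for the rest of its life. The returned pointer may also be invalidated by a later setlocale() call. The previous value should be read first with `setlocale(LC_MESSAGES, NULL)` and copied, the switch to "C" made afterwards, and the restore done from the copy, which is then freed. If the query returns NULL the restore should be skipped. The PAM branch continues outside this hunk, so any early return between the two calls needs the same restore.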
if (as_root)
unbecome_root();
+#ifdef HAVE_SETLOCALE
+ setlocale(LC_MESSAGES, prevlocale);
+#endif
+
return ret;
}
#endif
uchar unenc_new_pw[16];
uchar unenc_old_pw[16];
struct samu *sampass = NULL;
- uint16 acct_ctrl;
+ uint32 acct_ctrl;
const uint8 *lanman_pw;
BOOL ret;
+
+ if ( !(sampass = samu_new(NULL)) ) {
+ DEBUG(0, ("samu_new() failed!\n"));
+ return False;
+ }
become_root();
ret = pdb_getsampwnam(sampass, user);
static uchar null_pw[16];
uchar unenc_new_pw[16];
BOOL ret;
- uint16 acct_ctrl;
+ uint32 acct_ctrl;
const uint8 *pwd;
if (sampass == NULL) {
return False; /* We lose the NT hash. Sorry. */
}
- if (!pdb_set_pass_changed_now (sampass)) {
+ if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED)) {
TALLOC_FREE(sampass);
/* Not quite sure what this one qualifies as, but this will do */
return False;
uint8 *password_encrypted;
const uint8 *encryption_key;
const uint8 *lanman_pw, *nt_pw;
- uint16 acct_ctrl;
+ uint32 acct_ctrl;
uint32 new_pw_len;
uchar new_nt_hash[16];
uchar new_lm_hash[16];
NTSTATUS change_oem_password(struct samu *hnd, char *old_passwd, char *new_passwd, BOOL as_root, uint32 *samr_reject_reason)
{
- uint32 min_len, min_age;
+ uint32 min_len;
struct passwd *pass = NULL;
const char *username = pdb_get_username(hnd);
- time_t last_change_time = pdb_get_pass_last_set_time(hnd);
time_t can_change_time = pdb_get_pass_can_change_time(hnd);
if (samr_reject_reason) {
*samr_reject_reason = Undefined;
}
- if (pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age)) {
- /*
- * Windows calculates the minimum password age check
- * dynamically, it basically ignores the pwdcanchange
- * timestamp. Do likewise.
- */
- if (last_change_time + min_age > time(NULL)) {
- DEBUG(1, ("user %s cannot change password now, must "
- "wait until %s\n", username,
- http_timestring(last_change_time+min_age)));
- if (samr_reject_reason) {
- *samr_reject_reason = REJECT_REASON_OTHER;
- }
- return NT_STATUS_ACCOUNT_RESTRICTION;
+ /* check to see if the secdesc has previously been set to disallow */
+ if (!pdb_get_pass_can_change(hnd)) {
+ DEBUG(1, ("user %s does not have permissions to change password\n", username));
+ if (samr_reject_reason) {
+ *samr_reject_reason = REJECT_REASON_OTHER;
}
- } else {
- if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
- DEBUG(1, ("user %s cannot change password now, must "
- "wait until %s\n", username,
- http_timestring(can_change_time)));
- if (samr_reject_reason) {
- *samr_reject_reason = REJECT_REASON_OTHER;
- }
- return NT_STATUS_ACCOUNT_RESTRICTION;
+ return NT_STATUS_ACCOUNT_RESTRICTION;
+ }
+
+ /* removed calculation here, becuase passdb now calculates
+ based on policy. jmcd */
+ if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
+ DEBUG(1, ("user %s cannot change password now, must "
+ "wait until %s\n", username,
+ http_timestring(can_change_time)));
+ if (samr_reject_reason) {
+ *samr_reject_reason = REJECT_REASON_OTHER;
}
+ return NT_STATUS_ACCOUNT_RESTRICTION;
}
if (pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) {
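Review bot: With the dynamic `AP_MIN_PASSWORD_AGE` calculation removed, minimum-age enforcement rests entirely on `pdb_get_pass_can_change_time()`, and the `(can_change_time != 0)` guard skips the check whenever that getter returns 0. The new comment should state that assumption, for example `/* min password age is enforced by passdb: pdb_get_pass_can_change_time() must already include AP_MIN_PASSWORD_AGE; 0 means no restriction */`. It should also fix the "becuase" typo. It would be worth confirming that every passdb backend derives the value from policy, since a backend that leaves it at 0 would now allow immediate re-changes. Both rejection paths log at DEBUG level 1 and return the same `REJECT_REASON_OTHER`, so the log line is the only way to tell them apart.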