Fix bug #3727 with patch from Steve Langasek <vorlon@debian.org>
authorJeremy Allison <jra@samba.org>
Thu, 13 Dec 2007 01:26:45 +0000 (17:26 -0800)
committerJeremy Allison <jra@samba.org>
Thu, 13 Dec 2007 01:26:45 +0000 (17:26 -0800)
Jeremy.

source/pam_smbpass/pam_smb_acct.c
source/pam_smbpass/pam_smb_auth.c
source/pam_smbpass/pam_smb_passwd.c
source/utils/smbpasswd.c

index 47bf0594798578e7b29c1d79e9e0fb66d9565dae..b5dbd9ca6cd0b37234423643ee07429b324bd3fa 100644 (file)
@@ -70,6 +70,11 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
                _log_err( LOG_DEBUG, "acct: username [%s] obtained", name );
        }
 
+       if (geteuid() != 0) {
+               _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
+               return PAM_AUTHINFO_UNAVAIL;
+       }
+
        /* Getting into places that might use LDAP -- protect the app
                from a SIGPIPE it's not expecting */
        oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
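Review bot: The added `_log_err(pamh, LOG_DEBUG, ...)` call does not match the call a few lines above it, `_log_err( LOG_DEBUG, "acct: username [%s] obtained", name )`, which passes the priority first and no PAM handle. If `_log_err` is declared the way that context line suggests (its prototype is not visible here), `pamh` lands in the priority slot and `LOG_DEBUG` in the format slot, so the non-root path would treat a small integer as a format string and most likely crash the calling application instead of returning `PAM_AUTHINFO_UNAVAIL`. The call should follow the surrounding form, `_log_err(LOG_DEBUG, "Cannot access samba password database, not running as root.");`. The same call is added in the pam_sm_authenticate and pam_sm_chauthtok hunks, and the body of pam_sm_acct_mgmt starts and ends outside this hunk.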
index df6d20e01ab5d53b250fd7443ea027738e02d891..2b0735f2fb1f2c2bf792d130d0ec8fff636d1a5d 100644 (file)
@@ -101,6 +101,12 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                _log_err( LOG_DEBUG, "username [%s] obtained", name );
        }
 
+       if (geteuid() != 0) {
+               _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
+               retval = PAM_AUTHINFO_UNAVAIL;
+               AUTH_RETURN;
+       }
+
        if (!initialize_password_db(True)) {
                _log_err( LOG_ALERT, "Cannot access samba password database" );
                retval = PAM_AUTHINFO_UNAVAIL;
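Review bot: The non-root refusal is logged at `LOG_DEBUG`, while the failure right after it, which sets the same `PAM_AUTHINFO_UNAVAIL`, is logged at `LOG_ALERT`. Debug-priority messages are often discarded by the syslog configuration, so when a service calls the module without root privileges, authentication becomes unavailable with no recorded reason. Raising the priority argument of the new call to `LOG_NOTICE` or `LOG_WARNING` would keep the cause in the auth log. The same applies to the checks added in pam_sm_acct_mgmt and pam_sm_chauthtok. The body of pam_sm_authenticate continues outside the hunk.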
index 79bcfb6ff0f8f57536585ac330216599fdfbf205..62c056ba015f2c3145f9a072da207c3cc6afd98f 100644 (file)
@@ -125,6 +125,11 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
         _log_err( LOG_DEBUG, "username [%s] obtained", user );
     }
 
+    if (geteuid() != 0) {
+       _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
+       return PAM_AUTHINFO_UNAVAIL;
+    }
+
     /* Getting into places that might use LDAP -- protect the app
        from a SIGPIPE it's not expecting */
     oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
index 746066244128a7083444a2b3e4fe0633f3c33a7a..d4cacfbb6eded582491d63fbf2a674710a863090 100644 (file)
@@ -96,6 +96,10 @@ static int process_options(int argc, char **argv, int local_flags)
        while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
                switch(ch) {
                case 'L':
+                       if (getuid() != 0) {
+                               fprintf(stderr, "smbpasswd -L can only be used by root.\n");
+                               exit(1);
+                       }
                        local_flags |= LOCAL_AM_ROOT;
                        break;
                case 'c':
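Review bot: The `-L` guard tests the real uid with `getuid()`, while the three PAM checks in the same commit test `geteuid()`, and nothing in the code says the difference is deliberate. The real uid looks like the right choice here, since it keeps an unprivileged caller from setting `LOCAL_AM_ROOT` even if the binary were ever installed setuid. A later cleanup could still "harmonise" it to `geteuid()` and quietly weaken the check. A short comment above the test would pin the intent, for example `/* Real uid on purpose: only a caller who really is root may claim LOCAL_AM_ROOT, regardless of any setuid bit. */`. The body of process_options continues outside the hunk.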