[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 5 Jul 2018 02:32:04 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: [PATCH 2/5] pam_tcb: drop obsolete nis/nis+ support
The GNU C library, starting with version 2.26, deprecated libnsl.
As result, pam_tcb no longer builds with modern versions of glibc
configured without --enable-obsolete-nsl option.
While glibc recommends to use replacement implementations based on
TIRPC, it's time to get rid of obsolete nis/nis+ support altogether.
---
pam_tcb/Makefile | 4 +-
pam_tcb/pam_tcb.8 | 37 +--------------
pam_tcb/pam_unix_passwd.c | 115 ----------------------------------------------
pam_tcb/support.c | 76 ------------------------------
pam_tcb/support.h | 3 --
pam_tcb/yppasswd.h | 50 --------------------
pam_tcb/yppasswd_xdr.c | 34 --------------
progs/tcb_convert.8 | 2 +-
8 files changed, 5 insertions(+), 316 deletions(-)
delete mode 100644 pam_tcb/yppasswd.h
delete mode 100644 pam_tcb/yppasswd_xdr.c
diff --git a/pam_tcb/Makefile b/pam_tcb/Makefile
index 56e0e24..78b32ad 100644
--- a/pam_tcb/Makefile
+++ b/pam_tcb/Makefile
@@ -5,7 +5,7 @@ PAM_MAP = pam_tcb.map
LIBSRC = \
pam_unix_auth.c pam_unix_acct.c pam_unix_sess.c pam_unix_passwd.c \
- support.c compat.c yppasswd_xdr.c
+ support.c compat.c
LIBOBJ = $(LIBSRC:.c=.o)
@@ -13,7 +13,7 @@ all: $(PAM_TCB)
$(PAM_TCB): $(LIBOBJ) $(PAM_MAP)
$(CC) $(LDFLAGS) -shared -o $@ -Wl,--version-script=$(PAM_MAP) \
- $(LIBOBJ) -lnsl -lcrypt -lpam -ltcb
+ $(LIBOBJ) -lcrypt -lpam -ltcb
.c.o:
$(CC) $(CFLAGS) -fPIC -c $< -o $@
diff --git a/pam_tcb/pam_tcb.8 b/pam_tcb/pam_tcb.8
index e02c2a2..38a338c 100644
--- a/pam_tcb/pam_tcb.8
+++ b/pam_tcb/pam_tcb.8
@@ -91,9 +91,7 @@ file, see
.br
.I /etc/tcb/
directory structure, see
-.BR tcb (5);
-.br
-NIS and NIS+.
+.BR tcb (5).
.SH OPTIONS
Most of the options recognized by
.B pam_unix
@@ -196,18 +194,11 @@ may use the second field of user's "shadow" entry (usually taken from
or a tcb shadow file) as the password hash.
See below for details.
.TP
-.B nisplus
-If set,
-.B pam_tcb
-will acquire the user's EUID before obtaining the password hash.
-If you're using NIS+, you need to turn this on.
-See below for details.
-.TP
.BR write_to =
This option determines where
.B pam_tcb
should store new password hashes when changing passwords.
-Possible settings are: "passwd", "shadow", "tcb", and "nis".
+Possible settings are: "passwd", "shadow", and "tcb".
The default is "shadow".
.TP
.B md5
@@ -288,30 +279,6 @@ field as the hash;
.in -8
.ti -4
if
-.RB ( nisplus
-option is set) {
-.in +8
-.ti -4
-try to acquire EUID of the user; if unsuccessful, fail;
-.br
-.ti -4
-obtain the
-.B "struct spwd"
-for the user with
-.BR getspnam (3);
-.br
-.ti -4
-regain the previous EUID;
-.br
-.ti -4
-use
-.B sp_pwdp
-field as the hash;
-.in -8
-.ti -4
-}
-.ti -4
-if
.RB ( shadow
option is set and
.B pw_passwd
diff --git a/pam_tcb/pam_unix_passwd.c b/pam_tcb/pam_unix_passwd.c
index cd22a12..ee99609 100644
--- a/pam_tcb/pam_unix_passwd.c
+++ b/pam_tcb/pam_unix_passwd.c
@@ -10,9 +10,6 @@
#include <errno.h>
#include <time.h>
#include <sys/stat.h>
-#include <rpc/rpc.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
#include <security/_pam_macros.h>
#define PAM_SM_PASSWORD
@@ -25,12 +22,6 @@
#include "attribute.h"
#include "support.h"
-#include "yppasswd.h"
-
-#if !(((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1)) || (__GLIBC__ > 2))
-extern int getrpcport(const char *host, unsigned long prognum,
- unsigned long versnum, unsigned int proto);
-#endif
#define DATA_OLD_AUTHTOK "-UN*X-OLD-PASS"
#define DATA_NEW_AUTHTOK "-UN*X-NEW-PASS"
@@ -39,44 +30,6 @@ extern int getrpcport(const char *host, unsigned long prognum,
#define TMP_SUFFIX ".tmp"
-static char *get_nis_server(pam_handle_t *pamh)
-{
- char *master;
- char *domain;
- int port, result;
-
- if ((result = yp_get_default_domain(&domain)) != 0) {
- pam_syslog(pamh, LOG_WARNING,
- "Unable to get local yp domain: %s",
- yperr_string(result));
- return NULL;
- }
-
- if ((result = yp_master(domain, "passwd.byname", &master)) != 0) {
- pam_syslog(pamh, LOG_WARNING,
- "Unable to find the master yp server: %s",
- yperr_string(result));
- return NULL;
- }
-
- port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE,
- IPPROTO_UDP);
-
- if (port == 0) {
- pam_syslog(pamh, LOG_WARNING,
- "yppasswdd not running on NIS master host");
- return NULL;
- }
-
- if (port >= IPPORT_RESERVED) {
- pam_syslog(pamh, LOG_WARNING,
- "yppasswdd running on illegal port");
- return NULL;
- }
-
- return master;
-}
-
static int cpmod(const char *old, const char *new)
{
struct stat st;
@@ -275,71 +228,6 @@ static int update_shadow(pam_handle_t *pamh, const char *forwho,
return retval;
}
-static int update_nis(pam_handle_t *pamh, unused const char *forwho,
- const char *fromwhat, char *towhat, struct passwd *pw)
-{
- struct timeval timeout;
- struct yppasswd yppw;
- char *master;
- CLIENT *client;
- enum clnt_stat result;
- int status;
-
- D(("called"));
-
- /* Make RPC call to NIS server */
- master = get_nis_server(pamh);
- if (!master)
- return PAM_TRY_AGAIN;
-
- /* Initialize password information */
- yppw.newpw.pw_passwd = pw->pw_passwd;
- yppw.newpw.pw_name = pw->pw_name;
- yppw.newpw.pw_uid = pw->pw_uid;
- yppw.newpw.pw_gid = pw->pw_gid;
- yppw.newpw.pw_gecos = pw->pw_gecos;
- yppw.newpw.pw_dir = pw->pw_dir;
- yppw.newpw.pw_shell = pw->pw_shell;
- yppw.oldpass = (char *)fromwhat;
- yppw.newpw.pw_passwd = towhat;
-
- D(("set password %s for %s", yppw.newpw.pw_passwd, forwho));
-
- /*
- * The yppasswd.x file said `unix authentication required',
- * so I added it. This is the only reason it is in here.
- * My yppasswdd doesn't use it, but maybe some others out there
- * do. --okir
- */
- client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
- client->cl_auth = authunix_create_default();
- memset(&status, 0, sizeof(status));
- timeout.tv_sec = 25;
- timeout.tv_usec = 0;
- result = clnt_call(client, YPPASSWDPROC_UPDATE,
- (xdrproc_t)xdr_yppasswd, (char *)&yppw,
- (xdrproc_t)xdr_int, (char *)&status, timeout);
-
- status |= result;
- if (status) {
- pam_syslog(pamh, LOG_ERR,
- "Failed to change NIS password on %s%s%s",
- master,
- result ? ": " : "",
- result ? clnt_sperrno(result) : "");
- }
- pam_syslog(pamh, LOG_INFO, "Password%s changed on %s",
- status ? " not" : "", master);
-
- auth_destroy(client->cl_auth);
- clnt_destroy(client);
-
- if (status)
- return PAM_TRY_AGAIN;
-
- return PAM_SUCCESS;
-}
-
static char *get_pwfile(const char *forwho)
{
char *file;
@@ -373,9 +261,6 @@ static int do_setpass(pam_handle_t *pamh, const char *forwho,
if (!pw)
return PAM_AUTHTOK_ERR;
- if (pam_unix_param.write_to == WRITE_NIS)
- return update_nis(pamh, forwho, fromwhat, towhat, pw);
-
file = get_pwfile(forwho);
if (!file) {
pam_syslog(pamh, LOG_CRIT, "Out of memory");
diff --git a/pam_tcb/support.c b/pam_tcb/support.c
index 7bfb97b..322d366 100644
--- a/pam_tcb/support.c
+++ b/pam_tcb/support.c
@@ -13,7 +13,6 @@
#include <crypt.h>
#include <sys/types.h>
#include <sys/wait.h>
-#include <rpcsvc/ypclnt.h>
#include <security/_pam_macros.h>
#include <security/pam_modules.h>
@@ -39,49 +38,11 @@ static void data_cleanup(unused pam_handle_t *pamh, void *data,
_pam_delete(data);
}
-static int nis_getspnam(struct spwd **spw, const struct passwd *pw)
-{
- uid_t old_euid, old_uid;
-
- D(("called"));
-
- old_euid = geteuid();
- old_uid = getuid();
- if (old_uid == pw->pw_uid)
- setreuid(old_euid, old_uid);
- else {
- setreuid(0, -1);
- if (setreuid(-1, pw->pw_uid) == -1) {
- setreuid(-1, 0);
- setreuid(0, -1);
- if (setreuid(-1, pw->pw_uid) == -1)
- return -1;
- }
- }
-
- *spw = getspnam(pw->pw_name);
- endspent();
- if (old_uid == pw->pw_uid)
- setreuid(old_uid, old_euid);
- else {
- if (setreuid(-1, 0) == -1)
- setreuid(old_uid, -1);
- setreuid(-1, old_euid);
- }
-
- return 0;
-}
-
int unix_getspnam(struct spwd **spw, const struct passwd *pw)
{
D(("called"));
- if (on(UNIX_NISPLUS) && !strcmp(pw->pw_passwd, "*NP*") &&
- !nis_getspnam(spw, pw))
- return 0;
-
if (on(UNIX_SHADOW)) {
- D(("in non-NIS shadow"));
*spw = getspnam(pw->pw_name);
endspent();
return 0;
@@ -234,42 +195,8 @@ static int user_in_file(pam_handle_t *pamh, const char *file,
return 1;
}
-static int user_in_nisdb(const char *user, char *hash)
-{
- char *userinfo = NULL, *domain = NULL, *colon;
- int len, i;
-
- len = yp_get_default_domain(&domain);
- if (len != YPERR_SUCCESS)
- return 0;
-
- len = yp_bind(domain);
- if (len != YPERR_SUCCESS)
- return 0;
- i = yp_match(domain, "passwd.byname", user, strlen(user),
- &userinfo, &len);
- yp_unbind(domain);
- if (i != YPERR_SUCCESS)
- return 0;
-
- colon = strchr(userinfo, ':');
- if (!colon) {
- free(userinfo);
- return 0;
- }
-
- *hash = 0;
- strncat(hash, colon + 1, HASH_PREFIX_SIZE - 1);
-
- free(userinfo);
- return 1;
-}
-
int _unix_user_in_db(pam_handle_t *pamh, const char *user, char *hash)
{
- if (pam_unix_param.write_to == WRITE_NIS)
- return user_in_nisdb(user, hash);
-
if (pam_unix_param.write_to == WRITE_PASSWD)
return user_in_file(pamh, PASSWD_FILE, user, hash);
@@ -900,7 +827,6 @@ static struct bool_names {
{"not_set_pass", UNIX_NOT_SET_PASS, 0},
{"use_authtok", UNIX_USE_AUTHTOK, 0},
{"shadow", UNIX_SHADOW, 0},
- {"nisplus", UNIX_NISPLUS, 0},
{"passwd", UNIX_PASSWD, 0},
{"openlog", UNIX_OPENLOG, 0},
{"noopenlog", UNIX_OPENLOG, 1},
@@ -1068,8 +994,6 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int argc, const char **argv)
pam_unix_param.write_to = WRITE_SHADOW;
else if (!strcmp(param, "tcb"))
pam_unix_param.write_to = WRITE_TCB;
- else if (!strcmp(param, "nis"))
- pam_unix_param.write_to = WRITE_NIS;
else {
pam_syslog(pamh, LOG_ERR,
"Invalid write_to argument: %s", param);
diff --git a/pam_tcb/support.h b/pam_tcb/support.h
index 661e4af..f2cf89e 100644
--- a/pam_tcb/support.h
+++ b/pam_tcb/support.h
@@ -79,7 +79,6 @@ enum {
UNIX_USE_AUTHTOK, /* insist on reading PAM_AUTHTOK */
UNIX_SHADOW, /* use shadow for auth */
- UNIX_NISPLUS, /* wish to use NIS+ for auth */
UNIX_PASSWD, /* retr hashes from /etc/passwd for auth */
UNIX_OPENLOG, /* use openlog(3)/closelog(3) calls */
@@ -110,7 +109,6 @@ enum {
enum {
WRITE_PASSWD = 0, /* write changed password to /etc/passwd */
WRITE_SHADOW, /* write changed password to /etc/shadow */
- WRITE_NIS, /* write changed password via NIS */
WRITE_TCB /* write changed password to /etc/tcb/ */
};
@@ -182,7 +180,6 @@ typedef int (*cb_func) (pam_handle_t *, const void *);
extern int _unix_fork(pam_handle_t *, cb_func, const void *);
extern int _set_ctrl(pam_handle_t *, int flags, int argc, const char **argv);
-extern int _unix_comesfromsource(const char *user, int files, int nis);
extern int _unix_blankpasswd(pam_handle_t *, const char *user);
extern int _unix_verify_password(pam_handle_t *, const char *, const char *);
extern int _unix_read_password(pam_handle_t *, const char *comment,
diff --git a/pam_tcb/yppasswd.h b/pam_tcb/yppasswd.h
deleted file mode 100644
index 6cc466a..0000000
--- a/pam_tcb/yppasswd.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * yppasswdd
- * Copyright 1994, 1995, 1996 Olaf Kirch, <okir at monad.swb.de>
- *
- * This program is covered by the GNU General Public License, version 2.
- * It is provided in the hope that it is useful. However, the author
- * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
- *
- * This file was generated automatically by rpcgen from yppasswd.x, and
- * edited manually.
- */
-
-#ifndef _YPPASSWD_H
-#define _YPPASSWD_H
-
-#define YPPASSWDPROG ((u_long)100009)
-#define YPPASSWDVERS ((u_long)1)
-#define YPPASSWDPROC_UPDATE ((u_long)1)
-
-/*
- * The password struct passed by the update call. I renamed it to
- * xpasswd to avoid a type clash with the one defined in <pwd.h>.
- */
-#ifndef __sgi
-typedef struct xpasswd {
- char *pw_name;
- char *pw_passwd;
- int pw_uid;
- int pw_gid;
- char *pw_gecos;
- char *pw_dir;
- char *pw_shell;
-} xpasswd;
-#else
-#include <pwd.h>
-typedef struct xpasswd xpasswd;
-#endif
-
-/* The updated password information, plus the old password.
- */
-typedef struct yppasswd {
- char *oldpass;
- xpasswd newpw;
-} yppasswd;
-
-/* XDR encoding/decoding routines */
-bool_t xdr_xpasswd(XDR *xdrs, xpasswd *objp);
-bool_t xdr_yppasswd(XDR *xdrs, yppasswd *objp);
-
-#endif
diff --git a/pam_tcb/yppasswd_xdr.c b/pam_tcb/yppasswd_xdr.c
deleted file mode 100644
index 7e0ed49..0000000
--- a/pam_tcb/yppasswd_xdr.c
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * yppasswdd
- * Copyright 1994, 1995, 1996 Olaf Kirch, <okir at monad.swb.de>
- *
- * This program is covered by the GNU General Public License, version 2.
- * It is provided in the hope that it is useful. However, the author
- * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
- *
- * This file was generated automatically by rpcgen from yppasswd.x, and
- * editied manually.
- */
-
-#include <rpc/rpc.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include "yppasswd.h"
-
-bool_t xdr_xpasswd(XDR *xdrs, xpasswd *objp)
-{
- return xdr_string(xdrs, &objp->pw_name, ~0) &&
- xdr_string(xdrs, &objp->pw_passwd, ~0) &&
- xdr_int(xdrs, &objp->pw_uid) &&
- xdr_int(xdrs, &objp->pw_gid) &&
- xdr_string(xdrs, &objp->pw_gecos, ~0) &&
- xdr_string(xdrs, &objp->pw_dir, ~0) &&
- xdr_string(xdrs, &objp->pw_shell, ~0);
-}
-
-bool_t xdr_yppasswd(XDR *xdrs, yppasswd *objp)
-{
- return xdr_string(xdrs, &objp->oldpass, ~0) &&
- xdr_xpasswd(xdrs, &objp->newpw);
-}
diff --git a/progs/tcb_convert.8 b/progs/tcb_convert.8
index fda02a6..4114fb8 100644
--- a/progs/tcb_convert.8
+++ b/progs/tcb_convert.8
@@ -65,7 +65,7 @@ find the "shadow" entry and replace the "files" method with "tcb"; the
edited line should look like this:
.sp
.ad l
-shadow: tcb nisplus nis
+shadow: tcb
.ad b
.TP
6.
--
ldv
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
