Date: Thu, 5 Jul 2018 02:32:04 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: [PATCH 2/5] pam_tcb: drop obsolete nis/nis+ support

The GNU C library, starting with version 2.26, deprecated libnsl.
As a result, pam_tcb no longer builds against modern versions of glibc
configured without the --enable-obsolete-nsl option.

While glibc recommends to use replacement implementations based on
TIRPC, it's time to get rid of obsolete nis/nis+ support altogether.
---
 pam_tcb/Makefile          |   4 +-
 pam_tcb/pam_tcb.8         |  37 +--------------
 pam_tcb/pam_unix_passwd.c | 115 ----------------------------------------------
 pam_tcb/support.c         |  76 ------------------------------
 pam_tcb/support.h         |   3 --
 pam_tcb/yppasswd.h        |  50 --------------------
 pam_tcb/yppasswd_xdr.c    |  34 --------------
 progs/tcb_convert.8       |   2 +-
 8 files changed, 5 insertions(+), 316 deletions(-)
 delete mode 100644 pam_tcb/yppasswd.h
 delete mode 100644 pam_tcb/yppasswd_xdr.c

diff --git a/pam_tcb/Makefile b/pam_tcb/Makefile
index 56e0e24..78b32ad 100644
--- a/pam_tcb/Makefile
+++ b/pam_tcb/Makefile
@@ -5,7 +5,7 @@ PAM_MAP = pam_tcb.map
 
 LIBSRC = \
 	pam_unix_auth.c pam_unix_acct.c pam_unix_sess.c pam_unix_passwd.c \
-	support.c compat.c yppasswd_xdr.c
+	support.c compat.c
 
 LIBOBJ = $(LIBSRC:.c=.o)
 
@@ -13,7 +13,7 @@ all: $(PAM_TCB)
 
 $(PAM_TCB): $(LIBOBJ) $(PAM_MAP)
 	$(CC) $(LDFLAGS) -shared -o $@ -Wl,--version-script=$(PAM_MAP) \
-		$(LIBOBJ) -lnsl -lcrypt -lpam -ltcb
+		$(LIBOBJ) -lcrypt -lpam -ltcb
 
 .c.o:
 	$(CC) $(CFLAGS) -fPIC -c $< -o $@
diff --git a/pam_tcb/pam_tcb.8 b/pam_tcb/pam_tcb.8
index e02c2a2..38a338c 100644
--- a/pam_tcb/pam_tcb.8
+++ b/pam_tcb/pam_tcb.8
@@ -91,9 +91,7 @@ file, see
 .br
 .I /etc/tcb/
 directory structure, see
-.BR tcb (5);
-.br
-NIS and NIS+.
+.BR tcb (5).
 .SH OPTIONS
 Most of the options recognized by
 .B pam_unix
@@ -196,18 +194,11 @@ may use the second field of user's "shadow" entry (usually taken from
 or a tcb shadow file) as the password hash.
 See below for details.
 .TP
-.B nisplus
-If set,
-.B pam_tcb
-will acquire the user's EUID before obtaining the password hash.
-If you're using NIS+, you need to turn this on.
-See below for details.
-.TP
 .BR write_to =
 This option determines where
 .B pam_tcb
 should store new password hashes when changing passwords.
-Possible settings are: "passwd", "shadow", "tcb", and "nis".
+Possible settings are: "passwd", "shadow", and "tcb".
 The default is "shadow".
 .TP
 .B md5
@@ -288,30 +279,6 @@ field as the hash;
 .in -8
 .ti -4
 if
-.RB ( nisplus
-option is set) {
-.in +8
-.ti -4
-try to acquire EUID of the user; if unsuccessful, fail;
-.br
-.ti -4
-obtain the
-.B "struct spwd"
-for the user with
-.BR getspnam (3);
-.br
-.ti -4
-regain the previous EUID;
-.br
-.ti -4
-use
-.B sp_pwdp
-field as the hash;
-.in -8
-.ti -4
-}
-.ti -4
-if
 .RB ( shadow
 option is set and
 .B pw_passwd
diff --git a/pam_tcb/pam_unix_passwd.c b/pam_tcb/pam_unix_passwd.c
index cd22a12..ee99609 100644
--- a/pam_tcb/pam_unix_passwd.c
+++ b/pam_tcb/pam_unix_passwd.c
@@ -10,9 +10,6 @@
 #include <errno.h>
 #include <time.h>
 #include <sys/stat.h>
-#include <rpc/rpc.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
 
 #include <security/_pam_macros.h>
 #define PAM_SM_PASSWORD
@@ -25,12 +22,6 @@
 
 #include "attribute.h"
 #include "support.h"
-#include "yppasswd.h"
-
-#if !(((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1)) || (__GLIBC__ > 2))
-extern int getrpcport(const char *host, unsigned long prognum,
-    unsigned long versnum, unsigned int proto);
-#endif
 
 #define DATA_OLD_AUTHTOK		"-UN*X-OLD-PASS"
 #define DATA_NEW_AUTHTOK		"-UN*X-NEW-PASS"
@@ -39,44 +30,6 @@ extern int getrpcport(const char *host, unsigned long prognum,
 
 #define TMP_SUFFIX			".tmp"
 
-static char *get_nis_server(pam_handle_t *pamh)
-{
-	char *master;
-	char *domain;
-	int port, result;
-
-	if ((result = yp_get_default_domain(&domain)) != 0) {
-		pam_syslog(pamh, LOG_WARNING,
-		    "Unable to get local yp domain: %s",
-		    yperr_string(result));
-		return NULL;
-	}
-
-	if ((result = yp_master(domain, "passwd.byname", &master)) != 0) {
-		pam_syslog(pamh, LOG_WARNING,
-		    "Unable to find the master yp server: %s",
-		    yperr_string(result));
-		return NULL;
-	}
-
-	port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE,
-	    IPPROTO_UDP);
-
-	if (port == 0) {
-		pam_syslog(pamh, LOG_WARNING,
-		    "yppasswdd not running on NIS master host");
-		return NULL;
-	}
-
-	if (port >= IPPORT_RESERVED) {
-		pam_syslog(pamh, LOG_WARNING,
-		    "yppasswdd running on illegal port");
-		return NULL;
-	}
-
-	return master;
-}
-
 static int cpmod(const char *old, const char *new)
 {
 	struct stat st;
@@ -275,71 +228,6 @@ static int update_shadow(pam_handle_t *pamh, const char *forwho,
 	return retval;
 }
 
-static int update_nis(pam_handle_t *pamh, unused const char *forwho,
-    const char *fromwhat, char *towhat, struct passwd *pw)
-{
-	struct timeval timeout;
-	struct yppasswd yppw;
-	char *master;
-	CLIENT *client;
-	enum clnt_stat result;
-	int status;
-
-	D(("called"));
-
-	/* Make RPC call to NIS server */
-	master = get_nis_server(pamh);
-	if (!master)
-		return PAM_TRY_AGAIN;
-
-	/* Initialize password information */
-	yppw.newpw.pw_passwd = pw->pw_passwd;
-	yppw.newpw.pw_name = pw->pw_name;
-	yppw.newpw.pw_uid = pw->pw_uid;
-	yppw.newpw.pw_gid = pw->pw_gid;
-	yppw.newpw.pw_gecos = pw->pw_gecos;
-	yppw.newpw.pw_dir = pw->pw_dir;
-	yppw.newpw.pw_shell = pw->pw_shell;
-	yppw.oldpass = (char *)fromwhat;
-	yppw.newpw.pw_passwd = towhat;
-
-	D(("set password %s for %s", yppw.newpw.pw_passwd, forwho));
-
-	/*
-	 * The yppasswd.x file said `unix authentication required',
-	 * so I added it. This is the only reason it is in here.
-	 * My yppasswdd doesn't use it, but maybe some others out there
-	 * do.                                        --okir
-	 */
-	client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
-	client->cl_auth = authunix_create_default();
-	memset(&status, 0, sizeof(status));
-	timeout.tv_sec = 25;
-	timeout.tv_usec = 0;
-	result = clnt_call(client, YPPASSWDPROC_UPDATE,
-	    (xdrproc_t)xdr_yppasswd, (char *)&yppw,
-	    (xdrproc_t)xdr_int, (char *)&status, timeout);
-
-	status |= result;
-	if (status) {
-		pam_syslog(pamh, LOG_ERR,
-		    "Failed to change NIS password on %s%s%s",
-		    master,
-		    result ? ": " : "",
-		    result ? clnt_sperrno(result) : "");
-	}
-	pam_syslog(pamh, LOG_INFO, "Password%s changed on %s",
-	    status ? " not" : "", master);
-
-	auth_destroy(client->cl_auth);
-	clnt_destroy(client);
-
-	if (status)
-		return PAM_TRY_AGAIN;
-
-	return PAM_SUCCESS;
-}
-
 static char *get_pwfile(const char *forwho)
 {
 	char *file;
@@ -373,9 +261,6 @@ static int do_setpass(pam_handle_t *pamh, const char *forwho,
 	if (!pw)
 		return PAM_AUTHTOK_ERR;
 
-	if (pam_unix_param.write_to == WRITE_NIS)
-		return update_nis(pamh, forwho, fromwhat, towhat, pw);
-
 	file = get_pwfile(forwho);
 	if (!file) {
 		pam_syslog(pamh, LOG_CRIT, "Out of memory");
diff --git a/pam_tcb/support.c b/pam_tcb/support.c
index 7bfb97b..322d366 100644
--- a/pam_tcb/support.c
+++ b/pam_tcb/support.c
@@ -13,7 +13,6 @@
 #include <crypt.h>
 #include <sys/types.h>
 #include <sys/wait.h>
-#include <rpcsvc/ypclnt.h>
 
 #include <security/_pam_macros.h>
 #include <security/pam_modules.h>
@@ -39,49 +38,11 @@ static void data_cleanup(unused pam_handle_t *pamh, void *data,
 	_pam_delete(data);
 }
 
-static int nis_getspnam(struct spwd **spw, const struct passwd *pw)
-{
-	uid_t old_euid, old_uid;
-
-	D(("called"));
-
-	old_euid = geteuid();
-	old_uid = getuid();
-	if (old_uid == pw->pw_uid)
-		setreuid(old_euid, old_uid);
-	else {
-		setreuid(0, -1);
-		if (setreuid(-1, pw->pw_uid) == -1) {
-			setreuid(-1, 0);
-			setreuid(0, -1);
-			if (setreuid(-1, pw->pw_uid) == -1)
-				return -1;
-		}
-	}
-
-	*spw = getspnam(pw->pw_name);
-	endspent();
-	if (old_uid == pw->pw_uid)
-		setreuid(old_uid, old_euid);
-	else {
-		if (setreuid(-1, 0) == -1)
-			setreuid(old_uid, -1);
-		setreuid(-1, old_euid);
-	}
-
-	return 0;
-}
-
 int unix_getspnam(struct spwd **spw, const struct passwd *pw)
 {
 	D(("called"));
 
-	if (on(UNIX_NISPLUS) && !strcmp(pw->pw_passwd, "*NP*") &&
-	    !nis_getspnam(spw, pw))
-		return 0;
-
 	if (on(UNIX_SHADOW)) {
-		D(("in non-NIS shadow"));
 		*spw = getspnam(pw->pw_name);
 		endspent();
 		return 0;
@@ -234,42 +195,8 @@ static int user_in_file(pam_handle_t *pamh, const char *file,
 	return 1;
 }
 
-static int user_in_nisdb(const char *user, char *hash)
-{
-	char *userinfo = NULL, *domain = NULL, *colon;
-	int len, i;
-
-	len = yp_get_default_domain(&domain);
-	if (len != YPERR_SUCCESS)
-		return 0;
-
-	len = yp_bind(domain);
-	if (len != YPERR_SUCCESS)
-		return 0;
-	i = yp_match(domain, "passwd.byname", user, strlen(user),
-	    &userinfo, &len);
-	yp_unbind(domain);
-	if (i != YPERR_SUCCESS)
-		return 0;
-
-	colon = strchr(userinfo, ':');
-	if (!colon) {
-		free(userinfo);
-		return 0;
-	}
-
-	*hash = 0;
-	strncat(hash, colon + 1, HASH_PREFIX_SIZE - 1);
-
-	free(userinfo);
-	return 1;
-}
-
 int _unix_user_in_db(pam_handle_t *pamh, const char *user, char *hash)
 {
-	if (pam_unix_param.write_to == WRITE_NIS)
-		return user_in_nisdb(user, hash);
-
 	if (pam_unix_param.write_to == WRITE_PASSWD)
 		return user_in_file(pamh, PASSWD_FILE, user, hash);
 
@@ -900,7 +827,6 @@ static struct bool_names {
 	{"not_set_pass", UNIX_NOT_SET_PASS, 0},
 	{"use_authtok", UNIX_USE_AUTHTOK, 0},
 	{"shadow", UNIX_SHADOW, 0},
-	{"nisplus", UNIX_NISPLUS, 0},
 	{"passwd", UNIX_PASSWD, 0},
 	{"openlog", UNIX_OPENLOG, 0},
 	{"noopenlog", UNIX_OPENLOG, 1},
@@ -1068,8 +994,6 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int argc, const char **argv)
 			pam_unix_param.write_to = WRITE_SHADOW;
 		else if (!strcmp(param, "tcb"))
 			pam_unix_param.write_to = WRITE_TCB;
-		else if (!strcmp(param, "nis"))
-			pam_unix_param.write_to = WRITE_NIS;
 		else {
 			pam_syslog(pamh, LOG_ERR,
 			    "Invalid write_to argument: %s", param);
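Review bot: Configurations that still pass `write_to=nis` now land in the generic `Invalid write_to argument: %s` branch at the end of this hunk, and neither the commit message nor the man page change calls out that a previously valid setting is now rejected. Because the description frames this as a build fix, consider stating explicitly that `write_to=nis` (and, in the bool table earlier in this file, the `nisplus` option) is no longer accepted, or keep a dedicated arm that logs `"write_to=nis is no longer supported: NIS support has been removed"` before taking the same failure path, so operators upgrading see why authentication setup changed. What `_set_ctrl` does after logging this error, and therefore whether a stale `write_to=nis` fails closed rather than silently falling back to the default, is outside the hunk and should be confirmed there. `_set_ctrl` begins and ends outside this hunk.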
diff --git a/pam_tcb/support.h b/pam_tcb/support.h
index 661e4af..f2cf89e 100644
--- a/pam_tcb/support.h
+++ b/pam_tcb/support.h
@@ -79,7 +79,6 @@ enum {
 	UNIX_USE_AUTHTOK,	/* insist on reading PAM_AUTHTOK */
 
 	UNIX_SHADOW,		/* use shadow for auth */
-	UNIX_NISPLUS,		/* wish to use NIS+ for auth */
 	UNIX_PASSWD,		/* retr hashes from /etc/passwd for auth */
 
 	UNIX_OPENLOG,		/* use openlog(3)/closelog(3) calls */
@@ -110,7 +109,6 @@ enum {
 enum {
 	WRITE_PASSWD = 0,	/* write changed password to /etc/passwd */
 	WRITE_SHADOW,		/* write changed password to /etc/shadow */
-	WRITE_NIS,		/* write changed password via NIS */
 	WRITE_TCB		/* write changed password to /etc/tcb/ */
 };
 
@@ -182,7 +180,6 @@ typedef int (*cb_func) (pam_handle_t *, const void *);
 extern int _unix_fork(pam_handle_t *, cb_func, const void *);
 
 extern int _set_ctrl(pam_handle_t *, int flags, int argc, const char **argv);
-extern int _unix_comesfromsource(const char *user, int files, int nis);
 extern int _unix_blankpasswd(pam_handle_t *, const char *user);
 extern int _unix_verify_password(pam_handle_t *, const char *, const char *);
 extern int _unix_read_password(pam_handle_t *, const char *comment,
diff --git a/pam_tcb/yppasswd.h b/pam_tcb/yppasswd.h
deleted file mode 100644
index 6cc466a..0000000
--- a/pam_tcb/yppasswd.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * yppasswdd
- * Copyright 1994, 1995, 1996 Olaf Kirch, <okir at monad.swb.de>
- *
- * This program is covered by the GNU General Public License, version 2.
- * It is provided in the hope that it is useful. However, the author
- * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
- *
- * This file was generated automatically by rpcgen from yppasswd.x, and
- * edited manually.
- */
-
-#ifndef _YPPASSWD_H
-#define _YPPASSWD_H
-
-#define YPPASSWDPROG ((u_long)100009)
-#define YPPASSWDVERS ((u_long)1)
-#define YPPASSWDPROC_UPDATE ((u_long)1)
-
-/*
- * The password struct passed by the update call. I renamed it to
- * xpasswd to avoid a type clash with the one defined in <pwd.h>.
- */
-#ifndef __sgi
-typedef struct xpasswd {
-	char *pw_name;
-	char *pw_passwd;
-	int pw_uid;
-	int pw_gid;
-	char *pw_gecos;
-	char *pw_dir;
-	char *pw_shell;
-} xpasswd;
-#else
-#include <pwd.h>
-typedef struct xpasswd xpasswd;
-#endif
-
-/* The updated password information, plus the old password.
- */
-typedef struct yppasswd {
-	char *oldpass;
-	xpasswd newpw;
-} yppasswd;
-
-/* XDR encoding/decoding routines */
-bool_t xdr_xpasswd(XDR *xdrs, xpasswd *objp);
-bool_t xdr_yppasswd(XDR *xdrs, yppasswd *objp);
-
-#endif
diff --git a/pam_tcb/yppasswd_xdr.c b/pam_tcb/yppasswd_xdr.c
deleted file mode 100644
index 7e0ed49..0000000
--- a/pam_tcb/yppasswd_xdr.c
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * yppasswdd
- * Copyright 1994, 1995, 1996 Olaf Kirch, <okir at monad.swb.de>
- *
- * This program is covered by the GNU General Public License, version 2.
- * It is provided in the hope that it is useful. However, the author
- * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
- *
- * This file was generated automatically by rpcgen from yppasswd.x, and
- * editied manually.
- */
-
-#include <rpc/rpc.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include "yppasswd.h"
-
-bool_t xdr_xpasswd(XDR *xdrs, xpasswd *objp)
-{
-	return xdr_string(xdrs, &objp->pw_name, ~0) &&
-	    xdr_string(xdrs, &objp->pw_passwd, ~0) &&
-	    xdr_int(xdrs, &objp->pw_uid) &&
-	    xdr_int(xdrs, &objp->pw_gid) &&
-	    xdr_string(xdrs, &objp->pw_gecos, ~0) &&
-	    xdr_string(xdrs, &objp->pw_dir, ~0) &&
-	    xdr_string(xdrs, &objp->pw_shell, ~0);
-}
-
-bool_t xdr_yppasswd(XDR *xdrs, yppasswd *objp)
-{
-	return xdr_string(xdrs, &objp->oldpass, ~0) &&
-	    xdr_xpasswd(xdrs, &objp->newpw);
-}
diff --git a/progs/tcb_convert.8 b/progs/tcb_convert.8
index fda02a6..4114fb8 100644
--- a/progs/tcb_convert.8
+++ b/progs/tcb_convert.8
@@ -65,7 +65,7 @@ find the "shadow" entry and replace the "files" method with "tcb"; the
 edited line should look like this:
 .sp
 .ad l
-shadow: tcb nisplus nis
+shadow: tcb
 .ad b
 .TP
 6.
-- 
ldv
