JHT ===> Fixed potential PAM Security hole and second chance syndrome

spurious warning message "Warning - no crypt available" (This used to be commit dc559428b85474ff4d80f37f421365a3910a8861)
author: Samba Release Account <samba-bugs@samba.org> 1997-02-04 10:35:38 +0000
committer: Samba Release Account <samba-bugs@samba.org> 1997-02-04 10:35:38 +0000
commit: cc55a88ddc9c08cc669da731e9f7aafc379680ee (patch)
tree: 7f6e15d85ff5c3b29cf48b17a94f83410a2a2286 /source3/smbd/password.c
parent: 1fe69a7dd9311e211f05ebba45ec574ded35ca89 (diff)
download: samba-cc55a88ddc9c08cc669da731e9f7aafc379680ee.tar.gz
samba-cc55a88ddc9c08cc669da731e9f7aafc379680ee.tar.bz2
samba-cc55a88ddc9c08cc669da731e9f7aafc379680ee.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 8c1a1026cc..3ccc1e4cfd 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -612,7 +612,16 @@ BOOL password_check(char *password)
 {
 
 #ifdef USE_PAM
+/* This falls through if the password check fails
+	- if NO_CRYPT is defined this causes an error msg
+		saying Warning - no crypt available
+	- if NO_CRYPT is NOT defined this is a potential security hole
+		as it may authenticate via the crypt call when PAM
+		settings say it should fail.
   if (pam_auth(this_user,password)) return(True);
+Hence we make a direct return to avoid a second chance!!!
+*/
+  return (pam_auth(this_user,password));
 #endif
 
 #ifdef AFS_AUTH
author	Samba Release Account <samba-bugs@samba.org>	1997-02-04 10:35:38 +0000
committer	Samba Release Account <samba-bugs@samba.org>	1997-02-04 10:35:38 +0000
commit	cc55a88ddc9c08cc669da731e9f7aafc379680ee (patch)
tree	7f6e15d85ff5c3b29cf48b17a94f83410a2a2286 /source3/smbd/password.c
parent	1fe69a7dd9311e211f05ebba45ec574ded35ca89 (diff)
download	samba-cc55a88ddc9c08cc669da731e9f7aafc379680ee.tar.gz samba-cc55a88ddc9c08cc669da731e9f7aafc379680ee.tar.bz2 samba-cc55a88ddc9c08cc669da731e9f7aafc379680ee.zip