-rw-r--r--source3/auth/auth_unix.c14
-rw-r--r--source3/auth/pass_check.c11
-rw-r--r--source3/passdb/pass_check.c11
-rw-r--r--source3/smbd/auth_unix.c14
-rw-r--r--source3/web/cgi.c71
5 files changed, 56 insertions, 65 deletions
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index ea32a65457..7c6c58cafa 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -71,13 +71,19 @@ in PLAIN TEXT
NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
{
NTSTATUS nt_status;
-
+ struct passwd *pass = NULL;
+
become_root();
- nt_status = (pass_check(user_info->unix_username.str,
- user_info->plaintext_password.str,
+
+ pass = Get_Pwnam(user_info->unix_username.str, False);
+
+ nt_status = (pass_check(pass,
+ user_info->unix_username.str,
+ user_info->plaintext_password.str,
user_info->plaintext_password.len,
lp_update_encrypted() ?
- update_smbpassword_file : NULL)
+ update_smbpassword_file : NULL,
+ True)
? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE);
unbecome_root();
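Review bot: The new `Get_Pwnam()` call can return NULL and that NULL is passed straight into `pass_check()` with no check, while the cgi.c hunk in this same commit treats "pass_check() succeeded but pass == NULL" as a failed login; here the same outcome maps to `NT_STATUS_OK`, so the two callers disagree on whether an account with no passwd entry may log on. If the remainder of `check_unix_security()` (its body continues past the hunk) fills `server_info` from `pass`, that is a NULL dereference on the success path as well. Either guard up front — `if (!pass) { unbecome_root(); return NT_STATUS_LOGON_FAILURE; }` — or, if users without a passwd entry are meant to succeed on this path (presumably via the `WITH_PAM` code in pass_check.c), say so at the call: `/* pass may be NULL: pass_check() can still succeed via PAM */`. Whether pass_check itself tolerates a NULL `pass` is not visible in this diff.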
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index 59fc9e2eac..7426bfcbe3 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -682,12 +682,11 @@ match is found and is used to update the encrypted password file
return True on correct match, False otherwise
****************************************************************************/
-BOOL pass_check(char *user, char *password, int pwlen,
- BOOL (*fn) (char *, char *))
+BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen,
+ BOOL (*fn) (char *, char *), BOOL run_cracker)
{
pstring pass2;
int level = lp_passwordlevel();
- struct passwd *pass = NULL;
if (password)
password[pwlen] = 0;
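Review bot: The header comment just above (its start is outside the hunk) still documents only the old contract, `return True on correct match, False otherwise`, and says nothing about the two new parameters even though the callers' responsibilities changed. Add to that comment: `pass: the caller's passwd lookup for user; may be NULL and is not freed here` and `run_cracker: when False, give up once the exact-match checks fail instead of trying case permutations`. Since cgi.c now passes the result of `sys_getpwnam()` unchecked and `strlen(user_pass)` as pwlen, it is also worth one sentence noting that the function writes `password[pwlen] = 0` into the caller's buffer.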
@@ -702,8 +701,6 @@ BOOL pass_check(char *user, char *password, int pwlen,
if (((!*password) || (!pwlen)) && !lp_null_passwords())
return (False);
- pass = Get_Pwnam(user, True);
-
#ifdef WITH_PAM
/*
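Review bot: With the `Get_Pwnam(user, True)` lookup removed, nothing in this function establishes `pass` before the `#ifdef WITH_PAM` section; it now arrives from the caller, and the cgi.c caller in this commit passes an unchecked `sys_getpwnam()` result, so `pass` can be NULL on entry and every `pass->` access further down (outside the hunk) depends on the caller rather than on a lookup this function controlled. Note also that the removed call used `True` as Get_Pwnam's second argument while auth_unix.c now calls `Get_Pwnam(..., False)`; the flag's meaning is not visible here, but if it governs how liberally the username is matched, the set of accepted names has changed silently with this refactor. At minimum make the new contract explicit where the lookup used to be: `/* pass is supplied by the caller and may be NULL (unknown user) */`.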
@@ -819,6 +816,10 @@ BOOL pass_check(char *user, char *password, int pwlen,
return (True);
}
+ if (!run_cracker) {
+ return False;
+ }
+
/* if the password was given to us with mixed case then we don't
need to proceed as we know it hasn't been case modified by the
client */
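Review bot: The new early exit is written `return False;` while every other return visible in this function uses the file's parenthesised form (`return (False);`, `return (True);`); match it with `return (False);`. Per the comment that follows, the code this gate skips is the case-permutation search, so a login rejected by a `run_cracker == False` caller (cgi.c) now fails silently where it previously kept trying; a debug message in the file's logging style just before the return would help an administrator diagnosing SWAT login failures after `password level` is set. The function body continues past the hunk on both sides.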
diff --git a/source3/passdb/pass_check.c b/source3/passdb/pass_check.c
index 59fc9e2eac..7426bfcbe3 100644
--- a/source3/passdb/pass_check.c
+++ b/source3/passdb/pass_check.c
@@ -682,12 +682,11 @@ match is found and is used to update the encrypted password file
return True on correct match, False otherwise
****************************************************************************/
-BOOL pass_check(char *user, char *password, int pwlen,
- BOOL (*fn) (char *, char *))
+BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen,
+ BOOL (*fn) (char *, char *), BOOL run_cracker)
{
pstring pass2;
int level = lp_passwordlevel();
- struct passwd *pass = NULL;
if (password)
password[pwlen] = 0;
@@ -702,8 +701,6 @@ BOOL pass_check(char *user, char *password, int pwlen,
if (((!*password) || (!pwlen)) && !lp_null_passwords())
return (False);
- pass = Get_Pwnam(user, True);
-
#ifdef WITH_PAM
/*
@@ -819,6 +816,10 @@ BOOL pass_check(char *user, char *password, int pwlen,
return (True);
}
+ if (!run_cracker) {
+ return False;
+ }
+
/* if the password was given to us with mixed case then we don't
need to proceed as we know it hasn't been case modified by the
client */
diff --git a/source3/smbd/auth_unix.c b/source3/smbd/auth_unix.c
index ea32a65457..7c6c58cafa 100644
--- a/source3/smbd/auth_unix.c
+++ b/source3/smbd/auth_unix.c
@@ -71,13 +71,19 @@ in PLAIN TEXT
NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
{
NTSTATUS nt_status;
-
+ struct passwd *pass = NULL;
+
become_root();
- nt_status = (pass_check(user_info->unix_username.str,
- user_info->plaintext_password.str,
+
+ pass = Get_Pwnam(user_info->unix_username.str, False);
+
+ nt_status = (pass_check(pass,
+ user_info->unix_username.str,
+ user_info->plaintext_password.str,
user_info->plaintext_password.len,
lp_update_encrypted() ?
- update_smbpassword_file : NULL)
+ update_smbpassword_file : NULL,
+ True)
? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE);
unbecome_root();
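Review bot: The new bare `True` at the end of the `pass_check()` call gives no hint of its meaning at the call site, and the widened signature now has six positional parameters of which two are BOOLs. Annotate the literal, `/* run_cracker */ True`, or introduce `BOOL run_cracker = True;` next to the new `pass` local and pass that, so a reader does not have to open pass_check.c to learn that this caller opts into the case-permutation search while the SWAT caller in cgi.c opts out. The `Get_Pwnam()` lookup is also now performed inside the `become_root()`/`unbecome_root()` window; if that placement is deliberate, a one-line comment saying why would prevent it being "fixed" later.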
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 3547379084..b4356af46e 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -362,14 +362,6 @@ static BOOL cgi_handle_authorization(char *line)
{
char *p, *user, *user_pass;
struct passwd *pass = NULL;
- BOOL got_name = False;
- BOOL tested_pass = False;
- fstring default_user_lookup;
- fstring default_user_pass;
-
- /* Dummy user lookup to take the same time as a valid user. */
- fstrcpy(default_user_lookup, "zzzz bibble");
- fstrcpy(default_user_pass, "123456789");
if (strncasecmp(line,"Basic ", 6)) {
goto err;
@@ -387,55 +379,40 @@ static BOOL cgi_handle_authorization(char *line)
*p = 0;
user = line;
user_pass = p+1;
-
+
/*
* Try and get the user from the UNIX password file.
*/
-
- if(!(pass = Get_Pwnam(user,False))) {
- /*
- * Always give the same error so a cracker
- * cannot tell why we fail.
- */
- got_name = True;
- goto err;
- }
-
+
+ pass = sys_getpwnam(user);
+
/*
* Validate the password they have given.
*/
-
- tested_pass = True;
-
- if(pass_check(user, user_pass, strlen(user_pass), NULL) == True) {
-
- /*
- * Password was ok.
- */
-
- if(pass->pw_uid != 0) {
+
+ if (pass_check(pass, user, user_pass,
+ strlen(user_pass), NULL, False)) {
+
+ if (pass) {
/*
- * We have not authenticated as root,
- * become the user *permanently*.
+ * Password was ok.
*/
- become_user_permanently(pass->pw_uid, pass->pw_gid);
+
+ if(pass->pw_uid != 0) {
+ /*
+ * We have not authenticated as root,
+ * become the user *permanently*.
+ */
+ become_user_permanently(pass->pw_uid, pass->pw_gid);
+ }
+
+ /* Save the users name */
+ C_user = strdup(user);
+ return True;
}
-
- /* Save the users name */
- C_user = strdup(user);
- return True;
}
-
- err:
-
- /* Always take the same time. */
- if (!got_name)
- Get_Pwnam(default_user_lookup,False);
-
- if (!tested_pass)
- pass_check(default_user_lookup, default_user_pass,
- strlen(default_user_pass), NULL);
-
+
+err:
cgi_setup_error("401 Bad Authorization", "",
"username or password incorrect");
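Review bot: The deleted `err:` path (the `if (!got_name) Get_Pwnam(default_user_lookup, ...)` and `if (!tested_pass) pass_check(...)` calls) existed so that a request for an unknown username took as long as one for a known username with a wrong password; the new code does run `sys_getpwnam(user)` for every request, which keeps the lookup cost even, but then hands a NULL `pass` to `pass_check()`, and unless pass_check performs the same work for a NULL entry as for a real one (its body is not in this diff) SWAT now leaks which usernames exist through response timing. Because `pass_check()` now takes the passwd entry from the caller, the equalisation is cheap to keep: when `pass` is NULL, run the same verification against a fixed dummy entry and only then fall through to `err:`. The `if (pass)` test after a successful `pass_check()` is correct in refusing an authenticated user with no passwd entry, but the reason is not stated; put `/* pass_check() can succeed without a passwd entry (WITH_PAM); never grant SWAT access in that case */` above it, since the comment now inside the block, `Password was ok.`, explains the opposite branch.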