diff options
-rw-r--r-- | source3/auth/auth_unix.c | 14 | ||||
-rw-r--r-- | source3/auth/pass_check.c | 11 | ||||
-rw-r--r-- | source3/passdb/pass_check.c | 11 | ||||
-rw-r--r-- | source3/smbd/auth_unix.c | 14 | ||||
-rw-r--r-- | source3/web/cgi.c | 71 |
5 files changed, 56 insertions, 65 deletions
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index ea32a65457..7c6c58cafa 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -71,13 +71,19 @@ in PLAIN TEXT NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { NTSTATUS nt_status; - + struct passwd *pass = NULL; + become_root(); - nt_status = (pass_check(user_info->unix_username.str, - user_info->plaintext_password.str, + + pass = Get_Pwnam(user_info->unix_username.str, False); + + nt_status = (pass_check(pass, + user_info->unix_username.str, + user_info->plaintext_password.str, user_info->plaintext_password.len, lp_update_encrypted() ? - update_smbpassword_file : NULL) + update_smbpassword_file : NULL, + True) ? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE); unbecome_root(); diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 59fc9e2eac..7426bfcbe3 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -682,12 +682,11 @@ match is found and is used to update the encrypted password file return True on correct match, False otherwise ****************************************************************************/ -BOOL pass_check(char *user, char *password, int pwlen, - BOOL (*fn) (char *, char *)) +BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, + BOOL (*fn) (char *, char *), BOOL run_cracker) { pstring pass2; int level = lp_passwordlevel(); - struct passwd *pass = NULL; if (password) password[pwlen] = 0; @@ -702,8 +701,6 @@ BOOL pass_check(char *user, char *password, int pwlen, if (((!*password) || (!pwlen)) && !lp_null_passwords()) return (False); - pass = Get_Pwnam(user, True); - #ifdef WITH_PAM /* @@ -819,6 +816,10 @@ BOOL pass_check(char *user, char *password, int pwlen, return (True); } + if (!run_cracker) { + return False; + } + /* if the password was given to us with mixed case then we don't need to proceed as we know it hasn't been case modified by the client */ diff --git a/source3/passdb/pass_check.c b/source3/passdb/pass_check.c index 59fc9e2eac..7426bfcbe3 100644 --- a/source3/passdb/pass_check.c +++ b/source3/passdb/pass_check.c @@ -682,12 +682,11 @@ match is found and is used to update the encrypted password file return True on correct match, False otherwise ****************************************************************************/ -BOOL pass_check(char *user, char *password, int pwlen, - BOOL (*fn) (char *, char *)) +BOOL pass_check(struct passwd *pass, char *user, char *password, int pwlen, + BOOL (*fn) (char *, char *), BOOL run_cracker) { pstring pass2; int level = lp_passwordlevel(); - struct passwd *pass = NULL; if (password) password[pwlen] = 0; @@ -702,8 +701,6 @@ BOOL pass_check(char *user, char *password, int pwlen, if (((!*password) || (!pwlen)) && !lp_null_passwords()) return (False); - pass = Get_Pwnam(user, True); - #ifdef WITH_PAM /* @@ -819,6 +816,10 @@ BOOL pass_check(char *user, char *password, int pwlen, return (True); } + if (!run_cracker) { + return False; + } + /* if the password was given to us with mixed case then we don't need to proceed as we know it hasn't been case modified by the client */ diff --git a/source3/smbd/auth_unix.c b/source3/smbd/auth_unix.c index ea32a65457..7c6c58cafa 100644 --- a/source3/smbd/auth_unix.c +++ b/source3/smbd/auth_unix.c @@ -71,13 +71,19 @@ in PLAIN TEXT NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { NTSTATUS nt_status; - + struct passwd *pass = NULL; + become_root(); - nt_status = (pass_check(user_info->unix_username.str, - user_info->plaintext_password.str, + + pass = Get_Pwnam(user_info->unix_username.str, False); + + nt_status = (pass_check(pass, + user_info->unix_username.str, + user_info->plaintext_password.str, user_info->plaintext_password.len, lp_update_encrypted() ? - update_smbpassword_file : NULL) + update_smbpassword_file : NULL, + True) ? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE); unbecome_root(); diff --git a/source3/web/cgi.c b/source3/web/cgi.c index 3547379084..b4356af46e 100644 --- a/source3/web/cgi.c +++ b/source3/web/cgi.c @@ -362,14 +362,6 @@ static BOOL cgi_handle_authorization(char *line) { char *p, *user, *user_pass; struct passwd *pass = NULL; - BOOL got_name = False; - BOOL tested_pass = False; - fstring default_user_lookup; - fstring default_user_pass; - - /* Dummy user lookup to take the same time as a valid user. */ - fstrcpy(default_user_lookup, "zzzz bibble"); - fstrcpy(default_user_pass, "123456789"); if (strncasecmp(line,"Basic ", 6)) { goto err; @@ -387,55 +379,40 @@ static BOOL cgi_handle_authorization(char *line) *p = 0; user = line; user_pass = p+1; - + /* * Try and get the user from the UNIX password file. */ - - if(!(pass = Get_Pwnam(user,False))) { - /* - * Always give the same error so a cracker - * cannot tell why we fail. - */ - got_name = True; - goto err; - } - + + pass = sys_getpwnam(user); + /* * Validate the password they have given. */ - - tested_pass = True; - - if(pass_check(user, user_pass, strlen(user_pass), NULL) == True) { - - /* - * Password was ok. - */ - - if(pass->pw_uid != 0) { + + if (pass_check(pass, user, user_pass, + strlen(user_pass), NULL, False)) { + + if (pass) { /* - * We have not authenticated as root, - * become the user *permanently*. + * Password was ok. */ - become_user_permanently(pass->pw_uid, pass->pw_gid); + + if(pass->pw_uid != 0) { + /* + * We have not authenticated as root, + * become the user *permanently*. + */ + become_user_permanently(pass->pw_uid, pass->pw_gid); + } + + /* Save the users name */ + C_user = strdup(user); + return True; } - - /* Save the users name */ - C_user = strdup(user); - return True; } - - err: - - /* Always take the same time. */ - if (!got_name) - Get_Pwnam(default_user_lookup,False); - - if (!tested_pass) - pass_check(default_user_lookup, default_user_pass, - strlen(default_user_pass), NULL); - + +err: cgi_setup_error("401 Bad Authorization", "", "username or password incorrect"); |