diff options
Diffstat (limited to 'source3/pam_smbpass')
| -rw-r--r-- | source3/pam_smbpass/pam_smb_acct.c | 5 | ||||
| -rw-r--r-- | source3/pam_smbpass/pam_smb_auth.c | 8 | ||||
| -rw-r--r-- | source3/pam_smbpass/pam_smb_passwd.c | 5 |
3 files changed, 17 insertions, 1 deletions
diff --git a/source3/pam_smbpass/pam_smb_acct.c b/source3/pam_smbpass/pam_smb_acct.c index c7622fbaa2..59ed4eee8b 100644 --- a/source3/pam_smbpass/pam_smb_acct.c +++ b/source3/pam_smbpass/pam_smb_acct.c @@ -77,6 +77,11 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "acct: username [%s] obtained", name ); } + if (geteuid() != 0) { + _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); + return PAM_AUTHINFO_UNAVAIL; + } + /* Getting into places that might use LDAP -- protect the app from a SIGPIPE it's not expecting */ oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c index 79856a111d..3a841adebd 100644 --- a/source3/pam_smbpass/pam_smb_auth.c +++ b/source3/pam_smbpass/pam_smb_auth.c @@ -108,6 +108,12 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "username [%s] obtained", name ); } + if (geteuid() != 0) { + _log_err( LOG_DEBUG, "Cannot access samba password database, not running as root."); + retval = PAM_AUTHINFO_UNAVAIL; + AUTH_RETURN; + } + if (!initialize_password_db(True, NULL)) { _log_err( LOG_ALERT, "Cannot access samba password database" ); retval = PAM_AUTHINFO_UNAVAIL; @@ -136,7 +142,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, sampass = NULL; AUTH_RETURN; } - + /* if this user does not have a password... */ if (_smb_blankpasswd( ctrl, sampass )) { diff --git a/source3/pam_smbpass/pam_smb_passwd.c b/source3/pam_smbpass/pam_smb_passwd.c index f0fa018217..de5310761f 100644 --- a/source3/pam_smbpass/pam_smb_passwd.c +++ b/source3/pam_smbpass/pam_smb_passwd.c @@ -129,6 +129,11 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags, _log_err( LOG_DEBUG, "username [%s] obtained", user ); } + if (geteuid() != 0) { + _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root."); + return PAM_AUTHINFO_UNAVAIL; + } + /* Getting into places that might use LDAP -- protect the app from a SIGPIPE it's not expecting */ oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); |