From 1dce4ebed861a6dfbd19da20601d92bc9be3484a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 14 Jan 2004 17:34:41 +0000 Subject: revert the cracklib changes until post 3.0.2 (This used to be commit 6202e0fa727a4307f51bf42f5ced401a7c7b8214) --- source3/configure.in | 58 ---------------------------- source3/param/loadparm.c | 4 -- source3/rpc_server/srv_samr_nt.c | 17 ++------- source3/smbd/chgpasswd.c | 81 ++++++++++++---------------------------- 4 files changed, 26 insertions(+), 134 deletions(-) diff --git a/source3/configure.in b/source3/configure.in index 375eed06ab..7a844c337d 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -2961,64 +2961,6 @@ if test x"$samba_cv_HAVE_TRUNCATED_SALT" = x"yes"; then fi fi - -dictpath="/usr/lib/cracklib_dict" - -############################################### -# test for where we get FaciestCheck from -AC_MSG_CHECKING(where to use cracklib from (default=$dictpath)) -AC_ARG_WITH(cracklib, -[ --with-cracklib[=DIR] Look for cracklib dictionary in this location ], -[ case "$withval" in - yes) - AC_MSG_RESULT(${dictpath}) - ;; - no) - AC_MSG_RESULT(no) - dictpath="" - ;; - *) - dictpath="$withval" - AC_MSG_RESULT(${dictpath}) - ;; - esac ], - dictpath="" - AC_MSG_RESULT(no) -) - -if test x$dictpath != x""; then - AC_SEARCH_LIBS(FascistCheck, [crack], - [test "$ac_cv_search_crack" = "none required" || samba_cv_found_crack="yes" - AC_DEFINE(HAVE_CRACK,1,[Whether the system has the FaciestCheck function from cracklib])]) - - crack_saved_libs=$LIBS; - - if test x$samba_cv_found_crack=x"yes"; then - AC_SEARCH_LIBS(CRACKLIB_DICTPATH, [crypt], - AC_DEFINE(HAVE_CRACKLIB_DICTPATH, 1, [Whether we have given a CRACKLIB_DICTPATH in our headers]) - ) - - AC_DEFINE_UNQUOTED(SAMBA_CRACKLIB_DICTPATH, "$dictpath", [Where the cracklib dictionay is]) - AC_MSG_CHECKING(Whether we have a working cracklib) - AC_TRY_RUN([ - #include "${srcdir-.}/tests/crack.c"], - AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_WORKING_CRACKLIB,1,[Whether we have a working cracklib]) - AUTH_LIBS="-lcrack $AUTH_LIBS", - - AC_MSG_RESULT(no) - AC_MSG_WARN(cracklib exists - but does not function correctly), - - AC_MSG_RESULT(no) - AC_MSG_WARN(cannot test-run when cross-compiling) - ) - else - AC_MSG_CHECKING(Whether we have cracklib) - AC_MSG_RESULT(no) - fi - LIBS=$crack_saved_libs -fi - ######################################################################################## ## ## TESTS FOR SAM BACKENDS. KEEP THESE GROUPED TOGETHER diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 8004d25c12..f944a47891 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -215,7 +215,6 @@ typedef struct int change_notify_timeout; int map_to_guest; int min_passwd_length; - BOOL use_cracklib; int oplock_break_wait_time; int winbind_cache_time; int iLockSpinCount; @@ -788,7 +787,6 @@ static struct parm_struct parm_table[] = { {"hosts equiv", P_STRING, P_GLOBAL, &Globals.szHostsEquiv, NULL, NULL, FLAG_ADVANCED}, {"min passwd length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, FLAG_ADVANCED}, {"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, FLAG_ADVANCED}, - {"use cracklib", P_BOOL, P_GLOBAL, &Globals.use_cracklib, NULL, NULL, FLAG_ADVANCED}, {"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, FLAG_ADVANCED}, {"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, FLAG_ADVANCED}, {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, FLAG_ADVANCED}, @@ -1439,7 +1437,6 @@ static void init_globals(void) Globals.map_to_guest = 0; /* By Default, "Never" */ Globals.min_passwd_length = MINPASSWDLENGTH; /* By Default, 5. */ - Globals.use_cracklib = False; Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */ Globals.enhanced_browsing = True; Globals.iLockSpinCount = 3; /* Try 3 times. */ @@ -1791,7 +1788,6 @@ FN_GLOBAL_INTEGER(lp_machine_password_timeout, &Globals.machine_password_timeout FN_GLOBAL_INTEGER(lp_change_notify_timeout, &Globals.change_notify_timeout) FN_GLOBAL_INTEGER(lp_map_to_guest, &Globals.map_to_guest) FN_GLOBAL_INTEGER(lp_min_passwd_length, &Globals.min_passwd_length) -FN_GLOBAL_BOOL(lp_use_cracklib, &Globals.use_cracklib) FN_GLOBAL_INTEGER(lp_oplock_break_wait_time, &Globals.oplock_break_wait_time) FN_GLOBAL_INTEGER(lp_lock_spin_count, &Globals.iLockSpinCount) FN_GLOBAL_INTEGER(lp_lock_sleep_time, &Globals.iLockSpinTime) diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 7edd34c8dd..b9974cba8a 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2834,17 +2834,11 @@ static BOOL set_user_info_23(SAM_USER_INFO_23 *id23, DOM_SID *sid) DEBUG(5, ("Changing trust account or non-unix-user password, not updating /etc/passwd\n")); } else { /* update the UNIX password */ - if (lp_unix_password_sync() ) { - struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); - if (!passwd) { - DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); - } - - if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { + if (lp_unix_password_sync() ) + if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } - } } ZERO_STRUCT(plaintext_buf); @@ -2905,12 +2899,7 @@ static BOOL set_user_info_pw(char *pass, DOM_SID *sid) } else { /* update the UNIX password */ if (lp_unix_password_sync()) { - struct passwd *passwd = Get_Pwnam(pdb_get_username(pwd)); - if (!passwd) { - DEBUG(1, ("chgpasswd: Username does not exist in system !?!\n")); - } - - if(!chgpasswd(pdb_get_username(pwd), passwd, "", plaintext_buf, True)) { + if(!chgpasswd(pdb_get_username(pwd), "", plaintext_buf, True)) { pdb_free_sam(&pwd); return False; } diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index 692e82680d..e6117245e7 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -49,16 +49,6 @@ #include "includes.h" -#ifdef HAVE_WORKING_CRACKLIB -#include - -#ifndef HAVE_CRACKLIB_DICTPATH -#ifndef CRACKLIB_DICTPATH -#define CRACKLIB_DICTPATH SAMBA_CRACKLIB_DICTPATH -#endif -#endif -#endif - extern struct passdb_ops pdb_ops; static NTSTATUS check_oem_password(const char *user, @@ -451,14 +441,25 @@ while we were waiting\n", WTERMSIG(wstat))); return (chstat); } -BOOL chgpasswd(const char *name, const struct passwd *pass, - const char *oldpass, const char *newpass, BOOL as_root) +BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL as_root) { pstring passwordprogram; pstring chatsequence; size_t i; size_t len; + struct passwd *pass; + + if (!name) { + DEBUG(1, ("chgpasswd: NULL username specfied !\n")); + } + + pass = Get_Pwnam(name); + if (!pass) { + DEBUG(1, ("chgpasswd: Username does not exist in system !\n")); + return False; + } + if (!oldpass) { oldpass = ""; } @@ -470,6 +471,13 @@ BOOL chgpasswd(const char *name, const struct passwd *pass, #endif /* Take the passed information and test it for minimum criteria */ + /* Minimum password length */ + if (strlen(newpass) < lp_min_passwd_length()) { + /* too short, must be at least MINPASSWDLENGTH */ + DEBUG(0, ("chgpasswd: Password Change: user %s, New password is shorter than minimum password length = %d\n", + name, lp_min_passwd_length())); + return (False); /* inform the user */ + } /* Password is same as old password */ if (strcmp(oldpass, newpass) == 0) { @@ -562,8 +570,7 @@ the string %%u, and the given string %s does not.\n", passwordprogram )); #else /* ALLOW_CHANGE_PASSWORD */ -BOOL chgpasswd(const char *name, const struct passwd *pass, - const char *oldpass, const char *newpass, BOOL as_root) +BOOL chgpasswd(const char *name, const char *oldpass, const char *newpass, BOOL as_root) { DEBUG(0, ("chgpasswd: Password changing not compiled in (user=%s)\n", name)); return (False); @@ -902,8 +909,6 @@ static NTSTATUS check_oem_password(const char *user, NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passwd, BOOL as_root) { - struct passwd *pass; - BOOL ret; uint32 min_len; @@ -931,47 +936,7 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw /* return NT_STATUS_PWD_TOO_SHORT; */ } - pass = Get_Pwnam(pdb_get_username(hnd)); - if (!pass) { - DEBUG(1, ("check_oem_password: Username does not exist in system !?!\n")); - } - -#ifdef HAVE_WORKING_CRACKLIB - if (pass) { - /* if we can, become the user to overcome internal cracklib sillyness */ - if (!push_sec_ctx()) - return NT_STATUS_UNSUCCESSFUL; - - set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL); - set_re_uid(); - } - - if (lp_use_cracklib()) { - const char *crack_check_reason; - DEBUG(4, ("change_oem_password: Checking password for user [%s]" - " against cracklib. \n", pdb_get_username(hnd))); - DEBUGADD(4, ("If this is your last message, then something is " - "wrong with cracklib, it might be missing it's " - "dictionaries at %s\n", - CRACKLIB_DICTPATH)); - dbgflush(); - - crack_check_reason = FascistCheck(new_passwd, (char *)CRACKLIB_DICTPATH); - if (crack_check_reason) { - DEBUG(1, ("Password Change: user [%s], " - "New password failed cracklib test - %s\n", - pdb_get_username(hnd), crack_check_reason)); - - /* get back to where we should be */ - if (pass) - pop_sec_ctx(); - return NT_STATUS_PASSWORD_RESTRICTION; - } - } - - if (pass) - pop_sec_ctx(); -#endif + /* TODO: Add cracklib support here */ /* * If unix password sync was requested, attempt to change @@ -986,7 +951,7 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw */ if(lp_unix_password_sync() && - !chgpasswd(pdb_get_username(hnd), pass, old_passwd, new_passwd, as_root)) { + !chgpasswd(pdb_get_username(hnd), old_passwd, new_passwd, as_root)) { return NT_STATUS_ACCESS_DENIED; } -- cgit