From 9373e1ea90c088b4a1156554efb9e1da1738a8d3 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 12 Dec 2007 17:26:49 -0800
Subject: Fix bug #3727 with patch from Steve Langasek Jeremy. (This used to be commit 0723760ba47a465d2ff5a22a680f1b5196eca7d8)
---
 source3/pam_smbpass/pam_smb_acct.c | 5 +++++
 source3/pam_smbpass/pam_smb_auth.c | 8 +++++++-
 source3/pam_smbpass/pam_smb_passwd.c | 5 +++++
 source3/utils/smbpasswd.c | 4 ++++
 4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/source3/pam_smbpass/pam_smb_acct.c b/source3/pam_smbpass/pam_smb_acct.c
index c7622fbaa2..59ed4eee8b 100644
--- a/source3/pam_smbpass/pam_smb_acct.c
+++ b/source3/pam_smbpass/pam_smb_acct.c
@@ -77,6 +77,11 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
 _log_err( LOG_DEBUG, "acct: username [%s] obtained", name );
 }
+ if (geteuid() != 0) {
+ _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
+ return PAM_AUTHINFO_UNAVAIL;
+ }
+
 /* Getting into places that might use LDAP -- protect the app from a SIGPIPE it's not expecting */
 oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
diff --git a/source3/pam_smbpass/pam_smb_auth.c b/source3/pam_smbpass/pam_smb_auth.c
index 79856a111d..3a841adebd 100644
--- a/source3/pam_smbpass/pam_smb_auth.c
+++ b/source3/pam_smbpass/pam_smb_auth.c
@@ -108,6 +108,12 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 _log_err( LOG_DEBUG, "username [%s] obtained", name );
 }
+ if (geteuid() != 0) {
+ _log_err( LOG_DEBUG, "Cannot access samba password database, not running as root.");
+ retval = PAM_AUTHINFO_UNAVAIL;
+ AUTH_RETURN;
+ }
+
 if (!initialize_password_db(True, NULL)) {
 _log_err( LOG_ALERT, "Cannot access samba password database" );
 retval = PAM_AUTHINFO_UNAVAIL;
@@ -136,7 +142,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 sampass = NULL;
 AUTH_RETURN;
 }
-
+
 /* if this user does not have a password... */
 if (_smb_blankpasswd( ctrl, sampass )) {
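Review bot: In source3/pam_smbpass/pam_smb_acct.c the added `_log_err(pamh, LOG_DEBUG, ...)` call passes `pamh` as its first argument, while the context line just above it in the same hunk calls `_log_err( LOG_DEBUG, "acct: username [%s] obtained", name )` with the log level first, as does the matching addition in pam_smb_auth.c. If `_log_err` in this tree takes the priority followed by the format string (its prototype is not visible here), the new call hands a pointer in as the priority and `LOG_DEBUG` as the format, so the root check either fails to build or misbehaves on the one path meant to explain the refusal. The line should read `_log_err( LOG_DEBUG, "Cannot access samba password database, not running as root." );`, and the same change applies to the identical addition in pam_sm_chauthtok (pam_smb_passwd.c, hunk at -129,6). Both functions start and end outside their hunks.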
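Review bot: The early exit added to pam_sm_authenticate (pam_smb_auth.c, hunk at -108,6) carries no comment saying why the effective uid is tested before `initialize_password_db()`, and it reports the refusal at `LOG_DEBUG` while the database failure directly below it uses `LOG_ALERT`. A reader cannot tell whether the quiet level is deliberate, and an administrator debugging a failing PAM stack may never see the message at default syslog levels. I would add `/* The samba password database needs root: refuse quietly when an unprivileged application loads this module. */` above the `if`, or raise the level if this refusal is meant to be visible. The function body starts and ends outside the hunk.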
diff --git a/source3/pam_smbpass/pam_smb_passwd.c b/source3/pam_smbpass/pam_smb_passwd.c
index f0fa018217..de5310761f 100644
--- a/source3/pam_smbpass/pam_smb_passwd.c
+++ b/source3/pam_smbpass/pam_smb_passwd.c
@@ -129,6 +129,11 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 _log_err( LOG_DEBUG, "username [%s] obtained", user );
 }
+ if (geteuid() != 0) {
+ _log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
+ return PAM_AUTHINFO_UNAVAIL;
+ }
+
 /* Getting into places that might use LDAP -- protect the app from a SIGPIPE it's not expecting */
 oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index ea3bb38dc4..deed08fea3 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -94,6 +94,10 @@ static int process_options(int argc, char **argv, int local_flags)
 while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
 switch(ch) {
 case 'L':
+ if (getuid() != 0) {
+ fprintf(stderr, "smbpasswd -L can only be used by root.\n");
+ exit(1);
+ }
 local_flags |= LOCAL_AM_ROOT;
 break;
 case 'c':
-- cgit
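Review bot: In process_options (source3/utils/smbpasswd.c) the new `-L` guard tests the real uid with `getuid()`, whereas the three pam_smbpass checks in this commit test `geteuid()`, and nothing in the hunk says the difference is intended. Since `-L` sets `LOCAL_AM_ROOT`, checking the real uid looks like the right choice for a command-line tool, because on a set-uid install an euid test would pass for any caller (inferred; the install mode is not visible here). A comment such as `/* -L grants LOCAL_AM_ROOT: require real uid 0, not merely euid 0 */` above the `if` would stop a later cleanup from changing it to `geteuid()` for consistency. The hunk covers only the start of the `switch`, so whether `exit(1)` matches how other option errors in this function are reported cannot be checked from here.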