From 1cabd594f224825bd0eae543216d87801091c33c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 23 Apr 2009 16:33:39 +0200
Subject: fix for pam proxy chauthtok

When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.

If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.
---
 server/providers/proxy.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

(limited to 'server/providers/proxy.c')

diff --git a/server/providers/proxy.c b/server/providers/proxy.c
index 907f044e..0fea89df 100644
--- a/server/providers/proxy.c
+++ b/server/providers/proxy.c
@@ -66,8 +66,8 @@ struct proxy_auth_ctx {
 };
 
 struct authtok_conv {
-    char *authtok;
-    char *oldauthtok;
+    uint32_t authtok_size;
+    uint8_t *authtok;
 };
 
 static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
@@ -90,7 +90,11 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm,
             case PAM_PROMPT_ECHO_OFF:
                 DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg));
                 reply[i].resp_retcode = 0;
-                reply[i].resp = strdup(auth_data->authtok);
+                reply[i].resp = calloc(auth_data->authtok_size + 1,
+                                       sizeof(char));
+                if (reply[i].resp == NULL) goto failed;
+                memcpy(reply[i].resp, auth_data->authtok, auth_data->authtok_size);
+
                 break;
             default:
                 DEBUG(1, ("Conversation style %d not supported.\n",
@@ -142,9 +146,8 @@ static void proxy_pam_handler(struct be_req *req) {
         }
         switch (pd->cmd) {
             case SSS_PAM_AUTHENTICATE:
-/* FIXME: \0 missing at the end */
-                auth_data->authtok=(char *) pd->authtok;
-                auth_data->oldauthtok=NULL;
+                auth_data->authtok_size = pd->authtok_size;
+                auth_data->authtok = pd->authtok;
                 pam_status=pam_authenticate(pamh, 0);
                 break;
             case SSS_PAM_SETCRED:
@@ -160,9 +163,14 @@ static void proxy_pam_handler(struct be_req *req) {
                 pam_status=pam_close_session(pamh, 0);
                 break;
             case SSS_PAM_CHAUTHTOK:
-/* FIXME: \0 missing at the end */
-                auth_data->authtok=(char *) pd->newauthtok;
-                auth_data->oldauthtok=(char *) pd->authtok;
+                if (pd->priv != 1) {
+                    auth_data->authtok_size = pd->authtok_size;
+                    auth_data->authtok = pd->authtok;
+                    pam_status=pam_authenticate(pamh, 0);
+                    if (pam_status != PAM_SUCCESS) break;
+                }
+                auth_data->authtok_size = pd->newauthtok_size;
+                auth_data->authtok = pd->newauthtok;
                 pam_status=pam_chauthtok(pamh, 0);
                 break;
             default:
-- 
cgit