No need to look up shadow password unless we are doing password-style

authentication.  This moves the shadow password lookup to the auth
functions that need it.
Todd C. Miller
2010-08-06 13:55:33 -04:00
parent cb1848fab1
commit 96cb890d53
8 changed files with 60 additions and 43 deletions


@@ -55,6 +55,9 @@ passwd_init(struct passwd *pw, char **promptp, sudo_auth *auth)
if (skeyaccess(pw, user_tty, NULL, NULL) == 0)
return(AUTH_FAILURE);
#endif
sudo_setspent();
auth->data = sudo_getepw(pw);
sudo_endspent();
return(AUTH_SUCCESS);
}
@@ -62,14 +65,15 @@ int
passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
char sav, *epass;
char *pw_epasswd = auth->data;
size_t pw_len;
int error;
pw_len = strlen(pw->pw_passwd);
pw_len = strlen(pw_epasswd);
#ifdef HAVE_GETAUTHUID
/* Ultrix shadow passwords may use crypt16() */
error = strcmp(pw->pw_passwd, (char *) crypt16(pass, pw->pw_passwd));
error = strcmp(pw_epasswd, (char *) crypt16(pass, pw_epasswd));
if (!error)
return(AUTH_SUCCESS);
#endif /* HAVE_GETAUTHUID */
@@ -79,7 +83,7 @@ passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth)
* If this turns out not to be safe we will have to use OS #ifdef's (sigh).
*/
sav = pass[8];
if (pw_len == DESLEN || HAS_AGEINFO(pw->pw_passwd, pw_len))
if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
pass[8] = '\0';
/*
@@ -87,12 +91,26 @@ passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth)
* HP-UX may add aging info (separated by a ',') at the end so
* only compare the first DESLEN characters in that case.
*/
epass = (char *) crypt(pass, pw->pw_passwd);
epass = (char *) crypt(pass, pw_epasswd);
pass[8] = sav;
if (HAS_AGEINFO(pw->pw_passwd, pw_len) && strlen(epass) == DESLEN)
error = strncmp(pw->pw_passwd, epass, DESLEN);
if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
error = strncmp(pw_epasswd, epass, DESLEN);
else
error = strcmp(pw->pw_passwd, epass);
error = strcmp(pw_epasswd, epass);
return(error ? AUTH_FAILURE : AUTH_SUCCESS);
}
int
passwd_cleanup(pw, auth)
struct passwd *pw;
sudo_auth *auth;
{
char *pw_epasswd = auth->data;
if (pw_epasswd != NULL) {
zero_bytes(pw_epasswd, strlen(pw_epasswd));
efree(pw_epasswd);
}
return(AUTH_SUCCESS);
}
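Review bot: passwd_verify() copies `auth->data` into `pw_epasswd` and passes it straight to `strlen()`, while passwd_cleanup() in the last hunk treats the same pointer as possibly NULL; if sudo_getepw() (not shown here) can leave it NULL, verification dereferences a null pointer, so a guard such as `if (pw_epasswd == NULL) return(AUTH_FAILURE);` before the `strlen()` call would make the two functions agree and fail closed. passwd_cleanup() also leaves `auth->data` pointing at the freed hash; adding `auth->data = NULL;` after `efree(pw_epasswd);` keeps a second cleanup call from zeroing and freeing it again. Separately, the result of `crypt()` goes to `strlen(epass)` and `strcmp()` unchecked, and some libc implementations return NULL for a salt they reject, so `if (epass == NULL) return(AUTH_FAILURE);` after `pass[8]` is restored is worth adding. passwd_init() starts above the first hunk and parts of passwd_verify() fall between hunks, so checks outside the visible lines may already cover some of this.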