mirror of https://github.com/sudo-project/sudo.git synced 2025-08-31 14:25:15 +00:00

new shadow password scheme. Always include shadow support if the

platform supports it and the user did not disable it via configure
Todd C. Miller
1998-09-21 04:00:56 +00:00
parent 2de38e16c3
commit 1c66c857e4
8 changed files with 195 additions and 479 deletions

93
aclocal.m4 vendored

@@ -147,99 +147,6 @@ else
fi fi
])dnl ])dnl
dnl
dnl check for shadow passwords
dnl NOTE: not verbose
dnl
AC_DEFUN(SUDO_CHECK_SHADOW_GENERIC, [
if test -z "$SHADOW_TYPE" -a -d /tcb/files/auth; then
AC_CHECK_FUNC(getprpwuid, SHADOW_TYPE="SPW_SECUREWARE")
fi
if test -z "$SHADOW_TYPE" -a -s /etc/shadow; then
AC_CHECK_FUNC(getspnam, SHADOW_TYPE="SPW_SVR4")
fi
if test -z "$SHADOW_TYPE" -a -s /etc/master.passwd; then
SHADOW_TYPE="SPW_BSD"
fi
if test -z "$SHADOW_TYPE"; then
SHADOW_TYPE="SPW_NONE"
$2
else
$1
fi
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
])
AC_DEFUN(SUDO_CHECK_SHADOW_SUNOS4, [AC_MSG_CHECKING(for shadow passwords)
if test -s /etc/security/passwd.adjunct; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_ULTRIX4, [AC_MSG_CHECKING(for shadow passwords)
if test -s /etc/auth.pag; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_BSD, [AC_MSG_CHECKING(for shadow passwords)
if test -s /etc/master.passwd; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_HPUX9, [AC_MSG_CHECKING(for shadow passwords)
if test -s /.secure/etc/passwd; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_SVR4, [AC_MSG_CHECKING(for shadow passwords)
if test -s /etc/shadow; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_SECUREWARE, [AC_MSG_CHECKING(for shadow passwords)
if test -d /tcb/files/auth; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_DUNIX, [AC_MSG_CHECKING(for shadow passwords)
if test "`. /etc/rc.config ; echo $SECURITY`" = "ENHANCED"; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
dnl dnl
dnl dnl
dnl check for fullly working void dnl check for fullly working void

64
check.c

@@ -67,14 +67,14 @@ static char rcsid[] = "$Id$";
#include <options.h> #include <options.h>
#include "insults.h" #include "insults.h"
#include "version.h" #include "version.h"
#if (SHADOW_TYPE == SPW_SECUREWARE) #ifdef HAVE_GETPRPWUID
# ifdef __hpux # ifdef __hpux
# include <hpsecurity.h> # include <hpsecurity.h>
# else # else
# include <sys/security.h> # include <sys/security.h>
# endif /* __hpux */ # endif /* __hpux */
# include <prot.h> # include <prot.h>
#endif /* SPW_SECUREWARE */ #endif /* HAVE_GETPRPWUID */
#ifdef HAVE_KERB4 #ifdef HAVE_KERB4
# include <krb.h> # include <krb.h>
#endif /* HAVE_KERB4 */ #endif /* HAVE_KERB4 */
@@ -141,9 +141,9 @@ struct skey skey;
#ifdef HAVE_OPIE #ifdef HAVE_OPIE
struct opie opie; struct opie opie;
#endif #endif
#if (SHADOW_TYPE == SPW_SECUREWARE) && defined(__alpha) #if defined(HAVE_GETPRPWUID) && defined(__alpha)
extern uchar_t crypt_type; extern int crypt_type;
#endif /* SPW_SECUREWARE && __alpha */ #endif /* HAVE_GETPRPWUID && __alpha */
@@ -585,42 +585,44 @@ static void check_passwd()
/* /*
* If we use shadow passwords with a different crypt(3) * If we use shadow passwords with a different crypt(3)
* check that here, else use standard crypt(3). * check that here, else use standard crypt(3).
* XXX - break out into separate functions.
*/ */
# if (SHADOW_TYPE != SPW_NONE) && (SHADOW_TYPE != SPW_BSD) # ifdef HAVE_GETAUTHUID
# if (SHADOW_TYPE == SPW_ULTRIX4)
if (!strcmp(user_passwd, (char *) crypt16(pass, user_passwd))) if (!strcmp(user_passwd, (char *) crypt16(pass, user_passwd)))
return; /* if the passwd is correct return() */ return; /* if the passwd is correct return() */
# endif /* ULTRIX4 */ # endif /* HAVE_GETAUTHUID */
# if (SHADOW_TYPE == SPW_SECUREWARE) && !defined(__alpha) # ifdef HAVE_GETPRPWUID
# ifndef __alpha
# ifdef HAVE_BIGCRYPT # ifdef HAVE_BIGCRYPT
if (strcmp(user_passwd, (char *) bigcrypt(pass, user_passwd)) == 0) if (strcmp(user_passwd, (char *) bigcrypt(pass, user_passwd)) == 0)
return; /* if the passwd is correct return() */ return; /* if the passwd is correct return() */
# else
if (strcmp(user_passwd, crypt(pass, user_passwd)) == 0)
return; /* if the passwd is correct return() */
# endif /* HAVE_BIGCRYPT */ # endif /* HAVE_BIGCRYPT */
# endif /* SECUREWARE && !__alpha */ # else /* !__alpha */
# if (SHADOW_TYPE == SPW_SECUREWARE) && defined(__alpha) switch (crypt_type) {
if (crypt_type == AUTH_CRYPT_BIGCRYPT) { case AUTH_CRYPT_BIGCRYPT:
if (!strcmp(user_passwd, bigcrypt(pass, user_passwd))) if (!strcmp(user_passwd, bigcrypt(pass, user_passwd)))
return; /* if the passwd is correct return() */ return; /* if the passwd is correct return() */
} else if (crypt_type == AUTH_CRYPT_CRYPT16) { break;
if (!strcmp(user_passwd, crypt16(pass, user_passwd))) case AUTH_CRYPT_CRYPT16:
return; /* if the passwd is correct return() */ if (!strcmp(user_passwd, crypt16(pass, user_passwd)))
return; /* if the passwd is correct return() */
break;
# ifdef AUTH_CRYPT_OLDCRYPT # ifdef AUTH_CRYPT_OLDCRYPT
} else if (crypt_type == AUTH_CRYPT_OLDCRYPT || case AUTH_CRYPT_OLDCRYPT:
crypt_type == AUTH_CRYPT_C1CRYPT) { case AUTH_CRYPT_C1CRYPT:
if (!strcmp(user_passwd, crypt(pass, user_passwd)))
return; /* if the passwd is correct return() */
# endif # endif
} else { case -1:
(void) fprintf(stderr, if (!strcmp(user_passwd, crypt(pass, user_passwd)))
"%s: Sorry, I don't know how to deal with crypt type %d.\n", return; /* if the passwd is correct return() */
Argv[0], crypt_type); break;
exit(1); default:
(void) fprintf(stderr,
"%s: Sorry, I don't know how to deal with crypt type %d.\n",
Argv[0], crypt_type);
exit(1);
} }
# endif /* SECUREWARE && __alpha */ # endif /* __alpha */
# endif /* SHADOW_TYPE != SPW_NONE && SHADOW_TYPE != SPW_BSD */ # endif /* HAVE_GETPRPWUID */
/* Normal UN*X password check */ /* Normal UN*X password check */
if (!strcmp(user_passwd, (char *) crypt(pass, user_passwd))) if (!strcmp(user_passwd, (char *) crypt(pass, user_passwd)))
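Review bot: `case -1:` in the `__alpha` switch of check_passwd() is an undocumented sentinel. It matches only because getspwuid.c in this commit initialises `crypt_type` to -1 and leaves it there when no SecureWare entry was read. A reader of this file alone cannot tell that -1 means "no protected-password entry, use crypt(3)" rather than a value the auth database could supply. I would add `/* -1: crypt_type never set by sudo_getepw(), use plain crypt(3) */` above the case, or better, give the value a name shared by both files. check_passwd() starts and ends outside this hunk.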


@@ -100,7 +100,7 @@
# undef _PASSWD_LEN # undef _PASSWD_LEN
# define _PASSWD_LEN 256 # define _PASSWD_LEN 256
#else #else
# if (SHADOW_TYPE == SPW_SECUREWARE) # ifdef HAVE_GETPRPWUID
# undef _PASSWD_LEN # undef _PASSWD_LEN
# define _PASSWD_LEN AUTH_MAX_PASSWD_LENGTH # define _PASSWD_LEN AUTH_MAX_PASSWD_LENGTH
# else # else
@@ -116,7 +116,7 @@
# endif /* PASS_MAX */ # endif /* PASS_MAX */
# endif /* !_PASSWD_LEN */ # endif /* !_PASSWD_LEN */
# endif /* HAVE_KERB4 || HAVE_AFS || HAVE_DCE || HAVE_SKEY || HAVE_OPIE */ # endif /* HAVE_KERB4 || HAVE_AFS || HAVE_DCE || HAVE_SKEY || HAVE_OPIE */
#endif /* SPW_SECUREWARE */ #endif /* HAVE_GETPRPWUID */
/* /*
* Some OS's lack these * Some OS's lack these


@@ -201,6 +201,21 @@
/* Define if you have set_auth_parameters(3). */ /* Define if you have set_auth_parameters(3). */
#undef HAVE_SET_AUTH_PARAMETERS #undef HAVE_SET_AUTH_PARAMETERS
/* Define if you have getspnam(3). [SVR4-style shadow passwords] */
#undef HAVE_GETSPNAM
/* Define if you have getprpwuid(3). [SecureWare-style shadow passwords] */
#undef HAVE_GETPRPWUID
/* Define if you have getspwuid(3). [HP-UX <= 9.X shadow passwords] */
#undef HAVE_GETSPWUID
/* Define if you have getpwanam(3). [SunOS 4.x shadow passwords] */
#undef HAVE_GETPWANAM
/* Define if you have getauthuid(3). [ULTRIX 4.x shadow passwords] */
#undef HAVE_GETAUTHUID
/* Define if you have seteuid(3). */ /* Define if you have seteuid(3). */
#undef HAVE_SETEUID #undef HAVE_SETEUID
@@ -265,18 +280,6 @@
/* Define if your struct sockadr has an sa_len field. */ /* Define if your struct sockadr has an sa_len field. */
#undef HAVE_SA_LEN #undef HAVE_SA_LEN
/* Supported shadow password types */
#define SPW_NONE 0x00
#define SPW_SECUREWARE 0x01
#define SPW_HPUX9 0x02
#define SPW_SUNOS4 0x03
#define SPW_SVR4 0x04
#define SPW_ULTRIX4 0x05
#define SPW_BSD 0x06
/* Define to the variety of shadow passwords supported on your OS */
#undef SHADOW_TYPE
/* Define to void if your C compiler fully groks void, else char */ /* Define to void if your C compiler fully groks void, else char */
#undef VOID #undef VOID
@@ -303,36 +306,3 @@
/* Define if you want the log file line to be wrapped */ /* Define if you want the log file line to be wrapped */
#undef WRAP_LOG #undef WRAP_LOG
/*
* Paths to commands used by sudo. There are used by pathnames.h.
* If you want to override these values, do so in pathnames.h, not here!
*/
#ifndef _CONFIG_PATH_SENDMAIL
#undef _CONFIG_PATH_SENDMAIL
#endif /* _CONFIG_PATH_SENDMAIL */
#ifndef _CONFIG_PATH_VI
#undef _CONFIG_PATH_VI
#endif /* _CONFIG_PATH_VI */
#ifndef _CONFIG_PATH_PWD
#undef _CONFIG_PATH_PWD
#endif /* _CONFIG_PATH_PWD */
#ifndef _CONFIG_PATH_MV
#undef _CONFIG_PATH_MV
#endif /* _CONFIG_PATH_MV */
#ifndef _CONFIG_PATH_BSHELL
#undef _CONFIG_PATH_BSHELL
#endif /* _CONFIG_PATH_BSHELL */
#ifndef _CONFIG_PATH_LOGFILE
#undef _CONFIG_PATH_LOGFILE
#endif /* _CONFIG_PATH_LOGFILE */
#ifndef _CONFIG_PATH_TIMEDIR
#undef _CONFIG_PATH_TIMEDIR
#endif /* _CONFIG_PATH_TIMEDIR */


@@ -40,6 +40,7 @@ MANTYPE="man"
AC_SUBST(MANTYPE)dnl AC_SUBST(MANTYPE)dnl
MAN_POSTINSTALL="" MAN_POSTINSTALL=""
AC_SUBST(MAN_POSTINSTALL)dnl AC_SUBST(MAN_POSTINSTALL)dnl
CHECKSHADOW="true"
dnl dnl
dnl Override default configure dirs... dnl Override default configure dirs...
@@ -53,6 +54,22 @@ dnl
dnl Options for --enable dnl Options for --enable
dnl dnl
AC_MSG_CHECKING(whether to disable shadow password support)
AC_ARG_ENABLE(tgetpass,
[ --enable-shadow Use shadow passwords if they exist (default)
--disable-shadow Never use shadow passwords],
[ case "$enableval" in
yes) AC_MSG_RESULT(no)
;;
no) AC_MSG_RESULT(yes)
CHECKSHADOW="false"
;;
*) AC_MSG_RESULT(no)
echo "Ignoring unknown argument to --enable-tgetpass: $enableval"
;;
esac
], AC_MSG_RESULT(no))
AC_MSG_CHECKING(whether to use the system getpass function) AC_MSG_CHECKING(whether to use the system getpass function)
AC_ARG_ENABLE(tgetpass, AC_ARG_ENABLE(tgetpass,
[ --enable-tgetpass Use sudo's getpass() that times out (default) [ --enable-tgetpass Use sudo's getpass() that times out (default)
@@ -376,24 +393,13 @@ case "$host" in
# getcwd(3) opens a pipe to getpwd(1)!?! # getcwd(3) opens a pipe to getpwd(1)!?!
BROKEN_GETCWD=1 BROKEN_GETCWD=1
if test -z "$with_C2"; then # check for password adjunct functions (shadow passwords)
SUDO_CHECK_SHADOW_SUNOS4(with_C2="yes") if test "$CHECKSHADOW" = "true"; then
fi AC_CHECK_FUNCS(getpwanam)
if test "$with_C2" = "yes"; then CHECKSHADOW="false"
SHADOW_TYPE="SPW_SUNOS4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi fi
;; ;;
*-*-solaris2*) *-*-solaris2*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" != "no"; then
with_C2="yes"
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
# AFS support needs -lucb # AFS support needs -lucb
if test "$with_AFS" = "yes"; then if test "$with_AFS" = "yes"; then
AFS_LIBS="-lc -lucb" AFS_LIBS="-lc -lucb"
@@ -404,8 +410,9 @@ case "$host" in
SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp" SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
;; ;;
*-*-hiuxmpp*) *-*-hiuxmpp*)
if test -z "$with_C2"; then if test "$CHECKSHADOW" = "true"; then
SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes") AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsec"], AC_CHECK_LIB(security, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsecurity"]))
CHECKSHADOW="false"
fi fi
;; ;;
*-*-hpux1[[0-9]]*) *-*-hpux1[[0-9]]*)
@@ -413,14 +420,9 @@ case "$host" in
# (XXX - should be an option to configure) # (XXX - should be an option to configure)
#STATIC_SUDO=true #STATIC_SUDO=true
if test -z "$with_C2"; then if test "$CHECKSHADOW" = "true"; then
SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes") AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsec"])
fi CHECKSHADOW="false"
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SECUREWARE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
SUDO_LIBS="${SUDO_LIBS} -lsec"
LIBS="${LIBS} -lsec"
fi fi
if test -n "$STATIC_SUDO"; then if test -n "$STATIC_SUDO"; then
@@ -452,12 +454,9 @@ case "$host" in
AC_DEFINE(BROKEN_SYSLOG) AC_DEFINE(BROKEN_SYSLOG)
if test -z "$with_C2"; then if test "$CHECKSHADOW" = "true"; then
SUDO_CHECK_SHADOW_HPUX9(with_C2="yes") AC_CHECK_FUNCS(getspwuid)
fi CHECKSHADOW="false"
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_HPUX9"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi fi
if test -n "$STATIC_SUDO"; then if test -n "$STATIC_SUDO"; then
@@ -508,26 +507,12 @@ case "$host" in
# ignore envariables wrt dynamic lib path # ignore envariables wrt dynamic lib path
SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-no_library_replacement" SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-no_library_replacement"
# C2 security stuff if test "$CHECKSHADOW" = "true"; then
if test -z "$with_C2"; then AC_CHECK_LIB(security, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsecurity"])
SUDO_CHECK_SHADOW_DUNIX(with_C2="yes") CHECKSHADOW="false"
fi
if test "$with_C2" = "yes"; then
SUDO_LIBS="${SUDO_LIBS} -lsecurity -laud"
LIBS="${LIBS} -lsecurity -laud"
SHADOW_TYPE="SPW_SECUREWARE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi fi
;; ;;
*-*-irix*) *-*-irix*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
# configure may not think irix has stdc headers # configure may not think irix has stdc headers
# but it's good enough for sudo # but it's good enough for sudo
AC_DEFINE(STDC_HEADERS) AC_DEFINE(STDC_HEADERS)
@@ -547,16 +532,10 @@ case "$host" in
fi fi
;; ;;
*-*-linux*) *-*-linux*)
if test -z "$with_C2"; then # Some Linux versions need to link with -lshadow
SUDO_CHECK_SHADOW_SVR4(with_C2="yes") if test "$CHECKSHADOW" = "true"; then
fi AC_CHECK_FUNC(getspnam, AC_DEFINE(HAVE_GETSPNAM), AC_CHECK_LIB(shadow, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lshadow"]))
if test "$with_C2" = "yes"; then CHECKSHADOW="false"
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
OSDEFS="${OSDEFS} -DSHADOW_PWD"
AC_CHECK_FUNC(getspnam, ,
SUDO_LIBS="${SUDO_LIBS} -lshadow"
LIBS="${LIBS} -lshadow")
fi fi
;; ;;
*-convex-bsd*) *-convex-bsd*)
@@ -565,38 +544,19 @@ case "$host" in
CFLAGS="${CFLAGS} -D__STDC__" CFLAGS="${CFLAGS} -D__STDC__"
fi fi
if test -z "$with_C2"; then if test "$CHECKSHADOW" = "true"; then
SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes") AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lprot"; OSDEFS="${OSDEFS} -D_AUDIT -D_ACL -DSecureWare"])
fi CHECKSHADOW="false"
if test "$with_C2" = "yes"; then
OSDEFS="${OSDEFS} -D_AUDIT -D_ACL -DSecureWare"
SUDO_LIBS="${SUDO_LIBS} -lprot"
LIBS="${LIBS} -lprot"
SHADOW_TYPE="SPW_SECUREWARE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi fi
;; ;;
*-*-ultrix*) *-*-ultrix*)
OS="ultrix" OS="ultrix"
if test -z "$with_C2"; then if test "$CHECKSHADOW" = "true"; then
SUDO_CHECK_SHADOW_ULTRIX4(with_C2="yes") AC_CHECK_LIB(auth, getauthuid, AC_DEFINE(HAVE_GETAUTHUID) [SUDO_LIBS="${SUDO_LIBS} -lauth"])
fi CHECKSHADOW="false"
if test "$with_C2" = "yes"; then
SUDO_LIBS="${SUDO_LIBS} -lauth"
LIBS="${LIBS} -lauth"
SHADOW_TYPE="SPW_ULTRIX4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi fi
;; ;;
*-*-riscos*) *-*-riscos*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
SUDO_LIBS="${SUDO_LIBS} -lsun -lbsd" SUDO_LIBS="${SUDO_LIBS} -lsun -lbsd"
LIBS="${LIBS} -lsun -lbsd" LIBS="${LIBS} -lsun -lbsd"
CPPFLAGS="${CPPFLAGS} -I/usr/include -I/usr/include/bsd" CPPFLAGS="${CPPFLAGS} -I/usr/include -I/usr/include/bsd"
@@ -608,25 +568,15 @@ case "$host" in
SUDO_LIBS="${SUDO_LIBS} -lcrypt" SUDO_LIBS="${SUDO_LIBS} -lcrypt"
LIBS="${LIBS} -lcrypt" LIBS="${LIBS} -lcrypt"
if test -z "$with_C2"; then if test "$CHECKSHADOW" = "true"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes") AC_CHECK_LIB(sec, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lsec"])
fi CHECKSHADOW="false"
if test "$with_C2" = "yes"; then
SUDO_LIBS="${SUDO_LIBS} -lsec"
LIBS="${LIBS} -lsec"
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi fi
;; ;;
*-*-sco*) *-*-sco*)
if test -z "$with_C2"; then if test "$CHECKSHADOW" = "true"; then
SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes") AC_CHECK_LIB(prot, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lprot -lx"])
fi CHECKSHADOW="false"
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SECUREWARE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
SUDO_LIBS="${SUDO_LIBS} -lprot -lx"
LIBS="${LIBS} -lprot -lx"
fi fi
;; ;;
*-*-unicos*) *-*-unicos*)
@@ -638,14 +588,9 @@ case "$host" in
# we don't want -linet # we don't want -linet
LIB_INET=0 LIB_INET=0
if test -z "$with_C2"; then if test "$CHECKSHADOW" = "true"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes") AC_CHECK_LIB(sec, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lsec"])
fi CHECKSHADOW="false"
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
SUDO_LIBS="${SUDO_LIBS} -lsec"
LIBS="${LIBS} -lsec"
fi fi
;; ;;
*-ccur-sysv4|*-ccur-sysvr4) *-ccur-sysv4|*-ccur-sysvr4)
@@ -653,14 +598,6 @@ case "$host" in
SUDO_LIBS="${SUDO_LIBS} -lgen -lsocket -lnsl" SUDO_LIBS="${SUDO_LIBS} -lgen -lsocket -lnsl"
LIB_SOCKET=1 LIB_SOCKET=1
LIB_NSL=1 LIB_NSL=1
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;; ;;
*-*-bsdi*) *-*-bsdi*)
# Use shlicc for BSD/OS 2.x unless asked to do otherwise # Use shlicc for BSD/OS 2.x unless asked to do otherwise
@@ -670,23 +607,10 @@ case "$host" in
ac_cv_prog_CC=shlicc ac_cv_prog_CC=shlicc
CC="$ac_cv_prog_CC" CC="$ac_cv_prog_CC"
fi fi
# This should always be true but why not be careful...
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_BSD(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_BSD"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;; ;;
*-*-*bsd*) *-*-*bsd*)
if test -z "$with_C2"; then if test "$CHECKSHADOW" = "true"; then
SUDO_CHECK_SHADOW_BSD(with_C2="yes") CHECKSHADOW="false"
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_BSD"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi fi
;; ;;
*-*-svr4*|*-*-sysv4*) *-*-svr4*|*-*-sysv4*)
@@ -694,85 +618,18 @@ case "$host" in
SUDO_LIBS="${SUDO_LIBS} -lsocket -lnsl" SUDO_LIBS="${SUDO_LIBS} -lsocket -lnsl"
LIB_SOCKET=1 LIB_SOCKET=1
LIB_NSL=1 LIB_NSL=1
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;;
*-*-sysv*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;;
*)
if test -z "$host"; then
echo "Unable to guess system type, you may need to specify on the command line."
fi
dnl
dnl Is this OS using shadow passwords?
dnl Just check the most common schemes.
dnl
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_GENERIC(with_C2="yes")
AC_MSG_CHECKING(for shadow passwords and type)
case "$SHADOW_TYPE" in
"SPW_SVR4")
echo "SVR4"
;;
"SPW_BSD")
echo "BSD"
;;
"SPW_SECUREWARE")
echo "SecureWare"
SUDO_LIBS="${SUDO_LIBS} -lprot -lx"
LIBS="${LIBS} -lprot -lx"
;;
"SPW_NONE")
echo "none"
esac
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;; ;;
esac esac
dnl dnl
dnl Guess shadow password type unless we already know it. dnl Check for shadow password routines if we have not already done so.
dnl This is used when the user specified --with-C2 option. dnl We check for SVR4-style first and then SecureWare-style.
dnl dnl
if test "$with_C2" = "yes" -a -z "$SHADOW_TYPE"; then if test "$CHECKSHADOW" = "true"; then
AC_CHECK_FUNC(getprpwuid, SHADOW_TYPE="SPW_SECUREWARE", [AC_CHECK_FUNC(getspnam, SHADOW_TYPE="SPW_SVR4", [test -f /etc/master.passwd && SHADOW_TYPE="SPW_BSD"])]) AC_CHECK_FUNC(getspnam, AC_DEFINE(HAVE_GETSPNAM) [CHECKSHADOW="false"])
AC_MSG_CHECKING(for shadow password type) fi
case "$SHADOW_TYPE" in if test "$CHECKSHADOW" = "true"; then
"SPW_SVR4") AC_CHECK_FUNC(getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"], AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"; SUDO_LIBS="${SUDO_LIBS} -lsec"], AC_CHECK_LIB(security, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"; SUDO_LIBS="${SUDO_LIBS} -lsecurity"], AC_CHECK_LIB(prot, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"; SUDO_LIBS="${SUDO_LIBS} -lprot"]))))
echo "SVR4"
;;
"SPW_BSD")
echo "BSD"
;;
"SPW_SECUREWARE")
echo "SecureWare"
SUDO_LIBS="${SUDO_LIBS} -lprot -lx"
LIBS="${LIBS} -lprot -lx"
;;
*)
SHADOW_TYPE="SPW_NONE"
echo "unknown"
echo "Unable to determine shadow passwd type, sudo may not be able to verify passwords"
;;
esac
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
elif test -z "$SHADOW_TYPE"; then
SHADOW_TYPE="SPW_NONE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi fi
dnl dnl
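Review bot: The new shadow option in the `@@ -53,6 +54,22 @@` hunk is registered as `AC_ARG_ENABLE(tgetpass,`, so `$enableval` there reflects --enable-tgetpass/--disable-tgetpass rather than the --enable-shadow/--disable-shadow switches its help text advertises. As written, `--disable-shadow` never sets `CHECKSHADOW="false"`, while `--disable-tgetpass` also turns off the shadow probes, which changes the password field sudo ends up verifying against. The first argument should be `AC_ARG_ENABLE(shadow,` and the warning should read `echo "Ignoring unknown argument to --enable-shadow: $enableval"`. Separately, the convex-bsd hunk probes `sec` for getprpwuid but links `-lprot`, which looks like it was meant to be `AC_CHECK_LIB(prot, getprpwuid, ...)`.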


@@ -52,27 +52,27 @@ static char rcsid[] = "$Id$";
#include <pwd.h> #include <pwd.h>
#include "sudo.h" #include "sudo.h"
#include <options.h> #include <options.h>
#if (SHADOW_TYPE != SPW_NONE) && (SHADOW_TYPE != SPW_BSD)
# if (SHADOW_TYPE == SPW_SVR4) /* Shadow password includes */
# include <shadow.h> #ifdef HAVE_GETSPNAM
# endif /* SVR4 */ # include <shadow.h>
# if (SHADOW_TYPE == SPW_SECUREWARE) #endif /* HAVE_GETSPNAM */
# ifdef __hpux #ifdef HAVE_GETPRPWUID
# include <hpsecurity.h> # ifdef __hpux
# else # include <hpsecurity.h>
# include <sys/security.h> # else
# endif /* __hpux */ # include <sys/security.h>
# include <prot.h> # endif /* __hpux */
# endif /* SECUREWARE */ # include <prot.h>
# if (SHADOW_TYPE == SPW_ULTRIX4) #endif /* HAVE_GETPRPWUID */
# include <auth.h> #ifdef HAVE_GETPWANAM
# endif /* ULTRIX4 */ # include <sys/label.h>
# if (SHADOW_TYPE == SPW_SUNOS4) # include <sys/audit.h>
# include <sys/label.h> # include <pwdadj.h>
# include <sys/audit.h> #endif /* HAVE_GETPWANAM */
# include <pwdadj.h> #ifdef HAVE_GETAUTHUID
# endif /* SUNOS4 */ # include <auth.h>
#endif /* SHADOW_TYPE != SPW_NONE && SHADOW_TYPE != SPW_BSD */ #endif /* HAVE_GETAUTHUID */
#ifndef STDC_HEADERS #ifndef STDC_HEADERS
#ifndef __GNUC__ /* gcc has its own malloc */ #ifndef __GNUC__ /* gcc has its own malloc */
@@ -87,16 +87,16 @@ extern char *strdup __P((const char *));
/* /*
* Global variables (yuck) * Global variables (yuck)
*/ */
#if (SHADOW_TYPE == SPW_SECUREWARE) && defined(__alpha) #if defined(HAVE_GETPRPWUID) && defined(__alpha)
uchar_t crypt_type; int crypt_type = -1;
#endif /* SPW_SECUREWARE && __alpha */ #endif /* HAVE_GETPRPWUID && __alpha */
/* /*
* Local functions not visible outside getspwuid.c * Local functions not visible outside getspwuid.c
*/ */
static char *sudo_getshell __P((struct passwd *)); static char *sudo_getshell __P((struct passwd *));
static char *sudo_getspwd __P((struct passwd *)); static char *sudo_getepw __P((struct passwd *));
@@ -128,78 +128,68 @@ static char *sudo_getshell(pw_ent)
/********************************************************************** /**********************************************************************
* *
* sudo_getspwd() * sudo_getepw()
* *
* This function returns the shadow password for the user described * This function returns the encrypted password for the user described
* by pw_ent. If there is no shadow password the normal UN*X password * by pw_ent. If there is a shadow password it is returned, else the
* is returned instead. * normal UN*X password is returned instead.
*/ */
static char *sudo_getspwd(pw_ent) static char *sudo_getepw(pw_ent)
struct passwd *pw_ent; struct passwd *pw_ent;
#if (SHADOW_TYPE != SPW_NONE) && (SHADOW_TYPE != SPW_BSD)
# if (SHADOW_TYPE == SPW_SVR4)
{ {
struct spwd *spw_ent; #ifdef HAVE_GETPRPWUID
{
struct pr_passwd *spw_ent;
if ((spw_ent = getspnam(pw_ent -> pw_name)) && spw_ent -> sp_pwdp) spw_ent = getprpwuid(pw_ent->pw_uid);
return(spw_ent -> sp_pwdp); if (spw_ent != NULL && spw_ent->ufld.fd_encrypt != NULL) {
else # ifdef __alpha
return(pw_ent -> pw_passwd); crypt_type = spw_ent -> ufld.fd_oldcrypt;
} # ifdef AUTH_CRYPT_C1CRYPT
# endif /* SVR4 */ if (crypt_type != AUTH_CRYPT_C1CRYPT)
# if (SHADOW_TYPE == SPW_HPUX9) # endif /* AUTH_CRYPT_C1CRYPT */
{ # endif /* __alpha */
struct s_passwd *spw_ent; return(spw_ent -> ufld.fd_encrypt);
}
}
#endif /* HAVE_GETPRPWUID */
#ifdef HAVE_GETSPNAM
{
struct spwd *spw_ent;
if ((spw_ent = getspwuid(pw_ent -> pw_uid)) && spw_ent -> pw_passwd) if ((spw_ent = getspnam(pw_ent -> pw_name)) && spw_ent -> sp_pwdp)
return(spw_ent -> pw_passwd); return(spw_ent -> sp_pwdp);
else }
return(pw_ent -> pw_passwd); #endif /* HAVE_GETSPNAM */
} #ifdef HAVE_GETSPWUID
# endif /* HPUX9 */ {
# if (SHADOW_TYPE == SPW_SUNOS4) struct s_passwd *spw_ent;
{
struct passwd_adjunct *spw_ent;
if ((spw_ent = getpwanam(pw_ent -> pw_name)) && spw_ent -> pwa_passwd) if ((spw_ent = getspwuid(pw_ent -> pw_uid)) && spw_ent -> pw_passwd)
return(spw_ent -> pwa_passwd); return(spw_ent -> pw_passwd);
else }
return(pw_ent -> pw_passwd); #endif /* HAVE_GETSPWUID */
} #ifdef HAVE_GETPWANAM
# endif /* SUNOS4 */ {
# if (SHADOW_TYPE == SPW_ULTRIX4) struct passwd_adjunct *spw_ent;
{
AUTHORIZATION *spw_ent;
if ((spw_ent = getauthuid(pw_ent -> pw_uid)) && spw_ent -> a_password) if ((spw_ent = getpwanam(pw_ent -> pw_name)) && spw_ent -> pwa_passwd)
return(spw_ent -> a_password); return(spw_ent -> pwa_passwd);
else }
return(pw_ent -> pw_passwd); #endif /* HAVE_GETPWANAM */
} #ifdef HAVE_GETAUTHUID
# endif /* ULTRIX4 */ {
# if (SHADOW_TYPE == SPW_SECUREWARE) AUTHORIZATION *spw_ent;
{
struct pr_passwd *spw_ent;
if ((spw_ent = getprpwuid(pw_ent->pw_uid)) && spw_ent->ufld.fd_encrypt) { if ((spw_ent = getauthuid(pw_ent -> pw_uid)) && spw_ent -> a_password)
# ifdef __alpha return(spw_ent -> a_password);
crypt_type = spw_ent -> ufld.fd_oldcrypt; }
# ifdef AUTH_CRYPT_C1CRYPT #endif /* HAVE_GETAUTHUID */
if (crypt_type == AUTH_CRYPT_C1CRYPT)
return(pw_ent -> pw_passwd); /* Fall back on normal passwd */
# endif /* AUTH_CRYPT_C1CRYPT */
# endif /* __alpha */
return(spw_ent -> ufld.fd_encrypt);
} else
return(pw_ent -> pw_passwd);
}
# endif /* SECUREWARE */
#else
{
return(pw_ent->pw_passwd); return(pw_ent->pw_passwd);
} }
#endif /* SHADOW_TYPE != SPW_NONE && SHADOW_TYPE != SPW_BSD */
/********************************************************************** /**********************************************************************
@@ -255,7 +245,7 @@ struct passwd *sudo_getpwuid(uid)
} }
/* pw_passwd gets a shadow password if applicable */ /* pw_passwd gets a shadow password if applicable */
local_pw_ent->pw_passwd = (char *) strdup(sudo_getspwd(pw_ent)); local_pw_ent->pw_passwd = (char *) strdup(sudo_getepw(pw_ent));
if (local_pw_ent->pw_passwd == NULL) { if (local_pw_ent->pw_passwd == NULL) {
perror("malloc"); perror("malloc");
(void) fprintf(stderr, "%s: cannot allocate memory!\n", Argv[0]); (void) fprintf(stderr, "%s: cannot allocate memory!\n", Argv[0]);
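Review bot: The final `return(pw_ent->pw_passwd);` in sudo_getepw() is now reached both when no shadow routine is compiled in and when a compiled-in lookup such as getspnam() or getprpwuid() returns no entry, and nothing records which case occurred. On a shadowed system the passwd field is presumably a placeholder, so a failed lookup would surface later as an ordinary password mismatch with no hint of the cause. The header comment should say so, and the fallback deserves a line such as `/* no shadow entry found (or lookup failed): use the passwd field, which may be a placeholder */`.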

15
sudo.c

@@ -83,14 +83,9 @@ static char rcsid[] = "$Id$";
#include <sys/param.h> #include <sys/param.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <netdb.h> #include <netdb.h>
#if (SHADOW_TYPE == SPW_SECUREWARE) #ifdef HAVE_GETPRPWUID
# ifdef __hpux #include <prot.h>
# include <hpsecurity.h> #endif /* HAVE_GETPRPWUID */
# else
# include <sys/security.h>
# endif /* __hpux */
# include <prot.h>
#endif /* SPW_SECUREWARE */
#ifdef HAVE_DCE #ifdef HAVE_DCE
#include <pthread.h> #include <pthread.h>
#endif /* HAVE_DCE */ #endif /* HAVE_DCE */
@@ -193,9 +188,9 @@ int main(argc, argv)
int sudo_mode = MODE_RUN; int sudo_mode = MODE_RUN;
extern char ** environ; extern char ** environ;
#if (SHADOW_TYPE == SPW_SECUREWARE) && defined(HAVE_SET_AUTH_PARAMETERS) #if defined(HAVE_GETPRPWUID) && defined(HAVE_SET_AUTH_PARAMETERS)
(void) set_auth_parameters(argc, argv); (void) set_auth_parameters(argc, argv);
#endif /* SPW_SECUREWARE */ #endif /* HAVE_GETPRPWUID && HAVE_SET_AUTH_PARAMETERS */
Argv = argv; Argv = argv;
Argc = argc; Argc = argc;
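Review bot: The `HAVE_GETPRPWUID` include block in the first hunk now pulls in only `<prot.h>`, while check.c and getspwuid.c in this same commit still include `<hpsecurity.h>` or `<sys/security.h>` ahead of it. If `<prot.h>` depends on declarations from those headers, this file stops compiling on SecureWare hosts, and main() still calls set_auth_parameters() under the same guard. Either keep the `# ifdef __hpux` / `# else` pair here as the other files do, or add a comment stating that `<prot.h>` is self-contained on every supported platform. The same reduction is made in the last file section of the commit, the one annotated `/* for AUTH_MAX_PASSWD_LENGTH */`.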


@@ -68,14 +68,9 @@ static char rcsid[] = "$Id$";
#include <sys/ioctl.h> #include <sys/ioctl.h>
#endif /* HAVE_TERMIO_H */ #endif /* HAVE_TERMIO_H */
#endif /* HAVE_TERMIOS_H */ #endif /* HAVE_TERMIOS_H */
#if (SHADOW_TYPE == SPW_SECUREWARE) #ifdef HAVE_GETPRPWUID
# ifdef __hpux #include <prot.h> /* for AUTH_MAX_PASSWD_LENGTH */
# include <hpsecurity.h> #endif /* HAVE_GETPRPWUID */
# else
# include <sys/security.h>
# endif /* __hpux */
# include <prot.h>
#endif /* SPW_SECUREWARE */
#include <pathnames.h> #include <pathnames.h>
#include "compat.h" #include "compat.h"