mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-31 14:25:15 +00:00
Code Issues Releases Wiki Activity

new shadow password scheme. Always include shadow support if the

Browse Source 
platform supports it and the user did not disable it via configure
This commit is contained in:
Todd C. Miller
1998-09-21 04:00:56 +00:00
parent 2de38e16c3
commit 1c66c857e4
8 changed files with 195 additions and 479 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
aclocal.m4 vendored
View File

@@ -147,99 +147,6 @@ else
fi
])dnl
dnl
dnl check for shadow passwords
dnl NOTE: not verbose
dnl
AC_DEFUN(SUDO_CHECK_SHADOW_GENERIC, [
if test -z "$SHADOW_TYPE" -a -d /tcb/files/auth; then
AC_CHECK_FUNC(getprpwuid, SHADOW_TYPE="SPW_SECUREWARE")
fi
if test -z "$SHADOW_TYPE" -a -s /etc/shadow; then
AC_CHECK_FUNC(getspnam, SHADOW_TYPE="SPW_SVR4")
fi
if test -z "$SHADOW_TYPE" -a -s /etc/master.passwd; then
SHADOW_TYPE="SPW_BSD"
fi
if test -z "$SHADOW_TYPE"; then
SHADOW_TYPE="SPW_NONE"
$2
else
$1
fi
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
])
AC_DEFUN(SUDO_CHECK_SHADOW_SUNOS4, [AC_MSG_CHECKING(for shadow passwords)
if test -s /etc/security/passwd.adjunct; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_ULTRIX4, [AC_MSG_CHECKING(for shadow passwords)
if test -s /etc/auth.pag; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_BSD, [AC_MSG_CHECKING(for shadow passwords)
if test -s /etc/master.passwd; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_HPUX9, [AC_MSG_CHECKING(for shadow passwords)
if test -s /.secure/etc/passwd; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_SVR4, [AC_MSG_CHECKING(for shadow passwords)
if test -s /etc/shadow; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_SECUREWARE, [AC_MSG_CHECKING(for shadow passwords)
if test -d /tcb/files/auth; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
AC_DEFUN(SUDO_CHECK_SHADOW_DUNIX, [AC_MSG_CHECKING(for shadow passwords)
if test "`. /etc/rc.config ; echo $SECURITY`" = "ENHANCED"; then
AC_MSG_RESULT(yes)
[$1]
else
AC_MSG_RESULT(no)
[$2]
fi
])
dnl
dnl
dnl check for fullly working void

46
check.c
View File

@@ -67,14 +67,14 @@ static char rcsid[] = "$Id$";
#include <options.h>
#include "insults.h"
#include "version.h"
#if (SHADOW_TYPE == SPW_SECUREWARE)
#ifdef HAVE_GETPRPWUID
# ifdef __hpux
# include <hpsecurity.h>
# else
# include <sys/security.h>
# endif /* __hpux */
# include <prot.h>
#endif /* SPW_SECUREWARE */
#endif /* HAVE_GETPRPWUID */
#ifdef HAVE_KERB4
# include <krb.h>
#endif /* HAVE_KERB4 */
@@ -141,9 +141,9 @@ struct skey skey;
#ifdef HAVE_OPIE
struct opie opie;
#endif
#if (SHADOW_TYPE == SPW_SECUREWARE) && defined(__alpha)
extern uchar_t crypt_type;
#endif /* SPW_SECUREWARE && __alpha */
#if defined(HAVE_GETPRPWUID) && defined(__alpha)
extern int crypt_type;
#endif /* HAVE_GETPRPWUID && __alpha */
@@ -585,42 +585,44 @@ static void check_passwd()
/*
* If we use shadow passwords with a different crypt(3)
* check that here, else use standard crypt(3).
* XXX - break out into separate functions.
*/
# if (SHADOW_TYPE != SPW_NONE) && (SHADOW_TYPE != SPW_BSD)
# if (SHADOW_TYPE == SPW_ULTRIX4)
# ifdef HAVE_GETAUTHUID
if (!strcmp(user_passwd, (char *) crypt16(pass, user_passwd)))
return; /* if the passwd is correct return() */
# endif /* ULTRIX4 */
# if (SHADOW_TYPE == SPW_SECUREWARE) && !defined(__alpha)
# endif /* HAVE_GETAUTHUID */
# ifdef HAVE_GETPRPWUID
# ifndef __alpha
# ifdef HAVE_BIGCRYPT
if (strcmp(user_passwd, (char *) bigcrypt(pass, user_passwd)) == 0)
return; /* if the passwd is correct return() */
# else
if (strcmp(user_passwd, crypt(pass, user_passwd)) == 0)
return; /* if the passwd is correct return() */
# endif /* HAVE_BIGCRYPT */
# endif /* SECUREWARE && !__alpha */
# if (SHADOW_TYPE == SPW_SECUREWARE) && defined(__alpha)
if (crypt_type == AUTH_CRYPT_BIGCRYPT) {
# else /* !__alpha */
switch (crypt_type) {
case AUTH_CRYPT_BIGCRYPT:
if (!strcmp(user_passwd, bigcrypt(pass, user_passwd)))
return; /* if the passwd is correct return() */
} else if (crypt_type == AUTH_CRYPT_CRYPT16) {
break;
case AUTH_CRYPT_CRYPT16:
if (!strcmp(user_passwd, crypt16(pass, user_passwd)))
return; /* if the passwd is correct return() */
break;
# ifdef AUTH_CRYPT_OLDCRYPT
} else if (crypt_type == AUTH_CRYPT_OLDCRYPT ||
crypt_type == AUTH_CRYPT_C1CRYPT) {
case AUTH_CRYPT_OLDCRYPT:
case AUTH_CRYPT_C1CRYPT:
# endif
case -1:
if (!strcmp(user_passwd, crypt(pass, user_passwd)))
return; /* if the passwd is correct return() */
# endif
} else {
break;
default:
(void) fprintf(stderr,
"%s: Sorry, I don't know how to deal with crypt type %d.\n",
Argv[0], crypt_type);
exit(1);
}
# endif /* SECUREWARE && __alpha */
# endif /* SHADOW_TYPE != SPW_NONE && SHADOW_TYPE != SPW_BSD */
# endif /* __alpha */
# endif /* HAVE_GETPRPWUID */
/* Normal UN*X password check */
if (!strcmp(user_passwd, (char *) crypt(pass, user_passwd)))

4
compat.h
View File

@@ -100,7 +100,7 @@
# undef _PASSWD_LEN
# define _PASSWD_LEN 256
#else
# if (SHADOW_TYPE == SPW_SECUREWARE)
# ifdef HAVE_GETPRPWUID
# undef _PASSWD_LEN
# define _PASSWD_LEN AUTH_MAX_PASSWD_LENGTH
# else
@@ -116,7 +116,7 @@
# endif /* PASS_MAX */
# endif /* !_PASSWD_LEN */
# endif /* HAVE_KERB4 || HAVE_AFS || HAVE_DCE || HAVE_SKEY || HAVE_OPIE */
#endif /* SPW_SECUREWARE */
#endif /* HAVE_GETPRPWUID */
/*
* Some OS's lack these

60
config.h.in
View File

@@ -201,6 +201,21 @@
/* Define if you have set_auth_parameters(3). */
#undef HAVE_SET_AUTH_PARAMETERS
/* Define if you have getspnam(3). [SVR4-style shadow passwords] */
#undef HAVE_GETSPNAM
/* Define if you have getprpwuid(3). [SecureWare-style shadow passwords] */
#undef HAVE_GETPRPWUID
/* Define if you have getspwuid(3). [HP-UX <= 9.X shadow passwords] */
#undef HAVE_GETSPWUID
/* Define if you have getpwanam(3). [SunOS 4.x shadow passwords] */
#undef HAVE_GETPWANAM
/* Define if you have getauthuid(3). [ULTRIX 4.x shadow passwords] */
#undef HAVE_GETAUTHUID
/* Define if you have seteuid(3). */
#undef HAVE_SETEUID
@@ -265,18 +280,6 @@
/* Define if your struct sockadr has an sa_len field. */
#undef HAVE_SA_LEN
/* Supported shadow password types */
#define SPW_NONE 0x00
#define SPW_SECUREWARE 0x01
#define SPW_HPUX9 0x02
#define SPW_SUNOS4 0x03
#define SPW_SVR4 0x04
#define SPW_ULTRIX4 0x05
#define SPW_BSD 0x06
/* Define to the variety of shadow passwords supported on your OS */
#undef SHADOW_TYPE
/* Define to void if your C compiler fully groks void, else char */
#undef VOID
@@ -303,36 +306,3 @@
/* Define if you want the log file line to be wrapped */
#undef WRAP_LOG
/*
* Paths to commands used by sudo. There are used by pathnames.h.
* If you want to override these values, do so in pathnames.h, not here!
*/
#ifndef _CONFIG_PATH_SENDMAIL
#undef _CONFIG_PATH_SENDMAIL
#endif /* _CONFIG_PATH_SENDMAIL */
#ifndef _CONFIG_PATH_VI
#undef _CONFIG_PATH_VI
#endif /* _CONFIG_PATH_VI */
#ifndef _CONFIG_PATH_PWD
#undef _CONFIG_PATH_PWD
#endif /* _CONFIG_PATH_PWD */
#ifndef _CONFIG_PATH_MV
#undef _CONFIG_PATH_MV
#endif /* _CONFIG_PATH_MV */
#ifndef _CONFIG_PATH_BSHELL
#undef _CONFIG_PATH_BSHELL
#endif /* _CONFIG_PATH_BSHELL */
#ifndef _CONFIG_PATH_LOGFILE
#undef _CONFIG_PATH_LOGFILE
#endif /* _CONFIG_PATH_LOGFILE */
#ifndef _CONFIG_PATH_TIMEDIR
#undef _CONFIG_PATH_TIMEDIR
#endif /* _CONFIG_PATH_TIMEDIR */

265
configure.in
View File

@@ -40,6 +40,7 @@ MANTYPE="man"
AC_SUBST(MANTYPE)dnl
MAN_POSTINSTALL=""
AC_SUBST(MAN_POSTINSTALL)dnl
CHECKSHADOW="true"
dnl
dnl Override default configure dirs...
@@ -53,6 +54,22 @@ dnl
dnl Options for --enable
dnl
AC_MSG_CHECKING(whether to disable shadow password support)
AC_ARG_ENABLE(tgetpass,
[ --enable-shadow Use shadow passwords if they exist (default)
--disable-shadow Never use shadow passwords],
[ case "$enableval" in
yes) AC_MSG_RESULT(no)
;;
no) AC_MSG_RESULT(yes)
CHECKSHADOW="false"
;;
*) AC_MSG_RESULT(no)
echo "Ignoring unknown argument to --enable-tgetpass: $enableval"
;;
esac
], AC_MSG_RESULT(no))
AC_MSG_CHECKING(whether to use the system getpass function)
AC_ARG_ENABLE(tgetpass,
[ --enable-tgetpass Use sudo's getpass() that times out (default)
@@ -376,24 +393,13 @@ case "$host" in
# getcwd(3) opens a pipe to getpwd(1)!?!
BROKEN_GETCWD=1
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SUNOS4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SUNOS4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
# check for password adjunct functions (shadow passwords)
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_FUNCS(getpwanam)
CHECKSHADOW="false"
fi
;;
*-*-solaris2*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" != "no"; then
with_C2="yes"
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
# AFS support needs -lucb
if test "$with_AFS" = "yes"; then
AFS_LIBS="-lc -lucb"
@@ -404,8 +410,9 @@ case "$host" in
SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-bI:\$(srcdir)/aixcrypt.exp"
;;
*-*-hiuxmpp*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes")
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsec"], AC_CHECK_LIB(security, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsecurity"]))
CHECKSHADOW="false"
fi
;;
*-*-hpux1[[0-9]]*)
@@ -413,14 +420,9 @@ case "$host" in
# (XXX - should be an option to configure)
#STATIC_SUDO=true
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SECUREWARE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
SUDO_LIBS="${SUDO_LIBS} -lsec"
LIBS="${LIBS} -lsec"
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsec"])
CHECKSHADOW="false"
fi
if test -n "$STATIC_SUDO"; then
@@ -452,12 +454,9 @@ case "$host" in
AC_DEFINE(BROKEN_SYSLOG)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_HPUX9(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_HPUX9"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_FUNCS(getspwuid)
CHECKSHADOW="false"
fi
if test -n "$STATIC_SUDO"; then
@@ -508,26 +507,12 @@ case "$host" in
# ignore envariables wrt dynamic lib path
SUDO_LDFLAGS="${SUDO_LDFLAGS} -Wl,-no_library_replacement"
# C2 security stuff
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_DUNIX(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SUDO_LIBS="${SUDO_LIBS} -lsecurity -laud"
LIBS="${LIBS} -lsecurity -laud"
SHADOW_TYPE="SPW_SECUREWARE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_LIB(security, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lsecurity"])
CHECKSHADOW="false"
fi
;;
*-*-irix*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
# configure may not think irix has stdc headers
# but it's good enough for sudo
AC_DEFINE(STDC_HEADERS)
@@ -547,16 +532,10 @@ case "$host" in
fi
;;
*-*-linux*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
OSDEFS="${OSDEFS} -DSHADOW_PWD"
AC_CHECK_FUNC(getspnam, ,
SUDO_LIBS="${SUDO_LIBS} -lshadow"
LIBS="${LIBS} -lshadow")
# Some Linux versions need to link with -lshadow
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_FUNC(getspnam, AC_DEFINE(HAVE_GETSPNAM), AC_CHECK_LIB(shadow, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lshadow"]))
CHECKSHADOW="false"
fi
;;
*-convex-bsd*)
@@ -565,38 +544,19 @@ case "$host" in
CFLAGS="${CFLAGS} -D__STDC__"
fi
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
OSDEFS="${OSDEFS} -D_AUDIT -D_ACL -DSecureWare"
SUDO_LIBS="${SUDO_LIBS} -lprot"
LIBS="${LIBS} -lprot"
SHADOW_TYPE="SPW_SECUREWARE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lprot"; OSDEFS="${OSDEFS} -D_AUDIT -D_ACL -DSecureWare"])
CHECKSHADOW="false"
fi
;;
*-*-ultrix*)
OS="ultrix"
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_ULTRIX4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SUDO_LIBS="${SUDO_LIBS} -lauth"
LIBS="${LIBS} -lauth"
SHADOW_TYPE="SPW_ULTRIX4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_LIB(auth, getauthuid, AC_DEFINE(HAVE_GETAUTHUID) [SUDO_LIBS="${SUDO_LIBS} -lauth"])
CHECKSHADOW="false"
fi
;;
*-*-riscos*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
SUDO_LIBS="${SUDO_LIBS} -lsun -lbsd"
LIBS="${LIBS} -lsun -lbsd"
CPPFLAGS="${CPPFLAGS} -I/usr/include -I/usr/include/bsd"
@@ -608,25 +568,15 @@ case "$host" in
SUDO_LIBS="${SUDO_LIBS} -lcrypt"
LIBS="${LIBS} -lcrypt"
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SUDO_LIBS="${SUDO_LIBS} -lsec"
LIBS="${LIBS} -lsec"
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_LIB(sec, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lsec"])
CHECKSHADOW="false"
fi
;;
*-*-sco*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SECUREWARE(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SECUREWARE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
SUDO_LIBS="${SUDO_LIBS} -lprot -lx"
LIBS="${LIBS} -lprot -lx"
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_LIB(prot, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [SUDO_LIBS="${SUDO_LIBS} -lprot -lx"])
CHECKSHADOW="false"
fi
;;
*-*-unicos*)
@@ -638,14 +588,9 @@ case "$host" in
# we don't want -linet
LIB_INET=0
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
SUDO_LIBS="${SUDO_LIBS} -lsec"
LIBS="${LIBS} -lsec"
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_LIB(sec, getspnam, AC_DEFINE(HAVE_GETSPNAM) [SUDO_LIBS="${SUDO_LIBS} -lsec"])
CHECKSHADOW="false"
fi
;;
*-ccur-sysv4|*-ccur-sysvr4)
@@ -653,14 +598,6 @@ case "$host" in
SUDO_LIBS="${SUDO_LIBS} -lgen -lsocket -lnsl"
LIB_SOCKET=1
LIB_NSL=1
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;;
*-*-bsdi*)
# Use shlicc for BSD/OS 2.x unless asked to do otherwise
@@ -670,23 +607,10 @@ case "$host" in
ac_cv_prog_CC=shlicc
CC="$ac_cv_prog_CC"
fi
# This should always be true but why not be careful...
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_BSD(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_BSD"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;;
*-*-*bsd*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_BSD(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_BSD"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
if test "$CHECKSHADOW" = "true"; then
CHECKSHADOW="false"
fi
;;
*-*-svr4*|*-*-sysv4*)
@@ -694,85 +618,18 @@ case "$host" in
SUDO_LIBS="${SUDO_LIBS} -lsocket -lnsl"
LIB_SOCKET=1
LIB_NSL=1
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;;
*-*-sysv*)
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_SVR4(with_C2="yes")
fi
if test "$with_C2" = "yes"; then
SHADOW_TYPE="SPW_SVR4"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;;
*)
if test -z "$host"; then
echo "Unable to guess system type, you may need to specify on the command line."
fi
dnl
dnl Is this OS using shadow passwords?
dnl Just check the most common schemes.
dnl
if test -z "$with_C2"; then
SUDO_CHECK_SHADOW_GENERIC(with_C2="yes")
AC_MSG_CHECKING(for shadow passwords and type)
case "$SHADOW_TYPE" in
"SPW_SVR4")
echo "SVR4"
;;
"SPW_BSD")
echo "BSD"
;;
"SPW_SECUREWARE")
echo "SecureWare"
SUDO_LIBS="${SUDO_LIBS} -lprot -lx"
LIBS="${LIBS} -lprot -lx"
;;
"SPW_NONE")
echo "none"
esac
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
fi
;;
esac
dnl
dnl Guess shadow password type unless we already know it.
dnl This is used when the user specified --with-C2 option.
dnl Check for shadow password routines if we have not already done so.
dnl We check for SVR4-style first and then SecureWare-style.
dnl
if test "$with_C2" = "yes" -a -z "$SHADOW_TYPE"; then
AC_CHECK_FUNC(getprpwuid, SHADOW_TYPE="SPW_SECUREWARE", [AC_CHECK_FUNC(getspnam, SHADOW_TYPE="SPW_SVR4", [test -f /etc/master.passwd && SHADOW_TYPE="SPW_BSD"])])
AC_MSG_CHECKING(for shadow password type)
case "$SHADOW_TYPE" in
"SPW_SVR4")
echo "SVR4"
;;
"SPW_BSD")
echo "BSD"
;;
"SPW_SECUREWARE")
echo "SecureWare"
SUDO_LIBS="${SUDO_LIBS} -lprot -lx"
LIBS="${LIBS} -lprot -lx"
;;
*)
SHADOW_TYPE="SPW_NONE"
echo "unknown"
echo "Unable to determine shadow passwd type, sudo may not be able to verify passwords"
;;
esac
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
elif test -z "$SHADOW_TYPE"; then
SHADOW_TYPE="SPW_NONE"
AC_DEFINE_UNQUOTED(SHADOW_TYPE, $SHADOW_TYPE)
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_FUNC(getspnam, AC_DEFINE(HAVE_GETSPNAM) [CHECKSHADOW="false"])
fi
if test "$CHECKSHADOW" = "true"; then
AC_CHECK_FUNC(getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"], AC_CHECK_LIB(sec, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"; SUDO_LIBS="${SUDO_LIBS} -lsec"], AC_CHECK_LIB(security, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"; SUDO_LIBS="${SUDO_LIBS} -lsecurity"], AC_CHECK_LIB(prot, getprpwuid, AC_DEFINE(HAVE_GETPRPWUID) [CHECKSHADOW="false"; SUDO_LIBS="${SUDO_LIBS} -lprot"]))))
fi
dnl

104
getspwuid.c
View File

@@ -52,27 +52,27 @@ static char rcsid[] = "$Id$";
#include <pwd.h>
#include "sudo.h"
#include <options.h>
#if (SHADOW_TYPE != SPW_NONE) && (SHADOW_TYPE != SPW_BSD)
# if (SHADOW_TYPE == SPW_SVR4)
/* Shadow password includes */
#ifdef HAVE_GETSPNAM
# include <shadow.h>
# endif /* SVR4 */
# if (SHADOW_TYPE == SPW_SECUREWARE)
#endif /* HAVE_GETSPNAM */
#ifdef HAVE_GETPRPWUID
# ifdef __hpux
# include <hpsecurity.h>
# else
# include <sys/security.h>
# endif /* __hpux */
# include <prot.h>
# endif /* SECUREWARE */
# if (SHADOW_TYPE == SPW_ULTRIX4)
# include <auth.h>
# endif /* ULTRIX4 */
# if (SHADOW_TYPE == SPW_SUNOS4)
#endif /* HAVE_GETPRPWUID */
#ifdef HAVE_GETPWANAM
# include <sys/label.h>
# include <sys/audit.h>
# include <pwdadj.h>
# endif /* SUNOS4 */
#endif /* SHADOW_TYPE != SPW_NONE && SHADOW_TYPE != SPW_BSD */
#endif /* HAVE_GETPWANAM */
#ifdef HAVE_GETAUTHUID
# include <auth.h>
#endif /* HAVE_GETAUTHUID */
#ifndef STDC_HEADERS
#ifndef __GNUC__ /* gcc has its own malloc */
@@ -87,16 +87,16 @@ extern char *strdup __P((const char *));
/*
* Global variables (yuck)
*/
#if (SHADOW_TYPE == SPW_SECUREWARE) && defined(__alpha)
uchar_t crypt_type;
#endif /* SPW_SECUREWARE && __alpha */
#if defined(HAVE_GETPRPWUID) && defined(__alpha)
int crypt_type = -1;
#endif /* HAVE_GETPRPWUID && __alpha */
/*
* Local functions not visible outside getspwuid.c
*/
static char *sudo_getshell __P((struct passwd *));
static char *sudo_getspwd __P((struct passwd *));
static char *sudo_getepw __P((struct passwd *));
@@ -128,78 +128,68 @@ static char *sudo_getshell(pw_ent)
/**********************************************************************
*
* sudo_getspwd()
* sudo_getepw()
*
* This function returns the shadow password for the user described
* by pw_ent. If there is no shadow password the normal UN*X password
* is returned instead.
* This function returns the encrypted password for the user described
* by pw_ent. If there is a shadow password it is returned, else the
* normal UN*X password is returned instead.
*/
static char *sudo_getspwd(pw_ent)
static char *sudo_getepw(pw_ent)
struct passwd *pw_ent;
#if (SHADOW_TYPE != SPW_NONE) && (SHADOW_TYPE != SPW_BSD)
# if (SHADOW_TYPE == SPW_SVR4)
{
#ifdef HAVE_GETPRPWUID
{
struct pr_passwd *spw_ent;
spw_ent = getprpwuid(pw_ent->pw_uid);
if (spw_ent != NULL && spw_ent->ufld.fd_encrypt != NULL) {
# ifdef __alpha
crypt_type = spw_ent -> ufld.fd_oldcrypt;
# ifdef AUTH_CRYPT_C1CRYPT
if (crypt_type != AUTH_CRYPT_C1CRYPT)
# endif /* AUTH_CRYPT_C1CRYPT */
# endif /* __alpha */
return(spw_ent -> ufld.fd_encrypt);
}
}
#endif /* HAVE_GETPRPWUID */
#ifdef HAVE_GETSPNAM
{
struct spwd *spw_ent;
if ((spw_ent = getspnam(pw_ent -> pw_name)) && spw_ent -> sp_pwdp)
return(spw_ent -> sp_pwdp);
else
return(pw_ent -> pw_passwd);
}
# endif /* SVR4 */
# if (SHADOW_TYPE == SPW_HPUX9)
#endif /* HAVE_GETSPNAM */
#ifdef HAVE_GETSPWUID
{
struct s_passwd *spw_ent;
if ((spw_ent = getspwuid(pw_ent -> pw_uid)) && spw_ent -> pw_passwd)
return(spw_ent -> pw_passwd);
else
return(pw_ent -> pw_passwd);
}
# endif /* HPUX9 */
# if (SHADOW_TYPE == SPW_SUNOS4)
#endif /* HAVE_GETSPWUID */
#ifdef HAVE_GETPWANAM
{
struct passwd_adjunct *spw_ent;
if ((spw_ent = getpwanam(pw_ent -> pw_name)) && spw_ent -> pwa_passwd)
return(spw_ent -> pwa_passwd);
else
return(pw_ent -> pw_passwd);
}
# endif /* SUNOS4 */
# if (SHADOW_TYPE == SPW_ULTRIX4)
#endif /* HAVE_GETPWANAM */
#ifdef HAVE_GETAUTHUID
{
AUTHORIZATION *spw_ent;
if ((spw_ent = getauthuid(pw_ent -> pw_uid)) && spw_ent -> a_password)
return(spw_ent -> a_password);
else
return(pw_ent -> pw_passwd);
}
# endif /* ULTRIX4 */
# if (SHADOW_TYPE == SPW_SECUREWARE)
{
struct pr_passwd *spw_ent;
#endif /* HAVE_GETAUTHUID */
if ((spw_ent = getprpwuid(pw_ent->pw_uid)) && spw_ent->ufld.fd_encrypt) {
# ifdef __alpha
crypt_type = spw_ent -> ufld.fd_oldcrypt;
# ifdef AUTH_CRYPT_C1CRYPT
if (crypt_type == AUTH_CRYPT_C1CRYPT)
return(pw_ent -> pw_passwd);
# endif /* AUTH_CRYPT_C1CRYPT */
# endif /* __alpha */
return(spw_ent -> ufld.fd_encrypt);
} else
/* Fall back on normal passwd */
return(pw_ent->pw_passwd);
}
# endif /* SECUREWARE */
#else
{
return(pw_ent->pw_passwd);
}
#endif /* SHADOW_TYPE != SPW_NONE && SHADOW_TYPE != SPW_BSD */
/**********************************************************************
@@ -255,7 +245,7 @@ struct passwd *sudo_getpwuid(uid)
}
/* pw_passwd gets a shadow password if applicable */
local_pw_ent->pw_passwd = (char *) strdup(sudo_getspwd(pw_ent));
local_pw_ent->pw_passwd = (char *) strdup(sudo_getepw(pw_ent));
if (local_pw_ent->pw_passwd == NULL) {
perror("malloc");
(void) fprintf(stderr, "%s: cannot allocate memory!\n", Argv[0]);

13
sudo.c
View File

@@ -83,14 +83,9 @@ static char rcsid[] = "$Id$";
#include <sys/param.h>
#include <netinet/in.h>
#include <netdb.h>
#if (SHADOW_TYPE == SPW_SECUREWARE)
# ifdef __hpux
# include <hpsecurity.h>
# else
# include <sys/security.h>
# endif /* __hpux */
#ifdef HAVE_GETPRPWUID
#include <prot.h>
#endif /* SPW_SECUREWARE */
#endif /* HAVE_GETPRPWUID */
#ifdef HAVE_DCE
#include <pthread.h>
#endif /* HAVE_DCE */
@@ -193,9 +188,9 @@ int main(argc, argv)
int sudo_mode = MODE_RUN;
extern char ** environ;
#if (SHADOW_TYPE == SPW_SECUREWARE) && defined(HAVE_SET_AUTH_PARAMETERS)
#if defined(HAVE_GETPRPWUID) && defined(HAVE_SET_AUTH_PARAMETERS)
(void) set_auth_parameters(argc, argv);
#endif /* SPW_SECUREWARE */
#endif /* HAVE_GETPRPWUID && HAVE_SET_AUTH_PARAMETERS */
Argv = argv;
Argc = argc;

11
tgetpass.c
View File

@@ -68,14 +68,9 @@ static char rcsid[] = "$Id$";
#include <sys/ioctl.h>
#endif /* HAVE_TERMIO_H */
#endif /* HAVE_TERMIOS_H */
#if (SHADOW_TYPE == SPW_SECUREWARE)
# ifdef __hpux
# include <hpsecurity.h>
# else
# include <sys/security.h>
# endif /* __hpux */
# include <prot.h>
#endif /* SPW_SECUREWARE */
#ifdef HAVE_GETPRPWUID
#include <prot.h> /* for AUTH_MAX_PASSWD_LENGTH */
#endif /* HAVE_GETPRPWUID */
#include <pathnames.h>
#include "compat.h"