[Pkg-shadow-devel] passwd: Drop root privileges if changing passwort of non-local user
Lukas Grässlin
lukas.graesslin at collax.com
Mon Sep 19 09:05:45 UTC 2011
Hi there,
I ran into following problem:
I am using the slapo-ppolicy overlay for openldap (where I store my
users) for password policies.
The problem when chaning passwords with 'passwd' is that the policies
are not enforced since 'passwd' is running as root. (setuid root)
My first 'solution' was to remove the 'rootbinddn' line from my
ldap.conf but that is _not_ the correct solution as it causes some other
problems.
So I thought the coolest would be that passwd drops its root privileges
if it is changing the passwort of an ldap user. (= a user which does not
exist in /etc/passwd).
So I hacked this into passwd.c:
----------------------------8<------------------------------
if (!spw_lock ()) {
fputs (_("Cannot lock the password file; try again later.\n"),
stderr);
SYSLOG ((LOG_WARN, "can't lock password file"));
exit (E_PWDBUSY);
}
if (!spw_open (O_RDONLY)) {
fputs (_("Cannot open the password file.\n"), stderr);
SYSLOG ((LOG_ERR, "can't open password file"));
fail_exit (E_FAILURE);
}
const struct spwd *sp = spw_locate(name);
if (sp == NULL) {
if (seteuid(getuid()) != 0) {
fputs (_("Cannot drop root privileges.\n"), stderr);
SYSLOG ((LOG_ERR, "Cannot drop root privileges"));
}
}
spw_close();
spw_unlock();
--------------------------->8-------------------------------
It checks with 'spw_locate(name)' if the user exists in /etc/passwd. If
not (= return null) it sets the euid to the uid. (which is the uid of
the user).
Therefore the policies are enforced for the users without any side
effects. Also root can still change every password without knowing the
old. (this was the problem when removing the 'roobtbinddn' from ldap.conf)
What do you think about that?
--
Lukas Grässlin
Software Developer
Collax GmbH . Basler Str. 115a . 79115 Freiburg . Germany
p: +49 (0) 89-990 157-23
Collax - Flexible IT.
Geschäftsführer: Bernd Bönte, Boris Nalbach
Amtsgericht München, HRB 173695
USt-ID: DE270819312
More information about the Pkg-shadow-devel
mailing list