authorLuke Shumaker <lukeshu@sbcglobal.net>2016-06-17 22:29:02 -0400
committerLuke Shumaker <lukeshu@sbcglobal.net>2016-06-17 22:29:02 -0400
commit374539da4c9e1b4ea5ca889771ce89b27b119f48 (patch)
tree188ccdb1b2939850adaa655960a310274c885033
parentbdcbbb3d9d9c4d0d318bbd68d3fe39389d70bfe5 (diff)
PAM: don't trust AsRoot
-rw-r--r--go/parabola_hackers/nslcd_backend/db_pam.go10
1 files changed, 3 insertions, 7 deletions
diff --git a/go/parabola_hackers/nslcd_backend/db_pam.go b/go/parabola_hackers/nslcd_backend/db_pam.go
index 353fe5e..607c550 100644
--- a/go/parabola_hackers/nslcd_backend/db_pam.go
+++ b/go/parabola_hackers/nslcd_backend/db_pam.go
@@ -137,8 +137,9 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
user := o.users[uid]
// Check the OldPassword
- switch req.AsRoot {
- case 0: /* user password */
+ if req.AsRoot == 1 && cred.Uid == 0 {
+ // bypass the password check
+ } else {
if !checkPassword(req.OldPassword, user.Passwd.PwHash) {
ret <- p.PAM_PwMod{
Result: p.NSLCD_PAM_PERM_DENIED,
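Review bot: A non-root peer that sends AsRoot == 1 now drops silently into the `else` branch, and because the second hunk also removes the `default:` log line, nothing records a client asserting a privilege its credentials do not back. Logging that mismatch before the password check would keep an audit trail, e.g. `if req.AsRoot == 1 && cred.Uid != 0 { logger.Info("PwMod: AsRoot set by non-root uid %d", cred.Uid) }`; the root path that skips the OldPassword check deserves a log line of its own for the same reason. The empty `if` body would read more directly as a negated guard, `if !(req.AsRoot == 1 && cred.Uid == 0) {`, with a comment stating that only a uid 0 peer may skip the check. PAM_PwMod starts and ends outside this hunk, so where `cred` comes from is not visible here; the check is only as strong as that source, presumably kernel-supplied peer credentials of the socket, which is worth confirming.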
@@ -146,11 +147,6 @@ func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_
}
return
}
- case 1: /* root password */
- // do nothing
- default:
- logger.Info("Invalid AsRoot value in PwMod request: %d", req.AsRoot)
- return
}
// Update the PwHash in memory