logo

etc_portage

Unnamed repository; edit this file 'description' to name the repository. git clone https://hacktivis.me/git/etc_portage.git

0002-su-login-Introduce-PREVENT_NO_AUTH.patch (2939B)

    

  1. From b52ef69b3b8442a77eeb18b7bf8f9b47148d6c34 Mon Sep 17 00:00:00 2001

  2. From: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>

  3. Date: Mon, 15 Mar 2021 10:25:50 +0100

  4. Subject: [PATCH 2/2] su & login: Introduce PREVENT_NO_AUTH

  5. 

  6. ---

  7.  etc/login.defs |  9 +++++++++

  8.  lib/getdef.c   |  1 +

  9.  src/login.c    | 13 +++++++++++--

  10.  src/su.c       | 20 +++++++++++++++-----

  11.  4 files changed, 36 insertions(+), 7 deletions(-)

  12. 

  13. diff --git a/etc/login.defs b/etc/login.defs

  14. index a2f8cd50..f6b613a1 100644

  15. --- a/etc/login.defs

  16. +++ b/etc/login.defs

  17. @@ -428,3 +428,12 @@ USERGROUPS_ENAB yes

  18.  # missing.

  19.  #

  20.  #FORCE_SHADOW    yes

  21. +

  22. +#

  23. +# Prevents an empty password field to be interpreted as "no authentication

  24. +# required".

  25. +# Set to "yes" to prevent for all accounts

  26. +# Set to "superuser" to prevent for UID 0 / root (default)

  27. +# Set to "no" to not prevent for any account (dangerous, historical default)

  28. +

  29. +PREVENT_NO_AUTH yes

  30. diff --git a/lib/getdef.c b/lib/getdef.c

  31. index 00f6abfe..d25d13f4 100644

  32. --- a/lib/getdef.c

  33. +++ b/lib/getdef.c

  34. @@ -149,6 +149,7 @@ static struct itemdef def_table[] = {

  35.  	{"USE_TCB", NULL},

  36.  #endif

  37.  	{"FORCE_SHADOW", NULL},

  38. +	{"PREVENT_NO_AUTH", NULL},

  39.  	{NULL, NULL}

  40.  };

  41.  

  42. diff --git a/src/login.c b/src/login.c

  43. index 0c0b5c86..be84a884 100644

  44. --- a/src/login.c

  45. +++ b/src/login.c

  46. @@ -978,9 +978,18 @@ int main (int argc, char **argv)

  47.  			    || ('*' == user_passwd[0])) {

  48.  				failed = true;

  49.  			}

  50. -			/* Treat empty password field as invalid */

  51. +

  52.  			if (strcmp (user_passwd, "") == 0) {

  53. -				failed = true;

  54. +				char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");

  55. +				if(prevent_no_auth == NULL) {

  56. +					prevent_no_auth = "superuser";

  57. +				}

  58. +				if(strcmp(prevent_no_auth, "yes") == 0) {

  59. +					failed = true;

  60. +				} else if( (pwd->pw_uid == 0)

  61. +					&& (strcmp(prevent_no_auth, "superuser") == 0)) {

  62. +					failed = true;

  63. +				}

  64.  			}

  65.  		}

  66.  

  67. diff --git a/src/su.c b/src/su.c

  68. index 638f533f..9cae4b2f 100644

  69. --- a/src/su.c

  70. +++ b/src/su.c

  71. @@ -499,15 +499,25 @@ static void check_perms_nopam (const struct passwd *pw)

  72.  	/*@observer@*/const char *password = pw->pw_passwd;

  73.  	RETSIGTYPE (*oldsig) (int);

  74.  

  75. -	if (strcmp (pw->pw_passwd, "") == 0) {

  76. -		fprintf(stderr, _("Password field is empty, this is invalid.\n"));

  77. -		exit(1);

  78. -	}

  79. -

  80.  	if (caller_is_root) {

  81.  		return;

  82.  	}

  83.  

  84. +	if (strcmp (pw->pw_passwd, "") == 0) {

  85. +		char *prevent_no_auth = getdef_str("PREVENT_NO_AUTH");

  86. +		if(prevent_no_auth == NULL) {

  87. +			prevent_no_auth = "superuser";

  88. +		}

  89. +		if(strcmp(prevent_no_auth, "yes") == 0) {

  90. +			fprintf(stderr, _("Password field is empty, this is forbidden for all accounts.\n"));

  91. +			exit(1);

  92. +		} else if( (pw->pw_uid == 0)

  93. +				&& (strcmp(prevent_no_auth, "superuser") == 0)) {

  94. +			fprintf(stderr, _("Password field is empty, this is forbidden for super-user.\n"));

  95. +			exit(1);

  96. +		}

  97. +	}

  98. +

  99.  	/*

  100.  	 * BSD systems only allow "wheel" to SU to root. USG systems don't,

  101.  	 * so we make this a configurable option.

  102. -- 

  103. 2.26.3

  104.