Fix compiler warnings:
* libmisc/audit_help.c: Include prototypes.h to get the prototype of audit_help_open. * libmisc/salt.c: Use booleans instead of negating integers. * src/passwd.c: Declare the check_selinux_access prototype and avoid name clashes (change_user -> changed_user; change_uid -> changed_uid; access -> requested_access)
parent
eeb9592ded
commit
d99423405c
10
ChangeLog
10
ChangeLog
@ -1,3 +1,13 @@
|
|||||||
|
2008-05-24 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
|
Fix compiler warnings:
|
||||||
|
* libmisc/audit_help.c: Include prototypes.h to get the prototype
|
||||||
|
of audit_help_open.
|
||||||
|
* libmisc/salt.c: Use booleans instead of negating integers.
|
||||||
|
* src/passwd.c: Declare the check_selinux_access prototype and
|
||||||
|
avoid name clashes (change_user -> changed_user; change_uid ->
|
||||||
|
changed_uid; access -> requested_access)
|
||||||
|
|
||||||
2008-05-23 Nicolas François <nicolas.francois@centraliens.net>
|
2008-05-23 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
* libmisc/pam_pass.c: Use fputs rather than fprintf for constant
|
* libmisc/pam_pass.c: Use fputs rather than fprintf for constant
|
||||||
|
@ -44,6 +44,7 @@
|
|||||||
#include <libaudit.h>
|
#include <libaudit.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
#include "prototypes.h"
|
||||||
int audit_fd;
|
int audit_fd;
|
||||||
|
|
||||||
void audit_help_open (void)
|
void audit_help_open (void)
|
||||||
|
@ -220,14 +220,14 @@ char *crypt_make_salt (const char *meth, void *arg)
|
|||||||
method = getdef_bool ("MD5_CRYPT_ENAB") ? "MD5" : "DES";
|
method = getdef_bool ("MD5_CRYPT_ENAB") ? "MD5" : "DES";
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!strcmp (method, "MD5")) {
|
if (0 == strcmp (method, "MD5")) {
|
||||||
MAGNUM(result, '1');
|
MAGNUM(result, '1');
|
||||||
#ifdef USE_SHA_CRYPT
|
#ifdef USE_SHA_CRYPT
|
||||||
} else if (!strcmp (method, "SHA256")) {
|
} else if (0 == strcmp (method, "SHA256")) {
|
||||||
MAGNUM(result, '5');
|
MAGNUM(result, '5');
|
||||||
strcat(result, SHA_salt_rounds((int *)arg));
|
strcat(result, SHA_salt_rounds((int *)arg));
|
||||||
salt_len = SHA_salt_size();
|
salt_len = SHA_salt_size();
|
||||||
} else if (!strcmp (method, "SHA512")) {
|
} else if (0 == strcmp (method, "SHA512")) {
|
||||||
MAGNUM(result, '6');
|
MAGNUM(result, '6');
|
||||||
strcat(result, SHA_salt_rounds((int *)arg));
|
strcat(result, SHA_salt_rounds((int *)arg));
|
||||||
salt_len = SHA_salt_size();
|
salt_len = SHA_salt_size();
|
||||||
|
31
src/passwd.c
31
src/passwd.c
@ -142,6 +142,11 @@ static void update_noshadow (void);
|
|||||||
|
|
||||||
static void update_shadow (void);
|
static void update_shadow (void);
|
||||||
static long getnumber (const char *);
|
static long getnumber (const char *);
|
||||||
|
#ifdef WITH_SELINUX
|
||||||
|
static int check_selinux_access (const char *changed_user,
|
||||||
|
uid_t changed_uid,
|
||||||
|
access_vector_t requested_access);
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* usage - print command usage and exit
|
* usage - print command usage and exit
|
||||||
@ -619,8 +624,9 @@ static long getnumber (const char *numstr)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
int
|
static int check_selinux_access (const char *changed_user,
|
||||||
check_selinux_access(const char *change_user, int change_uid, unsigned int access)
|
uid_t changed_uid,
|
||||||
|
access_vector_t requested_access)
|
||||||
{
|
{
|
||||||
int status = -1;
|
int status = -1;
|
||||||
security_context_t user_context;
|
security_context_t user_context;
|
||||||
@ -642,15 +648,18 @@ check_selinux_access(const char *change_user, int change_uid, unsigned int acces
|
|||||||
|
|
||||||
/* if changing a password for an account with UID==0 or for an account
|
/* if changing a password for an account with UID==0 or for an account
|
||||||
where the identity matches then return success */
|
where the identity matches then return success */
|
||||||
if (change_uid != 0 && strcmp(change_user, user) == 0) {
|
if (changed_uid != 0 && strcmp(changed_user, user) == 0) {
|
||||||
status = 0;
|
status = 0;
|
||||||
} else {
|
} else {
|
||||||
struct av_decision avd;
|
struct av_decision avd;
|
||||||
int retval;
|
int retval;
|
||||||
retval = security_compute_av(user_context, user_context,
|
retval = security_compute_av(user_context,
|
||||||
SECCLASS_PASSWD, access, &avd);
|
user_context,
|
||||||
|
SECCLASS_PASSWD,
|
||||||
|
requested_access,
|
||||||
|
&avd);
|
||||||
if ((retval == 0) &&
|
if ((retval == 0) &&
|
||||||
((access & avd.allowed) == access)) {
|
((requested_access & avd.allowed) == requested_access)) {
|
||||||
status = 0;
|
status = 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -897,8 +906,7 @@ int main (int argc, char **argv)
|
|||||||
/* only do this check when getuid()==0 because it's a pre-condition for
|
/* only do this check when getuid()==0 because it's a pre-condition for
|
||||||
changing a password without entering the old one */
|
changing a password without entering the old one */
|
||||||
if ((is_selinux_enabled() > 0) && (getuid() == 0) &&
|
if ((is_selinux_enabled() > 0) && (getuid() == 0) &&
|
||||||
(check_selinux_access(name, pw->pw_uid, PASSWD__PASSWD) != 0))
|
(check_selinux_access (name, pw->pw_uid, PASSWD__PASSWD) != 0)) {
|
||||||
{
|
|
||||||
security_context_t user_context;
|
security_context_t user_context;
|
||||||
if (getprevcon(&user_context) < 0) {
|
if (getprevcon(&user_context) < 0) {
|
||||||
user_context = strdup("Unknown user context");
|
user_context = strdup("Unknown user context");
|
||||||
@ -906,14 +914,13 @@ int main (int argc, char **argv)
|
|||||||
syslog(LOG_ALERT,
|
syslog(LOG_ALERT,
|
||||||
"%s is not authorized to change the password of %s",
|
"%s is not authorized to change the password of %s",
|
||||||
user_context, name);
|
user_context, name);
|
||||||
fprintf(stderr, _("%s: %s is not authorized to change the "
|
fprintf(stderr,
|
||||||
"password of %s\n"),
|
_("%s: %s is not authorized to change the password of %s\n"),
|
||||||
Prog, user_context, name);
|
Prog, user_context, name);
|
||||||
freecon(user_context);
|
freecon(user_context);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
#endif /* WITH_SELINUX */
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If the UID of the user does not match the current real UID,
|
* If the UID of the user does not match the current real UID,
|
||||||
|
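Review bot: The comment above the identity test in check_selinux_access (hunk at -642,15 +648,18) says success is returned "for an account with UID==0 or for an account where the identity matches", but the condition on the new side is `changed_uid != 0 && strcmp(changed_user, user) == 0`, so a UID 0 target never takes the shortcut and always goes through `security_compute_av`. The code is the stricter reading and the one to keep; since the parameters are being renamed here anyway, the comment should be corrected so that a later cleanup does not relax the check to match it, for example `/* skip the AV check only for a non-root account whose name matches the caller's identity; UID 0 targets are always checked */`. Where `user` is derived is not visible, because the function body starts in the previous hunk and the lines between the two hunks are elided, so the phrase "the caller's identity" should be confirmed against those lines.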