* configure.in: Added option --enable-account-tools-setuid to

enable/disable the usage of PAM to authenticate the callers of account management tools: chage, chgpasswd, chpasswd, groupadd, groupdel, groupmod, useradd, userdel, usermod. * src/Makefile.am: Do not link the above tools with libpam if account-tools-setuid is disabled. * src/userdel.c, src/newusers.c, src/chpasswd.c, src/usermod.c, src/groupdel.c, src/chgpasswd.c, src/useradd.c, src/groupmod.c, src/groupadd.c, src/chage.c: Implement ACCT_TOOLS_SETUID (--enable-account-tools-setuid). * etc/pam.d/Makefile.am: Install the pam service file for the above tools only when needed. * src/useradd.c, src/userdel.c, src/usermod.c: It is no more needed to initialize retval to PAM_SUCCESS.
2008-09-06 21:35:37 +00:00 · 2008-09-06 21:35:37 +00:00 · f8aef607ae
commit f8aef607ae
parent bbae92e76f
14 changed files with 129 additions and 28 deletions
--- a/17
+++ b/17
@ -1,3 +1,18 @@
+2008-09-06  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* configure.in: Added option --enable-account-tools-setuid to
+	enable/disable the usage of PAM to authenticate the callers of
+	account management tools: chage, chgpasswd, chpasswd, groupadd,
+	groupdel, groupmod, useradd, userdel, usermod.
+	* src/Makefile.am: Do not link the above tools with libpam if
+	account-tools-setuid is disabled.
+	* src/userdel.c, src/newusers.c, src/chpasswd.c, src/usermod.c,
+	src/groupdel.c, src/chgpasswd.c, src/useradd.c, src/groupmod.c,
+	src/groupadd.c, src/chage.c: Implement ACCT_TOOLS_SETUID
+	(--enable-account-tools-setuid).
+	* etc/pam.d/Makefile.am: Install the pam service file for the
+	above tools only when needed.
+
 2008-09-06  Nicolas François  <nicolas.francois@centraliens.net>

 	* libmisc/tz.c: tz() is only used when USE_PAM is not defined.
@ -32,6 +47,8 @@
 	src/chsh.c: Simplify the PAM error handling. Do not keep the pamh
 	handle, but terminate the PAM transaction as soon as possible if
 	there are no PAM session opened.
+	* src/useradd.c, src/userdel.c, src/usermod.c: It is no more
+	needed to initialize retval to PAM_SUCCESS.

 2008-09-06  Nicolas François  <nicolas.francois@centraliens.net>

--- a/configure.in
+++ b/configure.in
@ -219,6 +219,18 @@ AC_ARG_ENABLE(man,
 	[enable_man=no]
 )

+AC_ARG_ENABLE(account-tools-setuid,
+	[AC_HELP_STRING([--enable-account-tools-setuid],
+		[Install the user and group management tools setuid and authenticate the callers. This requires --with-pam.])],
+	[case "${enableval}" in
+	 yes) enable_acct_tools_setuid="yes" ;;
+	  no) enable_acct_tools_setuid="no" ;;
+	   *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid)
+	   ;;
+	 esac],
+	[enable_acct_tools_setuid="yes"]
+)
+
 AC_ARG_WITH(audit, 
 	[AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
 	[with_audit=$withval], [with_audit=maybe])
@ -417,6 +429,16 @@ else
 	AC_MSG_RESULT(yes)
 fi

+if test "$enable_acct_tools_setuid" = "yes"; then
+	if test "$with_libpam" != "yes"; then
+		AC_MSG_ERROR(PAM support is required for --enable-account-tools-setuid)
+	fi
+	AC_DEFINE(ACCT_TOOLS_SETUID,
+	          1,
+	          [Define if account management tools should be installed setuid and authenticate the callers])
+fi
+AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
+
 AC_SUBST(LIBSKEY)
 AC_SUBST(LIBMD)
 if test "$with_skey" = "yes"; then
@ -475,6 +497,9 @@ echo
 echo "	auditing support:		$with_audit"
 echo "	CrackLib support:		$with_libcrack"
 echo "	PAM support:			$with_libpam"
+if test "$with_libpam" = "yes"; then
+echo "	suid account management tools:	$enable_acct_tools_setuid"
+fi
 echo "	SELinux support:		$with_selinux"
 echo "	shadow group support:		$enable_shadowgrp"
 echo "	S/Key support:			$with_skey"
--- a/etc/pam.d/Makefile.am
+++ b/etc/pam.d/Makefile.am
@ -2,22 +2,26 @@
 # and also cooperate to make a distribution for `make dist'

 pamd_files = \
-	chage \
 	chfn \
+	chsh \
+	groupmems \
+	login \
+	passwd \
+	su
+
+if ACCT_TOOLS_SETUID
+pamd_files += \
+	chage \
 	chgpasswd \
 	chpasswd \
-	chsh \
 	groupadd \
 	groupdel \
-	groupmems \
 	groupmod \
-	login \
 	newusers \
-	passwd \
-	su \
 	useradd \
 	userdel \
 	usermod
+endif

 if USE_PAM
 pamddir = $(sysconfdir)/pam.d
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -49,22 +49,31 @@ noinst_PROGRAMS = id sulogin

 suidbins       = su
 suidubins      = chage chfn chsh expiry gpasswd newgrp passwd
+if ACCT_TOOLS_SETUID
+	suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
+endif

 LDADD          = $(INTLLIBS) \
 		 $(top_builddir)/libmisc/libmisc.a \
 		 $(top_builddir)/lib/libshadow.la
 AM_CPPFLAGS    = -DLOCALEDIR=\"$(datadir)/locale\"

-chage_LDADD    = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+if ACCT_TOOLS_SETUID
+LIBPAM_SUID  = $(LIBPAM)
+else
+LIBPAM_SUID  =
+endif
+
+chage_LDADD    = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 chfn_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
-chgpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
 chsh_LDADD     = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
-chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+chpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
 gpasswd_LDADD  = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
-groupadd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
-groupdel_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX)
-groupmod_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 grpck_LDADD    = $(LDADD) $(LIBSELINUX)
 grpconv_LDADD  = $(LDADD) $(LIBSELINUX)
 grpunconv_LDADD = $(LDADD) $(LIBSELINUX)
@ -73,7 +82,7 @@ login_SOURCES  = \
 	login_nopam.c
 login_LDADD    = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
 newgrp_LDADD   = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT)
-newusers_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
+newusers_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
 nologin_LDADD  =
 passwd_LDADD   = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
 pwck_LDADD     = $(LDADD) $(LIBSELINUX)
@ -84,9 +93,9 @@ su_SOURCES     = \
 	suauth.c
 su_LDADD       = $(LDADD) $(LIBPAM) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
 sulogin_LDADD  = $(LDADD) $(LIBCRYPT)
-useradd_LDADD  = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
-userdel_LDADD  = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
-usermod_LDADD  = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX)
+useradd_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+userdel_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
+usermod_LDADD  = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 vipw_LDADD     = $(LDADD) $(LIBSELINUX)

 install-am: all-am
--- a/src/chage.c
+++ b/src/chage.c
@ -42,9 +42,11 @@
 #include <stdlib.h>
 #include <sys/types.h>
 #include <time.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include <pwd.h>
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
@ -484,11 +486,13 @@ static void check_flags (int argc, int opt_index)
 */
 static void check_perms (void)
 {
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	struct passwd *pampw;
 	int retval;
-#endif
+#endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 	/*
 	 * An unprivileged user can ask for their own aging information, but
@ -501,6 +505,7 @@ static void check_perms (void)
 		fail_exit (E_NOPERM);
 	}

+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
 	if (NULL == pampw) {
@ -525,6 +530,7 @@ static void check_perms (void)
 		fail_exit (E_NOPERM);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 }

 /*
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@ -39,9 +39,11 @@
 #include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include "defines.h"
 #include "exitcodes.h"
 #include "nscd.h"
@ -246,6 +248,7 @@ static void check_flags (void)
 */
 static void check_perms (void)
 {
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	int retval;
@ -274,6 +277,7 @@ static void check_perms (void)
 		exit (1);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 }

 /*
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@ -39,9 +39,11 @@
 #include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include "defines.h"
 #include "exitcodes.h"
 #include "nscd.h"
@ -240,6 +242,7 @@ static void check_flags (void)
 */
 static void check_perms (void)
 {
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	int retval;
@ -268,6 +271,7 @@ static void check_perms (void)
 		exit (1);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 }

 /*
--- a/src/groupadd.c
+++ b/src/groupadd.c
@ -41,10 +41,12 @@
 #include <grp.h>
 #include <stdio.h>
 #include <sys/types.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #include <pwd.h>
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include "chkname.h"
 #include "defines.h"
 #include "getdef.h"
@ -565,6 +567,7 @@ static void check_flags (void)
 */
 static void check_perms (void)
 {
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	int retval;
@ -593,6 +596,7 @@ static void check_perms (void)
 		exit (1);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 }

 /*
--- a/src/groupdel.c
+++ b/src/groupdel.c
@ -38,9 +38,11 @@
 #include <fcntl.h>
 #include <grp.h>
 #include <pwd.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include <stdio.h>
 #include <sys/types.h>
 #include "defines.h"
@ -309,10 +311,12 @@ static void group_busy (gid_t gid)

 int main (int argc, char **argv)
 {
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	int retval;
-#endif
+#endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 #ifdef WITH_AUDIT
 	audit_help_open ();
@ -336,6 +340,7 @@ int main (int argc, char **argv)

 	OPENLOG ("groupdel");

+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	{
 		struct passwd *pampw;
@ -364,6 +369,7 @@ int main (int argc, char **argv)
 		exit (1);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 #ifdef SHADOWGRP
 	is_shadow_grp = sgr_file_present ();
--- a/src/groupmod.c
+++ b/src/groupmod.c
@ -40,10 +40,12 @@
 #include <grp.h>
 #include <stdio.h>
 #include <sys/types.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #include <pwd.h>
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include "chkname.h"
 #include "defines.h"
 #include "groupio.h"
@ -679,10 +681,12 @@ void update_primary_groups (gid_t ogid, gid_t ngid)
 */
 int main (int argc, char **argv)
 {
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	int retval;
-#endif
+#endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 #ifdef WITH_AUDIT
 	audit_help_open ();
@ -701,6 +705,7 @@ int main (int argc, char **argv)

 	OPENLOG ("groupmod");

+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	{
 		struct passwd *pampw;
@ -729,6 +734,7 @@ int main (int argc, char **argv)
 		fail_exit (1);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 #ifdef SHADOWGRP
 	is_shadow_grp = sgr_file_present ();
--- a/src/newusers.c
+++ b/src/newusers.c
@ -50,9 +50,11 @@
 #include <fcntl.h>
 #include <getopt.h>
 #include <ctype.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include "prototypes.h"
 #include "defines.h"
 #include "getdef.h"
@ -561,6 +563,7 @@ static void check_flags (void)
 */
 static void check_perms (void)
 {
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	int retval;
@ -589,6 +592,7 @@ static void check_perms (void)
 		fail_exit (1);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 }

 /*
--- a/src/useradd.c
+++ b/src/useradd.c
@ -42,9 +42,11 @@
 #include <grp.h>
 #include <lastlog.h>
 #include <pwd.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@ -1748,10 +1750,12 @@ static void create_mail (void)
 */
 int main (int argc, char **argv)
 {
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	int retval;
-#endif
+#endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 #ifdef WITH_AUDIT
 	audit_help_open ();
@ -1785,9 +1789,8 @@ int main (int argc, char **argv)

 	process_flags (argc, argv);

+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
-	retval = PAM_SUCCESS;
-
 	{
 		struct passwd *pampw;
 		pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
@ -1815,6 +1818,7 @@ int main (int argc, char **argv)
 		fail_exit (1);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 	/*
 	 * See if we are messing with the defaults file, or creating
--- a/src/userdel.c
+++ b/src/userdel.c
@ -43,9 +43,11 @@
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/stat.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include "defines.h"
 #include "getdef.h"
 #include "groupio.h"
@ -781,10 +783,12 @@ int main (int argc, char **argv)
 {
 	int errors = 0; /* Error in the removal of the home directory */

+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	int retval;
-#endif
+#endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 #ifdef WITH_AUDIT
 	audit_help_open ();
@ -830,9 +834,8 @@ int main (int argc, char **argv)

 	OPENLOG ("userdel");

+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
-	retval = PAM_SUCCESS;
-
 	{
 		struct passwd *pampw;
 		pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
@ -860,6 +863,7 @@ int main (int argc, char **argv)
 		exit (E_PW_UPDATE);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 	is_shadow_pwd = spw_file_present ();
 #ifdef SHADOWGRP
--- a/src/usermod.c
+++ b/src/usermod.c
@ -41,9 +41,11 @@
 #include <grp.h>
 #include <lastlog.h>
 #include <pwd.h>
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */
 #include <stdio.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@ -1620,10 +1622,12 @@ static void move_mailbox (void)
 */
 int main (int argc, char **argv)
 {
+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
 	pam_handle_t *pamh = NULL;
 	int retval;
-#endif
+#endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 #ifdef WITH_AUDIT
 	audit_help_open ();
@ -1651,9 +1655,8 @@ int main (int argc, char **argv)

 	process_flags (argc, argv);

+#ifdef ACCT_TOOLS_SETUID
 #ifdef USE_PAM
-	retval = PAM_SUCCESS;
-
 	{
 		struct passwd *pampw;
 		pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */
@ -1681,6 +1684,7 @@ int main (int argc, char **argv)
 		exit (1);
 	}
 #endif				/* USE_PAM */
+#endif				/* ACCT_TOOLS_SETUID */

 	/*
 	 * Do the hard stuff - open the files, change the user entries,