diff --git a/ChangeLog b/ChangeLog index 3e402217..0c2afdc8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,18 @@ +2008-09-06 Nicolas François + + * configure.in: Added option --enable-account-tools-setuid to + enable/disable the usage of PAM to authenticate the callers of + account management tools: chage, chgpasswd, chpasswd, groupadd, + groupdel, groupmod, useradd, userdel, usermod. + * src/Makefile.am: Do not link the above tools with libpam if + account-tools-setuid is disabled. + * src/userdel.c, src/newusers.c, src/chpasswd.c, src/usermod.c, + src/groupdel.c, src/chgpasswd.c, src/useradd.c, src/groupmod.c, + src/groupadd.c, src/chage.c: Implement ACCT_TOOLS_SETUID + (--enable-account-tools-setuid). + * etc/pam.d/Makefile.am: Install the pam service file for the + above tools only when needed. + 2008-09-06 Nicolas François * libmisc/tz.c: tz() is only used when USE_PAM is not defined. @@ -32,6 +47,8 @@ src/chsh.c: Simplify the PAM error handling. Do not keep the pamh handle, but terminate the PAM transaction as soon as possible if there are no PAM session opened. + * src/useradd.c, src/userdel.c, src/usermod.c: It is no more + needed to initialize retval to PAM_SUCCESS. 2008-09-06 Nicolas François diff --git a/configure.in b/configure.in index fd2bba70..ebbb6d5c 100644 --- a/configure.in +++ b/configure.in @@ -219,6 +219,18 @@ AC_ARG_ENABLE(man, [enable_man=no] ) +AC_ARG_ENABLE(account-tools-setuid, + [AC_HELP_STRING([--enable-account-tools-setuid], + [Install the user and group management tools setuid and authenticate the callers. This requires --with-pam.])], + [case "${enableval}" in + yes) enable_acct_tools_setuid="yes" ;; + no) enable_acct_tools_setuid="no" ;; + *) AC_MSG_ERROR(bad value ${enableval} for --enable-account-tools-setuid) + ;; + esac], + [enable_acct_tools_setuid="yes"] +) + AC_ARG_WITH(audit, [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], [with_audit=$withval], [with_audit=maybe]) 
@@ -417,6 +429,16 @@ else AC_MSG_RESULT(yes) fi +if test "$enable_acct_tools_setuid" = "yes"; then + if test "$with_libpam" != "yes"; then + AC_MSG_ERROR(PAM support is required for --enable-account-tools-setuid) + fi + AC_DEFINE(ACCT_TOOLS_SETUID, + 1, + [Define if account management tools should be installed setuid and authenticate the callers]) +fi +AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes") + AC_SUBST(LIBSKEY) AC_SUBST(LIBMD) if test "$with_skey" = "yes"; then @@ -475,6 +497,9 @@ echo echo " auditing support: $with_audit" echo " CrackLib support: $with_libcrack" echo " PAM support: $with_libpam" +if test "$with_libpam" = "yes"; then +echo " suid account management tools: $enable_acct_tools_setuid" +fi echo " SELinux support: $with_selinux" echo " shadow group support: $enable_shadowgrp" echo " S/Key support: $with_skey" diff --git a/etc/pam.d/Makefile.am b/etc/pam.d/Makefile.am index 44deb6f7..293c1e50 100644 --- a/etc/pam.d/Makefile.am +++ b/etc/pam.d/Makefile.am @@ -2,22 +2,26 @@ # and also cooperate to make a distribution for `make dist' pamd_files = \ - chage \ chfn \ + chsh \ + groupmems \ + login \ + passwd \ + su + +if ACCT_TOOLS_SETUID +pamd_files += \ + chage \ chgpasswd \ chpasswd \ - chsh \ groupadd \ groupdel \ - groupmems \ groupmod \ - login \ newusers \ - passwd \ - su \ useradd \ userdel \ usermod +endif if USE_PAM pamddir = $(sysconfdir)/pam.d diff --git a/src/Makefile.am b/src/Makefile.am index e827fe09..6cf8867d 100644 --- a/src/Makefile.am +++ b/src/Makefile.am 
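Review bot: The new check turns a build without PAM into a hard configure error by default, because the `AC_ARG_ENABLE` in the previous hunk defaults `enable_acct_tools_setuid` to "yes" and this hunk calls `AC_MSG_ERROR` whenever `$with_libpam` is not "yes", so anyone who did not pass `--with-pam` now has to also pass `--disable-account-tools-setuid` to get the same tree they built yesterday. The usual autoconf shape is a third default value ("maybe") that is resolved here: an explicit `--enable-account-tools-setuid` without PAM stays fatal, while the implicit default silently degrades to "no". The `AC_DEFINE` and `AM_CONDITIONAL` then key off the resolved value, and the summary `echo` in the next hunk keeps working since it is already guarded by `$with_libpam`. This assumes `$with_libpam` has been fully resolved by this point in configure.in, which the surrounding `AC_MSG_RESULT(yes)` suggests but the hunk does not show.
```m4
dnl … unchanged: AC_ARG_ENABLE(account-tools-setuid, …), but with the
dnl     final (default) argument changed to [enable_acct_tools_setuid="maybe"] …
if test "$enable_acct_tools_setuid" != "no"; then
	if test "$with_libpam" != "yes"; then
		if test "$enable_acct_tools_setuid" = "yes"; then
			AC_MSG_ERROR(PAM support is required for --enable-account-tools-setuid)
		fi
		enable_acct_tools_setuid="no"
	else
		enable_acct_tools_setuid="yes"
	fi
fi
if test "$enable_acct_tools_setuid" = "yes"; then
	AC_DEFINE(ACCT_TOOLS_SETUID,
	          1,
	          [Define if account management tools should be installed setuid and authenticate the callers])
fi
AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
```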
@@ -49,22 +49,31 @@ noinst_PROGRAMS = id sulogin suidbins = su suidubins = chage chfn chsh expiry gpasswd newgrp passwd +if ACCT_TOOLS_SETUID + suidubins += chage chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod +endif LDADD = $(INTLLIBS) \ $(top_builddir)/libmisc/libmisc.a \ $(top_builddir)/lib/libshadow.la AM_CPPFLAGS = -DLOCALEDIR=\"$(datadir)/locale\" -chage_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) +if ACCT_TOOLS_SETUID +LIBPAM_SUID = $(LIBPAM) +else +LIBPAM_SUID = +endif + +chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) chfn_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) -chgpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) +chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) -chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) +chpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) -groupadd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) -groupdel_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) +groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) groupmems_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) -groupmod_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) +groupmod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) grpck_LDADD = $(LDADD) $(LIBSELINUX) grpconv_LDADD = $(LDADD) $(LIBSELINUX) grpunconv_LDADD = $(LDADD) $(LIBSELINUX) 
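Review bot: `chage` is already on the unconditional `suidubins = chage chfn chsh …` line just above, so the new `suidubins += chage chgpasswd …` inside `if ACCT_TOOLS_SETUID` lists it a second time; the duplicate is harmless to `make install` but hides the fact that chage is installed setuid in both configurations, which matters because `chage_LDADD` below only links PAM through `$(LIBPAM_SUID)`. Drop `chage` from the conditional list and say why it stays on the first line, e.g. `# chage is always setuid: unprivileged users may query their own aging data (see check_perms in src/chage.c)`. The reason is the comment in chage.c's check_perms later in this diff, not an inference of mine.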
@@ -73,7 +82,7 @@ login_SOURCES = \ login_nopam.c login_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) newgrp_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBCRYPT) -newusers_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) +newusers_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) nologin_LDADD = passwd_LDADD = $(LDADD) $(LIBPAM) $(LIBCRACK) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) pwck_LDADD = $(LDADD) $(LIBSELINUX) @@ -84,9 +93,9 @@ su_SOURCES = \ suauth.c su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) sulogin_LDADD = $(LDADD) $(LIBCRYPT) -useradd_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) -userdel_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) -usermod_LDADD = $(LDADD) $(LIBPAM) $(LIBAUDIT) $(LIBSELINUX) +useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) +usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) vipw_LDADD = $(LDADD) $(LIBSELINUX) install-am: all-am diff --git a/src/chage.c b/src/chage.c index 5766e0ab..680b57d9 100644 --- a/src/chage.c +++ b/src/chage.c @@ -42,9 +42,11 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include #ifdef WITH_SELINUX #include @@ -484,11 +486,13 @@ static void check_flags (int argc, int opt_index) */ static void check_perms (void) { +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; struct passwd *pampw; int retval; -#endif +#endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ /* * An unprivileged user can ask for their own aging information, but @@ -501,6 +505,7 @@ static void check_perms (void) fail_exit (E_NOPERM); } +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ if (NULL == pampw) { 
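Review bot: The new `#ifdef ACCT_TOOLS_SETUID` around `#include "pam_defs.h"` wraps an `#ifdef USE_PAM` that, as far as this diff shows, cannot be false when the outer guard is true, since configure.in refuses `--enable-account-tools-setuid` unless `$with_libpam` is "yes" (presumably the same condition that defines USE_PAM; that definition is not on the page). The same two-level guard is repeated at every PAM site in chgpasswd.c, chpasswd.c, groupadd.c, groupdel.c, groupmod.c, newusers.c, useradd.c, userdel.c and usermod.c, which is a lot of paired `#endif`s to keep matched. A single `#if defined(ACCT_TOOLS_SETUID) && defined(USE_PAM)` per site expresses the same condition with one terminator; if the inner guard is intended as a safety net instead, a one-time `#if defined(ACCT_TOOLS_SETUID) && !defined(USE_PAM)` followed by `#error "ACCT_TOOLS_SETUID requires USE_PAM"` in a shared header such as defines.h would make the dependency explicit in one place.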
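Review bot: With ACCT_TOOLS_SETUID disabled, chage keeps running setuid (it stays on the unconditional `suidubins` line in src/Makefile.am earlier in this diff) while the PAM authentication of the caller in check_perms is compiled out, so the only gate left is the uid check that precedes the new `#ifdef` (its condition is outside the hunk; the visible part is the `fail_exit (E_NOPERM)` branch and the comment about unprivileged users querying their own aging data). That is a deliberate trade-off of the new option, but nothing in chage.c says so, and the other nine tools are not setuid in that configuration, so chage is the odd one out. Add at the new `#ifdef ACCT_TOOLS_SETUID` in check_perms: `/* chage is installed setuid even without ACCT_TOOLS_SETUID; in that build no PAM authentication of the caller happens here and the uid check above is the only gate. */`. check_perms continues past the end of this hunk.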
@@ -525,6 +530,7 @@ static void check_perms (void) fail_exit (E_NOPERM); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ } /* diff --git a/src/chgpasswd.c b/src/chgpasswd.c index aaa39e1c..011c009f 100644 --- a/src/chgpasswd.c +++ b/src/chgpasswd.c @@ -39,9 +39,11 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include "defines.h" #include "exitcodes.h" #include "nscd.h" @@ -246,6 +248,7 @@ static void check_flags (void) */ static void check_perms (void) { +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; int retval; @@ -274,6 +277,7 @@ static void check_perms (void) exit (1); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ } /* diff --git a/src/chpasswd.c b/src/chpasswd.c index 99093ffa..014a25ae 100644 --- a/src/chpasswd.c +++ b/src/chpasswd.c @@ -39,9 +39,11 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include "defines.h" #include "exitcodes.h" #include "nscd.h" @@ -240,6 +242,7 @@ static void check_flags (void) */ static void check_perms (void) { +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; int retval; @@ -268,6 +271,7 @@ static void check_perms (void) exit (1); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ } /* diff --git a/src/groupadd.c b/src/groupadd.c index f6ff4079..c7c7c28c 100644 --- a/src/groupadd.c +++ b/src/groupadd.c @@ -41,10 +41,12 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #include #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include "chkname.h" #include "defines.h" #include "getdef.h" @@ -565,6 +567,7 @@ static void check_flags (void) */ static void check_perms (void) { +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; int retval; 
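Review bot: In chgpasswd.c check_perms appears to become an empty function when ACCT_TOOLS_SETUID is off: the first hunk opens the guard right after `{` and the second closes it right before `}`, and the hunk boundaries suggest nothing sits outside it (the lines between the two hunks are not shown, so confirm). That is fine because src/Makefile.am does not install chgpasswd setuid in that configuration, but a reader of check_perms alone is left wondering why a function named that way checks nothing; the same applies to check_perms in chpasswd.c, groupadd.c and newusers.c in this diff. Add above the `#ifdef`: `/* No caller check without ACCT_TOOLS_SETUID: the tool is then not installed setuid (see src/Makefile.am), so only root can run it usefully. */`.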
@@ -593,6 +596,7 @@ static void check_perms (void) exit (1); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ } /* diff --git a/src/groupdel.c b/src/groupdel.c index 1981ab19..c1245e1a 100644 --- a/src/groupdel.c +++ b/src/groupdel.c @@ -38,9 +38,11 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include #include #include "defines.h" @@ -309,10 +311,12 @@ static void group_busy (gid_t gid) int main (int argc, char **argv) { +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; int retval; -#endif +#endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #ifdef WITH_AUDIT audit_help_open (); @@ -336,6 +340,7 @@ int main (int argc, char **argv) OPENLOG ("groupdel"); +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM { struct passwd *pampw; @@ -364,6 +369,7 @@ int main (int argc, char **argv) exit (1); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); diff --git a/src/groupmod.c b/src/groupmod.c index 6d09d2b6..13362b15 100644 --- a/src/groupmod.c +++ b/src/groupmod.c @@ -40,10 +40,12 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #include #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include "chkname.h" #include "defines.h" #include "groupio.h" @@ -679,10 +681,12 @@ void update_primary_groups (gid_t ogid, gid_t ngid) */ int main (int argc, char **argv) { +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; int retval; -#endif +#endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #ifdef WITH_AUDIT audit_help_open (); @@ -701,6 +705,7 @@ int main (int argc, char **argv) OPENLOG ("groupmod"); +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM { struct passwd *pampw; @@ -729,6 +734,7 @@ int main (int argc, char **argv) fail_exit (1); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #ifdef SHADOWGRP is_shadow_grp = sgr_file_present (); 
diff --git a/src/newusers.c b/src/newusers.c index e30a159b..1eefb7e2 100644 --- a/src/newusers.c +++ b/src/newusers.c @@ -50,9 +50,11 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include "prototypes.h" #include "defines.h" #include "getdef.h" @@ -561,6 +563,7 @@ static void check_flags (void) */ static void check_perms (void) { +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; int retval; @@ -589,6 +592,7 @@ static void check_perms (void) fail_exit (1); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ } /* diff --git a/src/useradd.c b/src/useradd.c index 40421c39..dba04f0c 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -42,9 +42,11 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include #include #include @@ -1748,10 +1750,12 @@ static void create_mail (void) */ int main (int argc, char **argv) { +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; int retval; -#endif +#endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #ifdef WITH_AUDIT audit_help_open (); @@ -1785,9 +1789,8 @@ int main (int argc, char **argv) process_flags (argc, argv); +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM - retval = PAM_SUCCESS; - { struct passwd *pampw; pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ @@ -1815,6 +1818,7 @@ int main (int argc, char **argv) fail_exit (1); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ /* * See if we are messing with the defaults file, or creating diff --git a/src/userdel.c b/src/userdel.c index 13dc8cac..6559785b 100644 --- a/src/userdel.c +++ b/src/userdel.c @@ -43,9 +43,11 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include "defines.h" #include "getdef.h" #include "groupio.h" 
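Review bot: Dropping `retval = PAM_SUCCESS;` at the top of the PAM block in useradd.c's main is only safe if every path to the first read of `retval` assigns it; the `pam_start` call that presumably does so sits in the `{ struct passwd *pampw; … }` block that continues past this hunk, and the `pampw` lookup just before it has a failure branch whose handling is also outside the hunk, so confirm that branch exits rather than falls through to the `PAM_SUCCESS == retval` tests. The same removal is made in userdel.c and usermod.c later in this diff. A build with `-Wmaybe-uninitialized` (or `-Wall`) on the three files is a cheap way to confirm there is no path that reads `retval` before `pam_start` sets it. main continues beyond the end of this hunk.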
@@ -781,10 +783,12 @@ int main (int argc, char **argv) { int errors = 0; /* Error in the removal of the home directory */ +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; int retval; -#endif +#endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #ifdef WITH_AUDIT audit_help_open (); @@ -830,9 +834,8 @@ int main (int argc, char **argv) OPENLOG ("userdel"); +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM - retval = PAM_SUCCESS; - { struct passwd *pampw; pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ @@ -860,6 +863,7 @@ int main (int argc, char **argv) exit (E_PW_UPDATE); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ is_shadow_pwd = spw_file_present (); #ifdef SHADOWGRP diff --git a/src/usermod.c b/src/usermod.c index 1ca0afd3..709e2984 100644 --- a/src/usermod.c +++ b/src/usermod.c @@ -41,9 +41,11 @@ #include #include #include +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM #include "pam_defs.h" #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #include #include #include @@ -1620,10 +1622,12 @@ static void move_mailbox (void) */ int main (int argc, char **argv) { +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM pam_handle_t *pamh = NULL; int retval; -#endif +#endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ #ifdef WITH_AUDIT audit_help_open (); @@ -1651,9 +1655,8 @@ int main (int argc, char **argv) process_flags (argc, argv); +#ifdef ACCT_TOOLS_SETUID #ifdef USE_PAM - retval = PAM_SUCCESS; - { struct passwd *pampw; pampw = getpwuid (getuid ()); /* local, no need for xgetpwuid */ @@ -1681,6 +1684,7 @@ int main (int argc, char **argv) exit (1); } #endif /* USE_PAM */ +#endif /* ACCT_TOOLS_SETUID */ /* * Do the hard stuff - open the files, change the user entries,