From e45674ae8026b9399fc0778a7e964efbcd093689 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 16:17:51 +1100 Subject: [PATCH] - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Restore previous authdb setting after auth calls. Fixes problems with setpcred failing on accounts that use AFS or NIS password registries. --- ChangeLog | 5 ++++- openbsd-compat/port-aix.c | 44 +++++++++++++++++++++++++++++---------- openbsd-compat/port-aix.h | 11 +++++++++- 3 files changed, 47 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4db097614..8d9a94651 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ required, please report them. ok djm@ - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent accidentally inheriting from root's environment. ok djm@ + - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Restore + previous authdb setting after auth calls. Fixes problems with setpcred + failing on accounts that use AFS or NIS password registries. 20040129 - (dtucker) OpenBSD CVS Sync regress/ @@ -1794,4 +1797,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3209 2004/02/06 05:04:08 dtucker Exp $ +$Id: ChangeLog,v 1.3210 2004/02/06 05:17:51 dtucker Exp $ diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index a9cbf49b0..6fc2ef771 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -39,6 +39,10 @@ extern ServerOptions options; extern Buffer loginmsg; +# ifdef HAVE_SETAUTHDB +static char old_registry[REGISTRY_SIZE] = ""; +# endif + /* * AIX has a "usrinfo" area where logname and other stuff is stored - * a few applications actually use this and die if it's not set @@ -119,6 +123,7 @@ aix_authenticate(const char *name, const char *password, const char *host) xfree(msg); } } + aix_restoreauthdb(); } if (authmsg != NULL) 
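Review bot: old_registry, added in the @@ -39 hunk, is a single file-scope save slot, so it only holds the registry that was in effect at the most recent aix_setauthdb(); if aix_setauthdb() is ever called a second time before aix_restoreauthdb() (the callers are outside this hunk), the slot is overwritten with the first user's registry and the eventual restore leaves the process pinned to that registry instead of the system default. Per the new aix_setauthdb comment that would silently limit subsequent AIX auth functions to one loadable module. A comment at the declaration would make the contract explicit: `/* Registry in effect before the last aix_setauthdb(); aix_restoreauthdb() puts it back. Not nesting-safe: pair each aix_setauthdb() with exactly one restore. */`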
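Review bot: the aix_restoreauthdb() call added after the authentication block in aix_authenticate only runs if control reaches that line, and aix_authenticate begins outside the hunk, so any return between the matching aix_setauthdb() and this point (not visible here) would leave the process with the user's registry still selected. It is worth confirming there is a single exit, or moving the restore into the function's common exit path. The call being unconditional is fine, since the new restore function's comment says setauthdb("") is safe when nothing was saved.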
@@ -145,22 +150,21 @@ record_failed_login(const char *user, const char *ttyname) # else loginfailed((char *)user, hostname, (char *)ttyname); # endif + aix_restoreauthdb(); } # endif /* CUSTOM_FAILED_LOGIN */ /* * If we have setauthdb, retrieve the password registry for the user's - * account then feed it to setauthdb. This may load registry-specific method - * code. If we don't have setauthdb or have already called it this is a no-op. + * account then feed it to setauthdb. This will mean that subsequent AIX auth + * functions will only use the specified loadable module. If we don't have + * setauthdb this is a no-op. */ void aix_setauthdb(const char *user) { # ifdef HAVE_SETAUTHDB - static char *registry = NULL; - - if (registry != NULL) /* have already done setauthdb */ - return; + char *registry; if (setuserdb(S_READ) == -1) { debug3("%s: Could not open userdb to read", __func__); @@ -168,12 +172,11 @@ aix_setauthdb(const char *user) } if (getuserattr((char *)user, S_REGISTRY, ®istry, SEC_CHAR) == 0) { - if (setauthdb(registry, NULL) == 0) - debug3("%s: AIX/setauthdb set registry %s", __func__, - registry); + if (setauthdb(registry, old_registry) == 0) + debug3("AIX/setauthdb set registry '%s'", registry); else - debug3("%s: AIX/setauthdb set registry %s failed: %s", - __func__, registry, strerror(errno)); + debug3("AIX/setauthdb set registry '%s' failed: %s", + registry, strerror(errno)); } else debug3("%s: Could not read S_REGISTRY for user: %s", __func__, strerror(errno)); 
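Review bot: dropping the `if (registry != NULL) return;` guard in aix_setauthdb changes its contract: every call now re-reads the registry and overwrites old_registry, so each call must be paired with exactly one aix_restoreauthdb(), but the rewritten function comment does not say so. In the `setuserdb(S_READ) == -1` early-return path old_registry is left holding whatever it had before, so a following restore reinstates a stale value or "" rather than what is actually in effect; benign for "" but worth stating. I would extend the comment with: `Each call must be paired with a later aix_restoreauthdb(); old_registry is overwritten on every successful setauthdb().` record_failed_login's body starts outside the hunk, so whether its aix_setauthdb() call precedes the added restore cannot be confirmed here.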
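Review bot: the two rewritten debug3() calls in aix_setauthdb drop the `__func__` prefix that the surrounding messages (the else branch in this hunk and the setuserdb failure above) still carry, so those log lines no longer attribute themselves; keeping the prefix, `debug3("%s: AIX/setauthdb set registry '%s'", __func__, registry);` and the matching failure line, keeps the file consistent. Nothing in this hunk checks the length of the registry read from getuserattr(); if setauthdb() rejects it the failure is only logged at debug3 and execution continues with whatever registry was already in effect, which the later restore must tolerate. The function continues past the hunk, so whether the setuserdb(S_READ) handle is closed with enduserdb() on every path cannot be seen here.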
@@ -181,6 +184,25 @@ aix_setauthdb(const char *user) # endif /* HAVE_SETAUTHDB */ } +/* + * Restore the user's registry settings from old_registry. + * Note that if the first aix_setauthdb fails, setauthdb("") is still safe + * (it restores the system default behaviour). If we don't have setauthdb, + * this is a no-op. + */ +void +aix_restoreauthdb(void) +{ +# ifdef HAVE_SETAUTHDB + if (setauthdb(old_registry, NULL) == 0) + debug3("%s: restoring old registry '%s'", __func__, + old_registry); + else + debug3("%s: failed to restore old registry %s", __func__, + old_registry); +# endif /* HAVE_SETAUTHDB */ +} + # endif /* WITH_AIXAUTHENTICATE */ #endif /* _AIX */ diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 975cdf051..930b3f248 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.16 2003/11/22 03:16:57 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.17 2004/02/06 05:17:52 dtucker Exp $ */ /* * @@ -51,6 +51,14 @@ # include #endif +/* + * According to the setauthdb man page, AIX password registries must be 15 + * chars or less plus terminating NUL. + */ +#ifdef HAVE_SETAUTHDB +# define REGISTRY_SIZE 16 +#endif + void aix_usrinfo(struct passwd *); #ifdef WITH_AIXAUTHENTICATE @@ -60,5 +68,6 @@ void record_failed_login(const char *, const char *); int aix_authenticate(const char *, const char *, const char *); void aix_setauthdb(const char *); +void aix_restoreauthdb(void); void aix_remove_embedded_newlines(char *); #endif /* _AIX */
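Review bot: the failure branch of the new aix_restoreauthdb() logs without the errno text that aix_setauthdb's failure path includes, and a failed restore leaves sshd running with the user's registry still selected, so the message should carry the reason and quote the name for consistency: `debug3("%s: failed to restore old registry '%s': %s", __func__, old_registry, strerror(errno));`. Since that is a silently degraded state (the aix_setauthdb comment says later AIX auth functions are then limited to one loadable module), consider a higher log level than debug3 for the failure case if the file's logging conventions allow it. The function comment could also note that old_registry is overwritten by every successful aix_setauthdb(), so the restore is only correct when the two calls are strictly paired.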