Test for locked account in auth.c (bug #442).

Tue Jan 7 22:19:26 EST 2003

Darren Tucker wrote:
> Hi Damien,
> 	I noticed you merged a couple of ifdefs in the fix for bug #442. The
> cvs comment says "Fix Bug #442 for PAM case".  The code is now roughly:
> 
> #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
>     !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
>         spw = getspnam(pw->pw_name);
>         passwd = spw->sp_pwdp;
> #else
>         passwd = pw->pw_passwd;
> #endif
> 	[test for locked passwd entry]
> 
> 	If the platform is using PAM, /etc/passwd is checked regardless of
> whether or not it actually has /etc/shadow.
> 
> 	If the platform has /etc/shadow but doesn't have shadow expiry then the
> /etc/passwd entry will be checked rather than the /etc/shadow one.
> 
> 	Is this correct or have I overlooked something?

You are right, my fix introduced a new bug (though one could argue that 
it is PAM's responsibility to do this...).

How does the following look:

int
allowed_user(struct passwd * pw)
{
	struct stat st;
	const char *hostname = NULL, *ipaddr = NULL, *passwd;
	char *shell;
	int i;
#ifdef WITH_AIXAUTHENTICATE
	char *loginmsg;
#endif /* WITH_AIXAUTHENTICATE */
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
	struct spwd *spw;
#endif

	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
	if (!pw || !pw->pw_name)
		return 0;

	/* Grab the password for locked account checking */
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
	spw = getspnam(pw->pw_name);
	if (!spw)
		return 0;
	passwd = spw->sp_pwdp;
#else
	passwd = pw->pw_passwd;
#endif

	/* check for locked account */
	if (strcmp(passwd, "*LK*") == 0 || passwd[0] == '!') {
		log("User %.100s not allowed because account is locked",
		    pw->pw_name);
		return 0;
	}

#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
     !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
#define	DAY		(24L * 60 * 60) /* 1 day in seconds */
	time_t today = time(NULL) / DAY;
	debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
	    " sp_max %d", (int)today, (int)spw->sp_expire,
	    (int)spw->sp_lstchg, (int)spw->sp_max);

	/*
	 * We assume account and password expiration occurs the
	 * day after the day specified.
	 */
	if (spw->sp_expire != -1 && today > spw->sp_expire) {
		log("Account %.100s has expired", pw->pw_name);
		return 0;
	}

	if (spw->sp_lstchg == 0) {
		log("User %.100s password has expired (root forced)",
		    pw->pw_name);
		return 0;
	}

	if (spw->sp_max != -1 &&
	    today > spw->sp_lstchg + spw->sp_max) {
		log("User %.100s password has expired (password aged)",
		    pw->pw_name);
		return 0;
	}
#endif

	/*
	 * Get the shell from the password data.  An empty shell field is
	 * legal, and means /bin/sh.
	 */
	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;

	/* deny if shell does not exists or is not executable */
	if (stat(shell, &st) != 0) {
		log("User %.100s not allowed because shell %.100s does not exist",
		    pw->pw_name, shell);
		return 0;
	}
	if (S_ISREG(st.st_mode) == 0 ||
	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
		log("User %.100s not allowed because shell %.100s is not executable",
		    pw->pw_name, shell);
		return 0;
	}

(...)