Message-ID: <20180704233204.GC29590@altlinux.org>
Date: Thu, 5 Jul 2018 02:32:04 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: [PATCH 2/5] pam_tcb: drop obsolete nis/nis+ support
The GNU C library, starting with version 2.26, deprecated libnsl.
As a result, pam_tcb no longer builds with modern versions of glibc
configured without the --enable-obsolete-nsl option.
While glibc recommends using replacement implementations based on
TIRPC, it's time to get rid of obsolete nis/nis+ support altogether.
---
pam_tcb/Makefile | 4 +-
pam_tcb/pam_tcb.8 | 37 +--------------
pam_tcb/pam_unix_passwd.c | 115 ----------------------------------------------
pam_tcb/support.c | 76 ------------------------------
pam_tcb/support.h | 3 --
pam_tcb/yppasswd.h | 50 --------------------
pam_tcb/yppasswd_xdr.c | 34 --------------
progs/tcb_convert.8 | 2 +-
8 files changed, 5 insertions(+), 316 deletions(-)
delete mode 100644 pam_tcb/yppasswd.h
delete mode 100644 pam_tcb/yppasswd_xdr.c
diff --git a/pam_tcb/Makefile b/pam_tcb/Makefile
index 56e0e24..78b32ad 100644
--- a/pam_tcb/Makefile
+++ b/pam_tcb/Makefile
@@ -5,7 +5,7 @@ PAM_MAP = pam_tcb.map
LIBSRC = \
pam_unix_auth.c pam_unix_acct.c pam_unix_sess.c pam_unix_passwd.c \
- support.c compat.c yppasswd_xdr.c
+ support.c compat.c
LIBOBJ = $(LIBSRC:.c=.o)
@@ -13,7 +13,7 @@ all: $(PAM_TCB)
$(PAM_TCB): $(LIBOBJ) $(PAM_MAP)
$(CC) $(LDFLAGS) -shared -o $@ -Wl,--version-script=$(PAM_MAP) \
- $(LIBOBJ) -lnsl -lcrypt -lpam -ltcb
+ $(LIBOBJ) -lcrypt -lpam -ltcb
.c.o:
$(CC) $(CFLAGS) -fPIC -c $< -o $@
diff --git a/pam_tcb/pam_tcb.8 b/pam_tcb/pam_tcb.8
index e02c2a2..38a338c 100644
--- a/pam_tcb/pam_tcb.8
+++ b/pam_tcb/pam_tcb.8
@@ -91,9 +91,7 @@ file, see
.br
.I /etc/tcb/
directory structure, see
-.BR tcb (5);
-.br
-NIS and NIS+.
+.BR tcb (5).
.SH OPTIONS
Most of the options recognized by
.B pam_unix
@@ -196,18 +194,11 @@ may use the second field of user's "shadow" entry (usually taken from
or a tcb shadow file) as the password hash.
See below for details.
.TP
-.B nisplus
-If set,
-.B pam_tcb
-will acquire the user's EUID before obtaining the password hash.
-If you're using NIS+, you need to turn this on.
-See below for details.
-.TP
.BR write_to =
This option determines where
.B pam_tcb
should store new password hashes when changing passwords.
-Possible settings are: "passwd", "shadow", "tcb", and "nis".
+Possible settings are: "passwd", "shadow", and "tcb".
The default is "shadow".
.TP
.B md5
@@ -288,30 +279,6 @@ field as the hash;
.in -8
.ti -4
if
-.RB ( nisplus
-option is set) {
-.in +8
-.ti -4
-try to acquire EUID of the user; if unsuccessful, fail;
-.br
-.ti -4
-obtain the
-.B "struct spwd"
-for the user with
-.BR getspnam (3);
-.br
-.ti -4
-regain the previous EUID;
-.br
-.ti -4
-use
-.B sp_pwdp
-field as the hash;
-.in -8
-.ti -4
-}
-.ti -4
-if
.RB ( shadow
option is set and
.B pw_passwd
diff --git a/pam_tcb/pam_unix_passwd.c b/pam_tcb/pam_unix_passwd.c
index cd22a12..ee99609 100644
--- a/pam_tcb/pam_unix_passwd.c
+++ b/pam_tcb/pam_unix_passwd.c
@@ -10,9 +10,6 @@
#include <errno.h>
#include <time.h>
#include <sys/stat.h>
-#include <rpc/rpc.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
#include <security/_pam_macros.h>
#define PAM_SM_PASSWORD
@@ -25,12 +22,6 @@
#include "attribute.h"
#include "support.h"
-#include "yppasswd.h"
-
-#if !(((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 1)) || (__GLIBC__ > 2))
-extern int getrpcport(const char *host, unsigned long prognum,
- unsigned long versnum, unsigned int proto);
-#endif
#define DATA_OLD_AUTHTOK "-UN*X-OLD-PASS"
#define DATA_NEW_AUTHTOK "-UN*X-NEW-PASS"
@@ -39,44 +30,6 @@ extern int getrpcport(const char *host, unsigned long prognum,
#define TMP_SUFFIX ".tmp"
-static char *get_nis_server(pam_handle_t *pamh)
-{
- char *master;
- char *domain;
- int port, result;
-
- if ((result = yp_get_default_domain(&domain)) != 0) {
- pam_syslog(pamh, LOG_WARNING,
- "Unable to get local yp domain: %s",
- yperr_string(result));
- return NULL;
- }
-
- if ((result = yp_master(domain, "passwd.byname", &master)) != 0) {
- pam_syslog(pamh, LOG_WARNING,
- "Unable to find the master yp server: %s",
- yperr_string(result));
- return NULL;
- }
-
- port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE,
- IPPROTO_UDP);
-
- if (port == 0) {
- pam_syslog(pamh, LOG_WARNING,
- "yppasswdd not running on NIS master host");
- return NULL;
- }
-
- if (port >= IPPORT_RESERVED) {
- pam_syslog(pamh, LOG_WARNING,
- "yppasswdd running on illegal port");
- return NULL;
- }
-
- return master;
-}
-
static int cpmod(const char *old, const char *new)
{
struct stat st;
@@ -275,71 +228,6 @@ static int update_shadow(pam_handle_t *pamh, const char *forwho,
return retval;
}
-static int update_nis(pam_handle_t *pamh, unused const char *forwho,
- const char *fromwhat, char *towhat, struct passwd *pw)
-{
- struct timeval timeout;
- struct yppasswd yppw;
- char *master;
- CLIENT *client;
- enum clnt_stat result;
- int status;
-
- D(("called"));
-
- /* Make RPC call to NIS server */
- master = get_nis_server(pamh);
- if (!master)
- return PAM_TRY_AGAIN;
-
- /* Initialize password information */
- yppw.newpw.pw_passwd = pw->pw_passwd;
- yppw.newpw.pw_name = pw->pw_name;
- yppw.newpw.pw_uid = pw->pw_uid;
- yppw.newpw.pw_gid = pw->pw_gid;
- yppw.newpw.pw_gecos = pw->pw_gecos;
- yppw.newpw.pw_dir = pw->pw_dir;
- yppw.newpw.pw_shell = pw->pw_shell;
- yppw.oldpass = (char *)fromwhat;
- yppw.newpw.pw_passwd = towhat;
-
- D(("set password %s for %s", yppw.newpw.pw_passwd, forwho));
-
- /*
- * The yppasswd.x file said `unix authentication required',
- * so I added it. This is the only reason it is in here.
- * My yppasswdd doesn't use it, but maybe some others out there
- * do. --okir
- */
- client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp");
- client->cl_auth = authunix_create_default();
- memset(&status, 0, sizeof(status));
- timeout.tv_sec = 25;
- timeout.tv_usec = 0;
- result = clnt_call(client, YPPASSWDPROC_UPDATE,
- (xdrproc_t)xdr_yppasswd, (char *)&yppw,
- (xdrproc_t)xdr_int, (char *)&status, timeout);
-
- status |= result;
- if (status) {
- pam_syslog(pamh, LOG_ERR,
- "Failed to change NIS password on %s%s%s",
- master,
- result ? ": " : "",
- result ? clnt_sperrno(result) : "");
- }
- pam_syslog(pamh, LOG_INFO, "Password%s changed on %s",
- status ? " not" : "", master);
-
- auth_destroy(client->cl_auth);
- clnt_destroy(client);
-
- if (status)
- return PAM_TRY_AGAIN;
-
- return PAM_SUCCESS;
-}
-
static char *get_pwfile(const char *forwho)
{
char *file;
@@ -373,9 +261,6 @@ static int do_setpass(pam_handle_t *pamh, const char *forwho,
if (!pw)
return PAM_AUTHTOK_ERR;
- if (pam_unix_param.write_to == WRITE_NIS)
- return update_nis(pamh, forwho, fromwhat, towhat, pw);
-
file = get_pwfile(forwho);
if (!file) {
pam_syslog(pamh, LOG_CRIT, "Out of memory");
diff --git a/pam_tcb/support.c b/pam_tcb/support.c
index 7bfb97b..322d366 100644
--- a/pam_tcb/support.c
+++ b/pam_tcb/support.c
@@ -13,7 +13,6 @@
#include <crypt.h>
#include <sys/types.h>
#include <sys/wait.h>
-#include <rpcsvc/ypclnt.h>
#include <security/_pam_macros.h>
#include <security/pam_modules.h>
@@ -39,49 +38,11 @@ static void data_cleanup(unused pam_handle_t *pamh, void *data,
_pam_delete(data);
}
-static int nis_getspnam(struct spwd **spw, const struct passwd *pw)
-{
- uid_t old_euid, old_uid;
-
- D(("called"));
-
- old_euid = geteuid();
- old_uid = getuid();
- if (old_uid == pw->pw_uid)
- setreuid(old_euid, old_uid);
- else {
- setreuid(0, -1);
- if (setreuid(-1, pw->pw_uid) == -1) {
- setreuid(-1, 0);
- setreuid(0, -1);
- if (setreuid(-1, pw->pw_uid) == -1)
- return -1;
- }
- }
-
- *spw = getspnam(pw->pw_name);
- endspent();
- if (old_uid == pw->pw_uid)
- setreuid(old_uid, old_euid);
- else {
- if (setreuid(-1, 0) == -1)
- setreuid(old_uid, -1);
- setreuid(-1, old_euid);
- }
-
- return 0;
-}
-
int unix_getspnam(struct spwd **spw, const struct passwd *pw)
{
D(("called"));
- if (on(UNIX_NISPLUS) && !strcmp(pw->pw_passwd, "*NP*") &&
- !nis_getspnam(spw, pw))
- return 0;
-
if (on(UNIX_SHADOW)) {
- D(("in non-NIS shadow"));
*spw = getspnam(pw->pw_name);
endspent();
return 0;
@@ -234,42 +195,8 @@ static int user_in_file(pam_handle_t *pamh, const char *file,
return 1;
}
-static int user_in_nisdb(const char *user, char *hash)
-{
- char *userinfo = NULL, *domain = NULL, *colon;
- int len, i;
-
- len = yp_get_default_domain(&domain);
- if (len != YPERR_SUCCESS)
- return 0;
-
- len = yp_bind(domain);
- if (len != YPERR_SUCCESS)
- return 0;
- i = yp_match(domain, "passwd.byname", user, strlen(user),
- &userinfo, &len);
- yp_unbind(domain);
- if (i != YPERR_SUCCESS)
- return 0;
-
- colon = strchr(userinfo, ':');
- if (!colon) {
- free(userinfo);
- return 0;
- }
-
- *hash = 0;
- strncat(hash, colon + 1, HASH_PREFIX_SIZE - 1);
-
- free(userinfo);
- return 1;
-}
-
int _unix_user_in_db(pam_handle_t *pamh, const char *user, char *hash)
{
- if (pam_unix_param.write_to == WRITE_NIS)
- return user_in_nisdb(user, hash);
-
if (pam_unix_param.write_to == WRITE_PASSWD)
return user_in_file(pamh, PASSWD_FILE, user, hash);
@@ -900,7 +827,6 @@ static struct bool_names {
{"not_set_pass", UNIX_NOT_SET_PASS, 0},
{"use_authtok", UNIX_USE_AUTHTOK, 0},
{"shadow", UNIX_SHADOW, 0},
- {"nisplus", UNIX_NISPLUS, 0},
{"passwd", UNIX_PASSWD, 0},
{"openlog", UNIX_OPENLOG, 0},
{"noopenlog", UNIX_OPENLOG, 1},
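Review bot: Configurations that still pass the `nisplus` keyword are no longer matched by this table, and what happens to an unrecognized keyword is decided outside the hunk (the `bool_names` array starts before it and the lookup loop is not shown); if unknown options are only logged or silently ignored, such a deployment now proceeds through the plain shadow path without any explicit signal that its NIS+ setting was dropped. The same applies to `write_to=nis` in the `_set_ctrl` hunk below, which now falls into the generic `Invalid write_to argument: nis` branch. A transitional, explicit rejection would make the migration visible, e.g. `else if (!strcmp(param, "nis")) pam_syslog(pamh, LOG_ERR, "write_to=nis is no longer supported");` followed by the same failure handling as the invalid-argument branch, and a matching sentence in the man page's OPTIONS section, so that administrators notice the removal in the log rather than discovering it from a changed authentication path.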
@@ -1068,8 +994,6 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int argc, const char **argv)
pam_unix_param.write_to = WRITE_SHADOW;
else if (!strcmp(param, "tcb"))
pam_unix_param.write_to = WRITE_TCB;
- else if (!strcmp(param, "nis"))
- pam_unix_param.write_to = WRITE_NIS;
else {
pam_syslog(pamh, LOG_ERR,
"Invalid write_to argument: %s", param);
diff --git a/pam_tcb/support.h b/pam_tcb/support.h
index 661e4af..f2cf89e 100644
--- a/pam_tcb/support.h
+++ b/pam_tcb/support.h
@@ -79,7 +79,6 @@ enum {
UNIX_USE_AUTHTOK, /* insist on reading PAM_AUTHTOK */
UNIX_SHADOW, /* use shadow for auth */
- UNIX_NISPLUS, /* wish to use NIS+ for auth */
UNIX_PASSWD, /* retr hashes from /etc/passwd for auth */
UNIX_OPENLOG, /* use openlog(3)/closelog(3) calls */
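Review bot: Removing `UNIX_NISPLUS` renumbers every enumerator that follows it (`UNIX_PASSWD`, `UNIX_OPENLOG`, and whatever comes after the hunk), and the second hunk of this file likewise moves `WRITE_TCB` from 3 to 2; both enums begin outside the hunk. This is harmless as long as the values are only ever compared against their enumerator names and never stored across rebuilds or matched against numeric literals, which I cannot confirm from the diff alone. A short comment on each enum would make that assumption explicit, e.g. `/* positional values: compare by name only, never persist */`, and a grep for literal comparisons against `write_to` would close the question.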
@@ -110,7 +109,6 @@ enum {
enum {
WRITE_PASSWD = 0, /* write changed password to /etc/passwd */
WRITE_SHADOW, /* write changed password to /etc/shadow */
- WRITE_NIS, /* write changed password via NIS */
WRITE_TCB /* write changed password to /etc/tcb/ */
};
@@ -182,7 +180,6 @@ typedef int (*cb_func) (pam_handle_t *, const void *);
extern int _unix_fork(pam_handle_t *, cb_func, const void *);
extern int _set_ctrl(pam_handle_t *, int flags, int argc, const char **argv);
-extern int _unix_comesfromsource(const char *user, int files, int nis);
extern int _unix_blankpasswd(pam_handle_t *, const char *user);
extern int _unix_verify_password(pam_handle_t *, const char *, const char *);
extern int _unix_read_password(pam_handle_t *, const char *comment,
diff --git a/pam_tcb/yppasswd.h b/pam_tcb/yppasswd.h
deleted file mode 100644
index 6cc466a..0000000
--- a/pam_tcb/yppasswd.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * yppasswdd
- * Copyright 1994, 1995, 1996 Olaf Kirch, <okir at monad.swb.de>
- *
- * This program is covered by the GNU General Public License, version 2.
- * It is provided in the hope that it is useful. However, the author
- * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
- *
- * This file was generated automatically by rpcgen from yppasswd.x, and
- * edited manually.
- */
-
-#ifndef _YPPASSWD_H
-#define _YPPASSWD_H
-
-#define YPPASSWDPROG ((u_long)100009)
-#define YPPASSWDVERS ((u_long)1)
-#define YPPASSWDPROC_UPDATE ((u_long)1)
-
-/*
- * The password struct passed by the update call. I renamed it to
- * xpasswd to avoid a type clash with the one defined in <pwd.h>.
- */
-#ifndef __sgi
-typedef struct xpasswd {
- char *pw_name;
- char *pw_passwd;
- int pw_uid;
- int pw_gid;
- char *pw_gecos;
- char *pw_dir;
- char *pw_shell;
-} xpasswd;
-#else
-#include <pwd.h>
-typedef struct xpasswd xpasswd;
-#endif
-
-/* The updated password information, plus the old password.
- */
-typedef struct yppasswd {
- char *oldpass;
- xpasswd newpw;
-} yppasswd;
-
-/* XDR encoding/decoding routines */
-bool_t xdr_xpasswd(XDR *xdrs, xpasswd *objp);
-bool_t xdr_yppasswd(XDR *xdrs, yppasswd *objp);
-
-#endif
diff --git a/pam_tcb/yppasswd_xdr.c b/pam_tcb/yppasswd_xdr.c
deleted file mode 100644
index 7e0ed49..0000000
--- a/pam_tcb/yppasswd_xdr.c
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * yppasswdd
- * Copyright 1994, 1995, 1996 Olaf Kirch, <okir at monad.swb.de>
- *
- * This program is covered by the GNU General Public License, version 2.
- * It is provided in the hope that it is useful. However, the author
- * disclaims ALL WARRANTIES, expressed or implied. See the GPL for details.
- *
- * This file was generated automatically by rpcgen from yppasswd.x, and
- * editied manually.
- */
-
-#include <rpc/rpc.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include "yppasswd.h"
-
-bool_t xdr_xpasswd(XDR *xdrs, xpasswd *objp)
-{
- return xdr_string(xdrs, &objp->pw_name, ~0) &&
- xdr_string(xdrs, &objp->pw_passwd, ~0) &&
- xdr_int(xdrs, &objp->pw_uid) &&
- xdr_int(xdrs, &objp->pw_gid) &&
- xdr_string(xdrs, &objp->pw_gecos, ~0) &&
- xdr_string(xdrs, &objp->pw_dir, ~0) &&
- xdr_string(xdrs, &objp->pw_shell, ~0);
-}
-
-bool_t xdr_yppasswd(XDR *xdrs, yppasswd *objp)
-{
- return xdr_string(xdrs, &objp->oldpass, ~0) &&
- xdr_xpasswd(xdrs, &objp->newpw);
-}
diff --git a/progs/tcb_convert.8 b/progs/tcb_convert.8
index fda02a6..4114fb8 100644
--- a/progs/tcb_convert.8
+++ b/progs/tcb_convert.8
@@ -65,7 +65,7 @@ find the "shadow" entry and replace the "files" method with "tcb"; the
edited line should look like this:
.sp
.ad l
-shadow: tcb nisplus nis
+shadow: tcb
.ad b
.TP
6.
--
ldv