Date: Wed, 27 Nov 2002 13:37:05 -0800
From: Terry Lambert <tlambert2@mindspring.com>
To: "David W. Chapman Jr." <dwcjr@inethouston.net>
Cc: current@freebsd.org
Subject: Re: pw_user.c change for samba
Message-ID: <3DE53B01.BC819662@mindspring.com>
References: <20021127192126.GA31706@leviathan.inethouston.net> <3DE52B70.44402B98@mindspring.com> <20021127203401.GA35573@leviathan.inethouston.net> <3DE5315A.FC6D59B@mindspring.com> <20021127210640.GA36331@leviathan.inethouston.net>
"David W. Chapman Jr." wrote:
> > If it's allowed, it would probably only be allowed in the
> > user name (i.e. the patch is wrong; it should probably add
> > another parameter to the allowable values of 'int gecos', and
> > change it to 'int checktype' or similar).
>
> I don't have a problem with this, but the patch I sent in is the
> extent of my abilities to give me desired results (making pw like
> samba)

See attached patch.

It could still screw scripts (e.g. the perl script version of "adduser") by allowing the "$" in the login field, but at least it keeps it out of the login class and group fields.

See below, though: I don't think '$' should be permitted.

> > It seems to me that another alternative is that all these
> > names end in '$'; therefore, when you are expecting one of
> > these names, you could imply a '$', without needing to actually
> > have it in the password file -- in other words, it's an
> > attribute, not really part of the account name.
> >
> > Will this open up a security hole for a normal user account
> > being used to compromise the domain system security? Is it
> > absolutely necessary to use an in-band method to distinguish
> > these records from ordinary user accounts?
>
> I don't think the samba people would be willing to make this type of
> change just for FreeBSD since it works for most everyone else. I
> also don't think there is currently a way to store attributes about
> machines/users permanently in samba.

I think you misunderstand. The intent is to allow accounts without "$" appended to be used as machine logins. Samba would see the '$', remove it, and check normally. The potential problem is that normal user accounts could be used in place of machines.
The proper "BSD way" to avoid this hack would be to add a login class "samba_server" (or whatever), and make Samba permit this type of check only if the user was in the correct login class.

-- Terry

[Attachment: pwcheck.diff]

Index: pw.h =================================================================== RCS file: /cvs/src/usr.sbin/pw/pw.h,v retrieving revision 1.13 diff -c -r1.13 pw.h *** pw.h 5 Jul 2001 08:01:15 -0000 1.13 --- pw.h 27 Nov 2002 17:21:03 -0000 *************** *** 62,67 **** --- 62,74 ---- W_NUM }; + enum _checktype + { + PWC_DEFAULT, + PWC_GECOS, + PWC_LOGIN + }; + struct carg { int ch; *************** *** 105,111 **** int pw_user(struct userconf * cnf, int mode, struct cargs * _args); int pw_group(struct userconf * cnf, int mode, struct cargs * _args); ! char *pw_checkname(u_char *name, int gecos); int addpwent(struct passwd * pwd); int delpwent(struct passwd * pwd); --- 112,118 ---- int pw_user(struct userconf * cnf, int mode, struct cargs * _args); int pw_group(struct userconf * cnf, int mode, struct cargs * _args); ! char *pw_checkname(u_char *name, enum _checktype checktype); int addpwent(struct passwd * pwd); int delpwent(struct passwd * pwd); Index: pw_user.c =================================================================== RCS file: /cvs/src/usr.sbin/pw/pw_user.c,v retrieving revision 1.51 diff -c -r1.51 pw_user.c *** pw_user.c 24 Jun 2002 11:33:17 -0000 1.51 --- pw_user.c 27 Nov 2002 17:30:43 -0000 *************** *** 231,237 **** } } if ((arg = getarg(args, 'L')) != NULL) ! cnf->default_class = pw_checkname((u_char *)arg->val, 0); if ((arg = getarg(args, 'G')) != NULL && arg->val) { int i = 0; --- 231,237 ---- } } if ((arg = getarg(args, 'L')) != NULL) ! 
cnf->default_class = pw_checkname((u_char *)arg->val, PWC_DEFAULT); if ((arg = getarg(args, 'G')) != NULL && arg->val) { int i = 0; *************** *** 293,299 **** } if ((a_name = getarg(args, 'n')) != NULL) ! pwd = GETPWNAM(pw_checkname((u_char *)a_name->val, 0)); a_uid = getarg(args, 'u'); if (a_uid == NULL) { --- 293,299 ---- } if ((a_name = getarg(args, 'n')) != NULL) ! pwd = GETPWNAM(pw_checkname((u_char *)a_name->val, PWC_LOGIN)); a_uid = getarg(args, 'u'); if (a_uid == NULL) { *************** *** 455,461 **** if ((arg = getarg(args, 'l')) != NULL) { if (strcmp(pwd->pw_name, "root") == 0) errx(EX_DATAERR, "can't rename `root' account"); ! pwd->pw_name = pw_checkname((u_char *)arg->val, 0); edited = 1; } --- 455,461 ---- if ((arg = getarg(args, 'l')) != NULL) { if (strcmp(pwd->pw_name, "root") == 0) errx(EX_DATAERR, "can't rename `root' account"); ! pwd->pw_name = pw_checkname((u_char *)arg->val, PWC_LOGIN); edited = 1; } *************** *** 595,601 **** * Shared add/edit code */ if ((arg = getarg(args, 'c')) != NULL) { ! char *gecos = pw_checkname((u_char *)arg->val, 1); if (strcmp(pwd->pw_gecos, gecos) != 0) { pwd->pw_gecos = gecos; edited = 1; --- 595,601 ---- * Shared add/edit code */ if ((arg = getarg(args, 'c')) != NULL) { ! char *gecos = pw_checkname((u_char *)arg->val, PWC_GECOS); if (strcmp(pwd->pw_gecos, gecos) != 0) { pwd->pw_gecos = gecos; edited = 1; *************** *** 1192,1201 **** } char * ! pw_checkname(u_char *name, int gecos) { int l = 0; ! char const *notch = gecos ? ":!@" : " ,\t:+&#%$^()!@~*?<>=|\\/\""; while (name[l]) { if (strchr(notch, name[l]) != NULL || name[l] < ' ' || name[l] == 127 || --- 1192,1217 ---- } char * ! pw_checkname(u_char *name, enum _checktype checktype) { int l = 0; ! char const *notch; ! int gecos = (checktype == PWC_GECOS); ! ! switch (checktype) { ! case PWC_GECOS: ! notch = ":!@"; ! break; ! ! case PWC_LOGIN: ! notch = " ,\t:+&#%^()!@~*?<>=|\\/\""; ! break; ! ! case PWC_DEFAULT: ! default: ! 
notch = " ,\t:+&#%$^()!@~*?<>=|\\/\""; ! break; ! } while (name[l]) { if (strchr(notch, name[l]) != NULL || name[l] < ' ' || name[l] == 127 ||
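Review bot: the tag `_checktype` introduced in the pw.h 62,67 hunk starts with an underscore at file scope, a form the C standard reserves for the implementation; a plain `checktype` (or `pw_checktype`) tag avoids that. The three enumerators also carry no comment saying which field each one governs (login class and group name, GECOS, login name); since this enum is now the switch that decides where '$' is accepted, a one-line comment per value would make later audits easier.

Review bot: in the pw.h 105,111 hunk, changing the second parameter of pw_checkname() from `int gecos` to `enum _checktype checktype` does not stop stale callers from compiling: a call that still passes the literal 0 or 1 converts silently to the enum. The message says group names keep the strict check, yet pw_group() is declared in the same header and no group code appears in the diff, so any such caller keeps working only because PWC_DEFAULT happens to be the first enumerator. Either convert every caller to the named constants in the same commit, or give the enumerators explicit values (`PWC_DEFAULT = 0`) with a comment that 0 must remain the strict default.

Review bot: the pw_user.c 455,461 hunk makes the `-l` rename path validate with PWC_LOGIN, so an existing ordinary account can be renamed to a name ending in '$' and thereby take on the shape Samba keys on; the message itself names normal accounts being used in place of machines as the risk. If the relaxation stays, it belongs in pw(8)'s description of `-l` and `-n`, which this diff does not touch, and the login-class check proposed above the patch is what would let Samba tell the two kinds of account apart.

Review bot: the PWC_LOGIN string in the pw_user.c 1192,1201 hunk is the PWC_DEFAULT string with only '$' removed, yet it accepts '$' at any position, not just as the final character that the thread says every Samba machine name ends in. Testing `name[l] == '$' && name[l + 1] == '\0'` before the strchr() and rejecting '$' elsewhere would confine the relaxation to the one shape Samba needs and shrink what the perl adduser script can trip over. The two near-identical strings also invite drift, so keeping a single master string and expressing the exception in code would make the intent visible. `int gecos = (checktype == PWC_GECOS);` is presumably kept for code lower in the function that the hunk does not show; its remaining uses should be checked once the callers settle.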
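As an added example, not code from this thread or from FreeBSD's pw(8), the following C program re-implements the three-context name check in stand-alone form and goes beyond the patch in one respect: in the login context it tolerates '$' only as the trailing character, which is the machine-account shape the thread describes, and it includes the strip-the-suffix step that Terry's "attribute, not part of the account name" alternative would need. The function names (`name_ok`, `strip_machine_suffix`) and the sample names are hypothetical.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-alone re-implementation of a pw_checkname()-style
 * filter for the three contexts the thread discusses. It is not the
 * FreeBSD pw(8) code; only the enumerator names mirror the patch. */
enum checktype { PWC_DEFAULT, PWC_GECOS, PWC_LOGIN };

/* Characters rejected in a login name, group name or login class
 * (the default set from the patch, '$' included). */
static const char default_notch[] = " ,\t:+&#%$^()!@~*?<>=|\\/\"";
/* GECOS only has to keep the passwd(5) record parseable. */
static const char gecos_notch[] = ":!@";

/*
 * Return 1 if `name' is acceptable in context `ct', else 0.
 * PWC_LOGIN tolerates a single '$', and only as the last character of a
 * name that has at least one other character: that is the trailing-'$'
 * machine-account convention the thread describes, so '$' stays out of
 * every other position and out of the class and group fields entirely.
 */
int name_ok(const char *name, enum checktype ct)
{
    const char *notch = (ct == PWC_GECOS) ? gecos_notch : default_notch;
    size_t len = strlen(name);
    size_t i;

    if (len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c < ' ' || c == 127)                /* control characters */
            return 0;
        if (c == '$' && ct == PWC_LOGIN && i == len - 1 && i > 0)
            continue;                           /* trailing '$': machine account */
        if (strchr(notch, c) != NULL)
            return 0;
    }
    return 1;
}

/*
 * Treat the trailing '$' as an attribute rather than part of the name:
 * copy "host$" into `out' as "host" and return 1, or return 0 when the
 * name carries no '$' suffix (or is just "$") or `out' is too small.
 */
int strip_machine_suffix(const char *name, char *out, size_t outlen)
{
    size_t len = strlen(name);

    if (len < 2 || name[len - 1] != '$' || len > outlen)
        return 0;
    memcpy(out, name, len - 1);
    out[len - 1] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample names, one per case of interest. */
    const char *samples[] = { "alice", "host$", "ho$st", "bad name" };
    char base[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s login=%d class/group=%d\n", samples[i],
               name_ok(samples[i], PWC_LOGIN),
               name_ok(samples[i], PWC_DEFAULT));
    if (strip_machine_suffix("host$", base, sizeof base))
        printf("machine account for host `%s'\n", base);
    return 0;
}
```

Wiring this into a Samba-side check would pair `strip_machine_suffix()` with the login-class test Terry proposes: accept the stripped name only if the account is in the designated class, so an ordinary user who merely chose a name ending in '$' is still refused.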