From owner-freebsd-ports Mon Sep 23 7:10:17 2002 Delivered-To: freebsd-ports@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 92D5E37B401 for ; Mon, 23 Sep 2002 07:10:05 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id F07D143E88 for ; Mon, 23 Sep 2002 07:10:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id g8NEA2Co034576 for ; Mon, 23 Sep 2002 07:10:02 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id g8NEA2x4034575; Mon, 23 Sep 2002 07:10:02 -0700 (PDT) Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1CCA137B401 for ; Mon, 23 Sep 2002 07:08:10 -0700 (PDT) Received: from tradex.sk (tradex.sk [81.0.229.33]) by mx1.FreeBSD.org (Postfix) with ESMTP id C85BA43E65 for ; Mon, 23 Sep 2002 07:08:08 -0700 (PDT) (envelope-from rebum@tradex.sk) Received: from tradex.sk (tradex [81.0.229.33]) by tradex.sk (8.12.3/8.12.3) with ESMTP id g8NE91Lh085006 for ; Mon, 23 Sep 2002 16:09:01 +0200 (CEST) (envelope-from rebum@tradex.sk) Received: (from rebum@localhost) by tradex.sk (8.12.3/8.12.3/Submit) id g8NE91VX085005; Mon, 23 Sep 2002 16:09:01 +0200 (CEST) (envelope-from rebum) Message-Id: <200209231409.g8NE91VX085005@tradex.sk> Date: Mon, 23 Sep 2002 16:09:01 +0200 (CEST) From: Martin Matuska To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Subject: ports/43286: Non-Maintainer Update: mail/poppassd Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 43286 >Category: ports >Synopsis: Non-Maintainer Update: mail/poppassd >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Mon Sep 23 07:10:01 PDT 2002 >Closed-Date: >Last-Modified: >Originator: Martin Matuska >Release: FreeBSD 4.6.2-RELEASE i386 >Organization: >Environment: System: FreeBSD tradex.sk 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #0: Mon Sep 2 16:58:43 CEST 2002 root@s1.serverdock.net:/usr/src/sys/compile/SERVERDOCK i386 >Description: The poppassd does not understand the current passwd reply format on success. Problem is in files/patch-ab, line 50 - the current passwd reply is not "\npasswd: rebuilding the database...\npasswd: done\n" but "\npasswd: updating the database...\npasswd: done\n" To remain compatibility a new line wiht the new reply is added to files/patch-ab (see Fix). >How-To-Repeat: If changing password via poppassd, the current reply on success is: "500 Unable to change password." >Fix: --- poppassd.orig/files/patch-ab Sat Jul 28 09:20:49 2001 +++ poppassd/files/patch-ab Sat Sep 21 09:57:25 2002 @@ -1,79 +1,139 @@ ---- poppassd.c.orig Mon Jun 7 19:34:23 1999 -+++ poppassd.c Mon Jun 7 19:40:00 1999 -@@ -13,11 +13,11 @@ +*** poppassd.c.orig Sat Sep 21 02:03:18 2002 +--- poppassd.c Sat Sep 21 02:04:10 2002 +*************** +*** 13,23 **** * * Doesn't actually change any passwords itself. It simply listens for * incoming requests, gathers the required information (user name, old -- * password, new password) and executes /bin/passwd, talking to it over -+ * password, new password) and executes /usr/bin/passwd, talking to it over +! * password, new password) and executes /bin/passwd, talking to it over * a pseudo-terminal pair. The advantage of this is that we don't need * to have any knowledge of either the password file format (which may * include dbx files that need to be rebuilt) or of any file locking -- * protocol /bin/passwd and cohorts may use (and which isn't documented). -+ * protocol /usr/bin/passwd and cohorts may use (and which isn't documented). +! * protocol /bin/passwd and cohorts may use (and which isn't documented). * * The current version has been tested at NU under SunOS release 4.1.2 * and 4.1.3, and under HP-UX 8.02 and 9.01. We have tested the server -@@ -29,7 +29,7 @@ +--- 13,23 ---- + * + * Doesn't actually change any passwords itself. It simply listens for + * incoming requests, gathers the required information (user name, old +! * password, new password) and executes /usr/bin/passwd, talking to it over + * a pseudo-terminal pair. The advantage of this is that we don't need + * to have any knowledge of either the password file format (which may + * include dbx files that need to be rebuilt) or of any file locking +! * protocol /usr/bin/passwd and cohorts may use (and which isn't documented). + * + * The current version has been tested at NU under SunOS release 4.1.2 + * and 4.1.3, and under HP-UX 8.02 and 9.01. We have tested the server +*************** +*** 29,35 **** + * Note that unencrypted passwords are transmitted over the network. If + * this bothers you, think hard about whether you want to implement the + * password changing feature. On the other hand, it's no worse than what +! * happens when you run /bin/passwd while connected via telnet or rlogin. + * Well, maybe it is, since the use of a dedicated port makes it slightly + * easier for a network snooper to snarf passwords off the wire. + * +--- 29,35 ---- * Note that unencrypted passwords are transmitted over the network. If * this bothers you, think hard about whether you want to implement the * password changing feature. On the other hand, it's no worse than what -- * happens when you run /bin/passwd while connected via telnet or rlogin. -+ * happens when you run /usr/bin/passwd while connected via telnet or rlogin. +! * happens when you run /usr/bin/passwd while connected via telnet or rlogin. * Well, maybe it is, since the use of a dedicated port makes it slightly * easier for a network snooper to snarf passwords off the wire. * -@@ -47,7 +47,7 @@ +*************** +*** 47,53 **** * (which talks to /bin/password) is directly descended from Smith's * version, with changes for SunOS and HP-UX by Norstad (with help from * sample code in "Advanced Programming in the UNIX Environment" -- * by W. Richard Stevens). The code to report /bin/passwd error messages -+ * by W. Richard Stevens). The code to report /usr/bin/passwd error messages +! * by W. Richard Stevens). The code to report /bin/passwd error messages * back to the client in the final 500 response, and a new version of the * code to find the next free pty, is by Norstad. * -@@ -145,8 +145,9 @@ +--- 47,53 ---- + * (which talks to /bin/password) is directly descended from Smith's + * version, with changes for SunOS and HP-UX by Norstad (with help from + * sample code in "Advanced Programming in the UNIX Environment" +! * by W. Richard Stevens). The code to report /usr/bin/passwd error messages + * back to the client in the final 500 response, and a new version of the + * code to find the next free pty, is by Norstad. + * +*************** +*** 145,152 **** + static char *P1[] = + {"Old password:", + "Changing password for *.\nOld password:", + "Changing password for * on *.\nOld password:", +! "Changing NIS password for * on *.\nOld password:", + "Changing password for *\n*'s Old password:", + ""}; + +--- 145,153 ---- static char *P1[] = {"Old password:", "Changing password for *.\nOld password:", + "Changing local password for *.\nOld password:", "Changing password for * on *.\nOld password:", -- "Changing NIS password for * on *.\nOld password:", -+ "Changing NIS password for * on *.\nOld Password: ", +! "Changing NIS password for * on *.\nOld Password: ", "Changing password for *\n*'s Old password:", ""}; -@@ -165,7 +166,9 @@ +*************** +*** 165,171 **** +--- 166,175 ---- static char *P4[] = {"\n", ++ "\npasswd: updating the database...\npasswd: done\n", + "\npasswd: rebuilding the database...\npasswd: done\n", "NIS entry changed on *\n", + "\n\nNIS password has been changed on *.\n", ""}; -@@ -186,11 +189,7 @@ +*************** +*** 186,196 **** *user = *oldpass = *newpass = 0; -- if (openlog ("poppassd", LOG_PID, LOG_LOCAL2) < 0) -- { -- WriteToClient ("500 Can't open syslog."); -- exit (1); -- } -+ openlog ("poppassd", LOG_PID, LOG_LOCAL2); +! if (openlog ("poppassd", LOG_PID, LOG_LOCAL2) < 0) +! { +! WriteToClient ("500 Can't open syslog."); +! exit (1); +! } WriteToClient ("200 poppassd v%s hello, who are you?", VERSION); ReadFromClient (line); -@@ -212,12 +211,16 @@ +--- 190,196 ---- + + *user = *oldpass = *newpass = 0; + +! openlog ("poppassd", LOG_PID, LOG_LOCAL2); + + WriteToClient ("200 poppassd v%s hello, who are you?", VERSION); + ReadFromClient (line); +*************** +*** 212,223 **** if ((pw = getpwnam (user)) == NULL) { -- WriteToClient ("500 Unknown user, %s.", user); -+ syslog (LOG_ERR, "Unknown user, %s", user); -+ sleep (5); -+ WriteToClient ("500 Old password is incorrect."); +! WriteToClient ("500 Unknown user, %s.", user); + exit(1); + } + + if (chkPass (user, oldpass, pw) == FAILURE) + { + WriteToClient ("500 Old password is incorrect."); + exit(1); + } +--- 212,227 ---- + + if ((pw = getpwnam (user)) == NULL) + { +! syslog (LOG_ERR, "Unknown user, %s", user); +! sleep (5); +! WriteToClient ("500 Old password is incorrect."); exit(1); } @@ -84,80 +144,123 @@ WriteToClient ("500 Old password is incorrect."); exit(1); } -@@ -264,28 +267,28 @@ +*************** +*** 264,291 **** + + if ((wpid = waitpid (pid, &wstat, 0)) < 0) + { +! syslog (LOG_ERR, "wait for /bin/passwd child failed: %m"); + WriteToClient ("500 Server error (wait failed), get help!"); + exit (1); + } + + if (pid != wpid) + { +! syslog (LOG_ERR, "wrong child (/bin/passwd waited for!"); + WriteToClient ("500 Server error (wrong child), get help!"); + exit (1); + } + + if (WIFEXITED (wstat) == 0) + { +! syslog (LOG_ERR, "child (/bin/passwd) killed?"); + WriteToClient ("500 Server error (funny wstat), get help!"); + exit (1); + } + + if (WEXITSTATUS (wstat) != 0) + { +! syslog (LOG_ERR, "child (/bin/passwd) exited abnormally"); + WriteToClient ("500 Server error (abnormal exit), get help!"); + exit (1); + } +--- 268,295 ---- if ((wpid = waitpid (pid, &wstat, 0)) < 0) { -- syslog (LOG_ERR, "wait for /bin/passwd child failed: %m"); -+ syslog (LOG_ERR, "wait for /usr/bin/passwd child failed: %m"); +! syslog (LOG_ERR, "wait for /usr/bin/passwd child failed: %m"); WriteToClient ("500 Server error (wait failed), get help!"); exit (1); } if (pid != wpid) { -- syslog (LOG_ERR, "wrong child (/bin/passwd waited for!"); -+ syslog (LOG_ERR, "wrong child (/usr/bin/passwd) waited for!"); +! syslog (LOG_ERR, "wrong child (/usr/bin/passwd) waited for!"); WriteToClient ("500 Server error (wrong child), get help!"); exit (1); } if (WIFEXITED (wstat) == 0) { -- syslog (LOG_ERR, "child (/bin/passwd) killed?"); -+ syslog (LOG_ERR, "child (/usr/bin/passwd) killed?"); +! syslog (LOG_ERR, "child (/usr/bin/passwd) killed?"); WriteToClient ("500 Server error (funny wstat), get help!"); exit (1); } if (WEXITSTATUS (wstat) != 0) { -- syslog (LOG_ERR, "child (/bin/passwd) exited abnormally"); -+ syslog (LOG_ERR, "child (/usr/bin/passwd) exited abnormally"); +! syslog (LOG_ERR, "child (/usr/bin/passwd) exited abnormally"); WriteToClient ("500 Server error (abnormal exit), get help!"); exit (1); } -@@ -304,17 +307,19 @@ +*************** +*** 304,320 **** } else /* Child */ { -- /* -- * Become the user trying who's password is being changed. We're -- * about to exec /bin/passwd with is setuid root anyway, but this -- * way it looks to the child completely like it's being run by -- * the normal user, which makes it do its own password verification -- * before doing any thing. In theory, we've already verified the -- * password, but this extra level of checking doesn't hurt. Besides, -- * the way I do it here, if somebody manages to change somebody -- * else's password, you can complain to your vendor about security -- * holes, not to me! -- */ -+ /* Start new session - gets rid of controlling terminal. */ -+ -+ if (setsid() < 0) { -+ syslog(LOG_ERR, "setsid failed: %m"); -+ return(0); -+ } -+ -+ /* Set login name */ -+ -+ if (setlogin(user) < 0) { -+ syslog(LOG_ERR, "setlogin failed: %m"); -+ return(0); -+ } +! /* +! * Become the user trying who's password is being changed. We're +! * about to exec /bin/passwd with is setuid root anyway, but this +! * way it looks to the child completely like it's being run by +! * the normal user, which makes it do its own password verification +! * before doing any thing. In theory, we've already verified the +! * password, but this extra level of checking doesn't hurt. Besides, +! * the way I do it here, if somebody manages to change somebody +! * else's password, you can complain to your vendor about security +! * holes, not to me! +! */ + setuid (pw->pw_uid); + setgid (pw->pw_gid); + dochild (master, slavedev, user); +--- 308,326 ---- + } + else /* Child */ + { +! /* Start new session - gets rid of controlling terminal. */ +! +! if (setsid() < 0) { +! syslog(LOG_ERR, "setsid failed: %m"); +! return(0); +! } +! +! /* Set login name */ +! +! if (setlogin(user) < 0) { +! syslog(LOG_ERR, "setlogin failed: %m"); +! return(0); +! } setuid (pw->pw_uid); setgid (pw->pw_gid); dochild (master, slavedev, user); -@@ -324,7 +329,7 @@ +*************** +*** 324,330 **** /* * dochild * -- * Do child stuff - set up slave pty and execl /bin/passwd. -+ * Do child stuff - set up slave pty and execl /usr/bin/passwd. +! * Do child stuff - set up slave pty and execl /bin/passwd. * * Code adapted from "Advanced Programming in the UNIX Environment" * by W. Richard Stevens. -@@ -338,13 +343,6 @@ +--- 330,336 ---- + /* + * dochild + * +! * Do child stuff - set up slave pty and execl /usr/bin/passwd. + * + * Code adapted from "Advanced Programming in the UNIX Environment" + * by W. Richard Stevens. +*************** +*** 338,350 **** int slave; struct termios stermios; @@ -171,21 +274,48 @@ /* Open slave pty and acquire as new controlling terminal. */ if ((slave = open(slavedev, O_RDWR)) < 0) { -@@ -387,10 +385,10 @@ +--- 344,349 ---- +*************** +*** 387,396 **** + return(0); + } + +! /* Fork /bin/passwd. */ + +! if (execl("/bin/passwd", "passwd", user, (char*)0) < 0) { +! syslog(LOG_ERR, "can't exec /bin/passwd: %m"); + return(0); + } + } +--- 386,395 ---- return(0); } -- /* Fork /bin/passwd. */ -+ /* Fork /usr/bin/passwd. */ +! /* Fork /usr/bin/passwd. */ -- if (execl("/bin/passwd", "passwd", user, (char*)0) < 0) { -- syslog(LOG_ERR, "can't exec /bin/passwd: %m"); -+ if (execl("/usr/bin/passwd", "passwd", user, (char*)0) < 0) { -+ syslog(LOG_ERR, "can't exec /usr/bin/passwd: %m"); +! if (execl("/usr/bin/passwd", "passwd", user, (char*)0) < 0) { +! syslog(LOG_ERR, "can't exec /usr/bin/passwd: %m"); return(0); } } -@@ -408,15 +406,20 @@ +*************** +*** 408,422 **** + * + * Modified by Norstad to remove assumptions about number of pty's allocated + * on this UNIX box. + */ + findpty (slave) + char **slave; + { + int master; +! static char *line = "/dev/ptyXX"; + DIR *dirp; + struct dirent *dp; + + dirp = opendir("/dev"); + while ((dp = readdir(dirp)) != NULL) { + if (strncmp(dp->d_name, "pty", 3) == 0 && strlen(dp->d_name) == 5) { +--- 407,426 ---- * * Modified by Norstad to remove assumptions about number of pty's allocated * on this UNIX box. @@ -198,8 +328,7 @@ char **slave; { int master; -- static char *line = "/dev/ptyXX"; -+ static char line[11]; +! static char line[11]; DIR *dirp; struct dirent *dp; @@ -207,12 +336,22 @@ dirp = opendir("/dev"); while ((dp = readdir(dirp)) != NULL) { if (strncmp(dp->d_name, "pty", 3) == 0 && strlen(dp->d_name) == 5) { -@@ -485,9 +488,11 @@ +*************** +*** 485,493 **** } writestring(master, pswd); -- -+ sleep(2); +! + if (!expect(master, P4, buf)) return FAILURE; + + return SUCCESS; + } + +--- 489,499 ---- + } + + writestring(master, pswd); +! sleep(2); if (!expect(master, P4, buf)) return FAILURE; + close(master); @@ -220,11 +359,13 @@ return SUCCESS; } -@@ -566,6 +571,7 @@ +*************** +*** 566,571 **** +--- 572,578 ---- } n += m; buf[n] = 0; -+/* syslog(LOG_ERR, "read from child: %s",buf); */ ++ /* syslog(LOG_ERR, "read from child: %s",buf); */ initialSegment = 0; for (s = expected; **s != 0; s++) { result = match(buf, *s); >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message