Date: Thu, 7 Apr 2005 10:43:12 +0200
From: Stefan Farfeleder <stefanf@FreeBSD.org>
To: Jacques Vidrine <nectar@FreeBSD.org>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/libexec/rexecd rexecd.c
Message-ID: <20050407084309.GF644@wombat.fafoe.narf.at>
In-Reply-To: <200504051455.j35EtXfw046906@repoman.freebsd.org>
References: <200504051455.j35EtXfw046906@repoman.freebsd.org>

On Tue, Apr 05, 2005 at 02:55:33PM +0000, Jacques Vidrine wrote:
> nectar 2005-04-05 14:55:33 UTC
>
> FreeBSD src repository
>
> Modified files:
> libexec/rexecd rexecd.c
> Log:
> DES pointed out that the PAM layer may change the target user name
> during authentication. Thus we need to call getpwnam *after* the user
> has been authenticated. Colin mentioned that we should also move the
> check for root in that case.

static void doit(struct sockaddr *fromp)
{
	char *cmdbuf, *cp;
	int maxcmdlen;
	char user[16], pass[16];
...
	if (!pam_ok(pam_start("rexecd", user, &pamc, &pamh)) ||
	    !pam_ok(pam_set_item(pamh, PAM_RHOST, remote)) ||
	    !pam_ok(pam_set_item(pamh, PAM_AUTHTOK, pass)) ||
	    !pam_ok(pam_authenticate(pamh, pam_flags)) ||
	    !pam_ok(pam_acct_mgmt(pamh, pam_flags)) ||
	    !pam_ok(pam_get_item(pamh, PAM_USER, (const void **)&user)) ||

I don't know anything about PAM, but apparently pam_get_item() stores a
pointer into *item. Here the pointer value is written into the first few
bytes of the array `user' (assuming it is correctly aligned).

Stefan
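
Added example, not part of the message above or of the FreeBSD source: a self-contained C sketch of the pointer-into-array problem the message describes, next to a pattern that receives the pointer in a pointer variable and copies with a length check. get_item_stub() and stub_user are hypothetical stand-ins that model only the "stores a pointer into *item" behaviour, so the code runs without libpam; the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for pam_get_item(): it copies nothing and only
 * stores a pointer to storage it owns at the address it is given. */
static const char *stub_user = "mapped-user";	/* constructed sample name */

static int get_item_stub(const void **item)
{
	/* Same effect as *item = stub_user, kept well-defined for the demo. */
	memcpy(item, &stub_user, sizeof stub_user);
	return 0;
}

/* Pattern from the quoted code: &user is the address of the array itself,
 * so the callee overwrites its first sizeof(void *) bytes with a pointer.
 * Returns 1 when user[] now begins with pointer bytes, not a name. */
int buggy_lookup(void)
{
	_Alignas(void *) char user[16] = "alice";

	get_item_stub((const void **)&user);
	return memcmp(user, &stub_user, sizeof stub_user) == 0;
}

/* Receive the pointer in a pointer variable, then copy the string into the
 * fixed-size buffer. Returns 0 on success, -1 if missing or too long. */
int safe_lookup(char *user, size_t userlen)
{
	const void *item = NULL;
	size_t len;

	if (get_item_stub(&item) != 0 || item == NULL)
		return -1;
	len = strlen(item);
	if (len >= userlen)
		return -1;	/* refuse to truncate a user name */
	memcpy(user, item, len + 1);
	return 0;
}

int main(void)
{
	char user[16];

	printf("buggy: user[] clobbered = %d\n", buggy_lookup());
	if (safe_lookup(user, sizeof user) == 0)
		printf("safe: user = %s\n", user);
	return 0;
}
```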