Date:      Thu, 7 Apr 2005 10:43:12 +0200
From:      Stefan Farfeleder <stefanf@FreeBSD.org>
To:        Jacques Vidrine <nectar@FreeBSD.org>
Cc:        cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/libexec/rexecd rexecd.c
Message-ID:  <20050407084309.GF644@wombat.fafoe.narf.at>
In-Reply-To: <200504051455.j35EtXfw046906@repoman.freebsd.org>
References:  <200504051455.j35EtXfw046906@repoman.freebsd.org>

On Tue, Apr 05, 2005 at 02:55:33PM +0000, Jacques Vidrine wrote:
> nectar      2005-04-05 14:55:33 UTC
> 
>   FreeBSD src repository
> 
>   Modified files:
>     libexec/rexecd       rexecd.c 
>   Log:
>   DES pointed out that the PAM layer may change the target user name
>   during authentication.  Thus we need to call getpwnam *after* the user
>   has been authenticated.  Colin mentioned that we should also move the
>   check for root in that case.

static void
doit(struct sockaddr *fromp)
{
        char *cmdbuf, *cp;
        int maxcmdlen;
        char user[16], pass[16];

...

        if (!pam_ok(pam_start("rexecd", user, &pamc, &pamh)) ||
            !pam_ok(pam_set_item(pamh, PAM_RHOST, remote)) ||
            !pam_ok(pam_set_item(pamh, PAM_AUTHTOK, pass)) ||
            !pam_ok(pam_authenticate(pamh, pam_flags)) ||
            !pam_ok(pam_acct_mgmt(pamh, pam_flags)) ||
            !pam_ok(pam_get_item(pamh, PAM_USER, (const void **)&user)) ||

I don't know anything about PAM, but apparently pam_get_item() stores a pointer
into *item.  Here the pointer value is written into the first few bytes of the
array `user' (assuming it is correctly aligned).

Stefan
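
The pointer-versus-array mix-up described in the message above, as an added example that is not part of the original mail or of the FreeBSD source. It assumes a hypothetical stand-in, fake_get_item(), for pam_get_item(), so that it builds without a PAM library; the stored name and the helper names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the PAM library's copy of the user name. */
static const char *stored_user = "mapped_user";

/* Hypothetical stand-in for pam_get_item(pamh, PAM_USER, item): it stores a
 * pointer in *item and copies no string. memcpy keeps the store well defined
 * even when the caller hands in the wrong kind of object. */
static int fake_get_item(const void **item)
{
    memcpy(item, &stored_user, sizeof stored_user);
    return 0;
}

/* Pattern from the quoted code: &user is the address of the array itself,
 * so the pointer value overwrites the first sizeof(void *) bytes of user[]. */
static int buggy_clobbers_name(void)
{
    _Alignas(void *) char user[16] = "alice";   /* aligned, as the mail assumes */

    fake_get_item((const void **)&user);
    return memcmp(user, &stored_user, sizeof stored_user) == 0;
}

/* Receive the pointer in a pointer variable, then copy with a length check. */
static int fixed_copy(char *dst, size_t dstlen)
{
    const void *item = NULL;
    int n;

    if (fake_get_item(&item) != 0 || item == NULL)
        return -1;
    n = snprintf(dst, dstlen, "%s", (const char *)item);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

int main(void)
{
    char user[16];

    printf("buggy call clobbered user[]: %d\n", buggy_clobbers_name());
    if (fixed_copy(user, sizeof user) == 0)
        printf("fixed call copied: %s\n", user);
    return 0;
}
```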