Date: Thu, 7 Apr 2005 10:43:12 +0200
From: Stefan Farfeleder
To: Jacques Vidrine
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, des@FreeBSD.org, cvs-all@FreeBSD.org
Message-ID: <20050407084309.GF644@wombat.fafoe.narf.at>
Subject: Re: cvs commit: src/libexec/rexecd rexecd.c

On Tue, Apr 05, 2005 at 02:55:33PM +0000, Jacques Vidrine wrote:
> nectar      2005-04-05 14:55:33 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     libexec/rexecd       rexecd.c
>   Log:
>   DES pointed out that the PAM layer may change the target user name
>   during authentication.  Thus we need to call getpwnam *after* the user
>   has been authenticated.  Colin mentioned that we should also move the
>   check for root in that case.

static void
doit(struct sockaddr *fromp)
{
	char *cmdbuf, *cp;
	int maxcmdlen;
	char user[16], pass[16];
...
	if (!pam_ok(pam_start("rexecd", user, &pamc, &pamh)) ||
	    !pam_ok(pam_set_item(pamh, PAM_RHOST, remote)) ||
	    !pam_ok(pam_set_item(pamh, PAM_AUTHTOK, pass)) ||
	    !pam_ok(pam_authenticate(pamh, pam_flags)) ||
	    !pam_ok(pam_acct_mgmt(pamh, pam_flags)) ||
	    !pam_ok(pam_get_item(pamh, PAM_USER, (const void **)&user)) ||

I don't know anything about PAM, but apparently pam_get_item() stores a
pointer into *item.  Here the pointer value is written into the first
few bytes of the array `user' (assuming it is correctly aligned).

Stefan
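
The out-parameter misuse described in the message above, as an added example that is not part of the original message or of rexecd.c. `fake_get_item`, `stored_user`, `buggy_fetch` and `fixed_fetch` are hypothetical names; the stub stands in for pam_get_item() so the program runs without libpam.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the PAM_USER value held inside the PAM handle. */
static const char *stored_user = "mapped";

/* Hypothetical stub with pam_get_item()'s out-parameter contract: it stores
 * a pointer to library-owned data into *item. memcpy keeps the demo
 * well-defined even when item is not pointer-aligned. */
static int fake_get_item(const void **item)
{
    memcpy(item, &stored_user, sizeof(stored_user));
    return 0;
}

/* Call shape from the quoted code. Returns 1 when the array now begins with
 * the raw bytes of a pointer instead of a user name. */
int buggy_fetch(void)
{
    char user[16] = "alice";

    fake_get_item((const void **)&user);
    return memcmp(user, &stored_user, sizeof(stored_user)) == 0;
}

/* Receive the pointer in a pointer variable, then copy the string it
 * refers to into the caller's buffer, rejecting names that do not fit. */
int fixed_fetch(char *user, size_t len)
{
    const void *item = NULL;
    int n;

    if (fake_get_item(&item) != 0 || item == NULL)
        return -1;
    n = snprintf(user, len, "%s", (const char *)item);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char user[16] = "alice";

    printf("buggy: array holds pointer bytes = %d\n", buggy_fetch());
    if (fixed_fetch(user, sizeof(user)) == 0)
        printf("fixed: user = %s\n", user);
    return 0;
}
```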