int use_first_pass = 0;
int try_first_pass = 0;
int ignore_root = 0;
+ int trust_root = 0;
+ int catch_su = 0;
int set_expires = 0; /* This option is only used in pam_set_cred() */
int got_authtok = 0; /* got PAM_AUTHTOK upon entry */
int nouser = 0;
try_first_pass = 1;
} else if (strcasecmp(argv[i], "ignore_root" ) == 0) {
ignore_root = 1;
+ } else if (strcasecmp(argv[i], "trust_root" ) == 0) {
+ trust_root = 1;
+ } else if (strcasecmp(argv[i], "catch_su" ) == 0) {
+ catch_su = 1;
} else if (strcasecmp(argv[i], "setenv_password_expires") == 0) {
set_expires = 1;
} else {
RET(PAM_USER_UNKNOWN);
}
+ if ((!strncmp ("root", user, 4)) && trust_root) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_TRUSTROOT, user);
+ RET(PAM_SUCCESS);
+ }
+
pam_afs_syslog(LOG_DEBUG, PAMAFS_USERNAMEDEBUG, user);
/*
#else
upwd = getpwnam_r(user, &unix_pwd, upwd_buf, sizeof(upwd_buf));
#endif
- if (ignore_root && upwd != NULL && upwd->pw_uid == 0) {
- pam_afs_syslog(LOG_INFO, PAMAFS_IGNORINGROOT, user);
- RET(PAM_AUTH_ERR);
+ if (upwd != NULL && upwd->pw_uid == 0) {
+ if (ignore_root) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_IGNORINGROOT, user);
+ RET(PAM_AUTH_ERR);
+ } else if (trust_root && !catch_su) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_TRUSTROOT, user);
+ RET(PAM_SUCCESS);
+ }
}
#endif
errcode = pam_get_item(pamh, PAM_AUTHTOK, (void **) &password);
"AFS ReInitializing creds for user %s\n", /* 31: REINITCRED */
"AFS Failed to set PASSWORD_EXPIRES for user %s\n",
/* 32: PASSEXPFAIL */
+ "",
+ /* 33: */
+ "",
+ /* 34: */
+ "AFS blindly trusting user %s\n",
+ /* 35: TRUSTROOT */
};
static int num_fallbacks = sizeof(fallback_messages)/sizeof(char *);
#define PAMAFS_PASSEXPFAIL 32 /* "Failed to set PASSWORD_EXPIRES" */
#define PAMAFS_CHOWNKRB 33 /* "Failed to chown krb ticketfile" */
#define PAMAFS_KRBFAIL 34 /* "Failed to set KRBTKTFILE" */
+#define PAMAFS_TRUSTROOT 35 /* "Ignoring superuser %s" */
char *pam_afs_message(int msgnum, int *freeit);
int try_first_pass = 0;
int got_authtok = 0;
int ignore_root = 0;
+ int trust_root = 0;
int set_expires = 0; /* the default is to not to set the env variable */
int i;
struct pam_conv *pam_convp = NULL;
try_first_pass = 1;
} else if (strcasecmp(argv[i], "ignore_root" ) == 0) {
ignore_root = 1;
+ } else if (strcasecmp(argv[i], "trust_root" ) == 0) {
+ trust_root = 1;
+ } else if (strcasecmp(argv[i], "catch_su" ) == 0) {
+ use_first_pass = 0;
} else if (strcasecmp(argv[i], "setenv_password_expires")==0) {
set_expires = 1;
} else {
#else
upwd = getpwnam_r(user, &unix_pwd, upwd_buf, sizeof(upwd_buf));
#endif
- if (ignore_root && upwd != NULL && upwd->pw_uid == 0) {
- pam_afs_syslog(LOG_INFO, PAMAFS_IGNORINGROOT, user);
- RET(PAM_AUTH_ERR);
+ if (upwd != NULL && upwd->pw_uid == 0) {
+ if (ignore_root) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_IGNORINGROOT, user);
+ RET(PAM_AUTH_ERR);
+ } else if (trust_root) {
+ pam_afs_syslog(LOG_INFO, PAMAFS_TRUSTROOT, user);
+ RET(PAM_SUCCESS);
+ }
}
#endif
projects / packages / o / openafs.git / commitdiff