Description: Return partial shadow information to non-root users This also returns everything except the password hash from the shadow database to non-root users (nothing was returned before). This allows non-root users to do PAM authentication in some configurations. . On some systems there is a setgid executable that is allowed to read /etc/shadow for authentication by e.g. screensavers. Returning no shadow information will cause pam_unix to deny authorisation in common configurations.
Origin: backport, commit:d58f163b5aceb570aa7bd41b2c8edb3307a3a980
Author: Arthur de Jong
Bug-Debian: http://bugs.debian.org/706913
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1314095
Applied-Upstream: 0.9.1
Last-Update: 2015-02-12
Index: nss-pam-ldapd-0.8.13/nslcd/common.h
===================================================================
--- nss-pam-ldapd-0.8.13.orig/nslcd/common.h 2015-02-12 10:36:57.945109531 -0800
+++ nss-pam-ldapd-0.8.13/nslcd/common.h 2015-02-12 10:39:12.309113398 -0800
@@ -215,8 +215,8 @@
 int nslcd_service_byname(TFILE *fp,MYLDAP_SESSION *session);
 int nslcd_service_bynumber(TFILE *fp,MYLDAP_SESSION *session);
 int nslcd_service_all(TFILE *fp,MYLDAP_SESSION *session);
-int nslcd_shadow_byname(TFILE *fp,MYLDAP_SESSION *session);
-int nslcd_shadow_all(TFILE *fp,MYLDAP_SESSION *session);
+int nslcd_shadow_byname(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid);
+int nslcd_shadow_all(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid);
 int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid);
 int nslcd_pam_authz(TFILE *fp,MYLDAP_SESSION *session);
 int nslcd_pam_sess_o(TFILE *fp,MYLDAP_SESSION *session);
Index: nss-pam-ldapd-0.8.13/nslcd/nslcd.c
===================================================================
--- nss-pam-ldapd-0.8.13.orig/nslcd/nslcd.c 2015-02-12 10:36:57.945109531 -0800
+++ nss-pam-ldapd-0.8.13/nslcd/nslcd.c 2015-02-12 10:38:57.545112973 -0800
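Review bot: The new `calleruid` parameter on `nslcd_shadow_byname` and `nslcd_shadow_all` is undocumented at the declaration, although it now carries the only access decision for shadow data (root gets the hash, anyone else a placeholder, per the shadow.c hunk at line 306). A one-line comment above the two prototypes would make the contract visible to callers: `/* calleruid: uid of the requesting process; non-root callers get the entry with the password hash replaced by the default value */`. Where the dispatcher obtains `uid` is outside this patch; presumably it is the same peer credential already passed to `nslcd_pam_authc`, which is the only value that should ever be passed here.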
@@ -459,10 +459,8 @@
 case NSLCD_ACTION_SERVICE_BYNAME: (void)nslcd_service_byname(fp,session); break;
 case NSLCD_ACTION_SERVICE_BYNUMBER: (void)nslcd_service_bynumber(fp,session); break;
 case NSLCD_ACTION_SERVICE_ALL: (void)nslcd_service_all(fp,session); break;
- case NSLCD_ACTION_SHADOW_BYNAME: if (uid==0) (void)nslcd_shadow_byname(fp,session);
- else log_log(LOG_DEBUG,"denied shadow request by non-root user"); break;
- case NSLCD_ACTION_SHADOW_ALL: if (uid==0) (void)nslcd_shadow_all(fp,session);
- else log_log(LOG_DEBUG,"denied shadow request by non-root user"); break;
+ case NSLCD_ACTION_SHADOW_BYNAME: (void)nslcd_shadow_byname(fp,session,uid); break;
+ case NSLCD_ACTION_SHADOW_ALL: (void)nslcd_shadow_all(fp,session,uid); break;
 case NSLCD_ACTION_PAM_AUTHC: (void)nslcd_pam_authc(fp,session,uid); break;
 case NSLCD_ACTION_PAM_AUTHZ: (void)nslcd_pam_authz(fp,session); break;
 case NSLCD_ACTION_PAM_SESS_O: (void)nslcd_pam_sess_o(fp,session); break;
Index: nss-pam-ldapd-0.8.13/nslcd/shadow.c
===================================================================
--- nss-pam-ldapd-0.8.13.orig/nslcd/shadow.c 2015-02-12 10:36:57.945109531 -0800
+++ nss-pam-ldapd-0.8.13/nslcd/shadow.c 2015-02-12 10:41:12.829116868 -0800
@@ -281,7 +281,8 @@
 return rc;
 }
 
-static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser)
+static int write_shadow(TFILE *fp,MYLDAP_ENTRY *entry,const char *requser,
+ uid_t calleruid)
 {
 int32_t tmpint32;
 const char **usernames;
@@ -305,7 +306,7 @@
 }
 /* get password */
 passwd=get_userpassword(entry,attmap_shadow_userPassword,passbuffer,sizeof(passbuffer));
- if (passwd==NULL)
+ if ((passwd == NULL) || (calleruid != 0))
 passwd=default_shadow_userPassword;
 /* get expiry properties */
 get_shadow_properties(entry,&lastchangedate,&mindays,&maxdays,&warndays,
@@ -362,7 +363,7 @@
 return NULL;
 }
 
-NSLCD_HANDLE(
+NSLCD_HANDLE_UID(
 shadow,byname,
 char name[256];
 char filter[4096];
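Review bot: Removing the two `log_log(LOG_DEBUG,"denied shadow request by non-root user")` lines also removes the only log trace that a non-root process asked for shadow data; the redacted reply produced in `write_shadow` is silent. Keeping a debug-level record is cheap and helps when diagnosing why a screensaver or PAM client received a placeholder hash, for example in the shadow.c hunk at line 306 next to the new `calleruid != 0` test: `if (calleruid != 0) log_log(LOG_DEBUG,"returning shadow entry without password hash to non-root caller");`. The `switch` this hunk belongs to starts and ends outside the hunk.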
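Review bot: `get_userpassword` still copies the hash out of the LDAP entry into `passbuffer` for every caller, and only afterwards is it discarded when `calleruid != 0`, so the secret is fetched and held for a request that is not allowed to see it. If `get_userpassword` has no side effects beyond the copy, deciding before the lookup avoids that: `passwd = (calleruid == 0) ? get_userpassword(entry,attmap_shadow_userPassword,passbuffer,sizeof(passbuffer)) : NULL;` followed by the existing `if (passwd==NULL) passwd=default_shadow_userPassword;`. The aging fields read by `get_shadow_properties` on the following line stay unredacted for non-root callers, which matches the description but means last-change and expiry dates of any account are now readable by any local user; the rest of `write_shadow` is outside the hunk.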
@@ -370,14 +371,14 @@
 log_setrequest("shadow=\"%s\"",name);,
 NSLCD_ACTION_SHADOW_BYNAME,
 mkfilter_shadow_byname(name,filter,sizeof(filter)),
- write_shadow(fp,entry,name)
+ write_shadow(fp,entry,name,calleruid)
 )
 
-NSLCD_HANDLE(
+NSLCD_HANDLE_UID(
 shadow,all,
 const char *filter;
 log_setrequest("shadow(all)");,
 NSLCD_ACTION_SHADOW_ALL,
 (filter=shadow_filter,0),
- write_shadow(fp,entry,NULL)
+ write_shadow(fp,entry,NULL,calleruid)
 )
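Review bot: The `shadow,all` handler now runs for every caller uid, so the enumeration path that nslcd.c previously refused outright is reachable by any local process, with only the hash field substituted inside `write_shadow`. Nothing at this site records that this is intended; a comment above the `NSLCD_HANDLE_UID(` for `shadow,all` would state the policy: `/* enumeration is served to any caller; write_shadow() substitutes the password hash unless calleruid is 0 */`. Both handlers depend on `NSLCD_HANDLE_UID` binding the parameter name `calleruid`; presumably it is the same macro `nslcd_pam_authc` already uses, but its definition is not part of this patch.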