[PATCH:xdm] Check for allowRootLogin on PAM and non-OpenBSD passwd authentication backends
Alan Coopersmith
alan.coopersmith at sun.com
Tue Mar 16 17:01:22 PDT 2010
http://bugs.freedesktop.org/show_bug.cgi?id=25112
Signed-off-by: Alan Coopersmith <alan.coopersmith at sun.com>
---
config/Xresources.cpp | 2 +-
greeter/Login.c | 6 +-----
greeter/verify.c | 12 +++++++++++-
xdm.man.cpp | 2 ++
4 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/config/Xresources.cpp b/config/Xresources.cpp
index 4e362df..f5866cf 100644
--- a/config/Xresources.cpp
+++ b/config/Xresources.cpp
@@ -23,7 +23,7 @@ xlogin*login.translations: #override BS
xlogin*greeting: Welcome to CLIENTHOST
xlogin*namePrompt: \040\040\040\040\040\040\040Login:
-xlogin*fail: Login incorrect
+xlogin*fail: Login incorrect or forbidden by policy
XHASHif WIDTH > 800
xlogin*greetFont: -adobe-helvetica-bold-o-normal--24-240-75-75-p-138-iso8859-1
diff --git a/greeter/Login.c b/greeter/Login.c
index 86e3d44..6ddb8df 100644
--- a/greeter/Login.c
+++ b/greeter/Login.c
@@ -197,11 +197,7 @@ static XtResource resources[] = {
offset(passwdPrompt), XtRString, "Password: "},
{XtNfail, XtCFail, XtRString, sizeof (char *),
offset(failMsg), XtRString,
-#if defined(sun) && defined(SVR4)
- "Login incorrect or not on system console if root"
-#else
- "Login incorrect"
-#endif
+ "Login incorrect or forbidden by policy"
},
{XtNchangePasswdMessage, XtCChangePasswdMessage, XtRString,
sizeof (char *), offset(passwdChangeMsg), XtRString,
diff --git a/greeter/verify.c b/greeter/verify.c
index 73493ca..6e3f14b 100644
--- a/greeter/verify.c
+++ b/greeter/verify.c
@@ -350,6 +350,16 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
return 0;
}
+ /*
+ * Only accept root logins if allowRootLogin resource is not false
+ */
+ if ((p->pw_uid == 0) && !greet->allow_root_login) {
+ Debug("root logins not allowed\n");
+ if (greet->password != NULL)
+ bzero(greet->password, strlen(greet->password));
+ return 0;
+ }
+
# if defined(sun) && defined(SVR4)
/* Solaris: If CONSOLE is set to /dev/console in /etc/default/login,
then root can only login on system console */
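Review bot: The refusal branch added at `if ((p->pw_uid == 0) && !greet->allow_root_login)` reports the event only through `Debug(...)`, so a denied root login may leave no audit trail if Debug output is suppressed in normal operation (not visible from this hunk). A policy rejection of uid 0 is something an operator will want in the regular log. Consider an always-on line next to the Debug call, e.g. `LogError("root login refused: allowRootLogin is false\n");`, or whichever logging helper this file already uses for failures. Verify's body starts and ends outside the hunk.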
@@ -467,7 +477,6 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
# ifdef KERBEROS
done:
# endif
-# ifdef __OpenBSD__
/*
* Only accept root logins if allowRootLogin resource is set
*/
@@ -476,6 +485,7 @@ done:
bzero(greet->password, strlen(greet->password));
return 0;
}
+# ifdef __OpenBSD__
/*
* Shell must be in /etc/shells
*/
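Review bot: Moving `# ifdef __OpenBSD__` below the root check after `done:` leaves Verify with two copies of the same policy test: this one, and the one added near line 350. This copy appears to sit after the password/Kerberos verification, while the new one appears to run earlier, so the point at which root is refused may differ between backends. The preprocessor structure between the two is outside these hunks, so it is not visible whether both can be compiled into one build. A small `static` helper that does the uid test and the password scrub, called from one agreed point per backend, would keep the copies from drifting. The comment above this copy still reads `is set` while the new one reads `is not false`; since the man page gives the default as ``true'', `is not false` is the accurate wording for both.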
diff --git a/xdm.man.cpp b/xdm.man.cpp
index 6b65694..011d8d1 100644
--- a/xdm.man.cpp
+++ b/xdm.man.cpp
@@ -1045,6 +1045,8 @@ drawn in hiColor and shdColor.
If set to ``false'', don't allow root (and any other user with uid = 0) to
log in directly.
The default is ``true''.
+This setting is only checked by some of the authentication backends at this
+time.
.IP "\fBxlogin.Login.allowNullPasswd\fP"
If set to ``true'', allow an otherwise failing password match to succeed
if the account does not require a password at all.
--
1.5.6.5