[PATCH:xdm] Check for allowRootLogin on PAM and non-OpenBSD passwd authentication backends

Alan Coopersmith alan.coopersmith at sun.com
Tue Mar 16 17:01:22 PDT 2010 

http://bugs.freedesktop.org/show_bug.cgi?id=25112

Signed-off-by: Alan Coopersmith <alan.coopersmith at sun.com>
---
 config/Xresources.cpp |    2 +-
 greeter/Login.c       |    6 +-----
 greeter/verify.c      |   12 +++++++++++-
 xdm.man.cpp           |    2 ++
 4 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/config/Xresources.cpp b/config/Xresources.cpp
index 4e362df..f5866cf 100644
--- a/config/Xresources.cpp
+++ b/config/Xresources.cpp
@@ -23,7 +23,7 @@ xlogin*login.translations: #override BS
 
 xlogin*greeting: Welcome to CLIENTHOST
 xlogin*namePrompt: \040\040\040\040\040\040\040Login:
-xlogin*fail: Login incorrect
+xlogin*fail: Login incorrect or forbidden by policy
 
 XHASHif WIDTH > 800
 xlogin*greetFont: -adobe-helvetica-bold-o-normal--24-240-75-75-p-138-iso8859-1
diff --git a/greeter/Login.c b/greeter/Login.c
index 86e3d44..6ddb8df 100644
--- a/greeter/Login.c
+++ b/greeter/Login.c
@@ -197,11 +197,7 @@ static XtResource resources[] = {
 	offset(passwdPrompt), XtRString, "Password:  "},
     {XtNfail, XtCFail, XtRString, sizeof (char *),
 	offset(failMsg), XtRString,
-#if defined(sun) && defined(SVR4)
-     "Login incorrect or not on system console if root"
-#else
-     "Login incorrect"
-#endif
+	"Login incorrect or forbidden by policy"
     },
     {XtNchangePasswdMessage, XtCChangePasswdMessage, XtRString,
 	sizeof (char *), offset(passwdChangeMsg), XtRString,
diff --git a/greeter/verify.c b/greeter/verify.c
index 73493ca..6e3f14b 100644
--- a/greeter/verify.c
+++ b/greeter/verify.c
@@ -350,6 +350,16 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 		return 0;
 	}
 
+	/*
+	 * Only accept root logins if allowRootLogin resource is not false
+	 */
+	if ((p->pw_uid == 0) && !greet->allow_root_login) {
+		Debug("root logins not allowed\n");
+		if (greet->password != NULL)
+		    bzero(greet->password, strlen(greet->password));
+		return 0;
+	}
+
 # if defined(sun) && defined(SVR4)
 	/* Solaris: If CONSOLE is set to /dev/console in /etc/default/login,
 	   then root can only login on system console */
@@ -467,7 +477,6 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 #  ifdef KERBEROS
 done:
 #  endif
-#  ifdef __OpenBSD__
 	/*
 	 * Only accept root logins if allowRootLogin resource is set
 	 */
@@ -476,6 +485,7 @@ done:
 		bzero(greet->password, strlen(greet->password));
 		return 0;
 	}
+#  ifdef __OpenBSD__
 	/*
 	 * Shell must be in /etc/shells
 	 */
diff --git a/xdm.man.cpp b/xdm.man.cpp
index 6b65694..011d8d1 100644
--- a/xdm.man.cpp
+++ b/xdm.man.cpp
@@ -1045,6 +1045,8 @@ drawn in hiColor and shdColor.
 If set to ``false'', don't allow root (and any other user with uid = 0) to
 log in directly.
 The default is ``true''.
+This setting is only checked by some of the authentication backends at this
+time.
 .IP "\fBxlogin.Login.allowNullPasswd\fP"
 If set to ``true'', allow an otherwise failing password match to succeed
 if the account does not require a password at all.
-- 
1.5.6.5

More information about the xorg-devel mailing list