[PATCH:xdm] Check for allowRootLogin on PAM and non-OpenBSD passwd authentication backends

Julien Cristau jcristau at debian.org
Wed Mar 17 18:08:29 PDT 2010


On Tue, Mar 16, 2010 at 17:01:22 -0700, Alan Coopersmith wrote:

> diff --git a/greeter/verify.c b/greeter/verify.c
> index 73493ca..6e3f14b 100644
> --- a/greeter/verify.c
> +++ b/greeter/verify.c
> @@ -350,6 +350,16 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
>  		return 0;
>  	}
>  
> +	/*
> +	 * Only accept root logins if allowRootLogin resource is not false
> +	 */
> +	if ((p->pw_uid == 0) && !greet->allow_root_login) {
> +		Debug("root logins not allowed\n");
> +		if (greet->password != NULL)
> +		    bzero(greet->password, strlen(greet->password));
> +		return 0;
> +	}
> +

I guess there's no way to avoid having that code twice in Verify()?

On a related note, the /etc/shells check is also restricted to OpenBSD,
although it looks like it makes sense for more than that.  Likewise for
the expired password check, I guess.  Then again, PAM can check that for
me, so meh.

Cheers,
Julien


More information about the xorg-devel mailing list