From: Sami Kerola <kerolasa@iki.fi>
To: Karel Zak <kzak@redhat.com>
Cc: util-linux@vger.kernel.org
Subject: Re: [PATCH 05/17] newgrp: use xgetpass() and memset_s() to group password validation
Date: Tue, 16 Sep 2014 21:33:07 +0100 (BST)
Message-ID: <alpine.LNX.2.03.1409162127010.3712@kerolasa-home>
In-Reply-To: <20140912084451.GT21325@x2.net.home>
On Fri, 12 Sep 2014, Karel Zak wrote:
> On Sun, Sep 07, 2014 at 01:42:53PM +0100, Sami Kerola wrote:
>> Signed-off-by: Sami Kerola <kerolasa@iki.fi>
>> ---
>> login-utils/newgrp.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> If we really want to support passwords for groups then it would be
> better to add support for this to PAM. But it seems it's so crazy and
> unnecessary that nobody has been motivated to do this change in the last
> 20 years.
>
> It would be better to remove support for /etc/gshadow from newgrp at
> all.
Either PAM does not support group passwords, or I misread docs & git
checkout. As for gshadow itself, I do agree that finding an example where
using them would be useful is hard. Then again, the support for group
passwords has been around for a long time, and even opengroup mentions
authorizations.

http://pubs.opengroup.org/onlinepubs/009695299/utilities/newgrp.html

So with that in mind I changed the newgrp change somewhat. Here is the first
alteration.
--->8----
From: Sami Kerola <kerolasa@iki.fi>
Date: Sun, 14 Sep 2014 17:29:54 +0100
Subject: [PATCH 15/17] newgrp: use libc function to read gshadow if it is available
The glib version of getsgnam() is using /etc/nsswitch.conf, allowing the
group passwords to come from an external database.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
---
configure.ac | 1 +
login-utils/newgrp.c | 11 +++++++++++
2 files changed, 12 insertions(+)
diff --git a/configure.ac b/configure.ac
index 5b558ec..c84814f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -302,6 +302,7 @@ AC_CHECK_FUNCS([ \
getexecname \
getmntinfo \
getrlimit \
+ getsgnam \
inotify_init \
inotify_init1 \
jrand48 \
diff --git a/login-utils/newgrp.c b/login-utils/newgrp.c
index 55dad1b..d492f23 100644
--- a/login-utils/newgrp.c
+++ b/login-utils/newgrp.c
@@ -28,6 +28,10 @@
# include <crypt.h>
#endif
+#ifdef HAVE_GETSGNAM
+# include <gshadow.h>
+#endif
+
#include "c.h"
#include "closestream.h"
#include "nls.h"
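Review bot: the <gshadow.h> include is guarded by HAVE_GETSGNAM, but configure.ac only adds getsgnam to AC_CHECK_FUNCS, which tests that the symbol links and says nothing about the header being installed. Consider adding gshadow.h to the configure header checks and guarding this include with its own macro (or requiring both macros before taking the getsgnam() path), so that a libc exporting the function without shipping the header falls back to the file parser instead of failing to compile.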
@@ -37,6 +41,12 @@
/* try to read password from gshadow */
static char *get_gshadow_pwd(char *groupname)
{
+#ifdef HAVE_GETSGNAM
+ struct sgrp *sgrp;
+
+ sgrp = getsgnam(groupname);
+ return sgrp ? xstrdup(sgrp->sg_passwd) : NULL;
+#else
char buf[BUFSIZ];
char *pwd = NULL;
FILE *f;
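Review bot: in the HAVE_GETSGNAM branch of get_gshadow_pwd(), sgrp is checked for NULL but sgrp->sg_passwd is not, while the existing file-parsing path guards its result with "pwd ? xstrdup(pwd) : NULL". Since the commit message says entries may now come from whatever database /etc/nsswitch.conf selects, an entry without a password field should not reach xstrdup() unchecked; "return sgrp && sgrp->sg_passwd ? xstrdup(sgrp->sg_passwd) : NULL;" would keep both branches consistent. The commit message or the man page should also state that group passwords are now resolved through NSS rather than read only from /etc/gshadow, because that changes which data source newgrp trusts for authentication.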
@@ -69,6 +79,7 @@ static char *get_gshadow_pwd(char *groupname)
}
fclose(f);
return pwd ? xstrdup(pwd) : NULL;
+#endif /* HAVE_GETSGNAM */
}
static int allow_setgid(struct passwd *pe, struct group *ge)
--
2.1.0