Lines 466-478
|
466 |
} |
466 |
} |
467 |
|
467 |
|
468 |
/* |
468 |
/* |
469 |
* determine the current user's name is. |
469 |
* Determine what the current user's name is. |
470 |
* On a SELinux enabled system, policy will prevent third parties from using |
470 |
* On a SELinux enabled system with a strict policy leaving the |
471 |
* unix_chkpwd as a password guesser. Leaving the existing check prevents |
471 |
* existing check prevents shadow password authentication from working. |
472 |
* su from working, Since the current uid is the users and the password is |
472 |
* We must thus skip the check if the real uid is 0. |
473 |
* for root. |
|
|
474 |
*/ |
473 |
*/ |
475 |
if (SELINUX_ENABLED) { |
474 |
if (SELINUX_ENABLED && getuid() == 0) { |
476 |
user=argv[1]; |
475 |
user=argv[1]; |
477 |
} |
476 |
} |
478 |
else { |
477 |
else { |
Lines 534-539
|
534 |
/* return pass or fail */ |
533 |
/* return pass or fail */ |
535 |
|
534 |
|
536 |
if ((retval != PAM_SUCCESS) || force_failure) { |
535 |
if ((retval != PAM_SUCCESS) || force_failure) { |
|
|
536 |
_log_err(LOG_NOTICE, "password check failed for user (%s)", user); |
537 |
return PAM_AUTH_ERR; |
537 |
return PAM_AUTH_ERR; |
538 |
} else { |
538 |
} else { |
539 |
return PAM_SUCCESS; |
539 |
return PAM_SUCCESS; |
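Review bot: The failure message added at new line 536 records only the account name, not who asked, which limits its value for spotting password guessing. After the change at new line 474 a caller with real uid 0 takes `user` straight from `argv[1]`, while other callers fall into the `else` branch whose body is outside the hunk, so the two cases cannot be told apart in the log; consider `_log_err(LOG_NOTICE, "password check failed for user (%s) by uid %lu", user, (unsigned long) getuid());`. Because `user` can be the unfiltered `argv[1]` on that path, it is also worth confirming that `_log_err` (not defined on this page) neutralises control characters before the string reaches the log. The enclosing function starts and ends outside both hunks.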