From dc4654dacddedd9ec66ac6b02247676af768d083 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Tue, 16 Mar 2010 16:56:56 -0700
Subject: [PATCH:xdm] Check for allowRootLogin on PAM and non-OpenBSD passwd authentication backends
http://bugs.freedesktop.org/show_bug.cgi?id=25112
Signed-off-by: Alan Coopersmith
---
 config/Xresources.cpp | 2 +-
 greeter/Login.c | 6 +-----
 greeter/verify.c | 12 +++++++++++-
 xdm.man.cpp | 2 ++
 4 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/config/Xresources.cpp b/config/Xresources.cpp
index 4e362df..f5866cf 100644
--- a/config/Xresources.cpp
+++ b/config/Xresources.cpp
@@ -23,7 +23,7 @@ xlogin*login.translations: #override BS
 xlogin*greeting: Welcome to CLIENTHOST
 xlogin*namePrompt: \040\040\040\040\040\040\040Login:
-xlogin*fail: Login incorrect
+xlogin*fail: Login incorrect or forbidden by policy
 XHASHif WIDTH > 800
 xlogin*greetFont: -adobe-helvetica-bold-o-normal--24-240-75-75-p-138-iso8859-1
diff --git a/greeter/Login.c b/greeter/Login.c
index 86e3d44..6ddb8df 100644
--- a/greeter/Login.c
+++ b/greeter/Login.c
@@ -197,11 +197,7 @@ static XtResource resources[] = {
 offset(passwdPrompt), XtRString, "Password: "}, {XtNfail, XtCFail, XtRString, sizeof (char *), offset(failMsg), XtRString,
-#if defined(sun) && defined(SVR4)
- "Login incorrect or not on system console if root"
-#else
- "Login incorrect"
-#endif
+ "Login incorrect or forbidden by policy"
 }, {XtNchangePasswdMessage, XtCChangePasswdMessage, XtRString, sizeof (char *), offset(passwdChangeMsg), XtRString,
diff --git a/greeter/verify.c b/greeter/verify.c
index 73493ca..6e3f14b 100644
--- a/greeter/verify.c
+++ b/greeter/verify.c
@@ -350,6 +350,16 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 return 0;
 }
+ /*
+ * Only accept root logins if allowRootLogin resource is not false
+ */
+ if ((p->pw_uid == 0) && !greet->allow_root_login) {
+ Debug("root logins not allowed\n");
+ if (greet->password != NULL)
+ bzero(greet->password, strlen(greet->password));
+ return 0;
+ }
+
 # if defined(sun) && defined(SVR4)
 /* Solaris: If CONSOLE is set to /dev/console in /etc/default/login, then root can only login on system console */
@@ -467,7 +477,6 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify)
 # ifdef KERBEROS
 done:
 # endif
-# ifdef __OpenBSD__
 /*
 * Only accept root logins if allowRootLogin resource is set
 */
@@ -476,6 +485,7 @@ done:
 bzero(greet->password, strlen(greet->password));
 return 0;
 }
+# ifdef __OpenBSD__
 /*
 * Shell must be in /etc/shells
 */
diff --git a/xdm.man.cpp b/xdm.man.cpp
index 6b65694..011d8d1 100644
--- a/xdm.man.cpp
+++ b/xdm.man.cpp
@@ -1045,6 +1045,8 @@ drawn in hiColor and shdColor.
 If set to ``false'', don't allow root (and any other user with uid = 0) to log in directly. The default is ``true''.
+This setting is only checked by some of the authentication backends at this
+time.
 .IP "\fBxlogin.Login.allowNullPasswd\fP"
 If set to ``true'', allow an otherwise failing password match to succeed if the account does not require a password at all.
--
1.5.6.5
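Review bot: In the greeter/verify.c hunk at `@@ -350,6 +350,16 @@`, a refused uid-0 login is reported only through `Debug("root logins not allowed\n")`, so in a normal (non-debug) run the denial presumably leaves nothing in xdm's log. A policy refusal for root is an event operators want to see when reviewing login activity; consider a regular log line beside the Debug call, for example `LogError("root login refused: allowRootLogin is false\n");` (assuming xdm's LogError is reachable from the greeter code). The text shown at the prompt stays the generic `Login incorrect or forbidden by policy`, so logging the reason server-side discloses nothing extra to the person at the greeter. Verify() starts and ends outside this hunk.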
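Review bot: The two allowRootLogin checks in Verify() are not documented relative to each other. The one added at `@@ -350,6 +350,16 @@` refuses uid 0 early, while the block after `done:` (hunks `@@ -467,7 +477,6 @@` and `@@ -476,6 +485,7 @@`) is no longer guarded by `# ifdef __OpenBSD__` and sits after the authentication code. Its `if` line falls between those two hunks and is not visible, so this is inferred: if both checks are compiled into the same configuration, the later one can never fire for root, and if they are not, the point at which root is refused differs per backend. A short comment above the later block naming the build configuration that still relies on it would make that explicit. Its wording `resource is set` could also be aligned with the new `resource is not false`.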