* passwd.c (caller_is_admin): New function to test if calling user
is an administrator by inspecting user token. (main): Drop fetching caller info from logonserver. Only fetch server from environment when trying to change password for own account. Drop admin check entirely in case of doing account maintainance. Otherwise replace check for admin by result of caller_is_admin call.
This commit is contained in:
parent
7d2e8c04f2
commit
0e0f5748e0
|
@ -1,3 +1,13 @@
|
||||||
|
2009-03-23 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
|
* passwd.c (caller_is_admin): New function to test if calling user
|
||||||
|
is an administrator by inspecting user token.
|
||||||
|
(main): Drop fetching caller info from logonserver. Only fetch
|
||||||
|
server from environment when trying to change password for own
|
||||||
|
account. Drop admin check entirely in case of doing account
|
||||||
|
maintainance. Otherwise replace check for admin by result of
|
||||||
|
caller_is_admin call.
|
||||||
|
|
||||||
2009-03-22 Corinna Vinschen <corinna@vinschen.de>
|
2009-03-22 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
* passwd.c (main): Always get logonserver from environment and
|
* passwd.c (main): Always get logonserver from environment and
|
||||||
|
|
|
@ -303,6 +303,49 @@ usage (FILE * stream, int status)
|
||||||
exit (status);
|
exit (status);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
caller_is_admin ()
|
||||||
|
{
|
||||||
|
static int is_admin = -1;
|
||||||
|
HANDLE token;
|
||||||
|
DWORD size;
|
||||||
|
PTOKEN_GROUPS grps;
|
||||||
|
SID_IDENTIFIER_AUTHORITY nt_auth = {SECURITY_NT_AUTHORITY};
|
||||||
|
PSID admin_grp;
|
||||||
|
DWORD i;
|
||||||
|
|
||||||
|
if (is_admin == -1)
|
||||||
|
{
|
||||||
|
is_admin = 0;
|
||||||
|
if (OpenProcessToken (GetCurrentProcess (), TOKEN_READ, &token))
|
||||||
|
{
|
||||||
|
GetTokenInformation (token, TokenGroups, NULL, 0, &size);
|
||||||
|
grps = (PTOKEN_GROUPS) alloca (size);
|
||||||
|
if (!GetTokenInformation(token, TokenGroups, grps, size, &size)
|
||||||
|
|| !AllocateAndInitializeSid (&nt_auth, 2,
|
||||||
|
SECURITY_BUILTIN_DOMAIN_RID,
|
||||||
|
DOMAIN_ALIAS_RID_ADMINS,
|
||||||
|
0, 0, 0, 0, 0, 0, &admin_grp))
|
||||||
|
is_admin = 0;
|
||||||
|
else
|
||||||
|
{
|
||||||
|
for (i = 0; i < grps->GroupCount; ++i)
|
||||||
|
if (EqualSid (admin_grp, grps->Groups[i].Sid)
|
||||||
|
&& (grps->Groups[i].Attributes
|
||||||
|
& (SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY))
|
||||||
|
== SE_GROUP_ENABLED)
|
||||||
|
{
|
||||||
|
is_admin = 1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
FreeSid (admin_grp);
|
||||||
|
}
|
||||||
|
CloseHandle (token);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return is_admin;
|
||||||
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
print_version ()
|
print_version ()
|
||||||
{
|
{
|
||||||
|
@ -348,8 +391,8 @@ main (int argc, char **argv)
|
||||||
int Popt = 0;
|
int Popt = 0;
|
||||||
int Sopt = 0;
|
int Sopt = 0;
|
||||||
int Ropt = 0;
|
int Ropt = 0;
|
||||||
PUSER_INFO_3 ui, li;
|
PUSER_INFO_3 ui;
|
||||||
LPWSTR my_server = NULL;
|
int myself = 0;
|
||||||
LPWSTR server = NULL;
|
LPWSTR server = NULL;
|
||||||
|
|
||||||
prog_name = strrchr (argv[0], '/');
|
prog_name = strrchr (argv[0], '/');
|
||||||
|
@ -518,16 +561,6 @@ main (int argc, char **argv)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((logonserver = getenv ("LOGONSERVER")))
|
|
||||||
{
|
|
||||||
size_t len = mbstowcs (NULL, logonserver, 0);
|
|
||||||
if (len > 0 && len != (size_t) -1)
|
|
||||||
mbstowcs (my_server = alloca ((len + 1) * sizeof (wchar_t)),
|
|
||||||
logonserver, len + 1);
|
|
||||||
if (!server)
|
|
||||||
server = my_server;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (Larg >= 0 || xarg >= 0 || narg >= 0 || iarg >= 0)
|
if (Larg >= 0 || xarg >= 0 || narg >= 0 || iarg >= 0)
|
||||||
{
|
{
|
||||||
if (optind < argc)
|
if (optind < argc)
|
||||||
|
@ -537,9 +570,18 @@ main (int argc, char **argv)
|
||||||
|
|
||||||
strcpy (user, optind >= argc ? getlogin () : argv[optind]);
|
strcpy (user, optind >= argc ? getlogin () : argv[optind]);
|
||||||
|
|
||||||
li = GetPW (getlogin (), 0, my_server);
|
/* Changing password for calling user? Use logonserver for user as well. */
|
||||||
if (! li)
|
if (!server && optind < argc)
|
||||||
return 1;
|
{
|
||||||
|
myself = 1;
|
||||||
|
if ((logonserver = getenv ("LOGONSERVER")))
|
||||||
|
{
|
||||||
|
size_t len = mbstowcs (NULL, logonserver, 0);
|
||||||
|
if (len > 0 && len != (size_t) -1)
|
||||||
|
mbstowcs (server = alloca ((len + 1) * sizeof (wchar_t)),
|
||||||
|
logonserver, len + 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
ui = GetPW (user, 1, server);
|
ui = GetPW (user, 1, server);
|
||||||
if (! ui)
|
if (! ui)
|
||||||
|
@ -549,8 +591,6 @@ main (int argc, char **argv)
|
||||||
{
|
{
|
||||||
USER_INFO_1008 uif;
|
USER_INFO_1008 uif;
|
||||||
|
|
||||||
if (li->usri3_priv != USER_PRIV_ADMIN)
|
|
||||||
return eprint (0, "You have no maintenance privileges.");
|
|
||||||
uif.usri1008_flags = ui->usri3_flags;
|
uif.usri1008_flags = ui->usri3_flags;
|
||||||
if (lopt)
|
if (lopt)
|
||||||
{
|
{
|
||||||
|
@ -584,14 +624,14 @@ main (int argc, char **argv)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (li->usri3_priv != USER_PRIV_ADMIN && strcmp (getlogin (), user))
|
if (!caller_is_admin () && !myself)
|
||||||
return eprint (0, "You may not change the password for %s.", user);
|
return eprint (0, "You may not change the password for %s.", user);
|
||||||
|
|
||||||
eprint (0, "Enter the new password (minimum of 5, maximum of 8 characters).");
|
eprint (0, "Enter the new password (minimum of 5, maximum of 8 characters).");
|
||||||
eprint (0, "Please use a combination of upper and lower case letters and numbers.");
|
eprint (0, "Please use a combination of upper and lower case letters and numbers.");
|
||||||
|
|
||||||
oldpwd[0] = '\0';
|
oldpwd[0] = '\0';
|
||||||
if (li->usri3_priv != USER_PRIV_ADMIN)
|
if (!caller_is_admin ())
|
||||||
{
|
{
|
||||||
strcpy (oldpwd, getpass ("Old password: "));
|
strcpy (oldpwd, getpass ("Old password: "));
|
||||||
if (ChangePW (user, oldpwd, oldpwd, 1, server))
|
if (ChangePW (user, oldpwd, oldpwd, 1, server))
|
||||||
|
|
Loading…
Reference in New Issue