"David W. Chapman Jr." wrote:
> > If it's allowed, it would probably only be allowed in the
> > user name (i.e. the patch is wrong; it should probably add
> > another parameter to the allowable values of 'int gecos', and
> > change it to 'int checktype' or similar).
> 
> I don't have a problem with this, but the patch I sent in is the
> extent of my abilities to give me desired results (making pw like
> samba)

See attached patch.  It could still screw scripts (e.g. the perl
script version of "adduser") by allowing the "$" in the login
field, but at least it keeps it out of the login class and group
fields.

See below, though: I don't think '$' should be permitted.


> > It seems to me that another alternative is that all these
> > names end in '$'; therefore, when you are expecting one of
> > these names, you could imply a '$', without needing to actually
> > have it in the password file -- in other words, it's an
> > attribute, not really part of the account name.
> >
> > Will this open up a security hole for a normal user account
> > being used to compromise the domain system security?  Is it
> > absolutely necessary to use an in-band method to distinguish
> > these records from ordinary user accounts?
> 
> I don't think the samba people would be willing to make this type of
> change just for FreeBSD since it works for most everyone else.  I
> also don't think there is currently a way to store attributes about
> machines/users permanently in samba.

I think you misunderstand.

The intent is to allow accounts without "$" appended to be used
as machine logins.  Samba would see the '$', remove it, and check
normally.

The potential problem is that normal user accounts could be used
in place of machines.

The proper "BSD way" to avoid this hack would be to add a login
class "samba_server" (or whatever), and make Samba permit this
type of check only if the user was in the correct login class.

-- Terry
Index: pw.h
===================================================================
RCS file: /cvs/src/usr.sbin/pw/pw.h,v
retrieving revision 1.13
diff -c -r1.13 pw.h
*** pw.h        5 Jul 2001 08:01:15 -0000       1.13
--- pw.h        27 Nov 2002 17:21:03 -0000
***************
*** 62,67 ****
--- 62,74 ----
          W_NUM
  };
  
+ enum _checktype
+ {
+       PWC_DEFAULT,
+       PWC_GECOS,
+       PWC_LOGIN
+ };
+ 
  struct carg
  {
        int               ch;
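Review bot: The new tag `_checktype` uses a leading underscore at file scope, which the C standard reserves for the implementation; a plain `enum checktype` avoids that (the existing `_args` parameter name is block-scoped and not affected). The enumerator order is also doing silent work: `PWC_DEFAULT` is 0 and `PWC_GECOS` is 1, which is exactly what keeps any caller outside this patch that still passes the old `0`/`1` int argument behaving as before, and that should be stated, e.g. `/* order matters: 0 and 1 must match the old "int gecos" argument */`. A one-line comment per value would also tell the reader that `PWC_LOGIN` is the only case that admits '$' and why a separate login case exists at all.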
***************
*** 105,111 ****
  
  int pw_user(struct userconf * cnf, int mode, struct cargs * _args);
  int pw_group(struct userconf * cnf, int mode, struct cargs * _args);
! char    *pw_checkname(u_char *name, int gecos);
  
  int addpwent(struct passwd * pwd);
  int delpwent(struct passwd * pwd);
--- 112,118 ----
  
  int pw_user(struct userconf * cnf, int mode, struct cargs * _args);
  int pw_group(struct userconf * cnf, int mode, struct cargs * _args);
! char    *pw_checkname(u_char *name, enum _checktype checktype);
  
  int addpwent(struct passwd * pwd);
  int delpwent(struct passwd * pwd);
Index: pw_user.c
===================================================================
RCS file: /cvs/src/usr.sbin/pw/pw_user.c,v
retrieving revision 1.51
diff -c -r1.51 pw_user.c
*** pw_user.c   24 Jun 2002 11:33:17 -0000      1.51
--- pw_user.c   27 Nov 2002 17:30:43 -0000
***************
*** 231,237 ****
                }
        }
        if ((arg = getarg(args, 'L')) != NULL)
!               cnf->default_class = pw_checkname((u_char *)arg->val, 0);
  
        if ((arg = getarg(args, 'G')) != NULL && arg->val) {
                int i = 0;
--- 231,237 ----
                }
        }
        if ((arg = getarg(args, 'L')) != NULL)
!               cnf->default_class = pw_checkname((u_char *)arg->val, PWC_DEFAULT);
  
        if ((arg = getarg(args, 'G')) != NULL && arg->val) {
                int i = 0;
***************
*** 293,299 ****
        }
  
        if ((a_name = getarg(args, 'n')) != NULL)
!               pwd = GETPWNAM(pw_checkname((u_char *)a_name->val, 0));
        a_uid = getarg(args, 'u');
  
        if (a_uid == NULL) {
--- 293,299 ----
        }
  
        if ((a_name = getarg(args, 'n')) != NULL)
!               pwd = GETPWNAM(pw_checkname((u_char *)a_name->val, PWC_LOGIN));
        a_uid = getarg(args, 'u');
  
        if (a_uid == NULL) {
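Review bot: With `PWC_LOGIN` the name given to `-n` here (and to `-l` in the rename hunk at 455–461) is accepted with '$' at any position, since the PWC_LOGIN character set in the pw_checkname hunk only drops '$' from the default list, whereas the stated purpose is machine accounts whose name ends in '$'. If the relaxed check is kept, rejecting '$' anywhere but the final character would keep names such as `a$b` out of the password file, e.g. in the PWC_LOGIN loop `if (name[l] == '$' && name[l + 1] != '\0') /* treat as a bad character */`. The `-n` value feeds a GETPWNAM lookup on the line above, so the looser rule presumably applies to lookups of existing accounts as well as creation; the enclosing function starts outside this hunk, so that is worth confirming.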
***************
*** 455,461 ****
                if ((arg = getarg(args, 'l')) != NULL) {
                        if (strcmp(pwd->pw_name, "root") == 0)
                                errx(EX_DATAERR, "can't rename `root' account");
!                       pwd->pw_name = pw_checkname((u_char *)arg->val, 0);
                        edited = 1;
                }
  
--- 455,461 ----
                if ((arg = getarg(args, 'l')) != NULL) {
                        if (strcmp(pwd->pw_name, "root") == 0)
                                errx(EX_DATAERR, "can't rename `root' account");
!                       pwd->pw_name = pw_checkname((u_char *)arg->val, PWC_LOGIN);
                        edited = 1;
                }
  
***************
*** 595,601 ****
         * Shared add/edit code
         */
        if ((arg = getarg(args, 'c')) != NULL) {
!               char    *gecos = pw_checkname((u_char *)arg->val, 1);
                if (strcmp(pwd->pw_gecos, gecos) != 0) {
                        pwd->pw_gecos = gecos;
                        edited = 1;
--- 595,601 ----
         * Shared add/edit code
         */
        if ((arg = getarg(args, 'c')) != NULL) {
!               char    *gecos = pw_checkname((u_char *)arg->val, PWC_GECOS);
                if (strcmp(pwd->pw_gecos, gecos) != 0) {
                        pwd->pw_gecos = gecos;
                        edited = 1;
***************
*** 1192,1201 ****
  }
  
  char    *
! pw_checkname(u_char *name, int gecos)
  {
        int             l = 0;
!       char const     *notch = gecos ? ":!@" : " ,\t:+&#%$^()!@~*?<>=|\\/\"";
  
        while (name[l]) {
                if (strchr(notch, name[l]) != NULL || name[l] < ' ' || name[l] == 127 
||
--- 1192,1217 ----
  }
  
  char    *
! pw_checkname(u_char *name, enum _checktype checktype)
  {
        int             l = 0;
!       char const     *notch;
!       int             gecos = (checktype == PWC_GECOS);
! 
!       switch (checktype) {
!       case PWC_GECOS:
!               notch = ":!@";
!               break;
! 
!       case PWC_LOGIN:
!               notch = " ,\t:+&#%^()!@~*?<>=|\\/\"";
!               break;
! 
!       case PWC_DEFAULT:
!       default:
!               notch = " ,\t:+&#%$^()!@~*?<>=|\\/\"";
!               break;
!       }
  
        while (name[l]) {
                if (strchr(notch, name[l]) != NULL || name[l] < ' ' || name[l] == 127 
||
