in src/common/commonutils/PassUtils.c [393:565]
static int CheckRequirementsForCommonPassword(int retry, int minlen, int dcredit, int ucredit, int ocredit, int lcredit, char** reason, OsConfigLogHandle log)
{
const char* pamPwQualitySo = "pam_pwquality.so";
const char* pamCrackLibSo = "pam_cracklib.so";
const char* password = "password";
const char* requisite = "requisite";
int retryOption = 0;
int minlenOption = 0;
int dcreditOption = 0;
int ucreditOption = 0;
int ocreditOption = 0;
int lcreditOption = 0;
char commentCharacter = '#';
FILE* fileHandle = NULL;
char* line = NULL;
long lineMax = sysconf(_SC_LINE_MAX);
bool found = false;
int status = ENOENT;
if (false == FileExists(g_etcPamdCommonPassword))
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: '%s' does not exist", g_etcPamdCommonPassword);
OsConfigCaptureReason(reason, "%s' does not exist", g_etcPamdCommonPassword);
return ENOENT;
}
else if (NULL == (line = malloc(lineMax + 1)))
{
OsConfigLogError(log, "CheckRequirementsForCommonPassword: out of memory");
return ENOMEM;
}
else
{
memset(line, 0, lineMax + 1);
}
if (NULL == (fileHandle = fopen(g_etcPamdCommonPassword, "r")))
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: cannot read from '%s'", g_etcPamdCommonPassword);
OsConfigCaptureReason(reason, "Cannot read from '%s'", g_etcPamdCommonPassword);
status = EACCES;
}
else
{
status = ENOENT;
while (NULL != fgets(line, lineMax + 1, fileHandle))
{
// Example of valid line:
// 'password requisite pam_pwquality.so retry=3 minlen=14 lcredit=-1 ucredit=1 ocredit=-1 dcredit=-1'
if ((commentCharacter == line[0]) || (EOL == line[0]))
{
status = 0;
continue;
}
else if ((NULL != strstr(line, password)) && (NULL != strstr(line, requisite)) &&
((NULL != strstr(line, pamPwQualitySo)) || (NULL != strstr(line, pamCrackLibSo)) || (NULL != strstr(line, g_pamUnixSo))))
{
found = true;
if ((retry == (retryOption = GetIntegerOptionFromBuffer(line, "retry", '=', log))) &&
(minlen == (minlenOption = GetIntegerOptionFromBuffer(line, "minlen", '=', log))) &&
(dcredit == (dcreditOption = GetIntegerOptionFromBuffer(line, "dcredit", '=', log))) &&
(ucredit == (ucreditOption = GetIntegerOptionFromBuffer(line, "ucredit", '=', log))) &&
(ocredit == (ocreditOption = GetIntegerOptionFromBuffer(line, "ocredit", '=', log))) &&
(lcredit == (lcreditOption = GetIntegerOptionFromBuffer(line, "lcredit", '=', log))))
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: '%s' contains uncommented '%s %s' with "
"the expected password creation requirements (retry: %d, minlen: %d, dcredit: %d, ucredit: %d, ocredit: %d, lcredit: %d)",
g_etcPamdCommonPassword, password, requisite, retryOption, minlenOption, dcreditOption, ucreditOption, ocreditOption, lcreditOption);
OsConfigCaptureSuccessReason(reason, "'%s' contains uncommented '%s %s' with the expected password creation requirements "
"(retry: %d, minlen: %d, dcredit: %d, ucredit: %d, ocredit: %d, lcredit: %d)", g_etcPamdCommonPassword, password, requisite,
retryOption, minlenOption, dcreditOption, ucreditOption, ocreditOption, lcreditOption);
status = 0;
break;
}
else
{
if (INT_ENOENT == retryOption)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'retry' is missing", g_etcPamdCommonPassword);
OsConfigCaptureReason(reason, "In '%s' 'retry' is missing", g_etcPamdCommonPassword);
}
else if (retryOption != retry)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'retry' is set to %d instead of %d",
g_etcPamdCommonPassword, retryOption, retry);
OsConfigCaptureReason(reason, "In '%s' 'retry' is set to %d instead of %d", g_etcPamdCommonPassword, retryOption, retry);
}
if (INT_ENOENT == minlenOption)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'minlen' is missing", g_etcPamdCommonPassword);
OsConfigCaptureReason(reason, "In '%s' 'minlen' is missing", g_etcPamdCommonPassword);
}
else if (minlenOption != minlen)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'minlen' is set to %d instead of %d",
g_etcPamdCommonPassword, minlenOption, minlen);
OsConfigCaptureReason(reason, "In '%s' 'minlen' is set to %d instead of %d", g_etcPamdCommonPassword, minlenOption, minlen);
}
if (INT_ENOENT == dcreditOption)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'dcredit' is missing", g_etcPamdCommonPassword);
OsConfigCaptureReason(reason, "In '%s' 'dcredit' is missing", g_etcPamdCommonPassword);
}
else if (dcreditOption != dcredit)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'dcredit' is set to '%d' instead of %d",
g_etcPamdCommonPassword, dcreditOption, dcredit);
OsConfigCaptureReason(reason, "In '%s' 'dcredit' is set to '%d' instead of %d", g_etcPamdCommonPassword, dcreditOption, dcredit);
}
if (INT_ENOENT == ucreditOption)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'ucredit' missing", g_etcPamdCommonPassword);
OsConfigCaptureReason(reason, "In '%s' 'ucredit' missing", g_etcPamdCommonPassword);
}
else if (ucreditOption != ucredit)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'ucredit' set to '%d' instead of %d",
g_etcPamdCommonPassword, ucreditOption, ucredit);
OsConfigCaptureReason(reason, "In '%s' 'ucredit' set to '%d' instead of %d", g_etcPamdCommonPassword, ucreditOption, ucredit);
}
if (INT_ENOENT == ocreditOption)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'ocredit' missing", g_etcPamdCommonPassword);
OsConfigCaptureReason(reason, "In '%s' 'ocredit' missing", g_etcPamdCommonPassword);
}
else if (ocreditOption != ocredit)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'ocredit' set to '%d' instead of %d",
g_etcPamdCommonPassword, ocreditOption, ocredit);
OsConfigCaptureReason(reason, "In '%s' 'ocredit' set to '%d' instead of %d", g_etcPamdCommonPassword, ocreditOption, ocredit);
}
if (INT_ENOENT == lcreditOption)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'lcredit' missing", g_etcPamdCommonPassword);
OsConfigCaptureReason(reason, "In '%s' 'lcredit' missing", g_etcPamdCommonPassword);
}
else if (lcreditOption != lcredit)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: in '%s' 'lcredit' set to '%d' instead of %d",
g_etcPamdCommonPassword, lcreditOption, lcredit);
OsConfigCaptureReason(reason, "In '%s' 'lcredit' set to '%d' instead of %d", g_etcPamdCommonPassword, lcreditOption, lcredit);
}
status = ENOENT;
break;
}
}
memset(line, 0, lineMax + 1);
}
fclose(fileHandle);
}
FREE_MEMORY(line);
if (false == found)
{
OsConfigLogInfo(log, "CheckRequirementsForCommonPassword: '%s' does not contain a line '%s %s' with retry, minlen, dcredit, ucredit, ocredit, lcredit password creation options",
g_etcPamdCommonPassword, password, requisite);
OsConfigCaptureReason(reason, "'%s' does not contain a line '%s %s' with retry, minlen, dcredit, ucredit, ocredit, lcredit password creation options",
g_etcPamdCommonPassword, password, requisite);
status = ENOENT;
}
return status;
}