Accepting request 394329 from Linux-PAM

Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/394329 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=83
2016-05-14 10:23:08 +00:00 · 2016-05-14 10:23:08 +00:00 · 27ac6246a2
commit 27ac6246a2
parent 59356c2ab7 7bd1cebe62
10 changed files with 516 additions and 40 deletions
--- a/Linux-PAM-1.2.1-docs.tar.bz2
+++ b/Linux-PAM-1.2.1-docs.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1f8860544d935f744546a4bb15167e3e42736c4e37756534117bdfaa822e6b25
-size 491551
--- a/Linux-PAM-1.2.1.tar.bz2
+++ b/Linux-PAM-1.2.1.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9
-size 1279523
--- a/Linux-PAM-1.3.0-docs.tar.bz2
+++ b/Linux-PAM-1.3.0-docs.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8610b48703f036f6755c1d2bd8bcdeaddd9d99a1631f2d7668ec69b444d972a0
+size 492805
--- a/Linux-PAM-1.3.0.tar.bz2
+++ b/Linux-PAM-1.3.0.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:241aed1ef522f66ed672719ecf2205ec513fd0075ed80cda8e086a5b1a01d1bb
+size 1302820
--- a/common-account.pamd
+++ b/common-account.pamd
@ -1,8 +1,8 @@
 #
-# /etc/pam.d/common-account - authorization settings common to all services
+# /etc/pam.d/common-account - account settings common to all services
 #
 # This file is included from other service-specific PAM config files,
-# and should contain a list of the authorization modules that define
+# and should contain a list of the account modules that define
 # the central access policy for use on the system.  The default is to
 # only deny service to users whose accounts are expired.
 #
--- a/encryption_method_nis.diff
+++ b/encryption_method_nis.diff
@ -1,8 +1,6 @@
-diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
-index 0cfc0f4..2239206 100644
--- a/modules/pam_unix/pam_unix_passwd.c
-+++ b/modules/pam_unix/pam_unix_passwd.c
-@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+--- modules/pam_unix/pam_unix_passwd.c
+++ modules/pam_unix/pam_unix_passwd.c	2016/04/11 13:49:32
+@@ -840,6 +840,29 @@
 		 * rebuild the password database file.
 		 */
 
@ -32,13 +30,11 @@ index 0cfc0f4..2239206 100644
 		/*
 		 * First we encrypt the new password.
 		 */
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index 19d72e6..dafa9f0 100644
--- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -37,8 +37,8 @@
- #define SELINUX_ENABLED 0
- #endif
+--- modules/pam_unix/support.c
+++ modules/pam_unix/support.c	2016/04/11 13:49:32
+@@ -31,8 +31,8 @@
+ #include "support.h"
+ #include "passverify.h"
 
 -static char *
 -search_key (const char *key, const char *filename)
@ -47,7 +43,7 @@ index 19d72e6..dafa9f0 100644
 {
   FILE *fp;
   char *buf = NULL;
-@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+@@ -153,7 +153,7 @@
 	}
 
 	/* preset encryption method with value from /etc/login.defs */
@ -56,7 +52,7 @@ index 19d72e6..dafa9f0 100644
 	if (val) {
 	  for (j = 0; j < UNIX_CTRLS_; ++j) {
 	    if (unix_args[j].token && unix_args[j].is_hash_algo
-@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+@@ -171,7 +171,7 @@
 
 	  /* read number of rounds for crypt algo */
 	  if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
@ -65,11 +61,9 @@ index 19d72e6..dafa9f0 100644
 
 	    if (val) {
 	      *rounds = strtol(val, NULL, 10);
-diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
-index 6f5b2eb..a35a8a8 100644
--- a/modules/pam_unix/support.h
-+++ b/modules/pam_unix/support.h
-@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
+--- modules/pam_unix/support.h
+++ modules/pam_unix/support.h	2016/04/11 13:49:32
+@@ -174,4 +174,5 @@
 
 extern int _unix_run_verify_binary(pam_handle_t *pamh,
 			unsigned int ctrl, const char *user, int *daysleft);
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,55 @@
+-------------------------------------------------------------------
+Mon May  2 10:44:38 CEST 2016 - kukuk@suse.de
+
+- Remove obsolete README.pam_tally [bsc#977973]
+
+-------------------------------------------------------------------
+Thu Apr 28 13:51:59 CEST 2016 - kukuk@suse.de
+
+- Update Linux-PAM to version 1.3.0
+- Rediff encryption_method_nis.diff
+- Link pam_unix against libtirpc and external libnsl to enable
+  IPv6 support.
+
+-------------------------------------------------------------------
+Thu Apr 14 14:06:18 CEST 2016 - kukuk@suse.de
+
+- Add /sbin/unix2_chkpwd (moved from pam-modules)
+
+-------------------------------------------------------------------
+Mon Apr 11 15:09:04 CEST 2016 - kukuk@suse.de
+
+- Remove (since accepted upstream):
+  - 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
+  - 0002-Remove-enable-static-modules-option-and-support-from.patch
+  - 0003-fix-nis-checks.patch
+  - 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
+  - 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
+
+-------------------------------------------------------------------
+Fri Apr  1 15:32:37 CEST 2016 - kukuk@suse.de
+
+- Add 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
+  - Replace IPv4 only functions
+
+-------------------------------------------------------------------
+Fri Apr  1 10:37:58 CEST 2016 - kukuk@suse.de
+
+- Fix typo in common-account.pamd [bnc#959439]
+
+-------------------------------------------------------------------
+Tue Mar 29 14:25:02 CEST 2016 - kukuk@suse.de
+
+- Add 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
+  - readd PAM_EXTERN for external PAM modules
+
+-------------------------------------------------------------------
+Wed Mar 23 11:21:16 CET 2016 - kukuk@suse.de
+
+- Add 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
+- Add 0002-Remove-enable-static-modules-option-and-support-from.patch
+- Add 0003-fix-nis-checks.patch
+
 -------------------------------------------------------------------
 Sat Jul 25 16:03:33 UTC 2015 - joschibrauchle@gmx.de

--- a/pam.spec
+++ b/pam.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pam
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -25,15 +25,18 @@ BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
 BuildRequires:  flex
-#BuildRequires:  pkgconfig(libtirpc)
+%if 0%{?suse_version} > 1320
+BuildRequires:  pkgconfig(libnsl)
+BuildRequires:  pkgconfig(libtirpc)
+%endif
 %if %{enable_selinux}
 BuildRequires:  libselinux-devel
 %endif
-%define libpam_so_version 0.84.1
+%define libpam_so_version 0.84.2
 %define libpam_misc_so_version 0.82.1
 %define libpamc_so_version 0.82.1
 #
-Version:        1.2.1
+Version:        1.3.0
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0+ or BSD-3-Clause
@ -51,6 +54,8 @@ Source6:        common-password.pamd
 Source7:        common-session.pamd
 Source8:        etc.environment
 Source9:        baselibs.conf
+Source10:       unix2_chkpwd.c
+Source11:       unix2_chkpwd.8
 Patch0:         fix-man-links.dif
 Patch2:         pam-limit-nproc.patch
 Patch3:         encryption_method_nis.diff
@ -103,7 +108,7 @@ building both PAM-aware applications and modules for use with PAM.
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
 %patch2 -p1
-%patch3 -p1
+%patch3 -p0

 %build
 autoreconf -fiv
@ -117,7 +122,8 @@ export CFLAGS="%optflags -DNDEBUG"
        --libdir=/%{_lib} \
 	--enable-isadir=../../%{_lib}/security \
        --enable-securedir=/%{_lib}/security
-make %{?_smp_mflags};
+make %{?_smp_mflags}
+%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam

 %check
 make %{?_smp_mflags} check
@ -170,12 +176,6 @@ for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
  ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so
 done
 #
-# pam_tally is deprecated since ages
-#
-rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
-rm -f $RPM_BUILD_ROOT/sbin/pam_tally
-rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
-#
 # Install READMEs of PAM modules
 #
 DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam
@ -187,18 +187,30 @@ mkdir -p $DOC/modules
  done
 )
 #
-# Install misc docu and md5.config
+# pam_tally is deprecated since ages
+#
+rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
+rm -f $RPM_BUILD_ROOT/sbin/pam_tally
+rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
+rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally
+#
+# Install misc docu
 #
 install -m 644 NEWS COPYING $DOC
+# Install unix2_chkpwd
+install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/
+install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
 # Create filelist with translatins
 %{find_lang} Linux-PAM

 %verifyscript
 %verify_permissions -e /sbin/unix_chkpwd
+%verify_permissions -e /sbin/unix2_chkpwd

 %post
 /sbin/ldconfig
 %set_permissions /sbin/unix_chkpwd
+%set_permissions /sbin/unix2_chkpwd

 %postun -p /sbin/ldconfig

@ -223,6 +235,7 @@ install -m 644 NEWS COPYING $DOC
 %config(noreplace) %{_sysconfdir}/security/namespace.init
 %doc %{_defaultdocdir}/pam/NEWS
 %doc %{_defaultdocdir}/pam/COPYING
+%doc %{_mandir}/man5/environment.5*
 %doc %{_mandir}/man5/*.conf.5*
 %doc %{_mandir}/man5/pam.d.5*
 %doc %{_mandir}/man8/*
@ -288,6 +301,7 @@ install -m 644 NEWS COPYING $DOC
 /sbin/pam_tally2
 /sbin/pam_timestamp_check
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd
+%verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd
 %attr(0700,root,root) /sbin/unix_update

 %files doc
--- a/unix2_chkpwd.8
+++ b/unix2_chkpwd.8
@ -0,0 +1,79 @@
+.\" Copyright (C) 2003 International Business Machines Corporation
+.\" This file is distributed according to the GNU General Public License.
+.\" See the file COPYING in the top level source directory for details.
+.\"
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
+.SH NAME
+unix2_chkpwd \- helper binary that verifies the password of the current user
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+
+/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
+.sp
+.ad
+.hy
+.SH "DESCRIPTION"
+.PP
+\fBunix2_chkpwd\fR is a helper program for applications that verifies 
+the password of the current user.  It is not intended to be run directly from 
+the command line and logs a security violation if done so. 
+
+It is typically installed setuid root or setgid shadow and called by
+applications, which only wishes to do an user authentification and
+nothing more.
+
+.SH "OPTIONS"
+.PP
+unix2_chkpwd requires the following arguments:
+.TP
+\fIpam_service\fR
+The name of the service using unix2_chkpwd. This is required to be one of
+the services in /etc/pam.d
+.TP
+\fIusername\fR
+The name of the user whose password you want to verify.
+
+.SH "INPUTS"
+.PP
+unix2_chkpwd expects the password via stdin.
+
+.SH "RETURN CODES"
+.PP
+\fBunix2_chkpwd\fR has the following return codes:
+.TP
+1
+unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
+
+.TP
+0
+The password is correct.
+
+.SH "HISTORY"
+Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
+
+.SH "SEE ALSO"
+
+.PP
+\fBpam\fR(8)
+
+.SH AUTHOR
+Emily Ratliff.
--- a/unix2_chkpwd.c
+++ b/unix2_chkpwd.c
@ -0,0 +1,337 @@
+/*
+ * Set*id helper program for PAM authentication.
+ *
+ * It is supposed to be called from pam_unix2's
+ * pam_sm_authenticate function if the function notices
+ * that it's unable to get the password from the shadow file
+ * because it doesn't have sufficient permissions.
+ *
+ * Copyright (C) 2002 SuSE Linux AG
+ *
+ * Written by okir@suse.de, loosely based on unix_chkpwd
+ * by Andrew Morgan.
+ */
+
+#include <security/pam_appl.h>
+#include <security/_pam_macros.h>
+
+#include <sys/types.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <errno.h>
+
+#define BUFLEN	1024
+#ifndef LOGINDEFS
+#define LOGINDEFS	"/etc/login.defs"
+#endif
+#define LOGINDEFS_FAIL_DELAY_KEY	"FAIL_DELAY"
+#define DEFAULT_FAIL_DELAY_S	10
+
+#define PASSWD_CRACKER_DELAY_MS	100
+
+enum {
+	UNIX_PASSED = 0,
+	UNIX_FAILED = 1
+};
+
+static char *	program_name;
+static char	pass[64];
+static int	npass = -1;
+
+/*
+ * Log error messages
+ */
+static void
+_log_err(int err, const char *format,...)
+{
+	va_list args;
+
+	va_start(args, format);
+	openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
+	vsyslog(err, format, args);
+	va_end(args);
+	closelog();
+}
+
+static void
+su_sighandler(int sig)
+{
+	if (sig > 0) {
+		_log_err(LOG_NOTICE, "caught signal %d.", sig);
+		exit(sig);
+	}
+}
+
+/*
+ * Setup signal handlers
+ */
+static void
+setup_signals(void)
+{
+	struct sigaction action;
+
+	memset((void *) &action, 0, sizeof(action));
+	action.sa_handler = su_sighandler;
+	action.sa_flags = SA_RESETHAND;
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGTRAP, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	sigaction(SIGSEGV, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	action.sa_flags = 0;
+	sigaction(SIGTERM, &action, NULL);
+	sigaction(SIGHUP, &action, NULL);
+	sigaction(SIGINT, &action, NULL);
+	sigaction(SIGQUIT, &action, NULL);
+	sigaction(SIGALRM, &action, NULL);
+}
+
+static int
+_converse(int num_msg, const struct pam_message **msg,
+		struct pam_response **resp, void *appdata_ptr)
+{
+	struct	pam_response *reply;
+	int	num;
+
+	if (!(reply = malloc(sizeof(*reply) * num_msg)))
+		return PAM_CONV_ERR;
+
+	for (num = 0; num < num_msg; num++) {
+		reply[num].resp_retcode = PAM_SUCCESS;
+		reply[num].resp = NULL;
+		switch (msg[num]->msg_style) {
+		case PAM_PROMPT_ECHO_ON:
+			return PAM_CONV_ERR;
+		case PAM_PROMPT_ECHO_OFF:
+			/* read the password from stdin */
+			if (npass < 0) {
+				npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
+				if (npass < 0) {
+					_log_err(LOG_DEBUG, "error reading password");
+					return UNIX_FAILED;
+				}
+				pass[npass] = '\0';
+			}
+			reply[num].resp = strdup(pass);
+			break;
+		case PAM_TEXT_INFO:
+		case PAM_ERROR_MSG:
+			/* ignored */
+			break;
+		default:
+			/* Must be an error of some sort... */
+			return PAM_CONV_ERR;
+		}
+	}
+
+	*resp = reply;
+	return PAM_SUCCESS;
+}
+
+static int
+_authenticate(const char *service, const char *user)
+{
+	struct pam_conv conv = { _converse, NULL };
+	pam_handle_t	*pamh;
+	int		err;
+
+	err = pam_start(service, user, &conv, &pamh);
+	if (err != PAM_SUCCESS) {
+		_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
+				service, user, err);
+		return UNIX_FAILED;
+	}
+	
+	err = pam_authenticate(pamh, 0);
+	if (err != PAM_SUCCESS)
+		_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
+				service, user,
+				pam_strerror(pamh, err));
+
+	if (err == PAM_SUCCESS)
+	{
+		err = pam_acct_mgmt(pamh, 0);
+		if (err == PAM_SUCCESS)
+ 		{
+			int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
+			if (err2 != PAM_SUCCESS)
+				_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
+					service, user,
+					pam_strerror(pamh, err2));
+				/*
+				 * ignore errors on refresh credentials.
+				 * If this did not work we use the old once.
+				 */
+		} else {
+			_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
+				service, user,
+				pam_strerror(pamh, err));
+		}
+	}
+	
+	pam_end(pamh, err);
+
+	if (err != PAM_SUCCESS)
+		return UNIX_FAILED;
+	return UNIX_PASSED;
+}
+
+static char *
+getuidname(uid_t uid)
+{
+	struct passwd *pw;
+	static char username[32];
+
+	pw = getpwuid(uid);
+	if (pw == NULL)
+		return NULL;
+
+	strncpy(username, pw->pw_name, sizeof(username));
+	username[sizeof(username) - 1] = '\0';
+	
+	endpwent();
+	return username;
+}
+
+static int
+sane_pam_service(const char *name)
+{
+	const char *sp;
+	char	path[128];
+
+	if (strlen(name) > 32)
+		return 0;
+	for (sp = name; *sp; sp++) {
+		if (!isalnum(*sp) && *sp != '_' && *sp != '-')
+			return 0;
+	}
+
+	snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
+	return access(path, R_OK) == 0;
+}
+
+static int
+get_system_fail_delay (void)
+{
+	FILE *fs;
+	char buf[BUFLEN];
+	long int delay = -1;
+	char *s;
+	int l;
+
+	fs = fopen(LOGINDEFS, "r");
+	if (NULL == fs) {
+		goto bail_out;
+	}
+
+	while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
+		if  (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
+			continue;
+		}
+		s = buf + strspn(buf, " \t");
+		l = strcspn(s, " \t");
+		if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
+			continue;
+		}
+		s += l;
+		s += strspn(s, " \t");
+		errno = 0;
+		delay = strtol(s, NULL, 10);
+		if (errno) {
+			delay = -1;
+		}
+		break;
+	}
+	fclose (fs);
+bail_out:
+	delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
+	return (int)delay;
+}
+
+int
+main(int argc, char *argv[])
+{
+	const char *program_name;
+	char	*service, *user;
+	int	fd;
+	int result = UNIX_FAILED;
+	uid_t	uid;
+
+	uid = getuid();
+
+	/*
+	 * Make sure standard file descriptors are connected.
+	 */
+	while ((fd = open("/dev/null", O_RDWR)) <= 2)
+		;
+	close(fd);
+
+	/*
+	 * Get the program name
+	 */
+	if (argc == 0)
+		program_name = "unix2_chkpwd";
+	else if ((program_name = strrchr(argv[0], '/')) != NULL)
+		program_name++;
+	else
+		program_name = argv[0];
+
+	/*
+	 * Catch or ignore as many signal as possible.
+	 */
+	setup_signals();
+
+	/*
+	 * Check argument list
+	 */
+	if (argc < 2 || argc > 3) {
+		_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
+		return UNIX_FAILED;
+	}
+
+	/*
+	 * Get the service name and do some sanity checks on it
+	 */
+	service = argv[1];
+	if (!sane_pam_service(service)) {
+		_log_err(LOG_ERR, "Illegal service name '%s'", service);
+		return UNIX_FAILED;
+	}
+
+	/*
+	 * Discourage users messing around (fat chance)
+	 */
+	if (isatty(STDIN_FILENO) && uid != 0) {
+		_log_err(LOG_NOTICE,
+			"Inappropriate use of Unix helper binary [UID=%d]",
+			 uid);
+		fprintf(stderr,
+			"This binary is not designed for running in this way\n"
+			"-- the system administrator has been informed\n");
+		sleep(10);	/* this should discourage/annoy the user */
+		return UNIX_FAILED;
+	}
+
+	/*
+	 * determine the caller's user name
+	 */
+	user = getuidname(uid);
+	if (argc == 3 && strcmp(user, argv[2])) {
+		user = argv[2];
+	}
+	result = _authenticate(service, user);
+	/* Discourage use of this program as a
+	 * password cracker */
+	usleep(PASSWD_CRACKER_DELAY_MS * 1000);
+	if (result != UNIX_PASSED && uid != 0)
+		sleep(get_system_fail_delay());
+	return result;
+}