diff --git a/include/security/openpam.h b/include/security/openpam.h
index ea7e8b7..ebadb9f 100644
--- a/include/security/openpam.h
+++ b/include/security/openpam.h
@@ -55,20 +55,95 @@ void _openpam_log(int _level, const char *_fmt, ...); -#ifdef __GNUC__ +#if defined(__STDC__) && (__STDC_VERSION__ > 199901L) +#define openpam_log(lvl, fmt, ...) \ + _openpam_log((lvl), __func__, fmt, __VA_ARGS__) +#elif defined(__GNUC__) #define openpam_log(lvl, fmt...) \ _openpam_log((lvl), __func__, ##fmt) #else -#define openpam_log(lvl, fmt, ...) \ - _openpam_log((lvl), __func__, fmt, __VA_ARGS__) +extern openpam_log(int _level, const char *_format, ...); #endif /* * Generic conversation function */ +struct pam_message; +struct pam_response; int openpam_ttyconv(int _n, const struct pam_message **_msg, struct pam_response **_resp, void *_data); +/* + * PAM primitives + */ +enum { + PAM_SM_AUTHENTICATE, + PAM_SM_SETCRED, + PAM_SM_ACCT_MGMT, + PAM_SM_OPEN_SESSION, + PAM_SM_CLOSE_SESSION, + PAM_SM_CHAUTHTOK, + /* keep this last */ + PAM_NUM_PRIMITIVES +}; + +/* + * Dummy service module function + */ +#define PAM_SM_DUMMY(type) \ +PAM_EXTERN int \ +pam_sm_##type(pam_handle_t *pamh, int flags, \ + int argc, const char *argv[]) \ +{ \ + return (PAM_IGNORE); \ +} + +/* + * PAM service module functions match this typedef + */ +struct pam_handle; +typedef int (*pam_func_t)(struct pam_handle *, int, int, const char **); + +/* + * A struct that describes a module. + */ +typedef struct pam_module pam_module_t; +struct pam_module { + const char *path; + pam_func_t func[PAM_NUM_PRIMITIVES]; + void *dlh; + int refcount; + pam_module_t *prev; + pam_module_t *next; +}; + +/* + * Infrastructure for static modules using GCC linker sets. + * You are not expected to understand this. 
+ */ +#if defined(__GNUC__) && !defined(__PIC__) +#if defined(__FreeBSD__) +#define PAM_SOEXT ".so" +#else +#error Static linking is not supported on your platform +#endif +/* gcc, static linking */ +#include +#include +#define OPENPAM_STATIC_MODULES +#define PAM_EXTERN static +#define PAM_MODULE_ENTRY(name) \ +static struct pam_module _pam_module = { name PAM_SOEXT, { \ + pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt, \ + pam_sm_open_session, pam_sm_close_session, pam_sm_chauthtok }, \ + NULL, 0, NULL, NULL }; \ +DATA_SET(_openpam_modules, _pam_module) +#else +/* normal case */ +#define PAM_EXTERN +#define PAM_MODULE_ENTRY(name) +#endif + #endif diff --git a/include/security/pam_modules.h b/include/security/pam_modules.h index 3c75ca0..9340e77 100644 --- a/include/security/pam_modules.h +++ b/include/security/pam_modules.h @@ -39,42 +39,43 @@ #include #include +#include /* * XSSO 4.2.2, 6 */ -int +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *_pamh, int _flags, int _argc, const char **_argv); -int +PAM_EXTERN int pam_sm_authenticate(pam_handle_t *_pamh, int _flags, int _argc, const char **_argv); -int +PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *_pamh, int _flags, int _argc, const char **_argv); -int +PAM_EXTERN int pam_sm_close_session(pam_handle_t *_pamh, int _flags, int _args, const char **_argv); -int +PAM_EXTERN int pam_sm_open_session(pam_handle_t *_pamh, int _flags, int _argc, const char **_argv); -int +PAM_EXTERN int pam_sm_setcred(pam_handle_t *_pamh, int _flags, int _argc, @@ -84,7 +85,7 @@ pam_sm_setcred(pam_handle_t *_pamh, * Single Sign-On extensions */ #if 0 -int +PAM_EXTERN int pam_sm_authenticate_secondary(pam_handle_t *_pamh, char *_target_username, char *_target_module_type, @@ -95,7 +96,7 @@ pam_sm_authenticate_secondary(pam_handle_t *_pamh, int _argc, const char **_argv); -int +PAM_EXTERN int pam_sm_get_mapped_authtok(pam_handle_t *_pamh, char *_target_module_username, char *_target_module_type, 
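Review bot: The fallback branch of the `openpam_log` selection declares `extern openpam_log(int _level, const char *_format, ...);` with no return type, which relies on implicit int, a feature C99 removed. The version test above it uses `__STDC_VERSION__ > 199901L`, so a compiler reporting exactly 199901L (C99, where `__VA_ARGS__` is available) skips the variadic macro and, if it is not GCC, lands on that declaration. I would write the test as `#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)` and the fallback as `extern void openpam_log(int _level, const char *_format, ...);`, assuming it is meant to return nothing like `_openpam_log`. Separately, the `#error` under `defined(__GNUC__) && !defined(__PIC__)` sits in a public header, so any non-PIC GCC compile that includes it on a platform other than FreeBSD stops there; a comment saying whether that is intended would help.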
@@ -105,7 +106,7 @@ pam_sm_get_mapped_authtok(pam_handle_t *_pamh, int _argc, char *_argv); -int +PAM_EXTERN int pam_sm_get_mapped_username(pam_handle_t *_pamh, char *_src_username, char *_src_module_type, @@ -116,7 +117,7 @@ pam_sm_get_mapped_username(pam_handle_t *_pamh, int _argc, const char **_argv); -int +PAM_EXTERN int pam_sm_set_mapped_authtok(pam_handle_t *_pamh, char *_target_module_username, size_t _target_authtok_len, @@ -126,7 +127,7 @@ pam_sm_set_mapped_authtok(pam_handle_t *_pamh, int _argc, const char *_argv); -int +PAM_EXTERN int pam_sm_set_mapped_username(pam_handle_t *_pamh, char *_target_module_username, char *_target_module_type, diff --git a/lib/openpam_dispatch.c b/lib/openpam_dispatch.c index f6d57b7..cbabb0e 100644 --- a/lib/openpam_dispatch.c +++ b/lib/openpam_dispatch.c @@ -55,7 +55,7 @@ openpam_dispatch(pam_handle_t *pamh, int primitive, int flags) { - pam_chain_t *module; + pam_chain_t *chain; int err, fail, r; if (pamh == NULL) 
@@ -69,41 +69,41 @@ openpam_dispatch(pam_handle_t *pamh, /* pick a chain */ switch (primitive) { - case PAM_AUTHENTICATE: - case PAM_SETCRED: - module = pamh->chains[PAM_AUTH]; + case PAM_SM_AUTHENTICATE: + case PAM_SM_SETCRED: + chain = pamh->chains[PAM_AUTH]; break; - case PAM_ACCT_MGMT: - module = pamh->chains[PAM_ACCOUNT]; + case PAM_SM_ACCT_MGMT: + chain = pamh->chains[PAM_ACCOUNT]; break; - case PAM_OPEN_SESSION: - case PAM_CLOSE_SESSION: - module = pamh->chains[PAM_SESSION]; + case PAM_SM_OPEN_SESSION: + case PAM_SM_CLOSE_SESSION: + chain = pamh->chains[PAM_SESSION]; break; - case PAM_CHAUTHTOK: - module = pamh->chains[PAM_PASSWORD]; + case PAM_SM_CHAUTHTOK: + chain = pamh->chains[PAM_PASSWORD]; break; default: return (PAM_SYSTEM_ERR); } /* fail if the chain is empty */ - if (module == NULL) + if (chain == NULL) return (PAM_SYSTEM_ERR); /* execute */ - for (err = fail = 0; module != NULL; module = module->next) { - if (module->primitive[primitive] == NULL) { + for (err = fail = 0; chain != NULL; chain = chain->next) { + if (chain->module->func[primitive] == NULL) { openpam_log(PAM_LOG_ERROR, "%s: no %s()", - module->modpath, _pam_sm_func_name[primitive]); + chain->module->path, _pam_sm_func_name[primitive]); r = PAM_SYMBOL_ERR; } else { - pamh->current = module; - r = (module->primitive[primitive])(pamh, flags, - module->optc, (const char **)module->optv); + pamh->current = chain; + r = (chain->module->func[primitive])(pamh, flags, + chain->optc, (const char **)chain->optv); pamh->current = NULL; openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s", - module->modpath, _pam_sm_func_name[primitive], + chain->module->path, _pam_sm_func_name[primitive], pam_strerror(pamh, r)); } @@ -118,8 +118,8 @@ openpam_dispatch(pam_handle_t *pamh, * the chain here if a required module has * previously failed. I'm not sure why. */ - if (module->flag == PAM_SUFFICIENT && - primitive != PAM_SETCRED) + if (chain->flag == PAM_SUFFICIENT && + primitive != PAM_SM_SETCRED) break; } 
@@ -132,7 +132,7 @@ openpam_dispatch(pam_handle_t *pamh, */ if (err == 0) err = r; - if (module->flag == PAM_REQUIRED && !fail) { + if (chain->flag == PAM_REQUIRED && !fail) { fail = 1; err = r; } @@ -141,7 +141,7 @@ openpam_dispatch(pam_handle_t *pamh, * If a requisite module fails, terminate the chain * immediately. */ - if (module->flag == PAM_REQUISITE) { + if (chain->flag == PAM_REQUISITE) { fail = 1; break; } @@ -164,7 +164,7 @@ _openpam_check_error_code(int primitive, int r) /* specific error codes */ switch (primitive) { - case PAM_AUTHENTICATE: + case PAM_SM_AUTHENTICATE: if (r == PAM_AUTH_ERR || r == PAM_CRED_INSUFFICIENT || r == PAM_AUTHINFO_UNAVAIL || @@ -172,26 +172,26 @@ _openpam_check_error_code(int primitive, int r) r == PAM_MAXTRIES) return; break; - case PAM_SETCRED: + case PAM_SM_SETCRED: if (r == PAM_CRED_UNAVAIL || r == PAM_CRED_EXPIRED || r == PAM_USER_UNKNOWN || r == PAM_CRED_ERR) return; break; - case PAM_ACCT_MGMT: + case PAM_SM_ACCT_MGMT: if (r == PAM_USER_UNKNOWN || r == PAM_AUTH_ERR || r == PAM_NEW_AUTHTOK_REQD || r == PAM_ACCT_EXPIRED) return; break; - case PAM_OPEN_SESSION: - case PAM_CLOSE_SESSION: + case PAM_SM_OPEN_SESSION: + case PAM_SM_CLOSE_SESSION: if (r == PAM_SESSION_ERR) return; break; - case PAM_CHAUTHTOK: + case PAM_SM_CHAUTHTOK: if (r == PAM_PERM_DENIED || r == PAM_AUTHTOK_ERR || r == PAM_AUTHTOK_RECOVERY_ERR || diff --git a/lib/openpam_impl.h b/lib/openpam_impl.h index a346fbc..5988628 100644 --- a/lib/openpam_impl.h +++ b/lib/openpam_impl.h @@ -39,6 +39,8 @@ #include +extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES]; + /* * Control flags */ 
@@ -57,27 +59,13 @@ #define PAM_PASSWORD 3 #define PAM_NUM_CHAINS 4 -#define PAM_ACCT_MGMT 0 -#define PAM_AUTHENTICATE 1 -#define PAM_CHAUTHTOK 2 -#define PAM_CLOSE_SESSION 3 -#define PAM_OPEN_SESSION 4 -#define PAM_SETCRED 5 -#define PAM_NUM_PRIMITIVES 6 - -extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES]; - -typedef int (*pam_func_t)(pam_handle_t *, int, int, const char **); - typedef struct pam_chain pam_chain_t; struct pam_chain { + pam_module_t *module; int flag; - char *modpath; int optc; char **optv; pam_chain_t *next; - void *dlh; - pam_func_t primitive[PAM_NUM_PRIMITIVES]; }; #define PAM_NUM_ITEMS 10 diff --git a/lib/openpam_load.c b/lib/openpam_load.c index 9a4eedd..4d17383 100644 --- a/lib/openpam_load.c +++ b/lib/openpam_load.c @@ -42,6 +42,10 @@ #include "openpam_impl.h" +#ifdef OPENPAM_STATIC_MODULES +SET_DECLARE(_openpam_modules, pam_module_t); +#endif + const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = { "pam_sm_acct_mgmt", "pam_sm_authenticate", 
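Review bot: `_pam_sm_func_name[]` keeps its alphabetical order (the context lines show it starting with "pam_sm_acct_mgmt", "pam_sm_authenticate" and ending with "pam_sm_setcred"), but the `PAM_SM_*` enum that now indexes it starts with PAM_SM_AUTHENTICATE, PAM_SM_SETCRED, PAM_SM_ACCT_MGMT. The removed `PAM_*` defines were alphabetical, so the table and its indices agreed before this change and no longer do. openpam_dispatch() would log the wrong function name, and any symbol lookup driven by this table would bind the wrong entry point to a primitive. The middle of the table is outside the hunk; the reordering below assumes it holds the remaining three names.

```c
/* order must match the PAM_SM_* enum in include/security/openpam.h */
const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = {
	"pam_sm_authenticate",
	"pam_sm_setcred",
	"pam_sm_acct_mgmt",
	"pam_sm_open_session",
	"pam_sm_close_session",
	"pam_sm_chauthtok"
};
```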
@@ -51,18 +55,122 @@ const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = { "pam_sm_setcred" }; -static void -openpam_destroy_module(pam_chain_t *module) +static pam_module_t *modules; + +/* + * Load a dynamic module, or locate a static one. Keep a list of + * previously found modules to speed up the process. + */ + +static pam_module_t * +openpam_load_module(const char *path) { - if (module->dlh != NULL) - dlclose(module->dlh); - while (module->optc--) - free(module->optv[module->optc]); - free(module->optv); - free(module->modpath); + pam_module_t *module; + void *dlh; + + /* check cache first */ + for (module = modules; module != NULL; module = module->next) + if (strcmp(module->path, path) == 0) + goto found; + + /* nope; try to load */ + if ((dlh = dlopen(path, RTLD_NOW)) == NULL) { + openpam_log(PAM_LOG_ERROR, "dlopen(): %s", dlerror()); + } else { + if ((module = calloc(1, sizeof *module)) == NULL) + goto buf_err; + if ((module->path = strdup(path)) == NULL) + goto buf_err; + module->dlh = dlh; + } + openpam_log(PAM_LOG_DEBUG, "%s dynamic %s", + (module == NULL) ? "no" : "using", path); + +#ifdef OPENPAM_STATIC_MODULES + /* look for a static module */ + if (module == NULL && strchr(path, '/') == NULL) { + pam_module_t **modp; + + SET_FOREACH(modp, _openpam_modules) { + if (strcmp((*modp)->path, path) == 0) { + module = *modp; + break; + } + } + openpam_log(PAM_LOG_DEBUG, "%s static %s", + (module == NULL) ? "no" : "using", path); + } +#endif + if (module == NULL) + return (NULL); + module->next = modules; + module->prev = NULL; + modules = module; + found: + ++module->refcount; + return (module); + buf_err: + openpam_log(PAM_LOG_ERROR, "malloc(): %m"); + dlclose(dlh); + free(module); + return (NULL); +} + + +/* + * Release a module. 
+ * XXX highly thread-unsafe + */ + +static void +openpam_release_module(pam_module_t *module) +{ + if (module == NULL) + return; + --module->refcount; + if (module->refcount > 0) + /* still in use */ + return; + if (module->refcount < 0) { + openpam_log(PAM_LOG_ERROR, "module %s has negative refcount", + module->path); + module->refcount = 0; + } + if (module->dlh == NULL) + /* static module */ + return; + dlclose(module->dlh); + if (module->prev != NULL) + module->prev->next = module->next; + if (module->next != NULL) + module->next->prev = module->prev; free(module); } + +/* + * Destroy a chain, freeing all its links and releasing the modules + * they point to. + */ + +static void +openpam_destroy_chain(pam_chain_t *chain) +{ + if (chain == NULL) + return; + openpam_destroy_chain(chain->next); + chain->next = NULL; + while (chain->optc--) + free(chain->optv[chain->optc]); + free(chain->optv); + openpam_release_module(chain->module); + free(chain); +} + +/* + * Add a module to a chain. + */ + int openpam_add_module(pam_handle_t *pamh, int chain, 
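Review bot: openpam_load_module() never fills `module->func[]` for a dlopen()'d module: the dlsym() loop was removed from openpam_add_module() and nothing in this diff replaces it, so after calloc() every entry is NULL and openpam_dispatch() would return PAM_SYMBOL_ERR for each dynamic module. The cache list is also inconsistent: insertion at the head never sets the old head's `prev`, and openpam_release_module() neither updates `modules` when the head is freed nor frees `module->path`. Since `prev` is never non-NULL, a freed module's predecessor keeps pointing at it, and the next cache scan follows that dangling pointer. The fence shows the lines I would add; the dlsym() loop is only correct if `_pam_sm_func_name[]` is ordered like the `PAM_SM_*` enum.

```c
/* openpam_load_module(): needs a local `int i;` */
		module->dlh = dlh;
		/* resolve the service functions; absent ones stay NULL */
		for (i = 0; i < PAM_NUM_PRIMITIVES; ++i)
			module->func[i] = dlsym(dlh, _pam_sm_func_name[i]);
/* ... unchanged: debug log, static module lookup, NULL check ... */
	module->next = modules;
	module->prev = NULL;
	if (modules != NULL)
		modules->prev = module;
	modules = module;
/* ... unchanged: found / buf_err labels ... */

/* openpam_release_module(): unlink before freeing */
	dlclose(module->dlh);
	if (module->prev != NULL)
		module->prev->next = module->next;
	else
		modules = module->next;
	if (module->next != NULL)
		module->next->prev = module->prev;
	free((void *)module->path);
	free(module);
```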
@@ -71,58 +179,37 @@ openpam_add_module(pam_handle_t *pamh, int optc, const char *optv[]) { - pam_chain_t *module, *iterator; - int i; + pam_chain_t *new, *iterator; - /* fill in configuration data */ - if ((module = calloc(1, sizeof(*module))) == NULL) + if ((new = calloc(1, sizeof(*new))) == NULL) goto buf_err; - if ((module->modpath = strdup(modpath)) == NULL) - goto buf_err; - if ((module->optv = malloc(sizeof(char *) * (optc + 1))) == NULL) + if ((new->optv = malloc(sizeof(char *) * (optc + 1))) == NULL) goto buf_err; while (optc--) - if ((module->optv[module->optc++] = strdup(*optv++)) == NULL) + if ((new->optv[new->optc++] = strdup(*optv++)) == NULL) goto buf_err; - module->optv[module->optc] = NULL; - module->flag = flag; - module->next = NULL; - - /* load module and resolve symbols */ - /* - * Each module is dlopen()'d once for evey time it occurs in - * any chain. While the linker is smart enough to not load - * the same module more than once, it does waste space in the - * form of linker handles and pam_func structs. - * - * TODO: implement a central module cache and replace the - * array of pam_func structs in struct pam_chain with pointers - * to the appropriate entry in the module cache. 
- */ - if ((module->dlh = dlopen(modpath, RTLD_NOW)) == NULL) { - openpam_log(PAM_LOG_ERROR, "dlopen(): %s", dlerror()); - openpam_destroy_module(module); + new->optv[new->optc] = NULL; + new->flag = flag; + if ((new->module = openpam_load_module(modpath)) == NULL) { + openpam_destroy_chain(new); return (PAM_OPEN_ERR); } - for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) - module->primitive[i] = - dlsym(module->dlh, _pam_sm_func_name[i]); - if ((iterator = pamh->chains[chain]) != NULL) { while (iterator->next != NULL) iterator = iterator->next; - iterator->next = module; + iterator->next = new; } else { - pamh->chains[chain] = module; + pamh->chains[chain] = new; } return (PAM_SUCCESS); buf_err: openpam_log(PAM_LOG_ERROR, "%m"); - openpam_destroy_module(module); + openpam_destroy_chain(new); return (PAM_BUF_ERR); } + /* * Clear the chains and release the modules */ @@ -130,14 +217,8 @@ openpam_add_module(pam_handle_t *pamh, void openpam_clear_chains(pam_handle_t *pamh) { - pam_chain_t *module; int i; - for (i = 0; i < PAM_NUM_CHAINS; ++i) { - while (pamh->chains[i] != NULL) { - module = pamh->chains[i]; - pamh->chains[i] = module->next; - openpam_destroy_module(module); - } - } + for (i = 0; i < PAM_NUM_CHAINS; ++i) + openpam_destroy_chain(pamh->chains[i]); } diff --git a/lib/pam_acct_mgmt.c b/lib/pam_acct_mgmt.c index ad1f107..d88a24e 100644 --- a/lib/pam_acct_mgmt.c +++ b/lib/pam_acct_mgmt.c @@ -52,5 +52,5 @@ pam_acct_mgmt(pam_handle_t *pamh, int flags) { - return (openpam_dispatch(pamh, PAM_ACCT_MGMT, flags)); + return (openpam_dispatch(pamh, PAM_SM_ACCT_MGMT, flags)); } diff --git a/lib/pam_authenticate.c b/lib/pam_authenticate.c index 9d1cab6..d98d1df 100644 --- a/lib/pam_authenticate.c +++ b/lib/pam_authenticate.c @@ -52,5 +52,5 @@ pam_authenticate(pam_handle_t *pamh, int flags) { - return (openpam_dispatch(pamh, PAM_AUTHENTICATE, flags)); + return (openpam_dispatch(pamh, PAM_SM_AUTHENTICATE, flags)); } 
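Review bot: openpam_clear_chains() now frees each chain but leaves `pamh->chains[i]` pointing at the freed links, whereas the removed loop advanced the head until it was NULL. Any later use of the handle, such as a second clear or openpam_add_module() walking `pamh->chains[chain]` to append, would touch freed memory. Resetting the slot keeps the old post-condition: brace the loop body and follow `openpam_destroy_chain(pamh->chains[i]);` with `pamh->chains[i] = NULL;`.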
diff --git a/lib/pam_chauthtok.c b/lib/pam_chauthtok.c index 16fc56b..c35ed49 100644 --- a/lib/pam_chauthtok.c +++ b/lib/pam_chauthtok.c @@ -52,5 +52,5 @@ pam_chauthtok(pam_handle_t *pamh, int flags) { - return (openpam_dispatch(pamh, PAM_CHAUTHTOK, flags)); + return (openpam_dispatch(pamh, PAM_SM_CHAUTHTOK, flags)); } diff --git a/lib/pam_close_session.c b/lib/pam_close_session.c index 3d6fe7e..9b2a1ae 100644 --- a/lib/pam_close_session.c +++ b/lib/pam_close_session.c @@ -52,5 +52,5 @@ pam_close_session(pam_handle_t *pamh, int flags) { - return (openpam_dispatch(pamh, PAM_CLOSE_SESSION, flags)); + return (openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags)); } diff --git a/lib/pam_open_session.c b/lib/pam_open_session.c index c172118..dcbf2b8 100644 --- a/lib/pam_open_session.c +++ b/lib/pam_open_session.c @@ -52,5 +52,5 @@ pam_open_session(pam_handle_t *pamh, int flags) { - return (openpam_dispatch(pamh, PAM_OPEN_SESSION, flags)); + return (openpam_dispatch(pamh, PAM_SM_OPEN_SESSION, flags)); } diff --git a/lib/pam_setcred.c b/lib/pam_setcred.c index d8757ee..0ea10ff 100644 --- a/lib/pam_setcred.c +++ b/lib/pam_setcred.c @@ -52,5 +52,5 @@ pam_setcred(pam_handle_t *pamh, int flags) { - return (openpam_dispatch(pamh, PAM_SETCRED, flags)); + return (openpam_dispatch(pamh, PAM_SM_SETCRED, flags)); } diff --git a/modules/Makefile b/modules/Makefile index 8a12e35..006a229 100644 --- a/modules/Makefile +++ b/modules/Makefile @@ -36,6 +36,7 @@ SUBDIR = SUBDIR += pam_deny +SUBDIR += pam_dummy SUBDIR += pam_permit .include diff --git a/modules/pam_deny/pam_deny.c b/modules/pam_deny/pam_deny.c index 42c24d0..2a219de 100644 --- a/modules/pam_deny/pam_deny.c +++ b/modules/pam_deny/pam_deny.c @@ -34,9 +34,11 @@ * $FreeBSD$ */ +#include + #include -int +PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { 
@@ -44,7 +46,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, return (PAM_AUTH_ERR); } -int +PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { @@ -52,7 +54,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, return (PAM_PERM_DENIED); } -int +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { @@ -60,7 +62,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, return (PAM_AUTH_ERR); } -int +PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { @@ -68,7 +70,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, return (PAM_SESSION_ERR); } -int +PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { @@ -76,10 +78,12 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, return (PAM_SESSION_ERR); } -int +PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { return (PAM_PERM_DENIED); } + +PAM_MODULE_ENTRY("pam_deny"); diff --git a/modules/pam_dummy/Makefile b/modules/pam_dummy/Makefile new file mode 100644 index 0000000..144828c --- /dev/null +++ b/modules/pam_dummy/Makefile 
@@ -0,0 +1,42 @@
+#-
+# Copyright (c) 2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+# products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+LIB = pam_dummy
+SHLIB_NAME = pam_dummy.so
+SRCS = pam_dummy.c
+CFLAGS += -I${.CURDIR}/../../include
+
+.include
diff --git a/modules/pam_dummy/pam_dummy.c b/modules/pam_dummy/pam_dummy.c
new file mode 100644
index 0000000..9d98f37
--- /dev/null
+++ b/modules/pam_dummy/pam_dummy.c
@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * + * $FreeBSD$ + */ + +#include + +#include + +PAM_SM_DUMMY(authenticate); +PAM_SM_DUMMY(setcred); +PAM_SM_DUMMY(acct_mgmt); +PAM_SM_DUMMY(open_session); +PAM_SM_DUMMY(close_session); +PAM_SM_DUMMY(chauthtok); + +PAM_MODULE_ENTRY("pam_deny"); diff --git a/modules/pam_permit/pam_permit.c b/modules/pam_permit/pam_permit.c index ecdbd98..856fb45 100644 --- a/modules/pam_permit/pam_permit.c +++ b/modules/pam_permit/pam_permit.c @@ -34,9 +34,11 @@ * $FreeBSD$ */ +#include + #include -int +PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { @@ -44,7 +46,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, return (PAM_SUCCESS); } -int +PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { @@ -52,7 +54,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, return (PAM_SUCCESS); } -int +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { @@ -60,7 +62,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, return (PAM_SUCCESS); } -int +PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { @@ -68,7 +70,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, return (PAM_SUCCESS); } -int +PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { @@ -76,10 +78,12 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, return (PAM_SUCCESS); } -int +PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { return (PAM_SUCCESS); } + +PAM_MODULE_ENTRY("pam_permit");
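Review bot: The new pam_dummy.c ends with `PAM_MODULE_ENTRY("pam_deny");`, which looks copied from pam_deny.c; it should be `PAM_MODULE_ENTRY("pam_dummy");`. In a static build the macro registers the module under `name PAM_SOEXT`, so two entries would be named pam_deny.so and a lookup for pam_deny could resolve to this module, whose functions all return PAM_IGNORE instead of an error. In the normal shared-object build the macro expands to nothing, so the mistake would not show up in ordinary testing.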