Compare commits: openpam-20...main
537 Commits
Author | SHA1 | Date |
---|---|---|
Dag-Erling Smørgrav | d61017e615 | |
Dag-Erling Smørgrav | 41eb8b9f02 | |
Dag-Erling Smørgrav | 7da86c0c62 | |
Dag-Erling Smørgrav | 4b2e3c92df | |
Dag-Erling Smørgrav | cc0d61260e | |
Dag-Erling Smørgrav | f1871a7d9f | |
Dag-Erling Smørgrav | eed614622f | |
Dag-Erling Smørgrav | 29e80880cc | |
Dag-Erling Smørgrav | 64edbc294d | |
Dag-Erling Smørgrav | 1d9c829c40 | |
Dag-Erling Smørgrav | ef5e67748c | |
Dag-Erling Smørgrav | 05bd3febc0 | |
Dag-Erling Smørgrav | a967883b9c | |
Dag-Erling Smørgrav | e0e3406a78 | |
Dag-Erling Smørgrav | 6bf8cb1753 | |
Dag-Erling Smørgrav | bb68996306 | |
Dag-Erling Smørgrav | 9bdf428c5a | |
Dag-Erling Smørgrav | 1dce53245b | |
Dag-Erling Smørgrav | 251dac8e4a | |
Dag-Erling Smørgrav | a501f2af85 | |
Dag-Erling Smørgrav | 9cd25f7e7d | |
Dag-Erling Smørgrav | d061313188 | |
Dag-Erling Smørgrav | eefae6d5ef | |
Dag-Erling Smørgrav | 919a1250d4 | |
Dag-Erling Smørgrav | ddb34ad671 | |
Dag-Erling Smørgrav | 4876ee459d | |
Dag-Erling Smørgrav | 105d392c57 | |
Dag-Erling Smørgrav | 29c7f93598 | |
Dag-Erling Smørgrav | 0f7f351a10 | |
Dag-Erling Smørgrav | c87aee7c52 | |
Dag-Erling Smørgrav | 07daaf4bb2 | |
Dag-Erling Smørgrav | 3ebfd11150 | |
Dag-Erling Smørgrav | e7f32a97b0 | |
Dag-Erling Smørgrav | 812256e9d1 | |
Dag-Erling Smørgrav | 25bcbd2652 | |
Dag-Erling Smørgrav | a823b423ca | |
Dag-Erling Smørgrav | 890bea99e0 | |
Dag-Erling Smørgrav | 05afeb7a29 | |
Dag-Erling Smørgrav | f5a12fb24e | |
Dag-Erling Smørgrav | d9e44d146f | |
Dag-Erling Smørgrav | 2f340d61b5 | |
Dag-Erling Smørgrav | 82935b7d7a | |
Dag-Erling Smørgrav | 1e09705bd7 | |
Dag-Erling Smørgrav | c5a320988e | |
Dag-Erling Smørgrav | e936857588 | |
Dag-Erling Smørgrav | a18c87672e | |
Dag-Erling Smørgrav | 23cdf95099 | |
Dag-Erling Smørgrav | 3112c53799 | |
Dag-Erling Smørgrav | adb7175c42 | |
Dag-Erling Smørgrav | c75883564d | |
Dag-Erling Smørgrav | 3699596d18 | |
Dag-Erling Smørgrav | da26321ba8 | |
Dag-Erling Smørgrav | 26fbccde77 | |
Dag-Erling Smørgrav | b6605f9267 | |
Dag-Erling Smørgrav | aa6768d765 | |
Dag-Erling Smørgrav | c371da364c | |
Dag-Erling Smørgrav | 4a77e993a9 | |
Dag-Erling Smørgrav | d040ae3d29 | |
Dag-Erling Smørgrav | b1895baa2d | |
Dag-Erling Smørgrav | ddfa63ca38 | |
Dag-Erling Smørgrav | 41a50e0c57 | |
Dag-Erling Smørgrav | 9ff1a454ce | |
Dag-Erling Smørgrav | 310b5ee125 | |
Dag-Erling Smørgrav | a38c5db91b | |
Dag-Erling Smørgrav | f82c90afb6 | |
Dag-Erling Smørgrav | 4e92aa7e24 | |
Dag-Erling Smørgrav | 5b83650c3d | |
Dag-Erling Smørgrav | e89fab019e | |
Dag-Erling Smørgrav | d4aad88c97 | |
Dag-Erling Smørgrav | 17c3fff539 | |
Dag-Erling Smørgrav | f78c2be225 | |
Dag-Erling Smørgrav | b3cd4386fa | |
Dag-Erling Smørgrav | d30df17f67 | |
Dag-Erling Smørgrav | b149f4beed | |
Dag-Erling Smørgrav | 4a9cae719e | |
Dag-Erling Smørgrav | 75781c2e7c | |
Dag-Erling Smørgrav | 37b1f12e58 | |
Dag-Erling Smørgrav | 4ee61ea341 | |
Dag-Erling Smørgrav | a1e8de164e | |
Dag-Erling Smørgrav | 38c6ca93b2 | |
Dag-Erling Smørgrav | d84d7367fe | |
Dag-Erling Smørgrav | 653950434c | |
Dag-Erling Smørgrav | bf92462945 | |
Dag-Erling Smørgrav | 34ef29ccf8 | |
Dag-Erling Smørgrav | 737e1bef50 | |
Dag-Erling Smørgrav | a1f83b0b30 | |
Dag-Erling Smørgrav | ce014fab92 | |
Dag-Erling Smørgrav | 563ac2d4bb | |
Dag-Erling Smørgrav | 8a2e3ce9b6 | |
Dag-Erling Smørgrav | 00fb76245a | |
Dag-Erling Smørgrav | 1cffa76b4f | |
Dag-Erling Smørgrav | cec8549503 | |
Dag-Erling Smørgrav | e959d8c160 | |
Dag-Erling Smørgrav | 2f686b73cb | |
Dag-Erling Smørgrav | c7a5aa489f | |
Dag-Erling Smørgrav | e84c236ee9 | |
Dag-Erling Smørgrav | 8988b9122e | |
Dag-Erling Smørgrav | da2c1e7120 | |
Dag-Erling Smørgrav | 753721df82 | |
Dag-Erling Smørgrav | d130c0ec09 | |
Dag-Erling Smørgrav | fc5eeb8fd9 | |
Dag-Erling Smørgrav | f3fda3d07a | |
Dag-Erling Smørgrav | 4b2bc748fd | |
Dag-Erling Smørgrav | 273bae0b16 | |
Dag-Erling Smørgrav | 16ae1d5b87 | |
Dag-Erling Smørgrav | 1e3740645e | |
Dag-Erling Smørgrav | ac54af0d69 | |
Dag-Erling Smørgrav | 385dfb33cb | |
Dag-Erling Smørgrav | 37baf24e77 | |
Dag-Erling Smørgrav | 7ce556ed8d | |
Dag-Erling Smørgrav | e6dc9378f7 | |
Dag-Erling Smørgrav | e956efb61f | |
Dag-Erling Smørgrav | 9c55e81bbb | |
Dag-Erling Smørgrav | e5b05552fc | |
Dag-Erling Smørgrav | ce08052f96 | |
Dag-Erling Smørgrav | 2c148271ae | |
Dag-Erling Smørgrav | 623d9e7b2f | |
Dag-Erling Smørgrav | 561cd87dbe | |
Dag-Erling Smørgrav | 8ad7aa9039 | |
Dag-Erling Smørgrav | 37ff7929a0 | |
Dag-Erling Smørgrav | 5c8ea43402 | |
Dag-Erling Smørgrav | b94f9e7ce7 | |
Dag-Erling Smørgrav | 6846134790 | |
Dag-Erling Smørgrav | 1450290a72 | |
Dag-Erling Smørgrav | 95a55b95cf | |
Dag-Erling Smørgrav | 2ae3b8b727 | |
Dag-Erling Smørgrav | 547794d58e | |
Dag-Erling Smørgrav | 69b1a97268 | |
Dag-Erling Smørgrav | 131aba915f | |
Dag-Erling Smørgrav | 548c44573c | |
Dag-Erling Smørgrav | 05630b94be | |
Dag-Erling Smørgrav | 57429ccc0e | |
Dag-Erling Smørgrav | 7dbd5c38b7 | |
Dag-Erling Smørgrav | 1efe822057 | |
Dag-Erling Smørgrav | b61b6f9c74 | |
Dag-Erling Smørgrav | e58f05403e | |
Dag-Erling Smørgrav | 4614107c94 | |
Dag-Erling Smørgrav | f7e8328354 | |
Dag-Erling Smørgrav | 14d31b83e8 | |
Dag-Erling Smørgrav | a4ff6191f7 | |
Dag-Erling Smørgrav | 925436a04f | |
Dag-Erling Smørgrav | 078ac6bb4a | |
Dag-Erling Smørgrav | 6722d714f5 | |
Dag-Erling Smørgrav | 38622bad18 | |
Dag-Erling Smørgrav | ebdefa45ca | |
Dag-Erling Smørgrav | 7914208b2d | |
Dag-Erling Smørgrav | 9853f0d8d5 | |
Dag-Erling Smørgrav | 6243755aa2 | |
Dag-Erling Smørgrav | 5d59548018 | |
Dag-Erling Smørgrav | 6c087dd523 | |
Dag-Erling Smørgrav | 2efb7c4b01 | |
Dag-Erling Smørgrav | 75a6073d2c | |
Dag-Erling Smørgrav | d60017fe80 | |
Dag-Erling Smørgrav | 183cc6d511 | |
Dag-Erling Smørgrav | c5265319ff | |
Dag-Erling Smørgrav | 01809a1b48 | |
Dag-Erling Smørgrav | 17144e7a5f | |
Dag-Erling Smørgrav | 4645bc1762 | |
Dag-Erling Smørgrav | 576e1e6b1c | |
Dag-Erling Smørgrav | 56f7cf21f5 | |
Dag-Erling Smørgrav | 03207fcd61 | |
Dag-Erling Smørgrav | 3dab19018f | |
Dag-Erling Smørgrav | 9f84c11072 | |
Dag-Erling Smørgrav | 46df1b1050 | |
Dag-Erling Smørgrav | 5fadc4abb8 | |
Dag-Erling Smørgrav | c7457cff15 | |
Dag-Erling Smørgrav | 58921adbab | |
Dag-Erling Smørgrav | 9e9207fd5d | |
Dag-Erling Smørgrav | 3d0d4da447 | |
Dag-Erling Smørgrav | aec3988b2f | |
Dag-Erling Smørgrav | 59313f56a4 | |
Dag-Erling Smørgrav | e8cd86aade | |
Dag-Erling Smørgrav | 11a8c730d2 | |
Dag-Erling Smørgrav | 9c592d628c | |
Dag-Erling Smørgrav | aa338bce81 | |
Dag-Erling Smørgrav | df95e0530d | |
Dag-Erling Smørgrav | d68deb210c | |
Dag-Erling Smørgrav | d9f3164b53 | |
Dag-Erling Smørgrav | e2375b0d73 | |
Dag-Erling Smørgrav | 7b4ce30d8e | |
Dag-Erling Smørgrav | cf0612ac98 | |
Dag-Erling Smørgrav | 914a5b3708 | |
Dag-Erling Smørgrav | 4dbe28d092 | |
Dag-Erling Smørgrav | 2e6439e932 | |
Dag-Erling Smørgrav | 8568521d18 | |
Dag-Erling Smørgrav | 3bc114befa | |
Dag-Erling Smørgrav | 7eacdef3fd | |
Dag-Erling Smørgrav | d4f3382050 | |
Dag-Erling Smørgrav | ac8841d2bd | |
Dag-Erling Smørgrav | 0446934acb | |
Dag-Erling Smørgrav | 2cc13d4b85 | |
Dag-Erling Smørgrav | e565eb6258 | |
Dag-Erling Smørgrav | 3b992508b8 | |
Dag-Erling Smørgrav | 01d54c2924 | |
Dag-Erling Smørgrav | df82cbb560 | |
Dag-Erling Smørgrav | d216fb463e | |
Dag-Erling Smørgrav | 95539e42cf | |
Dag-Erling Smørgrav | 84543123ea | |
Dag-Erling Smørgrav | 3b1c7851e6 | |
Dag-Erling Smørgrav | 56dd3d8d03 | |
Dag-Erling Smørgrav | 10e70f48b8 | |
Dag-Erling Smørgrav | f69d77aaed | |
Dag-Erling Smørgrav | 1b1f9c46e4 | |
Dag-Erling Smørgrav | bcafac75c2 | |
Dag-Erling Smørgrav | 1f9f093691 | |
Dag-Erling Smørgrav | 6b2927cfc5 | |
Dag-Erling Smørgrav | fa62c8c348 | |
Dag-Erling Smørgrav | 4264bfb000 | |
Dag-Erling Smørgrav | 90715a13d4 | |
Dag-Erling Smørgrav | a03bbedb50 | |
Dag-Erling Smørgrav | b9ec47c689 | |
Dag-Erling Smørgrav | 0c4d5add5f | |
Dag-Erling Smørgrav | d34ad5ab09 | |
Dag-Erling Smørgrav | efa93c4a5f | |
Dag-Erling Smørgrav | a02762c066 | |
Dag-Erling Smørgrav | b8ec0155ab | |
Dag-Erling Smørgrav | d3f359e2df | |
Dag-Erling Smørgrav | 929ddb1bc3 | |
Dag-Erling Smørgrav | 0c34187244 | |
Dag-Erling Smørgrav | 880bd5c2d4 | |
Dag-Erling Smørgrav | fe081dbbfc | |
Dag-Erling Smørgrav | dfe04a59e4 | |
Dag-Erling Smørgrav | 88a91c2d02 | |
Dag-Erling Smørgrav | 066e2b91ff | |
Dag-Erling Smørgrav | b578b6a715 | |
Dag-Erling Smørgrav | efe4bec74a | |
Dag-Erling Smørgrav | 5847a34802 | |
Dag-Erling Smørgrav | c9387115d9 | |
Dag-Erling Smørgrav | c05b6dd046 | |
Dag-Erling Smørgrav | 93d104bfd6 | |
Dag-Erling Smørgrav | 3a53d5117b | |
Dag-Erling Smørgrav | 6950b99458 | |
Dag-Erling Smørgrav | 3ab09a4f26 | |
Dag-Erling Smørgrav | a43b9256fc | |
Dag-Erling Smørgrav | 70d5d18643 | |
Dag-Erling Smørgrav | 2fc7038ca4 | |
Dag-Erling Smørgrav | 9f0aba7d25 | |
Dag-Erling Smørgrav | 9f6bdd74f4 | |
Dag-Erling Smørgrav | 7da9af6602 | |
Dag-Erling Smørgrav | f3f8ccc9c3 | |
Dag-Erling Smørgrav | 496bd4632b | |
Dag-Erling Smørgrav | 2be62b5732 | |
Dag-Erling Smørgrav | c1df418c6f | |
Dag-Erling Smørgrav | 422a3ccd39 | |
Dag-Erling Smørgrav | 794601a544 | |
Dag-Erling Smørgrav | 4f9b0f6342 | |
Dag-Erling Smørgrav | d4ab77b35c | |
Dag-Erling Smørgrav | 30f65f8a44 | |
Dag-Erling Smørgrav | bcebdf0ea8 | |
Dag-Erling Smørgrav | 32d5e093bd | |
Dag-Erling Smørgrav | 3353ad06ce | |
Dag-Erling Smørgrav | 2dd5f46e84 | |
Dag-Erling Smørgrav | 0f25be4e42 | |
Dag-Erling Smørgrav | b501509854 | |
Dag-Erling Smørgrav | 567ecaa2af | |
Dag-Erling Smørgrav | 2b8f7a6154 | |
Dag-Erling Smørgrav | fe2e691204 | |
Dag-Erling Smørgrav | 785bc19867 | |
Dag-Erling Smørgrav | 429089e868 | |
Dag-Erling Smørgrav | 26d543d484 | |
Dag-Erling Smørgrav | efe65a2cab | |
Dag-Erling Smørgrav | 7bcd5bb700 | |
Dag-Erling Smørgrav | 93a9982d45 | |
Dag-Erling Smørgrav | 0ba869e872 | |
Dag-Erling Smørgrav | a810f26399 | |
Dag-Erling Smørgrav | 7ab83ce826 | |
Dag-Erling Smørgrav | e6ad0c668c | |
Dag-Erling Smørgrav | 0da2f07cfb | |
Dag-Erling Smørgrav | f6205baa20 | |
Dag-Erling Smørgrav | d3b7a7843e | |
Dag-Erling Smørgrav | a9a5497d3f | |
Dag-Erling Smørgrav | 374a1769ca | |
Dag-Erling Smørgrav | bbcd45ace7 | |
Dag-Erling Smørgrav | e39d0abb85 | |
Dag-Erling Smørgrav | 2fe7fdd088 | |
Dag-Erling Smørgrav | a263be7c26 | |
Dag-Erling Smørgrav | a9c6523c52 | |
Dag-Erling Smørgrav | 9187daa2ac | |
Dag-Erling Smørgrav | 2ec4f668a9 | |
Dag-Erling Smørgrav | a1ee57dd24 | |
Dag-Erling Smørgrav | f8a727ec0c | |
Dag-Erling Smørgrav | 75420a1e07 | |
Dag-Erling Smørgrav | 54d9167cea | |
Dag-Erling Smørgrav | b21442245a | |
Dag-Erling Smørgrav | 1a070e2544 | |
Dag-Erling Smørgrav | 08f35bc290 | |
Dag-Erling Smørgrav | ff9ea1145d | |
Dag-Erling Smørgrav | 16a29af819 | |
Dag-Erling Smørgrav | 92d483a21a | |
Dag-Erling Smørgrav | 16e805fc4c | |
Dag-Erling Smørgrav | 3d15ee7552 | |
Dag-Erling Smørgrav | a37ffba3b8 | |
Dag-Erling Smørgrav | 772c94fdee | |
Dag-Erling Smørgrav | 2546d3cf58 | |
Dag-Erling Smørgrav | 4978bcf862 | |
Dag-Erling Smørgrav | 515667a9c5 | |
Dag-Erling Smørgrav | f70250359e | |
Dag-Erling Smørgrav | e15ecfaa9c | |
Dag-Erling Smørgrav | 35310aef5b | |
Dag-Erling Smørgrav | 9914cc8c45 | |
Dag-Erling Smørgrav | 2b555bb3d3 | |
Dag-Erling Smørgrav | 709f28793c | |
Dag-Erling Smørgrav | c0a7737a9b | |
Dag-Erling Smørgrav | 0869153c0b | |
Dag-Erling Smørgrav | d4aebe2ae9 | |
Dag-Erling Smørgrav | 42f7e1bd47 | |
Dag-Erling Smørgrav | 2a194a26ca | |
Dag-Erling Smørgrav | 78ab63e094 | |
Dag-Erling Smørgrav | fe17647fb8 | |
Dag-Erling Smørgrav | 6d3ad38b26 | |
Dag-Erling Smørgrav | fcce2d8609 | |
Dag-Erling Smørgrav | 383544e1e9 | |
Dag-Erling Smørgrav | be8d8c6c7b | |
Dag-Erling Smørgrav | 56adeeabf3 | |
Dag-Erling Smørgrav | 7ca68ffaec | |
Dag-Erling Smørgrav | aa1f7162f1 | |
Dag-Erling Smørgrav | 1c59e86945 | |
Dag-Erling Smørgrav | 1ca33ae86f | |
Dag-Erling Smørgrav | cf9114a400 | |
Dag-Erling Smørgrav | d4b138c0e3 | |
Dag-Erling Smørgrav | 312b5753a5 | |
Dag-Erling Smørgrav | b28d2d21ed | |
Dag-Erling Smørgrav | c23f34271d | |
Dag-Erling Smørgrav | 9b129a8850 | |
Dag-Erling Smørgrav | 2eb15b15cc | |
Dag-Erling Smørgrav | 1f79315d9e | |
Dag-Erling Smørgrav | 4c8082f73d | |
Dag-Erling Smørgrav | f0d658d97d | |
Dag-Erling Smørgrav | d9ae0b5836 | |
Dag-Erling Smørgrav | 8c5bc6cb91 | |
Dag-Erling Smørgrav | 53544bd288 | |
Dag-Erling Smørgrav | 4c0e839be3 | |
Dag-Erling Smørgrav | c02ad56e43 | |
Dag-Erling Smørgrav | 5cb6cd19f3 | |
Dag-Erling Smørgrav | 364f3b0753 | |
Dag-Erling Smørgrav | 3fdf34619c | |
Dag-Erling Smørgrav | 1db36adb17 | |
Dag-Erling Smørgrav | cbfada51e9 | |
Dag-Erling Smørgrav | aa04edbebb | |
Dag-Erling Smørgrav | 37f6b5bcc9 | |
Dag-Erling Smørgrav | 487cc6afcb | |
Dag-Erling Smørgrav | 8435fe3eca | |
Dag-Erling Smørgrav | 519086d0cb | |
Dag-Erling Smørgrav | 3a0280a4cb | |
Dag-Erling Smørgrav | 03ef7cd64d | |
Dag-Erling Smørgrav | eea3231ee1 | |
Dag-Erling Smørgrav | 89e4f8a9e7 | |
Dag-Erling Smørgrav | 3cba749dfe | |
Dag-Erling Smørgrav | 1a3013376f | |
Dag-Erling Smørgrav | 03c07732a6 | |
Dag-Erling Smørgrav | 8e1af43b32 | |
Dag-Erling Smørgrav | 4ee06f968e | |
Dag-Erling Smørgrav | 4063fef039 | |
Dag-Erling Smørgrav | ba1a5551d6 | |
Dag-Erling Smørgrav | 73a3b34f32 | |
Dag-Erling Smørgrav | b99998da9c | |
Dag-Erling Smørgrav | 28f7487e06 | |
Dag-Erling Smørgrav | 94876a3695 | |
Dag-Erling Smørgrav | e9c697feb5 | |
Dag-Erling Smørgrav | 3a2fec89e2 | |
Dag-Erling Smørgrav | 31950458f5 | |
Dag-Erling Smørgrav | 3052dea7c0 | |
Dag-Erling Smørgrav | 9a14604cd2 | |
Dag-Erling Smørgrav | 81455d2603 | |
Dag-Erling Smørgrav | 49a4c1509e | |
Dag-Erling Smørgrav | d7708b3ae5 | |
Dag-Erling Smørgrav | 2baadb71ee | |
Dag-Erling Smørgrav | 96357f3c52 | |
Dag-Erling Smørgrav | 54b6b546dd | |
Dag-Erling Smørgrav | 8121567cf6 | |
Dag-Erling Smørgrav | d619fcb520 | |
Dag-Erling Smørgrav | e29b3b276f | |
Dag-Erling Smørgrav | 9857b1c9ea | |
Dag-Erling Smørgrav | 10215cdd1e | |
Dag-Erling Smørgrav | 98687ed638 | |
Dag-Erling Smørgrav | f163a4b9df | |
Dag-Erling Smørgrav | 103857f3c9 | |
Dag-Erling Smørgrav | 783a383e4b | |
Dag-Erling Smørgrav | 74c787f664 | |
Dag-Erling Smørgrav | 8e881dbdd7 | |
Dag-Erling Smørgrav | a7c9ef9a05 | |
Dag-Erling Smørgrav | be3bfed604 | |
Dag-Erling Smørgrav | b3a9a4792f | |
Dag-Erling Smørgrav | 2e479f3c12 | |
Dag-Erling Smørgrav | 7d5093463e | |
Dag-Erling Smørgrav | aa8e257838 | |
Dag-Erling Smørgrav | 42651f8d9b | |
Dag-Erling Smørgrav | 7d5d2733f5 | |
Dag-Erling Smørgrav | 0a4f5e9af7 | |
Dag-Erling Smørgrav | cf0963e668 | |
Dag-Erling Smørgrav | c3d9f63b55 | |
Dag-Erling Smørgrav | 88a6cda1a1 | |
Dag-Erling Smørgrav | b616ada557 | |
Dag-Erling Smørgrav | df3d585d08 | |
Dag-Erling Smørgrav | 34c9fb6fd3 | |
Dag-Erling Smørgrav | 31e9142afc | |
Dag-Erling Smørgrav | 407565fc1d | |
Dag-Erling Smørgrav | 255c7f6727 | |
Dag-Erling Smørgrav | 8c2f4c74b7 | |
Dag-Erling Smørgrav | 8f8a8584fc | |
Dag-Erling Smørgrav | ca0b4cb0c7 | |
Dag-Erling Smørgrav | fb9c3dcdf5 | |
Dag-Erling Smørgrav | 41bb288744 | |
Dag-Erling Smørgrav | 596b3af085 | |
Dag-Erling Smørgrav | 8ec4a16273 | |
Dag-Erling Smørgrav | 8372b71ce1 | |
Dag-Erling Smørgrav | e630a92713 | |
Dag-Erling Smørgrav | 59dc4aa601 | |
Dag-Erling Smørgrav | 3f02bd9df6 | |
Dag-Erling Smørgrav | 4aca0ed827 | |
Dag-Erling Smørgrav | 95ed7f5d0c | |
Dag-Erling Smørgrav | dd498bc7ad | |
Dag-Erling Smørgrav | 996a845863 | |
Dag-Erling Smørgrav | 229c006c86 | |
Dag-Erling Smørgrav | 1a4edb80d7 | |
Dag-Erling Smørgrav | 2b025676c7 | |
Dag-Erling Smørgrav | b9f0b632da | |
Dag-Erling Smørgrav | 026c898ec5 | |
Dag-Erling Smørgrav | 0e65fdb799 | |
Dag-Erling Smørgrav | d9f7580763 | |
Dag-Erling Smørgrav | d98f755c25 | |
Dag-Erling Smørgrav | b011e58526 | |
Dag-Erling Smørgrav | 6a92548403 | |
Dag-Erling Smørgrav | ff73a20a84 | |
Dag-Erling Smørgrav | e8522c7fcc | |
Dag-Erling Smørgrav | c86a681052 | |
Dag-Erling Smørgrav | 2603985187 | |
Dag-Erling Smørgrav | 8b3eca4161 | |
Dag-Erling Smørgrav | ba7de9c9c6 | |
Dag-Erling Smørgrav | 493804d19b | |
Dag-Erling Smørgrav | 6835696a2a | |
Dag-Erling Smørgrav | c16faba34e | |
Dag-Erling Smørgrav | 28c2e4049f | |
Dag-Erling Smørgrav | b373991f87 | |
Dag-Erling Smørgrav | 55f6a50684 | |
Dag-Erling Smørgrav | 11b10d0991 | |
Dag-Erling Smørgrav | d40a8fb860 | |
Dag-Erling Smørgrav | 9b234e1f88 | |
Dag-Erling Smørgrav | f229d69d05 | |
Dag-Erling Smørgrav | ebccc4d687 | |
Dag-Erling Smørgrav | c20b753856 | |
Dag-Erling Smørgrav | 94ca0f4d08 | |
Dag-Erling Smørgrav | f0280932cb | |
Dag-Erling Smørgrav | a3fc39b15b | |
Dag-Erling Smørgrav | e6545c355d | |
Dag-Erling Smørgrav | e53b12a47e | |
Dag-Erling Smørgrav | dd2c21f7b6 | |
Dag-Erling Smørgrav | eed493316e | |
Dag-Erling Smørgrav | 85ca38e143 | |
Dag-Erling Smørgrav | fa542b0736 | |
Dag-Erling Smørgrav | 956ef0df60 | |
Dag-Erling Smørgrav | a1be39bf2d | |
Dag-Erling Smørgrav | 0eae3f21c1 | |
Dag-Erling Smørgrav | 8799ff11b9 | |
Dag-Erling Smørgrav | 2d1f74e6da | |
Dag-Erling Smørgrav | c8b7ea4e00 | |
Dag-Erling Smørgrav | 49380d6d5e | |
Dag-Erling Smørgrav | 81b5c45be2 | |
Dag-Erling Smørgrav | 8b88ff5959 | |
Dag-Erling Smørgrav | da5d5b1268 | |
Dag-Erling Smørgrav | bb74f213ce | |
Dag-Erling Smørgrav | a4a1255043 | |
Dag-Erling Smørgrav | 7bc7f1a720 | |
Dag-Erling Smørgrav | a381eb16c8 | |
Dag-Erling Smørgrav | 059a8e0d08 | |
Dag-Erling Smørgrav | b66176bb02 | |
Dag-Erling Smørgrav | 54374d2c36 | |
Dag-Erling Smørgrav | ebd4f02f4b | |
Dag-Erling Smørgrav | 874f75e8f4 | |
Dag-Erling Smørgrav | 6970f8c093 | |
Dag-Erling Smørgrav | 3f2d2b26cd | |
Dag-Erling Smørgrav | 16844f8456 | |
Dag-Erling Smørgrav | ea1dca11d4 | |
Dag-Erling Smørgrav | b4871fa6dc | |
Dag-Erling Smørgrav | bbf803304d | |
Dag-Erling Smørgrav | 385eb53d63 | |
Dag-Erling Smørgrav | d62a8932a7 | |
Dag-Erling Smørgrav | e68b52afcd | |
Dag-Erling Smørgrav | ac220324b2 | |
Dag-Erling Smørgrav | 2a4b841f25 | |
Dag-Erling Smørgrav | 1ab226e06a | |
Dag-Erling Smørgrav | 45c15a555d | |
Dag-Erling Smørgrav | 0726eb9f8e | |
Dag-Erling Smørgrav | 7a473a8f14 | |
Dag-Erling Smørgrav | e4bbcb1549 | |
Dag-Erling Smørgrav | 1f70254313 | |
Dag-Erling Smørgrav | e9776bfa73 | |
Dag-Erling Smørgrav | fe7a24df15 | |
Dag-Erling Smørgrav | 5a523baf2b | |
Dag-Erling Smørgrav | d8194fe11a | |
Dag-Erling Smørgrav | bc44ba0ac2 | |
Dag-Erling Smørgrav | 9f0d6d6267 | |
Dag-Erling Smørgrav | ba75190ad0 | |
Dag-Erling Smørgrav | d0bf52fbb1 | |
Dag-Erling Smørgrav | 8865782b1d | |
Dag-Erling Smørgrav | e42d5a34a3 | |
Dag-Erling Smørgrav | 6be3c3717e | |
Dag-Erling Smørgrav | f79742eaab | |
Dag-Erling Smørgrav | fd5e5d917d | |
Dag-Erling Smørgrav | 9b648b6f6c | |
Dag-Erling Smørgrav | 17826ec6d9 | |
Dag-Erling Smørgrav | 876e12a0c0 | |
Dag-Erling Smørgrav | a369352a23 | |
Dag-Erling Smørgrav | 911d657644 | |
Dag-Erling Smørgrav | 637fafa964 | |
Dag-Erling Smørgrav | e725df8bb1 | |
Dag-Erling Smørgrav | e484c931ae | |
Dag-Erling Smørgrav | 31b627f215 | |
Dag-Erling Smørgrav | adf5356fcc | |
Dag-Erling Smørgrav | 119471eac7 | |
Dag-Erling Smørgrav | 613f93be19 | |
Dag-Erling Smørgrav | 05e64f87cd | |
Dag-Erling Smørgrav | b091d056d7 | |
Dag-Erling Smørgrav | 57aa7fdfae | |
Dag-Erling Smørgrav | 9686238642 | |
Dag-Erling Smørgrav | f2b670bc68 | |
Dag-Erling Smørgrav | b6d17997e9 | |
Dag-Erling Smørgrav | eb6069eaf7 | |
Dag-Erling Smørgrav | f380fbbf22 | |
Dag-Erling Smørgrav | 4183fc1989 | |
Dag-Erling Smørgrav | b307f0a81a | |
Dag-Erling Smørgrav | b158155823 | |
Dag-Erling Smørgrav | 2e1db320ba | |
Dag-Erling Smørgrav | b40540ed26 | |
Dag-Erling Smørgrav | bce6b0d2a5 | |
Dag-Erling Smørgrav | 9a4dc99d0b | |
Dag-Erling Smørgrav | 1cde223f6d | |
Dag-Erling Smørgrav | dd10e4a93a | |
Dag-Erling Smørgrav | 5309d41e27 | |
Dag-Erling Smørgrav | ce5921ba4c | |
Dag-Erling Smørgrav | c6c07709ad | |
Dag-Erling Smørgrav | 4243d0384f | |
Dag-Erling Smørgrav | 842343cb04 | |
Dag-Erling Smørgrav | 72ece08193 | |
Dag-Erling Smørgrav | 096a13afac | |
Dag-Erling Smørgrav | 7073261c71 | |
Dag-Erling Smørgrav | 4a9cf27365 |
@ -0,0 +1,30 @@
/aclocal.m4
/autom4te.cache
/compile
/config.guess
/config.h.in
/config.h
/config.log
/config.status
/config.sub
/configure
/cov
/depcomp
/install-sh
/libtool
/ltmain.sh
/missing
/stamp-h1
/test-driver
*~
.deps
.libs
*.a
*.la
*.lo
*.log
*.o
*.pc
*.profraw
Makefile
Makefile.in
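Review bot: this new ignore file (its name is not shown on this page) removes every autotools output from version control, including /configure, /ltmain.sh, /config.guess, /config.sub, /aclocal.m4 and Makefile.in, so the build scripts that end up in a release tarball have no committed counterpart a consumer can diff against, and the only written description of how releases were rolled (dist.sh, then build from the unpacked tarball) is the CHECKLIST deleted further down in this same compare. Suggest adding a short note, in README or at the top of HISTORY, giving the command and autotools versions used to regenerate those files from a tagged checkout, so a tarball can be reproduced and checked. Minor: /config.log is already matched by *.log two lines lower, and /cov together with *.profraw implies coverage builds that nothing in the diff documents.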
CHECKLIST (30 lines changed)
@ -1,30 +0,0 @@

Release checklist
=================

0) Find a code name for the release

1) Update configure.ac and include/security/openpam_version.h

2) Read through the diffs from the last release, and update the change
log.

3) Update the release notes.

4) If any files have been added, update the manifest.

5) Run dist.sh to generate a tarball.

6) Unpack the tarball somewhere safe and build everything.

7) Fix any problems.

8) Submit.

9) Re-run dist.sh to roll the actual release.

A) Publish the tarball on SourceForge.

B) Update the website.

$P4: //depot/projects/openpam/CHECKLIST#2 $
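Review bot: the whole release checklist is deleted and nothing else in this compare replaces it, so step 1 (bump configure.ac and include/security/openpam_version.h together), steps 5 and 9 (dist.sh) and step 6 (unpack the tarball somewhere safe and build everything before publishing) lose their only written home. If the procedure moved elsewhere, the commit should say where; otherwise keep the file and refresh only the stale parts, namely the `$P4:` Perforce keyword and "Publish the tarball on SourceForge".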
CREDITS (42 lines changed)
@ -1,4 +1,6 @@

_Ἀπόδοτε οὖν τὰ Καίσαρος Καίσαρι καὶ τὰ τοῦ Θεοῦ τῷ Θεῷ_

The OpenPAM library was developed for the FreeBSD Project by ThinkSec AS
and Network Associates Laboratories, the Security Research Division of
Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
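Review bot: the added second line is Greek (Mark 12:17 / Matthew 22:21), "Render therefore to Caesar the things that are Caesar's, and to God the things that are God's". CREDITS is a plain-text file, so the Markdown-style underscores wrapping it will be shown literally rather than as emphasis; drop them or keep the line unadorned like the rest of the file.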
@ -6,29 +8,49 @@ Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035

Principal design and development by:

Dag-Erling Smørgrav <des@freebsd.org>
Dag-Erling Smørgrav <des@des.no>

The following persons (in no particular order) have contributed, directly
or indirectly, with patches, criticism, suggestions, or ideas:
The following persons (in alphabetical order) have contributed,
directly or indirectly, with patches, criticism, suggestions, or
ideas:

Andrew Morgan <morgan@transmeta.com>
Ankita Pal <pal.ankita.ankita@gmail.com>
Baptiste Daroussin <bapt@freebsd.org>
Brian Fundakowski Feldman <green@freebsd.org>
Brooks Davis <brooks@freebsd.org>
Christos Zoulas <christos@netbsd.org>
Darren J. Moffat <Darren.Moffat@sun.com>
Daniel Richard G. <skunk@iskunk.org>
Darren J. Moffat <darren.moffat@sun.com>
Dimitry Andric <dim@freebsd.org>
Dmitry V. Levin <ldv@altlinux.org>
Don Lewis <truckman@freebsd.org>
Emmanuel Dreyfus <manu@netbsd.org>
Eric Melville <eric@freebsd.org>
Gary Winiger <Gary.Winiger@sun.com>
Joe Marcus Clarke <marcus@freebsd.org>
Juli Mallett <jmallett@freebsd.org>
Espen Grøndahl <espegro@usit.uio.no>
Gary Winiger <gary.winiger@sun.com>
Gavin Atkinson <gavin@freebsd.org>
Gleb Smirnoff <glebius@freebsd.org>
Hubert Feyrer <hubert@feyrer.de>
Jason Evans <jasone@freebsd.org>
Joe Marcus Clarke <marcus@freebsd.org>
Jörg Sonnenberger <joerg@britannica.bec.de>
Juli Mallett <jmallett@freebsd.org>
Larry Baird <lab@gta.com>
Maëlle Lesage <lesage.maelle@gmail.com>
Mark Murray <markm@freebsd.org>
Matthias Drochner <drochner@netbsd.org>
Mike Petullo <mike@flyn.org>
Mikko Työläjärvi <mbsd@pacbell.net>
Mikhail Teterin <mi@aldan.algebra.com>
Mikko Työläjärvi <mbsd@pacbell.net>
Nick Hibma <nick@van-laarhoven.org>
Patrick Bihan-Faou <patrick-fbsd@mindstep.com>
Robert Morris <rtm@lcs.mit.edu>
Robert Watson <rwatson@freebsd.org>
Ruslan Ermilov <ru@freebsd.org>
Sebastian Krahmer <sebastian.krahmer@gmail.com>
Solar Designer <solar@openwall.com>
Takanori Saneto <sanewo@ba2.so-net.ne.jp>
Tim Creech <tcreech@tcreech.com>
Wojciech A. Koszek <wkoszek@freebsd.org>
Yar Tikhiy <yar@freebsd.org>

$P4: //depot/projects/openpam/CREDITS#12 $

HISTORY (212 lines changed)
|
@ -1,3 +1,205 @@
|
|||
OpenPAM Ximenia 2023-06-27
|
||||
|
||||
- BUGFIX: Fix race condition in openpam_ttyconv(3) when used with
|
||||
expect scripts.
|
||||
|
||||
- BUGFIX: In openpam_set_option(3), when removing an option, properly
|
||||
decrement the option count.
|
||||
|
||||
- BUGFIX: In openpam_subst(3), avoid incrementing past the end of the
|
||||
template.
|
||||
============================================================================
|
||||
OpenPAM Tabebuia 2019-02-24
|
||||
|
||||
- BUGFIX: Fix off-by-one bug in pam_getenv(3) which was introduced in
|
||||
OpenPAM Radula.
|
||||
|
||||
- ENHANCE: Add unit tests for pam_{get,put,set}env(3).
|
||||
============================================================================
|
||||
OpenPAM Resedacea 2017-04-30
|
||||
|
||||
- BUGFIX: Reinstore the NULL check in pam_end(3) which was removed in
|
||||
OpenPAM Radula, as it breaks common error-handling constructs.
|
||||
|
||||
- BUGFIX: Return PAM_SYMBOL_ERR instead of PAM_SYSTEM_ERR from the
|
||||
dispatcher when the required service function could not be found.
|
||||
|
||||
- ENHANCE: Introduce the PAM_BAD_HANDLE error code for when pamh is
|
||||
NULL in API functions that have a NULL check.
|
||||
|
||||
- ENHANCE: Introduce the PAM_BAD_ITEM, PAM_BAD_FEATURE and
|
||||
PAM_BAD_CONSTANT error codes for situations where we previously
|
||||
incorrectly used PAM_SYMBOL_ERR to denote that an invalid constant
|
||||
had been passed to an API function.
|
||||
|
||||
- ENHANCE: Improve the RETURN VALUES section in API man pages,
|
||||
especially for functions that cannot fail, which were incorrectly
|
||||
documented as returning -1 on failure.
|
||||
============================================================================
|
||||
OpenPAM Radula 2017-02-19
|
||||
|
||||
- BUGFIX: Fix an inverted test which prevented pam_get_authtok(3) and
|
||||
pam_get_user(3) from using application-provided custom prompts.
|
||||
|
||||
- BUGFIX: Plug a memory leak in pam_set_item(3).
|
||||
|
||||
- BUGFIX: Plug a potential memory leak in openpam_readlinev(3).
|
||||
|
||||
- BUGFIX: In openpam_readword(3), support line continuations within
|
||||
whitespace.
|
||||
|
||||
- ENHANCE: Add a feature flag to control fallback to "other" policy.
|
||||
|
||||
- ENHANCE: Add a pam_return(8) module which returns an arbitrary
|
||||
code specified in the module options.
|
||||
|
||||
- ENHANCE: More and better unit tests.
|
||||
============================================================================
|
||||
OpenPAM Ourouparia 2014-09-12
|
||||
|
||||
- ENHANCE: When executing a chain, require at least one service
|
||||
function to succeed. This mitigates fail-open scenarios caused by
|
||||
misconfigurations or missing modules.
|
||||
|
||||
- ENHANCE: Make sure to overwrite buffers which may have contained an
|
||||
authentication token when they're no longer needed.
|
||||
|
||||
- BUGFIX: Under certain circumstances, specifying a non-existent
|
||||
module (or misspelling the name of a module) in a policy could
|
||||
result in a fail-open scenario. (CVE-2014-3879)
|
||||
|
||||
- FEATURE: Add a search path for modules. This was implemented in
|
||||
Nummularia but inadvertently left out of the release notes.
|
||||
|
||||
- BUGFIX: The is_upper() predicate only accepted the letter A as an
|
||||
upper-case character instead of the entire A-Z range. As a result,
|
||||
service and module names containing upper-case letters other than A
|
||||
would be rejected.
|
||||
============================================================================
|
||||
OpenPAM Nummularia 2013-09-07
|
||||
|
||||
- ENHANCE: Rewrite the dynamic loader to improve readability and
|
||||
reliability. Modules can now be listed without the ".so" suffix in
|
||||
the policy file; OpenPAM will automatically add it, just like it
|
||||
will automatically add the version number if required.
|
||||
|
||||
- ENHANCE: Allow openpam_straddch(3) to be called without a character
|
||||
so it can be used to preallocate a string.
|
||||
|
||||
- ENHANCE: Improve portability by adding simple asprintf(3) and
|
||||
vasprintf(3) implementations for platforms that don't have them.
|
||||
|
||||
- ENHANCE: Move the libpam sources into a separate subdirectory.
|
||||
|
||||
- ENHANCE: Substantial documentation improvements.
|
||||
|
||||
- BUGFIX: When openpam_readword(3) encountered an opening quote, it
|
||||
would set the first byte in the buffer to '\0', discarding all
|
||||
existing text and, unless the buffer was empty to begin with, all
|
||||
subsequent text as well. This went unnoticed because none of the
|
||||
unit tests for quoted strings had any text preceding the opening
|
||||
quote.
|
||||
|
||||
- BUGFIX: make --with-modules-dir work the way it was meant to work
|
||||
(but never did).
|
||||
============================================================================
|
||||
OpenPAM Micrampelis 2012-05-26
|
||||
|
||||
- FEATURE: Add an openpam_readword(3) function which reads the next
|
||||
word from an input stream, applying shell quoting and escaping
|
||||
rules. Add numerous unit tests for openpam_readword(3).
|
||||
|
||||
- FEATURE: Add an openpam_readlinev(3) function which uses the
|
||||
openpam_readword(3) function to read words from an input stream one
|
||||
at a time until it reaches an unquoted, unescaped newline, and
|
||||
returns an array of those words. Add several unit tests for
|
||||
openpam_readlinev(3).
|
||||
|
||||
- FEATURE: Add a PAM_HOST item which pam_start(3) initializes to the
|
||||
machine's hostname. This was implemented in Lycopsida but
|
||||
inadvertantly left out of the release notes.
|
||||
|
||||
- FEATURE: In pam_get_authtok(3), if neither the application nor the
|
||||
module have specified a prompt and PAM_HOST and PAM_RHOST are both
|
||||
defined but not equal, use a different default prompt that includes
|
||||
PAM_USER and PAM_HOST.
|
||||
|
||||
- ENHANCE: Rewrite the policy parser to used openpam_readlinev(),
|
||||
which greatly simplifies the code.
|
||||
|
||||
- ENHANCE: The previous implementation of the policy parser relied on
|
||||
the openpam_readline(3) function, which (by design) munges
|
||||
whitespace and understands neither quotes nor backslash escapes.
|
||||
As a result of the aforementioned rewrite, whitespace, quotes and
|
||||
backslash escapes in policy files are now handled in a consistent
|
||||
and predictable manner.
|
||||
|
||||
- ENHANCE: On platforms that have it, use fdlopen(3) to load modules.
|
||||
This closes the race between the ownership / permission check and
|
||||
the dlopen(3) call.
|
||||
|
||||
- ENHANCE: Reduce the amount of pointless error messages generated
|
||||
while searching for a module.
|
||||
|
||||
- ENHANCE: Numerous documentation improvements, both in content and
|
||||
formatting.
|
||||
|
||||
- BUGFIX: A patch incorporated in Lycopsida inadvertantly changed
|
||||
OpenPAM's behavior when several policies exist for the same
|
||||
service, from ignoring all but the first to concatenating them all.
|
||||
Revert to the original behavior.
|
||||
|
||||
- BUGFIX: Plug a memory leak in the policy parser.
|
||||
============================================================================
|
||||
OpenPAM Lycopsida 2011-12-18
|
||||
|
||||
- ENHANCE: removed static build autodetection, which didn't work
|
||||
anyway. Use an explicit, user-specified preprocessor variable
|
||||
instead.
|
||||
|
||||
- ENHANCE: cleaned up the documentation a bit.
|
||||
|
||||
- ENHANCE: added openpam_subst(3), allowing certain PAM items to be
|
||||
embedded in strings such as prompts. Apply it to the prompts used
|
||||
by pam_get_user(3) and pam_get_authtok(3).
|
||||
|
||||
- ENHANCE: added support for the user_prompt, authtok_prompt and
|
||||
oldauthtok_prompt module options, which override the prompts passed
|
||||
by the module to pam_set_user(3) and pam_get_authtok(3).
|
||||
|
||||
- ENHANCE: rewrote the policy parser to support quoted option values.
|
||||
|
||||
- ENHANCE: added pamtest(1), a tool for testing modules and policies.
|
||||
|
||||
- ENHANCE: added code to check the ownership and permissions of a
|
||||
module before loading it.
|
||||
|
||||
- ENHANCE: added / improved input validation in many cases, including
|
||||
the policy file and some function arguments. (CVE-2011-4122)
|
||||
============================================================================
|
||||
OpenPAM Hydrangea 2007-12-21
|
||||
|
||||
- ENHANCE: when compiling with GCC, mark up API functions with GCC
|
||||
attributes where appropriate.
|
||||
|
||||
- BUGFIX: fixed numerous warnings uncovered by GCC 4.
|
||||
|
||||
- ENHANCE: building the documentation is now optional.
|
||||
|
||||
- ENHANCE: corrected a number of mistakes and style issues in the
|
||||
build system.
|
||||
|
||||
- ENHANCE: API function arguments are now const where appropriate, to
|
||||
match corresponding changes in the Solaris PAM and Linux-PAM APIs.
|
||||
|
||||
- ENHANCE: corrected a number of C namespace violations.
|
||||
|
||||
- ENHANCE: the module cache has been removed, allowing long-lived
|
||||
applications to pick up module changes. This also allows multiple
|
||||
threads to use PAM simultaneously (as long as they use separate PAM
|
||||
contexts), since the module cache was the only part of OpenPAM that
|
||||
was not thread-safe.
|
||||
============================================================================
|
||||
OpenPAM Figwort 2005-06-16
|
||||
|
||||
- BUGFIX: Correct several small signedness and initialization bugs
|
||||
|
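Review bot: two typos in the added text: "Rewrite the policy parser to used openpam_readlinev()" should read "to use", and "inadvertantly" should be "inadvertently". More importantly, the BUGFIX entry about several policies existing for the same service should say which one wins after the revert, i.e. the first policy found in the search order (the README lists /etc/pam.d/, /etc/pam.conf, /usr/local/etc/pam.d/ and /usr/local/etc/pam.conf, in that order), because the behaviour being reverted, concatenating every matching policy, would have let a later-searched file append modules to a system policy. The fdlopen(3) entry would also be clearer with one more clause saying that the descriptor on which the ownership / permission check is made is the one handed to fdlopen(3); that is what removes the window between the check and the load.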
@ -220,7 +422,7 @@ OpenPAM Cinchona 2002-04-08
|
|||
- ENHANCE: Add openpam_free_data(), a generic cleanup function for
|
||||
pam_set_data() consumers.
|
||||
============================================================================
|
||||
OpenPAM Centaury 2002-03-14
|
||||
OpenPAM Centaury 2002-03-14
|
||||
|
||||
- BUGFIX: Add missing #include <string.h> to openpam_log.c.
|
||||
|
||||
|
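Review bot: the two "OpenPAM Centaury 2002-03-14" lines are the old and new forms of a single line and render identically, so this hunk is a whitespace-only change to a release header (the same holds for the Cantaloupe, Caliopsis and Calamite header hunks that follow); say so in the commit message so readers of the HISTORY diff do not look for a content change that is not there.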
@ -259,7 +461,7 @@ OpenPAM Celandine 2002-03-05
|
|||
module with the same version number as the library itself to one
|
||||
with no version number at all.
|
||||
============================================================================
|
||||
OpenPAM Cantaloupe 2002-02-22
|
||||
OpenPAM Cantaloupe 2002-02-22
|
||||
|
||||
- BUGFIX: The proper use of PAM_SYMBOL_ERR is to indicate an invalid
|
||||
argument to pam_[gs]et_item(3), not to indicate dlsym(3) failures.
|
||||
|
@ -289,7 +491,7 @@ OpenPAM Cantaloupe 2002-02-22
|
|||
- ENHANCE: openpam_get_authtok() now respects the echo_pass,
|
||||
try_first_pass, and use_first_pass options.
|
||||
============================================================================
|
||||
OpenPAM Caliopsis 2002-02-13
|
||||
OpenPAM Caliopsis 2002-02-13
|
||||
|
||||
Fixed a number of bugs in the previous release, including:
|
||||
- a number of bugs in and related to pam_[gs]et_item(3)
|
||||
|
@ -300,8 +502,6 @@ Fixed a number of bugs in the previous release, including:
|
|||
- missing 'continue' in openpam_dispatch.c caused successes to be
|
||||
counted as failures
|
||||
============================================================================
|
||||
OpenPAM Calamite 2002-02-09
|
||||
OpenPAM Calamite 2002-02-09
|
||||
|
||||
First (beta) release.
|
||||
============================================================================
|
||||
$P4: //depot/projects/openpam/HISTORY#24 $
|
||||
|
|
INSTALL (14 changed lines)
|
@ -16,23 +16,29 @@
|
|||
Use the "configure" shell script to configure OpenPAM for your
|
||||
system. Options include:
|
||||
|
||||
--enable-debug
|
||||
Turn debugging on by default.
|
||||
|
||||
--with-modules-dir=DIR
|
||||
Indicates the directory where PAM modules will be installed.
|
||||
This option should not be used if you intend to install PAM
|
||||
modules in the system library directory.
|
||||
|
||||
--with-pam-su
|
||||
Builds the sample PAM application.
|
||||
--without-doc
|
||||
Skips the documentation.
|
||||
|
||||
--with-pam-unix
|
||||
Builds the sample PAM module.
|
||||
|
||||
--with-su
|
||||
Builds the sample su(1) implementation.
|
||||
|
||||
For more information about configuration options, use the --help
|
||||
option.
|
||||
|
||||
A typical invocation might look like this:
|
||||
|
||||
# ./configure --with-pam-su --with-pam-unix
|
||||
# ./configure --with-pam-unix --with-su
|
||||
|
||||
3. COMPILATION
|
||||
|
||||
|
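Review bot: the --with-modules-dir=DIR entry says where modules will be installed but not whether DIR is also where the library looks for modules at run time; if it is, say so, and add that DIR and the module files in it must satisfy the ownership and permission checks introduced in Lycopsida (see the HISTORY hunk above) or the modules will be refused, since that is the failure people hit after choosing a non-default directory. The --enable-debug entry should say where the debug output goes and whether it can ever include authentication tokens, given that the option makes debugging the default for every program linked against the library. Minor: --without-doc is inserted between the two sample-component options rather than grouped with the other --with/--without switches, and the example uses a "#" root prompt for a configure run that needs no privileges.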
@ -48,5 +54,3 @@
|
|||
directory:
|
||||
|
||||
# make install
|
||||
|
||||
$P4: //depot/projects/openpam/INSTALL#4 $
|
||||
|
|
LICENSE (3 changed lines)
|
@ -1,5 +1,6 @@
|
|||
|
||||
Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
Copyright (c) 2004-2023 Dag-Erling Smørgrav
|
||||
All rights reserved.
|
||||
|
||||
This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,5 +31,3 @@ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|||
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGE.
|
||||
|
||||
$P4: //depot/projects/openpam/LICENSE#6 $
|
||||
|
|
MANIFEST (173 changed lines)
|
@ -1,173 +0,0 @@
|
|||
#
|
||||
# $P4: //depot/projects/openpam/MANIFEST#21 $
|
||||
#
|
||||
CREDITS
|
||||
HISTORY
|
||||
INSTALL
|
||||
LICENSE
|
||||
MANIFEST
|
||||
Makefile.am
|
||||
Makefile.in
|
||||
README
|
||||
RELNOTES
|
||||
aclocal.m4
|
||||
autogen.sh
|
||||
config.guess
|
||||
config.h.in
|
||||
config.sub
|
||||
configure
|
||||
configure.ac
|
||||
depcomp
|
||||
install-sh
|
||||
ltmain.sh
|
||||
missing
|
||||
bin/
|
||||
bin/Makefile.am
|
||||
bin/Makefile.in
|
||||
bin/su/
|
||||
bin/su/Makefile.am
|
||||
bin/su/Makefile.in
|
||||
bin/su/su.c
|
||||
doc/
|
||||
doc/Makefile.am
|
||||
doc/Makefile.in
|
||||
doc/man/
|
||||
doc/man/Makefile.am
|
||||
doc/man/Makefile.in
|
||||
doc/man/openpam.3
|
||||
doc/man/openpam.man
|
||||
doc/man/openpam_borrow_cred.3
|
||||
doc/man/openpam_free_data.3
|
||||
doc/man/openpam_free_envlist.3
|
||||
doc/man/openpam_get_option.3
|
||||
doc/man/openpam_log.3
|
||||
doc/man/openpam_nullconv.3
|
||||
doc/man/openpam_readline.3
|
||||
doc/man/openpam_restore_cred.3
|
||||
doc/man/openpam_set_option.3
|
||||
doc/man/openpam_ttyconv.3
|
||||
doc/man/pam.3
|
||||
doc/man/pam.conf.5
|
||||
doc/man/pam.man
|
||||
doc/man/pam_acct_mgmt.3
|
||||
doc/man/pam_authenticate.3
|
||||
doc/man/pam_chauthtok.3
|
||||
doc/man/pam_close_session.3
|
||||
doc/man/pam_conv.3
|
||||
doc/man/pam_end.3
|
||||
doc/man/pam_error.3
|
||||
doc/man/pam_get_authtok.3
|
||||
doc/man/pam_get_data.3
|
||||
doc/man/pam_get_item.3
|
||||
doc/man/pam_get_user.3
|
||||
doc/man/pam_getenv.3
|
||||
doc/man/pam_getenvlist.3
|
||||
doc/man/pam_info.3
|
||||
doc/man/pam_open_session.3
|
||||
doc/man/pam_prompt.3
|
||||
doc/man/pam_putenv.3
|
||||
doc/man/pam_set_data.3
|
||||
doc/man/pam_set_item.3
|
||||
doc/man/pam_setcred.3
|
||||
doc/man/pam_setenv.3
|
||||
doc/man/pam_sm_acct_mgmt.3
|
||||
doc/man/pam_sm_authenticate.3
|
||||
doc/man/pam_sm_chauthtok.3
|
||||
doc/man/pam_sm_close_session.3
|
||||
doc/man/pam_sm_open_session.3
|
||||
doc/man/pam_sm_setcred.3
|
||||
doc/man/pam_start.3
|
||||
doc/man/pam_strerror.3
|
||||
doc/man/pam_verror.3
|
||||
doc/man/pam_vinfo.3
|
||||
doc/man/pam_vprompt.3
|
||||
include/
|
||||
include/Makefile.am
|
||||
include/Makefile.in
|
||||
include/security/
|
||||
include/security/Makefile.am
|
||||
include/security/Makefile.in
|
||||
include/security/openpam.h
|
||||
include/security/openpam_version.h
|
||||
include/security/pam_appl.h
|
||||
include/security/pam_constants.h
|
||||
include/security/pam_modules.h
|
||||
include/security/pam_types.h
|
||||
lib/
|
||||
lib/Makefile.am
|
||||
lib/Makefile.in
|
||||
lib/openpam_borrow_cred.c
|
||||
lib/openpam_configure.c
|
||||
lib/openpam_dispatch.c
|
||||
lib/openpam_dynamic.c
|
||||
lib/openpam_findenv.c
|
||||
lib/openpam_free_data.c
|
||||
lib/openpam_free_envlist.c
|
||||
lib/openpam_get_option.c
|
||||
lib/openpam_impl.h
|
||||
lib/openpam_load.c
|
||||
lib/openpam_log.c
|
||||
lib/openpam_nullconv.c
|
||||
lib/openpam_readline.c
|
||||
lib/openpam_restore_cred.c
|
||||
lib/openpam_set_option.c
|
||||
lib/openpam_static.c
|
||||
lib/openpam_ttyconv.c
|
||||
lib/pam_acct_mgmt.c
|
||||
lib/pam_authenticate.c
|
||||
lib/pam_authenticate_secondary.c
|
||||
lib/pam_chauthtok.c
|
||||
lib/pam_close_session.c
|
||||
lib/pam_end.c
|
||||
lib/pam_error.c
|
||||
lib/pam_get_authtok.c
|
||||
lib/pam_get_data.c
|
||||
lib/pam_get_item.c
|
||||
lib/pam_get_mapped_authtok.c
|
||||
lib/pam_get_mapped_username.c
|
||||
lib/pam_get_user.c
|
||||
lib/pam_getenv.c
|
||||
lib/pam_getenvlist.c
|
||||
lib/pam_info.c
|
||||
lib/pam_open_session.c
|
||||
lib/pam_prompt.c
|
||||
lib/pam_putenv.c
|
||||
lib/pam_set_data.c
|
||||
lib/pam_set_item.c
|
||||
lib/pam_set_mapped_authtok.c
|
||||
lib/pam_set_mapped_username.c
|
||||
lib/pam_setcred.c
|
||||
lib/pam_setenv.c
|
||||
lib/pam_sm_acct_mgmt.c
|
||||
lib/pam_sm_authenticate.c
|
||||
lib/pam_sm_authenticate_secondary.c
|
||||
lib/pam_sm_chauthtok.c
|
||||
lib/pam_sm_close_session.c
|
||||
lib/pam_sm_get_mapped_authtok.c
|
||||
lib/pam_sm_get_mapped_username.c
|
||||
lib/pam_sm_open_session.c
|
||||
lib/pam_sm_set_mapped_authtok.c
|
||||
lib/pam_sm_set_mapped_username.c
|
||||
lib/pam_sm_setcred.c
|
||||
lib/pam_start.c
|
||||
lib/pam_strerror.c
|
||||
lib/pam_verror.c
|
||||
lib/pam_vinfo.c
|
||||
lib/pam_vprompt.c
|
||||
misc/
|
||||
misc/gendoc.pl
|
||||
modules/
|
||||
modules/Makefile.am
|
||||
modules/Makefile.in
|
||||
modules/pam_deny/
|
||||
modules/pam_deny/Makefile.am
|
||||
modules/pam_deny/Makefile.in
|
||||
modules/pam_deny/pam_deny.c
|
||||
modules/pam_permit/
|
||||
modules/pam_permit/Makefile.am
|
||||
modules/pam_permit/Makefile.in
|
||||
modules/pam_permit/pam_permit.c
|
||||
modules/pam_unix/
|
||||
modules/pam_unix/Makefile.am
|
||||
modules/pam_unix/Makefile.in
|
||||
modules/pam_unix/pam_unix.c
|
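Review bot: removing MANIFEST matches the Makefile.am hunk that drops it from EXTRA_DIST, but this file was the only explicit list of what a release tarball contains, including the generated configure, config.guess, config.sub, ltmain.sh and depcomp; after this change the tarball content is defined implicitly by automake plus EXTRA_DIST, so "make distcheck" becomes the only guard against a missing file and the release procedure should require it. It was also the only record that lib/pam_get_mapped_authtok.c, lib/pam_get_mapped_username.c and the other mapped-authentication stubs exist, which is worth a mention in RELNOTES if they are still shipped.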
Makefile.am (49 changed lines)
|
@ -1,5 +1,48 @@
|
|||
# $P4: //depot/projects/openpam/Makefile.am#3 $
|
||||
ACLOCAL_AMFLAGS = -I m4
|
||||
|
||||
SUBDIRS = lib bin modules doc include
|
||||
SUBDIRS = misc include lib bin modules
|
||||
|
||||
EXTRA_DIST = CREDITS HISTORY INSTALL LICENSE MANIFEST README RELNOTES
|
||||
if WITH_DOC
|
||||
SUBDIRS += doc
|
||||
endif
|
||||
|
||||
SUBDIRS += t
|
||||
|
||||
EXTRA_DIST = \
|
||||
CREDITS \
|
||||
HISTORY \
|
||||
INSTALL \
|
||||
LICENSE \
|
||||
README \
|
||||
RELNOTES \
|
||||
autogen.sh \
|
||||
misc/gendoc.pl
|
||||
|
||||
if WITH_CODE_COVERAGE
|
||||
covdir = @abs_top_builddir@/cov
|
||||
coverage: coverage-clean all coverage-prepare coverage-run coverage-report
|
||||
coverage-clean:
|
||||
-rm -rf "${covdir}"
|
||||
coverage-prepare:
|
||||
mkdir "${covdir}"
|
||||
if CLANG_CODE_COVERAGE
|
||||
profdata = ${covdir}/@PACKAGE@.profdata
|
||||
# hardcoding libpam.so here is horrible, need to find a better solution
|
||||
coverage-run:
|
||||
LLVM_PROFILE_FILE="${covdir}/@PACKAGE@.%p.raw" \
|
||||
${MAKE} -C "@abs_top_builddir@" check
|
||||
coverage-report:
|
||||
llvm-profdata@clang_ver@ merge \
|
||||
--sparse "${covdir}/@PACKAGE@".*.raw -o "${profdata}"
|
||||
llvm-cov@clang_ver@ show \
|
||||
--format=html --tab-size=8 \
|
||||
--output-dir="${covdir}" \
|
||||
--instr-profile="${profdata}" \
|
||||
--object "@abs_top_builddir@/lib/libpam/.libs/libpam.so"
|
||||
@echo "coverage report: file://${covdir}/index.html"
|
||||
endif
|
||||
else
|
||||
coverage:
|
||||
echo "code coverage is not enabled." >&2
|
||||
false
|
||||
endif
|
||||
|
|
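Review bot: under WITH_CODE_COVERAGE the coverage-run and coverage-report rules are defined only inside "if CLANG_CODE_COVERAGE" with no else branch, so a GCC build configured with --enable-code-coverage gets a "coverage" target whose prerequisites have no rule and make stops with "No rule to make target coverage-run"; either add gcov equivalents in an else branch or make the outer target itself conditional on the clang case. The comment above coverage-run already admits the hard-coded '--object "@abs_top_builddir@/lib/libpam/.libs/libpam.so"'; that path only matches libtool's ELF layout, so llvm-cov cannot find the object on a platform where the shared library has another suffix. Also, with MANIFEST deleted in this same compare, EXTRA_DIST is now the only list of non-built files shipped in a tarball, so the new entries (autogen.sh, misc/gendoc.pl) need a "make distcheck" in the release steps to catch omissions.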
README (19 changed lines)
|
@ -7,21 +7,4 @@ implementations disagree, OpenPAM tries to remain compatible with
|
|||
Solaris, at the expense of XSSO conformance and Linux-PAM
|
||||
compatibility.
|
||||
|
||||
These are some of OpenPAM's features:
|
||||
|
||||
- Implements the complete PAM API as described in the original PAM
|
||||
paper and in OSF-RFC 86.0; this corresponds to the full XSSO API
|
||||
except for mappings and secondary authentication. Also
|
||||
implements some extensions found in Solaris 9.
|
||||
|
||||
- Extends the API with several useful and time-saving functions.
|
||||
|
||||
- Performs strict checking of return values from service modules.
|
||||
|
||||
- Reads configuration from /etc/pam.d/, /etc/pam.conf,
|
||||
/usr/local/etc/pam.d/ and /usr/local/etc/pam.conf, in that order;
|
||||
this will be made configurable in a future release.
|
||||
|
||||
Please direct bug reports and inquiries to des@freebsd.org.
|
||||
|
||||
$P4: //depot/projects/openpam/README#5 $
|
||||
Please direct bug reports and inquiries to <des@des.no>.
|
||||
|
|
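Review bot: the removed feature list contained the only user-facing statement of where policies are read from and in which order (/etc/pam.d/, /etc/pam.conf, /usr/local/etc/pam.d/, /usr/local/etc/pam.conf); together with the HISTORY entry that reverts to using only the first policy found for a service, that order is what decides which file is in effect, so if it leaves README it should be stated in pam.conf(5) or openpam(3) where an administrator can find it. The "strict checking of return values from service modules" bullet is likewise a property people rely on when evaluating the library, and dropping it reads as a regression rather than a documentation cleanup; a shorter features paragraph would be better than none.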
RELNOTES (34 changed lines)
|
@ -1,29 +1,21 @@
|
|||
|
||||
Release notes for OpenPAM Figwort
|
||||
Release notes for OpenPAM Ximenia
|
||||
=================================
|
||||
|
||||
This release corresponds to the code used in FreeBSD-CURRENT as of the
|
||||
release date. It has also been tested on several other platforms, and
|
||||
is expected to work on almost any POSIX-like platform that has GNU
|
||||
autotools, GNU make and the GNU compiler suite installed. One notable
|
||||
exception is MacOS X, which ships with a very weird, heavily modified
|
||||
version of GCC.
|
||||
OpenPAM is developed primarily on FreeBSD, but is expected to work on
|
||||
almost any POSIX-like platform that has GNU autotools, GNU make and
|
||||
the GNU compiler suite installed.
|
||||
|
||||
The library itself is complete. Documentation exists in the form of
|
||||
man pages for the library functions. These man pages are generated by
|
||||
a Perl script from specially marked-up comments in the source files
|
||||
themselves, which minimizes the chance that any of them should be out
|
||||
of date.
|
||||
The OpenPAM distribution consists of the following components:
|
||||
|
||||
The distribution also includes three sample modules (pam_deny,
|
||||
pam_permit and pam_unix) and a sample application (su). These are not
|
||||
intended for actual use, but rather to serve as examples for module or
|
||||
application developers.
|
||||
- The PAM library itself, with complete API documentation.
|
||||
|
||||
NOTE: to the person who sent me MacOS patches in July 2002: I have
|
||||
lost your name and email address. Please contact me so I can give you
|
||||
proper credit for your contribution.
|
||||
- Sample modules (pam_permit, pam_deny and pam_unix) and a sample
|
||||
application (su) which demonstrate how to use the PAM library.
|
||||
|
||||
Please direct bug reports and inquiries to <des@freebsd.org>.
|
||||
- A test application (pamtest) which can be used to test policies and
|
||||
modules.
|
||||
|
||||
$P4: //depot/projects/openpam/RELNOTES#22 $
|
||||
- Unit tests for limited portions of the library.
|
||||
|
||||
Please direct bug reports and inquiries to <des@des.no>.
|
||||
|
|
|
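Review bot: the rewritten component list drops the old sentence that the sample modules and su are "not intended for actual use, but rather to serve as examples"; the new wording, "which demonstrate how to use the PAM library", no longer tells a reader not to install the sample su(1) or pam_unix as the system versions. Since su is setuid by nature and pam_unix gates password authentication, the caveat should survive the rewrite, ideally with a note that both are opt-in at configure time (the bin/Makefile.am hunk only descends into su under WITH_SU, and INSTALL lists --with-su and --with-pam-unix as explicit options).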
@ -0,0 +1,9 @@
|
|||
- Fix try_first_pass / use_first_pass (pam_get_authtok() code &
|
||||
documentation are slightly incorrect, OpenPAM's pam_unix(8) is
|
||||
incorrect, all FreeBSD modules are broken)
|
||||
|
||||
- Add loop detection to openpam_load_chain().
|
||||
|
||||
- Complete unit tests for openpam_dispatch().
|
||||
|
||||
- Stop using PAM_SYMBOL_ERR incorrectly.
|
|
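Review bot: the "Add loop detection to openpam_load_chain()" item is a denial-of-service fix rather than a nicety, since a policy that includes itself, directly or through another policy, recurses without bound when the chain is loaded; it should say so and come with a test under t/. The last item, "Stop using PAM_SYMBOL_ERR incorrectly", contradicts the Cantaloupe entry in HISTORY, which records that PAM_SYMBOL_ERR was already restricted to pam_[gs]et_item(3) argument errors; one of the two should say where the incorrect use remains. For the try_first_pass / use_first_pass item, spell out the intended semantics (try_first_pass falls back to prompting when no token is present, use_first_pass must fail instead) so the eventual fix can be checked against the FreeBSD modules it says are broken.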
@ -0,0 +1,19 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -ex
|
||||
|
||||
. ./autogen.sh
|
||||
|
||||
# autoconf prior to 2.62 has issues with zsh 4.2 and newer
|
||||
export CONFIG_SHELL=/bin/sh
|
||||
|
||||
./configure \
|
||||
--with-doc \
|
||||
--with-pam-unix \
|
||||
--with-pamtest \
|
||||
--with-su \
|
||||
--enable-debug \
|
||||
--enable-developer-warnings \
|
||||
--enable-werror \
|
||||
--enable-code-coverage \
|
||||
"$@"
|
|
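Review bot: ". ./autogen.sh" sources the script instead of running it, which is what makes this script's "set -ex" apply to the libtoolize, aclocal, autoheader, automake and autoconf steps now that the autogen.sh hunk removes "-ex" from its shebang; the cost is that any cd, exit or variable assignment in autogen.sh leaks into this script. Putting "set -e" back into autogen.sh and invoking it as "./autogen.sh" gives the same failure behaviour without the coupling. The CONFIG_SHELL comment refers to autoconf before 2.62; if that is no longer a supported version the export can go, otherwise record the minimum autoconf version in INSTALL.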
@ -1,10 +1,7 @@
|
|||
#!/bin/sh -ex
|
||||
#
|
||||
# $P4: //depot/projects/openpam/autogen.sh#2 $
|
||||
#
|
||||
#!/bin/sh
|
||||
|
||||
libtoolize --copy --force
|
||||
aclocal
|
||||
aclocal -I m4
|
||||
autoheader
|
||||
automake -a -c --foreign
|
||||
automake --add-missing --copy --foreign
|
||||
autoconf
|
||||
|
|
|
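Review bot: changing the shebang from "#!/bin/sh -ex" to "#!/bin/sh" removes the only error handling in this script: if libtoolize or aclocal fails, automake and autoconf still run against whatever stale files are present and the script exits 0. Keep "set -e" (dropping the "-x" trace is fine). The "aclocal -I m4" change is consistent with the ACLOCAL_AMFLAGS = -I m4 added in the Makefile.am hunk.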
@ -1,3 +1,9 @@
|
|||
# $P4: //depot/projects/openpam/bin/Makefile.am#2 $
|
||||
SUBDIRS = openpam_dump_policy
|
||||
|
||||
SUBDIRS = su
|
||||
if WITH_PAMTEST
|
||||
SUBDIRS += pamtest
|
||||
endif
|
||||
|
||||
if WITH_SU
|
||||
SUBDIRS += su
|
||||
endif
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
/openpam_dump_policy
|
|
@ -0,0 +1,9 @@
|
|||
AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/lib/libpam
|
||||
|
||||
noinst_PROGRAMS = openpam_dump_policy
|
||||
openpam_dump_policy_SOURCES = openpam_dump_policy.c
|
||||
if WITH_SYSTEM_LIBPAM
|
||||
openpam_dump_policy_LDADD = $(SYSTEM_LIBPAM)
|
||||
else
|
||||
openpam_dump_policy_LDADD = $(top_builddir)/lib/libpam/libpam.la
|
||||
endif
|
|
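Review bot: the WITH_SYSTEM_LIBPAM branch cannot work for this program: openpam_dump_policy.c includes openpam_impl.h (hence the -I$(top_srcdir)/lib/libpam), calls openpam_configure() and walks pamh->chains[] directly, all of which are private to the in-tree library; linking it against $(SYSTEM_LIBPAM) fails on a non-OpenPAM libpam and, with a system OpenPAM of a different version, compiles against one layout of the PAM handle and runs against another. Since this is a noinst build-time helper, link it against $(top_builddir)/lib/libpam/libpam.la unconditionally, or skip the directory under WITH_SYSTEM_LIBPAM.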
@ -0,0 +1,200 @@
|
|||
/*-
|
||||
* Copyright (c) 2011-2014 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
#include "openpam_asprintf.h"
|
||||
|
||||
static char *
|
||||
openpam_chain_name(const char *service, pam_facility_t fclt)
|
||||
{
|
||||
const char *facility = pam_facility_name[fclt];
|
||||
char *name;
|
||||
|
||||
if (asprintf(&name, "pam_%s_%s", service, facility) == -1)
|
||||
return (NULL);
|
||||
return (name);
|
||||
}
|
||||
|
||||
static char *
|
||||
openpam_facility_index_name(pam_facility_t fclt)
|
||||
{
|
||||
const char *facility = pam_facility_name[fclt];
|
||||
char *name, *p;
|
||||
|
||||
if (asprintf(&name, "PAM_%s", facility) == -1)
|
||||
return (NULL);
|
||||
for (p = name + 4; *p; ++p)
|
||||
*p = toupper((unsigned char)*p);
|
||||
return (name);
|
||||
}
|
||||
|
||||
int
|
||||
openpam_dump_chain(const char *name, pam_chain_t *chain)
|
||||
{
|
||||
char *modname, **opt, *p;
|
||||
int i;
|
||||
|
||||
for (i = 0; chain != NULL; ++i, chain = chain->next) {
|
||||
/* declare the module's struct pam_module */
|
||||
modname = strrchr(chain->module->path, '/');
|
||||
modname = strdup(modname ? modname : chain->module->path);
|
||||
if (modname == NULL)
|
||||
return (PAM_BUF_ERR);
|
||||
for (p = modname; *p && *p != '.'; ++p)
|
||||
/* nothing */ ;
|
||||
*p = '\0';
|
||||
printf("extern struct pam_module %s_pam_module;\n", modname);
|
||||
/* module arguments */
|
||||
printf("static char *%s_%d_optv[] = {\n", name, i);
|
||||
for (opt = chain->optv; *opt; ++opt) {
|
||||
printf("\t\"");
|
||||
for (p = *opt; *p; ++p) {
|
||||
if (isprint((unsigned char)*p) && *p != '"')
|
||||
printf("%c", *p);
|
||||
else
|
||||
printf("\\x%02x", (unsigned char)*p);
|
||||
}
|
||||
printf("\",\n");
|
||||
}
|
||||
printf("\tNULL,\n");
|
||||
printf("};\n");
|
||||
/* next module in chain */
|
||||
if (chain->next != NULL)
|
||||
printf("static pam_chain_t %s_%d;\n", name, i + 1);
|
||||
/* chain entry */
|
||||
printf("static pam_chain_t %s_%d = {\n", name, i);
|
||||
printf("\t.module = &%s_pam_module,\n", modname);
|
||||
printf("\t.flag = 0x%08x,\n", chain->flag);
|
||||
printf("\t.optc = %d,\n", chain->optc);
|
||||
printf("\t.optv = %s_%d_optv,\n", name, i);
|
||||
if (chain->next)
|
||||
printf("\t.next = &%s_%d,\n", name, i + 1);
|
||||
else
|
||||
printf("\t.next = NULL,\n");
|
||||
printf("};\n");
|
||||
free(modname);
|
||||
}
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
int
|
||||
openpam_dump_policy(const char *service)
|
||||
{
|
||||
pam_handle_t *pamh;
|
||||
char *name;
|
||||
int fclt, ret;
|
||||
|
||||
if ((pamh = calloc(1, sizeof *pamh)) == NULL)
|
||||
return (PAM_BUF_ERR);
|
||||
if ((ret = openpam_configure(pamh, service)) != PAM_SUCCESS)
|
||||
return (ret);
|
||||
for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
|
||||
if (pamh->chains[fclt] != NULL) {
|
||||
if ((name = openpam_chain_name(service, fclt)) == NULL)
|
||||
return (PAM_BUF_ERR);
|
||||
ret = openpam_dump_chain(name, pamh->chains[fclt]);
|
||||
free(name);
|
||||
if (ret != PAM_SUCCESS)
|
||||
return (ret);
|
||||
}
|
||||
}
|
||||
printf("static pam_policy_t pam_%s_policy = {\n", service);
|
||||
printf("\t.service = \"%s\",\n", service);
|
||||
printf("\t.chains = {\n");
|
||||
for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
|
||||
if ((name = openpam_facility_index_name(fclt)) == NULL)
|
||||
return (PAM_BUF_ERR);
|
||||
printf("\t\t[%s] = ", name);
|
||||
free(name);
|
||||
if (pamh->chains[fclt] != NULL) {
|
||||
if ((name = openpam_chain_name(service, fclt)) == NULL)
|
||||
return (PAM_BUF_ERR);
|
||||
printf("&%s_0,\n", name);
|
||||
free(name);
|
||||
} else {
|
||||
printf("NULL,\n");
|
||||
}
|
||||
}
|
||||
printf("\t},\n");
|
||||
printf("};\n");
|
||||
free(pamh);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
static void
|
||||
usage(void)
|
||||
{
|
||||
|
||||
fprintf(stderr, "usage: openpam_dump_policy [-d] policy ...\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char *argv[])
|
||||
{
|
||||
int i, opt;
|
||||
|
||||
while ((opt = getopt(argc, argv, "d")) != -1)
|
||||
switch (opt) {
|
||||
case 'd':
|
||||
openpam_debug = 1;
|
||||
break;
|
||||
default:
|
||||
usage();
|
||||
}
|
||||
|
||||
argc -= optind;
|
||||
argv += optind;
|
||||
|
||||
if (argc < 1)
|
||||
usage();
|
||||
|
||||
printf("#include <security/pam_appl.h>\n");
|
||||
printf("#include \"openpam_impl.h\"\n");
|
||||
for (i = 0; i < argc; ++i)
|
||||
openpam_dump_policy(argv[i]);
|
||||
printf("pam_policy_t *pam_embedded_policies[] = {\n");
|
||||
for (i = 0; i < argc; ++i)
|
||||
printf("\t&pam_%s_policy,\n", argv[i]);
|
||||
printf("\tNULL,\n");
|
||||
printf("};\n");
|
||||
exit(0);
|
||||
}
|
|
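Review bot: in openpam_dump_chain(), "modname = strrchr(chain->module->path, '/')" leaves modname pointing at the separator itself, so for any module loaded by path the generated line is "extern struct pam_module /pam_unix_pam_module;", which is not valid C; copy from modname + 1 when strrchr() succeeds. The option-value escaping has two related problems: a non-printable byte is emitted as a backslash-x hex escape, and C hex escapes are greedy, so a 0x01 byte followed by the letter "a" comes out as "\x01a" and is read back as a single escape; and a printable backslash passes the isprint() test and is copied raw, where it starts an escape in the generated string. A fixed-width octal escape (backslash followed by %03o) and an extra "*p != '\\'" in the printable test fix both. Finally, main() ignores the return value of openpam_dump_policy() and still emits "&pam_%s_policy" into pam_embedded_policies[] for every argument before exit(0), so a service whose policy failed to load yields a generated file that does not compile and no indication of which service was at fault; check the return value and exit non-zero, and free pamh on the error paths in openpam_dump_policy() while there.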
@ -0,0 +1 @@
|
|||
/pamtest
|
|
@ -0,0 +1,11 @@
|
|||
AM_CPPFLAGS = -I$(top_srcdir)/include
|
||||
|
||||
bin_PROGRAMS = pamtest
|
||||
pamtest_SOURCES = pamtest.c
|
||||
if WITH_SYSTEM_LIBPAM
|
||||
pamtest_LDADD = $(SYSTEM_LIBPAM)
|
||||
else
|
||||
pamtest_LDADD = $(top_builddir)/lib/libpam/libpam.la
|
||||
endif
|
||||
|
||||
dist_man1_MANS = pamtest.1
|
|
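Review bot: the WITH_SYSTEM_LIBPAM branch links pamtest against $(SYSTEM_LIBPAM), but pamtest.c declares "extern const char *pam_item_name[PAM_NUM_ITEMS]" and "extern int openpam_debug" under a comment that calls them OpenPAM internals, and it uses openpam_ttyconv(); with any system libpam that is not OpenPAM the link fails, and with a system OpenPAM of a different version the in-tree headers selected by AM_CPPFLAGS = -I$(top_srcdir)/include can disagree with the installed library about PAM_NUM_ITEMS. Either have configure require that the system library is OpenPAM of a matching version when pamtest is enabled, or restrict pamtest to the public API in that configuration.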
@ -0,0 +1,187 @@
|
|||
.\"-
|
||||
.\" Copyright (c) 2011-2017 Dag-Erling Smørgrav
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\" 3. The name of the author may not be used to endorse or promote
|
||||
.\" products derived from this software without specific prior written
|
||||
.\" permission.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd July 11, 2013
|
||||
.Dt PAMTEST 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm pamtest
|
||||
.Nd PAM policy tester
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
.Op Fl dkMPsv
|
||||
.Op Fl H Ar rhost
|
||||
.Op Fl h Ar host
|
||||
.Op Fl T Ar timeout
|
||||
.Op Fl t Ar tty
|
||||
.Op Fl U Ar ruser
|
||||
.Op Fl u Ar user
|
||||
.Ar service
|
||||
.Op Ar command ...
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
utility offers an easy way to test PAM modules and policies from the
|
||||
command line.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
utility loads the PAM policy specified by the
|
||||
.Ar service
|
||||
argument, starts a PAM transaction by calling
|
||||
.Xr pam_start 3 ,
|
||||
then executes the primitives specified by the remaining command-line
|
||||
arguments.
|
||||
Finally, it ends the transaction by calling
|
||||
.Xr pam_end 3 .
|
||||
.Pp
|
||||
The commands are:
|
||||
.Bl -tag -width 6n
|
||||
.It Cm authenticate , Cm auth
|
||||
Call
|
||||
.Xr pam_authenticate 3 .
|
||||
.It Cm acct_mgmt , Cm account
|
||||
Call
|
||||
.Xr pam_acct_mgmt 3 .
|
||||
.It Cm chauthtok , Cm change
|
||||
Call
|
||||
.Xr pam_chauthtok 3
|
||||
with the
|
||||
.Dv PAM_CHANGE_EXPIRED_AUTHTOK
|
||||
flag set.
|
||||
.It Cm forcechauthtok , Cm forcechange
|
||||
Call
|
||||
.Xr pam_chauthtok 3
|
||||
with no flags set.
|
||||
.It Cm setcred , Cm establish_cred
|
||||
Call
|
||||
.Xr pam_setcred 3
|
||||
with the
|
||||
.Dv PAM_ESTABLISH_CRED
|
||||
flag set.
|
||||
.It Cm open_session , Cm open
|
||||
Call
|
||||
.Xr pam_open_session 3 .
|
||||
.It Cm close_session , Cm close
|
||||
Call
|
||||
.Xr pam_close_session 3 .
|
||||
.It Cm unsetcred , Cm delete_cred
|
||||
Call
|
||||
.Xr pam_setcred 3
|
||||
with the
|
||||
.Dv PAM_DELETE_CRED
|
||||
flag set.
|
||||
.It Cm listenv , Cm env
|
||||
Call
|
||||
.Xr pam_getenvlist 3
|
||||
and print the contents of the list it returns.
|
||||
.El
|
||||
.Pp
|
||||
The following options are available:
|
||||
.Bl -tag -width Fl
|
||||
.It Fl d
|
||||
Enables debug messages within the OpenPAM library.
|
||||
See
|
||||
.Xr openpam_log 3
|
||||
for details.
|
||||
.It Fl H Ar rhost
|
||||
Specify the name of the fictitious remote host.
|
||||
The default is to use the name of the local host.
|
||||
.It Fl h Ar host
|
||||
Specify the name of the local host.
|
||||
The default is to use the result of calling
|
||||
.Xr gethostname 3 .
|
||||
.It Fl k
|
||||
Keep going even if one of the commands fails.
|
||||
.It Fl M
|
||||
Disable path, ownership and permission checks on module files.
|
||||
.It Fl P
|
||||
Disable service name validation and path, ownership and permission
|
||||
checks on policy files.
|
||||
.It Fl s
|
||||
Set the
|
||||
.Dv PAM_SILENT
|
||||
flag when calling the
|
||||
.Xr pam_authenticate 3 ,
|
||||
.Xr pam_acct_mgmt 3 ,
|
||||
.Xr pam_chauthok 3 ,
|
||||
.Xr pam_setcred 3 ,
|
||||
.Xr pam_open_session 3
|
||||
and
|
||||
.Xr pam_close_session 3
|
||||
primitives.
|
||||
.It Fl T Ar timeout
|
||||
Set the conversation timeout (in seconds) for
|
||||
.Xr openpam_ttyconv 3 .
|
||||
.It Fl t Ar tty
|
||||
Specify the name of the tty.
|
||||
The default is to use the result of calling
|
||||
.Xr ttyname 3 .
|
||||
.It Fl U Ar ruser
|
||||
Specify the name of the supplicant (remote user).
|
||||
.It Fl u Ar user
|
||||
Specify the name of the principal (local user).
|
||||
.It Fl v
|
||||
Enables debug messages from
|
||||
.Nm
|
||||
itself.
|
||||
.El
|
||||
.Sh EXAMPLES
|
||||
Simulate a typical PAM transaction using the
|
||||
.Dq system
|
||||
policy:
|
||||
.Bd -literal -offset indent
|
||||
pamtest -v system auth account change setcred open close unsetcred
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
.Xr openpam 3 ,
|
||||
.Xr pam 3 ,
|
||||
.Xr pam.conf 5
|
||||
.Sh AUTHORS
|
||||
The
|
||||
.Nm
|
||||
utility and this manual page were written by
|
||||
.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
|
||||
.Sh BUGS
|
||||
The
|
||||
.Nm
|
||||
utility does not (yet) support setting and getting individual PAM
|
||||
items or environment variables.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
utility does not afford the user complete control over the flags
|
||||
passed to the
|
||||
.Xr pam_authenticate 3 ,
|
||||
.Xr pam_acct_mgmt 3 ,
|
||||
.Xr pam_chauthok 3 ,
|
||||
.Xr pam_setcred 3 ,
|
||||
.Xr pam_open_session 3
|
||||
and
|
||||
.Xr pam_close_session 3
|
||||
primitives.
|
|
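Review bot: ".Xr pam_chauthok 3" appears in both the -s description and the BUGS section and should be pam_chauthtok; also ".Dd July 11, 2013" predates the 2011-2017 copyright and should be bumped with the page. The -M and -P descriptions say what the flags disable but not why the checks exist or when it is acceptable to turn them off: the path, ownership and permission checks on module and policy files are what keep a user-writable file from being loaded into a privileged process, so the page should say these flags are for testing modules and policies out of a build tree and must not be used to work around a check failure on an installed system. One more sentence under -H would help: because rhost defaults to the local host name, PAM_HOST and PAM_RHOST are equal unless -H is given, so the alternate pam_get_authtok(3) prompt that HISTORY says is used only when they differ is never exercised by default.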
@ -0,0 +1,465 @@
|
|||
/*-
|
||||
* Copyright (c) 2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <err.h>
|
||||
#include <limits.h>
|
||||
#include <pwd.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/openpam.h> /* for openpam_ttyconv() */
|
||||
|
||||
/* OpenPAM internals */
|
||||
extern const char *pam_item_name[PAM_NUM_ITEMS];
|
||||
extern int openpam_debug;
|
||||
|
||||
static pam_handle_t *pamh;
|
||||
static struct pam_conv pamc;
|
||||
|
||||
static int silent;
|
||||
static int verbose;
|
||||
|
||||
static void pt_verbose(const char *, ...)
|
||||
OPENPAM_FORMAT ((__printf__, 1, 2));
|
||||
static void pt_error(int, const char *, ...)
|
||||
OPENPAM_FORMAT ((__printf__, 2, 3));
|
||||
|
||||
/*
|
||||
* Print an information message if -v was specified at least once
|
||||
*/
|
||||
static void
|
||||
pt_verbose(const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
if (verbose) {
|
||||
va_start(ap, fmt);
|
||||
vfprintf(stderr, fmt, ap);
|
||||
va_end(ap);
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Print an error message
|
||||
*/
|
||||
static void
|
||||
pt_error(int e, const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
if (e == PAM_SUCCESS && !verbose)
|
||||
return;
|
||||
va_start(ap, fmt);
|
||||
vfprintf(stderr, fmt, ap);
|
||||
va_end(ap);
|
||||
fprintf(stderr, ": %s\n", pam_strerror(NULL, e));
|
||||
}
|
||||
|
||||
/*
|
||||
* Wrapper for pam_start(3)
|
||||
*/
|
||||
static int
|
||||
pt_start(const char *service, const char *user)
|
||||
{
|
||||
int pame;
|
||||
|
||||
pamc.conv = &openpam_ttyconv;
|
||||
pt_verbose("pam_start(%s, %s)", service, user);
|
||||
if ((pame = pam_start(service, user, &pamc, &pamh)) != PAM_SUCCESS)
|
||||
pt_error(pame, "pam_start(%s)", service);
|
||||
return (pame);
|
||||
}
|
||||
|
||||
/*
|
||||
* Wrapper for pam_authenticate(3)
|
||||
*/
|
||||
static int
|
||||
pt_authenticate(int flags)
|
||||
{
|
||||
int pame;
|
||||
|
||||
flags |= silent;
|
||||
pt_verbose("pam_authenticate()");
|
||||
if ((pame = pam_authenticate(pamh, flags)) != PAM_SUCCESS)
|
||||
pt_error(pame, "pam_authenticate()");
|
||||
return (pame);
|
||||
}
|
||||
|
||||
/*
|
||||
* Wrapper for pam_acct_mgmt(3)
|
||||
*/
|
||||
static int
|
||||
pt_acct_mgmt(int flags)
|
||||
{
|
||||
int pame;
|
||||
|
||||
flags |= silent;
|
||||
pt_verbose("pam_acct_mgmt()");
|
||||
if ((pame = pam_acct_mgmt(pamh, flags)) != PAM_SUCCESS)
|
||||
pt_error(pame, "pam_acct_mgmt()");
|
||||
return (pame);
|
||||
}
|
||||
|
||||
/*
|
||||
* Wrapper for pam_chauthtok(3)
|
||||
*/
|
||||
static int
|
||||
pt_chauthtok(int flags)
|
||||
{
|
||||
int pame;
|
||||
|
||||
flags |= silent;
|
||||
pt_verbose("pam_chauthtok()");
|
||||
if ((pame = pam_chauthtok(pamh, flags)) != PAM_SUCCESS)
|
||||
pt_error(pame, "pam_chauthtok()");
|
||||
return (pame);
|
||||
}
|
||||
|
||||
/*
|
||||
* Wrapper for pam_setcred(3)
|
||||
*/
|
||||
static int
|
||||
pt_setcred(int flags)
|
||||
{
|
||||
int pame;
|
||||
|
||||
flags |= silent;
|
||||
pt_verbose("pam_setcred()");
|
||||
if ((pame = pam_setcred(pamh, flags)) != PAM_SUCCESS)
|
||||
pt_error(pame, "pam_setcred()");
|
||||
return (pame);
|
||||
}
|
||||
|
||||
/*
|
||||
* Wrapper for pam_open_session(3)
|
||||
*/
|
||||
static int
|
||||
pt_open_session(int flags)
|
||||
{
|
||||
int pame;
|
||||
|
||||
flags |= silent;
|
||||
pt_verbose("pam_open_session()");
|
||||
if ((pame = pam_open_session(pamh, flags)) != PAM_SUCCESS)
|
||||
pt_error(pame, "pam_open_session()");
|
||||
return (pame);
|
||||
}
|
||||
|
||||
/*
|
||||
* Wrapper for pam_close_session(3)
|
||||
*/
|
||||
static int
|
||||
pt_close_session(int flags)
|
||||
{
|
||||
int pame;
|
||||
|
||||
flags |= silent;
|
||||
pt_verbose("pam_close_session()");
|
||||
if ((pame = pam_close_session(pamh, flags)) != PAM_SUCCESS)
|
||||
pt_error(pame, "pam_close_session()");
|
||||
return (pame);
|
||||
}
|
||||
|
||||
/*
|
||||
* Wrapper for pam_set_item(3)
|
||||
*/
|
||||
static int
|
||||
pt_set_item(int item, const char *p)
|
||||
{
|
||||
int pame;
|
||||
|
||||
switch (item) {
|
||||
case PAM_SERVICE:
|
||||
case PAM_USER:
|
||||
case PAM_AUTHTOK:
|
||||
case PAM_OLDAUTHTOK:
|
||||
case PAM_TTY:
|
||||
case PAM_RHOST:
|
||||
case PAM_RUSER:
|
||||
case PAM_USER_PROMPT:
|
||||
case PAM_AUTHTOK_PROMPT:
|
||||
case PAM_OLDAUTHTOK_PROMPT:
|
||||
case PAM_HOST:
|
||||
pt_verbose("setting %s to %s", pam_item_name[item], p);
|
||||
break;
|
||||
default:
|
||||
pt_verbose("setting %s", pam_item_name[item]);
|
||||
break;
|
||||
}
|
||||
if ((pame = pam_set_item(pamh, item, p)) != PAM_SUCCESS)
|
||||
pt_error(pame, "pam_set_item(%s)", pam_item_name[item]);
|
||||
return (pame);
|
||||
}
|
||||
|
||||
/*
|
||||
* Wrapper for pam_end(3)
|
||||
*/
|
||||
static int
|
||||
pt_end(int pame)
|
||||
{
|
||||
|
||||
if (pamh != NULL && (pame = pam_end(pamh, pame)) != PAM_SUCCESS)
|
||||
/* can't happen */
|
||||
pt_error(pame, "pam_end()");
|
||||
return (pame);
|
||||
}
|
||||
|
||||
/*
|
||||
* Retrieve and list the PAM environment variables
|
||||
*/
|
||||
static int
|
||||
pt_listenv(void)
|
||||
{
|
||||
char **pam_envlist, **pam_env;
|
||||
|
||||
if ((pam_envlist = pam_getenvlist(pamh)) == NULL ||
|
||||
*pam_envlist == NULL) {
|
||||
pt_verbose("no environment variables.");
|
||||
} else {
|
||||
pt_verbose("environment variables:");
|
||||
for (pam_env = pam_envlist; *pam_env != NULL; ++pam_env) {
|
||||
printf(" %s\n", *pam_env);
|
||||
free(*pam_env);
|
||||
}
|
||||
}
|
||||
free(pam_envlist);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
/*
|
||||
* Print usage string and exit
|
||||
*/
|
||||
static void
|
||||
usage(void)
|
||||
{
|
||||
|
||||
fprintf(stderr, "usage: pamtest %s service command ...\n",
|
||||
"[-dkMPsv] [-H rhost] [-h host] [-t tty] [-U ruser] [-u user]");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Handle an option that takes an int argument and can be used only once
|
||||
*/
|
||||
static void
|
||||
opt_num_once(int opt, long *num, const char *arg)
|
||||
{
|
||||
char *end;
|
||||
long l;
|
||||
|
||||
l = strtol(arg, &end, 0);
|
||||
if (end == optarg || *end != '\0') {
|
||||
fprintf(stderr,
|
||||
"The -%c option expects a numeric argument\n", opt);
|
||||
usage();
|
||||
}
|
||||
*num = l;
|
||||
}
|
||||
|
||||
/*
|
||||
* Handle an option that takes a string argument and can be used only once
|
||||
*/
|
||||
static void
|
||||
opt_str_once(int opt, const char **p, const char *arg)
|
||||
{
|
||||
|
||||
if (*p != NULL) {
|
||||
fprintf(stderr, "The -%c option can only be used once\n", opt);
|
||||
usage();
|
||||
}
|
||||
*p = arg;
|
||||
}
|
||||
|
||||
/*
|
||||
* Entry point
|
||||
*/
|
||||
int
|
||||
main(int argc, char *argv[])
|
||||
{
|
||||
char hostname[1024];
|
||||
const char *rhost = NULL;
|
||||
const char *host = NULL;
|
||||
const char *ruser = NULL;
|
||||
const char *user = NULL;
|
||||
const char *service = NULL;
|
||||
const char *tty = NULL;
|
||||
long timeout = 0;
|
||||
int keepatit = 0;
|
||||
int pame;
|
||||
int opt;
|
||||
|
||||
while ((opt = getopt(argc, argv, "dH:h:kMPsT:t:U:u:v")) != -1)
|
||||
switch (opt) {
|
||||
case 'd':
|
||||
openpam_debug++;
|
||||
break;
|
||||
case 'H':
|
||||
opt_str_once(opt, &rhost, optarg);
|
||||
break;
|
||||
case 'h':
|
||||
opt_str_once(opt, &host, optarg);
|
||||
break;
|
||||
case 'k':
|
||||
keepatit = 1;
|
||||
break;
|
||||
case 'M':
|
||||
openpam_set_feature(OPENPAM_RESTRICT_MODULE_NAME, 0);
|
||||
openpam_set_feature(OPENPAM_VERIFY_MODULE_FILE, 0);
|
||||
break;
|
||||
case 'P':
|
||||
openpam_set_feature(OPENPAM_RESTRICT_SERVICE_NAME, 0);
|
||||
openpam_set_feature(OPENPAM_VERIFY_POLICY_FILE, 0);
|
||||
break;
|
||||
case 's':
|
||||
silent = PAM_SILENT;
|
||||
break;
|
||||
case 'T':
|
||||
opt_num_once(opt, &timeout, optarg);
|
||||
if (timeout < 0 || timeout > INT_MAX) {
|
||||
fprintf(stderr,
|
||||
"Invalid conversation timeout\n");
|
||||
usage();
|
||||
}
|
||||
openpam_ttyconv_timeout = (int)timeout;
|
||||
break;
|
||||
case 't':
|
||||
opt_str_once(opt, &tty, optarg);
|
||||
break;
|
||||
case 'U':
|
||||
opt_str_once(opt, &ruser, optarg);
|
||||
break;
|
||||
case 'u':
|
||||
opt_str_once(opt, &user, optarg);
|
||||
break;
|
||||
case 'v':
|
||||
verbose++;
|
||||
break;
|
||||
default:
|
||||
usage();
|
||||
}
|
||||
|
||||
argc -= optind;
|
||||
argv += optind;
|
||||
|
||||
if (argc < 1)
|
||||
usage();
|
||||
|
||||
service = *argv;
|
||||
--argc;
|
||||
++argv;
|
||||
|
||||
/* defaults */
|
||||
if (service == NULL)
|
||||
service = "pamtest";
|
||||
if (rhost == NULL) {
|
||||
if (gethostname(hostname, sizeof(hostname)) == -1)
|
||||
err(1, "gethostname()");
|
||||
rhost = hostname;
|
||||
}
|
||||
if (tty == NULL)
|
||||
tty = ttyname(STDERR_FILENO);
|
||||
if (user == NULL)
|
||||
user = getlogin();
|
||||
if (ruser == NULL)
|
||||
ruser = user;
|
||||
|
||||
/* initialize PAM */
|
||||
if ((pame = pt_start(service, user)) != PAM_SUCCESS)
|
||||
goto end;
|
||||
|
||||
/*
|
||||
* pam_start(3) sets this to the machine's hostname, but we allow
|
||||
* the user to override it.
|
||||
*/
|
||||
if (host != NULL)
|
||||
if ((pame = pt_set_item(PAM_HOST, host)) != PAM_SUCCESS)
|
||||
goto end;
|
||||
|
||||
/*
|
||||
* The remote host / user / tty are usually set by the
|
||||
* application.
|
||||
*/
|
||||
if ((pame = pt_set_item(PAM_RHOST, rhost)) != PAM_SUCCESS ||
|
||||
(pame = pt_set_item(PAM_RUSER, ruser)) != PAM_SUCCESS ||
|
||||
(pame = pt_set_item(PAM_TTY, tty)) != PAM_SUCCESS)
|
||||
goto end;
|
||||
|
||||
while (argc > 0) {
|
||||
if (strcmp(*argv, "listenv") == 0 ||
|
||||
strcmp(*argv, "env") == 0) {
|
||||
pame = pt_listenv();
|
||||
} else if (strcmp(*argv, "authenticate") == 0 ||
|
||||
strcmp(*argv, "auth") == 0) {
|
||||
pame = pt_authenticate(0);
|
||||
} else if (strcmp(*argv, "acct_mgmt") == 0 ||
|
||||
strcmp(*argv, "account") == 0) {
|
||||
pame = pt_acct_mgmt(0);
|
||||
} else if (strcmp(*argv, "chauthtok") == 0 ||
|
||||
strcmp(*argv, "change") == 0) {
|
||||
pame = pt_chauthtok(PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
} else if (strcmp(*argv, "forcechauthtok") == 0 ||
|
||||
strcmp(*argv, "forcechange") == 0) {
|
||||
pame = pt_chauthtok(0);
|
||||
} else if (strcmp(*argv, "setcred") == 0 ||
|
||||
strcmp(*argv, "establish_cred") == 0) {
|
||||
pame = pt_setcred(PAM_ESTABLISH_CRED);
|
||||
} else if (strcmp(*argv, "open_session") == 0 ||
|
||||
strcmp(*argv, "open") == 0) {
|
||||
pame = pt_open_session(0);
|
||||
} else if (strcmp(*argv, "close_session") == 0 ||
|
||||
strcmp(*argv, "close") == 0) {
|
||||
pame = pt_close_session(0);
|
||||
} else if (strcmp(*argv, "unsetcred") == 0 ||
|
||||
strcmp(*argv, "delete_cred") == 0) {
|
||||
pame = pt_setcred(PAM_DELETE_CRED);
|
||||
} else {
|
||||
warnx("unknown primitive: %s", *argv);
|
||||
pame = PAM_SYSTEM_ERR;
|
||||
}
|
||||
if (pame != PAM_SUCCESS && !keepatit) {
|
||||
warnx("test aborted");
|
||||
break;
|
||||
}
|
||||
--argc;
|
||||
++argv;
|
||||
}
|
||||
|
||||
end:
|
||||
(void)pt_end(pame);
|
||||
exit(pame == PAM_SUCCESS ? 0 : 1);
|
||||
}
|
|
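Review bot: in `opt_num_once`, the check `if (end == optarg || *end != '\0')` compares against the global `optarg` instead of the function's own `arg` parameter; it only works because the single caller passes `optarg`, and would silently accept an empty string if the helper were reused with another argument source. Make it `end == arg`, and consider also checking `errno == ERANGE` after `strtol` so an out-of-range `-T` value is reported as a usage error rather than clamped to `LONG_MAX` and then rejected by the `timeout > INT_MAX` test with a less specific message. Two smaller points in the same hunk: the usage string `"[-dkMPsv] [-H rhost] [-h host] [-t tty] [-U ruser] [-u user]"` omits the `-T timeout` option that the `getopt` string `"dH:h:kMPsT:t:U:u:v"` accepts; and both `ttyname(STDERR_FILENO)` and `getlogin()` may return NULL, in which case `pt_verbose("pam_start(%s, %s)", service, user)` and `pt_verbose("setting %s to %s", pam_item_name[item], p)` pass NULL to `%s`, which is undefined behaviour on several libcs. Since `-M` and `-P` set `OPENPAM_VERIFY_MODULE_FILE` and `OPENPAM_VERIFY_POLICY_FILE` (and the corresponding `RESTRICT_*` features) to 0, the usage text or the man page should say that these switches disable OpenPAM's verification of module and policy files and are meant for testing only.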
@ -0,0 +1 @@
|
|||
/su
|
|
@ -1,9 +1,11 @@
|
|||
# $P4: //depot/projects/openpam/bin/su/Makefile.am#2 $
|
||||
AM_CPPFLAGS = -I$(top_srcdir)/include
|
||||
|
||||
INCLUDES = -I$(top_srcdir)/include
|
||||
|
||||
if WITH_PAM_SU
|
||||
bin_PROGRAMS = su
|
||||
su_SOURCES = su.c
|
||||
su_LDADD = $(top_builddir)/lib/libpam.la
|
||||
if WITH_SYSTEM_LIBPAM
|
||||
su_LDADD = $(SYSTEM_LIBPAM)
|
||||
else
|
||||
su_LDADD = $(top_builddir)/lib/libpam/libpam.la
|
||||
endif
|
||||
|
||||
dist_man1_MANS = su.1
|
||||
|
|
|
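Review bot: this Makefile.am still guards the program with `if WITH_PAM_SU`, but the configure.ac hunk later in this diff defines the sample-su conditional as `AM_CONDITIONAL([WITH_SU], [test x"$with_su" = x"yes"])`, and the `WITH_PAM_SU` name appears there only in the old-style unquoted `AM_CONDITIONAL(WITH_PAM_SU, test "x$with_pam_su" = "xyes")` line. If that older line is the one being removed, automake will reject `if WITH_PAM_SU` as an undefined conditional; rename it to `if WITH_SU` so the two files agree. The `if WITH_SYSTEM_LIBPAM` branch that selects `$(SYSTEM_LIBPAM)` over the in-tree `libpam.la` looks right and matches the `SYSTEM_LIBPAM` substitution added to configure.ac.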
@ -0,0 +1,63 @@
|
|||
.\"-
|
||||
.\" Copyright (c) 2011-2017 Dag-Erling Smørgrav
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\" 3. The name of the author may not be used to endorse or promote
|
||||
.\" products derived from this software without specific prior written
|
||||
.\" permission.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd November 2, 2011
|
||||
.Dt SU 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm su
|
||||
.Nd switch user identity
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
.Op Ar login Op Ar ...
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
utility starts a shell under the identity of the user specified by the
|
||||
first argument on the command line.
|
||||
If no user is specified, the default is
|
||||
.Dq root .
|
||||
.Pp
|
||||
Any additional command-line arguments are passed as-is to the shell.
|
||||
.Pp
|
||||
The requesting user is authenticated using the
|
||||
.Dq su
|
||||
PAM policy.
|
||||
.Sh IMPLEMENTATION NOTES
|
||||
The
|
||||
.Nm
|
||||
utility is provided with the OpenPAM library as a sample application
|
||||
and should not be used in production systems.
|
||||
.Sh SEE ALSO
|
||||
.Xr openpam 3 ,
|
||||
.Xr pam 3
|
||||
.Sh AUTHORS
|
||||
The
|
||||
.Nm
|
||||
utility and this manual page were written by
|
||||
.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
|
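Review bot: `.Dd November 2, 2011` should be bumped, since the copyright line in the same file already runs to 2017 and the mdoc date is what readers use to judge whether the page matches the binary. The IMPLEMENTATION NOTES section could also mention that the utility is only built when configure is given `--with-su` (the option configure.ac adds in this diff), which reinforces the "sample application, not for production" warning by making clear it is off by default.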
17
bin/su/su.c
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/bin/su/su.c#12 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
|
@ -58,7 +61,7 @@ static void
|
|||
usage(void)
|
||||
{
|
||||
|
||||
fprintf(stderr, "Usage: su [login [args]]\n");
|
||||
fprintf(stderr, "usage: su [login [args]]\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
@ -67,14 +70,14 @@ main(int argc, char *argv[])
|
|||
{
|
||||
char hostname[MAXHOSTNAMELEN];
|
||||
const char *user, *tty;
|
||||
const void *item;
|
||||
char **args, **pam_envlist, **pam_env;
|
||||
struct passwd *pwd;
|
||||
int o, pam_err, status;
|
||||
pid_t pid;
|
||||
|
||||
while ((o = getopt(argc, argv, "h")) != -1)
|
||||
while ((o = getopt(argc, argv, "")) != -1)
|
||||
switch (o) {
|
||||
case 'h':
|
||||
default:
|
||||
usage();
|
||||
}
|
||||
|
@ -122,8 +125,8 @@ main(int argc, char *argv[])
|
|||
goto pamerr;
|
||||
|
||||
/* get mapped user name; PAM may have changed it */
|
||||
pam_err = pam_get_item(pamh, PAM_USER, (const void **)&user);
|
||||
if (pam_err != PAM_SUCCESS || (pwd = getpwnam(user)) == NULL)
|
||||
pam_err = pam_get_item(pamh, PAM_USER, &item);
|
||||
if (pam_err != PAM_SUCCESS || (pwd = getpwnam(user = item)) == NULL)
|
||||
goto pamerr;
|
||||
|
||||
/* export PAM environment */
|
||||
|
|
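Review bot: dropping the `(const void **)&user` cast in favour of a separate `const void *item` is the right fix, but `getpwnam(user = item)` still uses `item` without checking it for NULL; `pam_get_item` returns `PAM_SUCCESS` with a NULL value when the `PAM_USER` item is unset or a module has cleared it, and `getpwnam(NULL)` is undefined. Add `item == NULL ||` to the condition ahead of the `getpwnam` call so that case takes the existing `goto pamerr` path; that also keeps every later use of `user` from seeing a NULL pointer.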
13
clean.sh
|
@ -1,13 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# $P4: //depot/projects/openpam/clean.sh#2 $
|
||||
|
||||
tmpfile="/tmp/openpam-clean.$$"
|
||||
p4 files ... | grep -v 'delete change' |
|
||||
sed 's|^.*/openpam/||; s|#.*$||' > "${tmpfile}"
|
||||
find . -not -type d | cut -c 3- | while read file ; do
|
||||
grep "^${file}\$" "${tmpfile}" >/dev/null || rm -v "${file}"
|
||||
done
|
||||
find . -type d -empty -print -delete
|
||||
rm "${tmpfile}"
|
||||
|
223
configure.ac
|
@ -1,99 +1,170 @@
|
|||
dnl $P4: //depot/projects/openpam/configure.ac#2 $
|
||||
|
||||
AC_PREREQ(2.53)
|
||||
AC_INIT([OpenPAM],[20050201],[des@freebsd.org],[openpam])
|
||||
AC_CONFIG_SRCDIR([lib/pam_start.c])
|
||||
AC_PREREQ([2.69])
|
||||
AC_INIT([OpenPAM], [trunk], [des@des.no], [openpam], [https://openpam.org/])
|
||||
AC_CONFIG_SRCDIR([lib/libpam/pam_start.c])
|
||||
AC_CONFIG_MACRO_DIR([m4])
|
||||
AM_INIT_AUTOMAKE([foreign])
|
||||
AM_CONFIG_HEADER([config.h])
|
||||
|
||||
AC_CANONICAL_SYSTEM
|
||||
# C compiler and features
|
||||
AC_LANG(C)
|
||||
AC_PROG_CC([clang gcc cc])
|
||||
AC_PROG_CC_STDC
|
||||
AC_PROG_CPP
|
||||
AC_PROG_CXX([clang++ g++ c++])
|
||||
AC_GNU_SOURCE
|
||||
AC_C_CONST
|
||||
AC_C_RESTRICT
|
||||
AC_C_VOLATILE
|
||||
AC_DISABLE_STATIC
|
||||
AC_PROG_LIBTOOL
|
||||
AM_INIT_AUTOMAKE(AC_PACKAGE_NAME, AC_PACKAGE_VERSION)
|
||||
AX_COMPILER_VENDOR
|
||||
|
||||
# libtool
|
||||
LT_PREREQ([2.2.6])
|
||||
LT_INIT([disable-static dlopen])
|
||||
|
||||
# pkg-config
|
||||
AX_PROG_PKG_CONFIG
|
||||
|
||||
# other programs
|
||||
AC_PROG_INSTALL
|
||||
|
||||
LIB_MAJ=2
|
||||
AC_SUBST(LIB_MAJ)
|
||||
AC_DEFINE_UNQUOTED(LIB_MAJ, $LIB_MAJ, [OpenPAM library major number])
|
||||
|
||||
AC_MSG_CHECKING([whether loading unversioned modules support is enabled])
|
||||
AC_ARG_ENABLE(unversioned-modules,
|
||||
AC_HELP_STRING([--disable-unversioned-modules],
|
||||
[support loading of unversioned modules]),
|
||||
[if test "$enableval" = "no"; then
|
||||
AC_DEFINE(DISABLE_UNVERSIONED_MODULES,
|
||||
1,
|
||||
[Whether loading unversioned modules support is disabled])
|
||||
fi
|
||||
AC_MSG_RESULT(no)],
|
||||
AC_MSG_RESULT(yes))
|
||||
AC_ARG_ENABLE([debug],
|
||||
AC_HELP_STRING([--enable-debug],
|
||||
[turn debugging macros on]),
|
||||
AC_DEFINE(OPENPAM_DEBUG, 1, [Turn debugging macros on]))
|
||||
|
||||
AC_MSG_CHECKING([for modules directory support])
|
||||
AC_ARG_WITH(modules-dir,
|
||||
AC_HELP_STRING([--with-modules-dir=DIR],
|
||||
[OpenPAM modules directory]),
|
||||
[if test "$withval" != "no"; then
|
||||
OPENPAM_MODULES_DIR="$withval"
|
||||
AC_DEFINE_UNQUOTED(OPENPAM_MODULES_DIR,
|
||||
"$OPENPAM_MODULES_DIR",
|
||||
[OpenPAM modules directory])
|
||||
AC_MSG_RESULT($OPENPAM_MODULES_DIR)
|
||||
else
|
||||
OPENPAM_MODULES_DIR="$libdir"
|
||||
AC_MSG_RESULT(no)
|
||||
fi],
|
||||
[OPENPAM_MODULES_DIR="$libdir"
|
||||
AC_MSG_RESULT(no)])
|
||||
AC_ARG_ENABLE([unversioned-modules],
|
||||
AC_HELP_STRING([--disable-unversioned-modules],
|
||||
[support loading of unversioned modules]),
|
||||
[AS_IF([test x"$enableval" = x"no"], [
|
||||
AC_DEFINE(DISABLE_UNVERSIONED_MODULES,
|
||||
1,
|
||||
[Whether loading unversioned modules support is disabled])
|
||||
])])
|
||||
|
||||
AC_ARG_WITH([modules-dir],
|
||||
AC_HELP_STRING([--with-modules-dir=DIR],
|
||||
[OpenPAM modules directory]),
|
||||
[AS_IF([test x"$withval" != x"no"], [
|
||||
OPENPAM_MODULES_DIR="$withval"
|
||||
AC_DEFINE_UNQUOTED(OPENPAM_MODULES_DIR,
|
||||
"${OPENPAM_MODULES_DIR%/}",
|
||||
[OpenPAM modules directory])
|
||||
])])
|
||||
AC_SUBST(OPENPAM_MODULES_DIR)
|
||||
AM_CONDITIONAL([CUSTOM_MODULES_DIR], [test x"$OPENPAM_MODULES_DIR" != x""])
|
||||
|
||||
AC_MSG_CHECKING([whether to build example version of /bin/su])
|
||||
AC_ARG_WITH(pam-su,
|
||||
AC_HELP_STRING([--with-pam-su],
|
||||
[compile example version of /bin/su]),
|
||||
,
|
||||
[with_pam_su=no])
|
||||
AC_MSG_RESULT($with_pam_su)
|
||||
AC_ARG_WITH([doc],
|
||||
AC_HELP_STRING([--without-doc], [do not build documentation]),
|
||||
[],
|
||||
[with_doc=yes])
|
||||
AM_CONDITIONAL([WITH_DOC], [test x"$with_doc" = x"yes"])
|
||||
|
||||
AC_MSG_CHECKING([whether to build example version of pam_unix.so])
|
||||
AC_ARG_WITH(pam-unix,
|
||||
AC_HELP_STRING([--with-pam-unix],
|
||||
[compile example version of pam_unix.so]),
|
||||
,
|
||||
[with_pam_unix=no])
|
||||
AC_MSG_RESULT($with_pam_unix)
|
||||
AC_ARG_WITH([pam-unix],
|
||||
AC_HELP_STRING([--with-pam-unix], [build sample pam_unix(8) module]),
|
||||
[],
|
||||
[with_pam_unix=no])
|
||||
AM_CONDITIONAL([WITH_PAM_UNIX], [test x"$with_pam_unix" = x"yes"])
|
||||
|
||||
AM_CONDITIONAL(WITH_PAM_SU, test "x$with_pam_su" = "xyes")
|
||||
AM_CONDITIONAL(WITH_PAM_UNIX, test "x$with_pam_unix" = "xyes")
|
||||
AC_ARG_WITH(pamtest,
|
||||
AC_HELP_STRING([--with-pamtest], [build test application]),
|
||||
[],
|
||||
[with_pamtest=no])
|
||||
AM_CONDITIONAL([WITH_PAMTEST], [test x"$with_pamtest" = x"yes"])
|
||||
|
||||
AC_PROG_INSTALL
|
||||
AC_ARG_WITH(su,
|
||||
AC_HELP_STRING([--with-su], [build sample su(1) implementation]),
|
||||
[],
|
||||
[with_su=no])
|
||||
AM_CONDITIONAL([WITH_SU], [test x"$with_su" = x"yes"])
|
||||
|
||||
AC_CHECK_HEADERS(crypt.h)
|
||||
AC_ARG_WITH(system-libpam,
|
||||
AC_HELP_STRING([--with-system-libpam], [use system libpam]),
|
||||
[],
|
||||
[with_system_libpam=no])
|
||||
AM_CONDITIONAL([WITH_SYSTEM_LIBPAM], [test x"$with_system_libpam" = x"yes"])
|
||||
|
||||
AC_CHECK_FUNCS(fpurge)
|
||||
AC_CHECK_HEADERS([crypt.h])
|
||||
|
||||
DL_LIBS=
|
||||
AC_CHECK_LIB(dl, dlopen, DL_LIBS=-ldl)
|
||||
AC_CHECK_FUNCS([asprintf vasprintf])
|
||||
AC_CHECK_FUNCS([dlfunc fdlopen])
|
||||
AC_CHECK_FUNCS([fpurge])
|
||||
AC_CHECK_FUNCS([setlogmask])
|
||||
AC_CHECK_FUNCS([strlcat strlcmp strlcpy strlset])
|
||||
|
||||
saved_LIBS="${LIBS}"
|
||||
LIBS=""
|
||||
AC_CHECK_LIB([dl], [dlopen])
|
||||
DL_LIBS="${LIBS}"
|
||||
LIBS="${saved_LIBS}"
|
||||
AC_SUBST(DL_LIBS)
|
||||
|
||||
CRYPT_LIBS=
|
||||
AC_CHECK_LIB(crypt, crypt, CRYPT_LIBS=-lcrypt)
|
||||
AC_SUBST(CRYPT_LIBS)
|
||||
saved_LIBS="${LIBS}"
|
||||
LIBS=""
|
||||
AC_CHECK_LIB([pam], [pam_start])
|
||||
SYSTEM_LIBPAM="${LIBS}"
|
||||
LIBS="${saved_LIBS}"
|
||||
AC_SUBST(SYSTEM_LIBPAM)
|
||||
|
||||
CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE"
|
||||
AC_SUBST(CPPFLAGS)
|
||||
AX_PKG_CONFIG_CHECK([cryb-test],
|
||||
[AC_MSG_NOTICE([Cryb test framework found, unit tests enabled.])],
|
||||
[AC_MSG_WARN([Cryb test framework not found, unit tests disabled.])])
|
||||
AM_CONDITIONAL([WITH_TEST], [test x"$CRYB_TEST_LIBS" != x""])
|
||||
|
||||
CFLAGS="$CFLAGS -Werror"
|
||||
AC_SUBST(CFLAGS)
|
||||
AC_ARG_ENABLE([developer-warnings],
|
||||
AS_HELP_STRING([--enable-developer-warnings], [enable strict warnings (default is NO)]),
|
||||
[CFLAGS="${CFLAGS} -Wall -Wextra -Wcast-qual"])
|
||||
AC_ARG_ENABLE([debugging-symbols],
|
||||
AS_HELP_STRING([--enable-debugging-symbols], [enable debugging symbols (default is NO)]),
|
||||
[CFLAGS="${CFLAGS} -O0 -g -fno-inline"])
|
||||
AC_ARG_ENABLE([werror],
|
||||
AS_HELP_STRING([--enable-werror], [use -Werror (default is NO)]),
|
||||
[CFLAGS="${CFLAGS} -Werror"])
|
||||
|
||||
AC_CONFIG_FILES([bin/Makefile
|
||||
bin/su/Makefile
|
||||
include/Makefile
|
||||
include/security/Makefile
|
||||
lib/Makefile
|
||||
modules/Makefile
|
||||
modules/pam_unix/Makefile
|
||||
modules/pam_deny/Makefile
|
||||
modules/pam_permit/Makefile
|
||||
doc/Makefile
|
||||
doc/man/Makefile
|
||||
Makefile])
|
||||
AC_ARG_ENABLE([code-coverage],
|
||||
AS_HELP_STRING([--enable-code-coverage],
|
||||
[enable code coverage]))
|
||||
AS_IF([test x"$enable_code_coverage" = x"yes"], [
|
||||
AM_COND_IF([WITH_TEST], [
|
||||
AS_IF([test x"$ax_cv_c_compiler_vendor" = x"clang"], [
|
||||
CFLAGS="${CFLAGS} -fprofile-instr-generate -fcoverage-mapping"
|
||||
clang_code_coverage="yes"
|
||||
AC_SUBST([clang_ver], [${CC#clang}])
|
||||
], [
|
||||
AC_MSG_ERROR([code coverage is only supported with clang])
|
||||
])
|
||||
AC_DEFINE([WITH_CODE_COVERAGE], [1], [Define to 1 if code coverage is enabled])
|
||||
AC_MSG_NOTICE([code coverage enabled])
|
||||
], [
|
||||
AC_MSG_ERROR([code coverage requires unit tests])
|
||||
])
|
||||
])
|
||||
AM_CONDITIONAL([WITH_CODE_COVERAGE], [test x"$enable_code_coverage" = x"yes"])
|
||||
AM_CONDITIONAL([CLANG_CODE_COVERAGE], [test x"$clang_code_coverage" = x"yes"])
|
||||
|
||||
AC_CONFIG_FILES([
|
||||
Makefile
|
||||
bin/Makefile
|
||||
bin/openpam_dump_policy/Makefile
|
||||
bin/pamtest/Makefile
|
||||
bin/su/Makefile
|
||||
doc/Makefile
|
||||
doc/man/Makefile
|
||||
freebsd/Makefile
|
||||
include/Makefile
|
||||
include/security/Makefile
|
||||
lib/Makefile
|
||||
lib/libpam/Makefile
|
||||
misc/Makefile
|
||||
modules/Makefile
|
||||
modules/pam_deny/Makefile
|
||||
modules/pam_permit/Makefile
|
||||
modules/pam_return/Makefile
|
||||
modules/pam_unix/Makefile
|
||||
t/Makefile
|
||||
])
|
||||
AC_CONFIG_FILES([misc/coverity.sh],[chmod +x misc/coverity.sh])
|
||||
AC_OUTPUT
|
||||
|
|
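Review bot: the trailing-slash handling for `--with-modules-dir` is inconsistent: the C define uses `"${OPENPAM_MODULES_DIR%/}"` but `AC_SUBST(OPENPAM_MODULES_DIR)` exports the unstripped `$withval`, so the path compiled into the library and the path used by the Makefiles can differ by a slash. Strip once at assignment (`OPENPAM_MODULES_DIR="${withval%/}"`) and use the variable unchanged in both places. Also in this hunk: the new option blocks mix `AC_HELP_STRING` (deprecated in favour of `AS_HELP_STRING`, which the `--enable-developer-warnings`, `--enable-debugging-symbols`, `--enable-werror` and `--enable-code-coverage` blocks already use), so pick one now that `AC_PREREQ([2.69])` is required; and `AC_SUBST([clang_ver], [${CC#clang}])` only yields a version suffix when `$CC` literally starts with `clang`, whereas the vendor test just above relies on `ax_cv_c_compiler_vendor`, so `CC=/usr/bin/clang-15` or `CC="ccache clang"` leaves `clang_ver` set to the whole command string. Replacing the unconditional `CFLAGS="$CFLAGS -Werror"` with an opt-in `--enable-werror` is the right call for packagers.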
33
dist.sh
|
@ -1,33 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# $P4: //depot/projects/openpam/dist.sh#11 $
|
||||
#
|
||||
|
||||
set -e
|
||||
|
||||
srcdir=$(dirname $(realpath $0))
|
||||
release=$(perl -ne '/^#define\s+_OPENPAM_VERSION\s+(\d+)/ && print $1' \
|
||||
$srcdir/include/security/openpam_version.h)
|
||||
distname="openpam-${release}"
|
||||
tarball="${distname}.tar.gz"
|
||||
|
||||
install -d -m 0755 "${distname}"
|
||||
grep '^[A-Za-z].*/$' MANIFEST | while read dir; do
|
||||
echo "Creating ${dir}"
|
||||
install -d -m 0755 "${distname}/${dir}" || exit 1
|
||||
done
|
||||
grep '^[A-Za-z].*[^/]$' MANIFEST | while read file; do
|
||||
echo "Adding ${file}"
|
||||
install -c -m 0644 "${file}" "${distname}/${file}" || exit 1
|
||||
done
|
||||
for file in autogen.sh configure depcomp install-sh ltmain.sh ; do
|
||||
echo "Adjusting permissions for ${file}"
|
||||
chmod a+x "${distname}/${file}"
|
||||
done
|
||||
find "${distname}" | sort -r | xargs touch -t "${release}0000"
|
||||
tar zcf "${tarball}" "${distname}"
|
||||
dd if=/dev/zero of="${tarball}" conv=notrunc bs=4 oseek=1 count=1
|
||||
rm -rf "${distname}"
|
||||
|
||||
echo
|
||||
md5 "${tarball}"
|
|
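Review bot: the release recipe deleted here carried two reproducibility steps that should survive in whatever replaces it: `touch -t "${release}0000"` normalises every file's mtime to the release date, and `dd if=/dev/zero of="${tarball}" conv=notrunc bs=4 oseek=1 count=1` zeroes the gzip header timestamp, so two builds of the same release produce byte-identical tarballs. If `make dist` from the new automake setup is the intended replacement, note that it does neither by default. The only digest the script printed was `md5`; the new process should publish a SHA-2 digest alongside the tarball.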
@ -1,3 +1 @@
|
|||
# $P4: //depot/projects/openpam/doc/Makefile.am#2 $
|
||||
|
||||
SUBDIRS = man
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
/*.3
|
||||
!/pam_conv.3
|
|
@ -1,9 +1,7 @@
|
|||
# $P4: //depot/projects/openpam/doc/man/Makefile.am#3 $
|
||||
|
||||
NULL =
|
||||
|
||||
# Standard PAM API
|
||||
PMAN = \
|
||||
PAM_MAN = \
|
||||
pam_acct_mgmt.3 \
|
||||
pam_authenticate.3 \
|
||||
pam_chauthtok.3 \
|
||||
|
@ -24,7 +22,7 @@ PMAN = \
|
|||
$(NULL)
|
||||
|
||||
# Standard module API
|
||||
MMAN = \
|
||||
MOD_MAN = \
|
||||
pam_sm_acct_mgmt.3 \
|
||||
pam_sm_authenticate.3 \
|
||||
pam_sm_chauthtok.3 \
|
||||
|
@ -34,16 +32,22 @@ MMAN = \
|
|||
$(NULL)
|
||||
|
||||
# OpenPAM extensions
|
||||
OMAN = \
|
||||
OPENPAM_MAN = \
|
||||
openpam_borrow_cred.3 \
|
||||
openpam_free_data.3 \
|
||||
openpam_free_envlist.3 \
|
||||
openpam_get_feature.3 \
|
||||
openpam_get_option.3 \
|
||||
openpam_log.3 \
|
||||
openpam_nullconv.3 \
|
||||
openpam_readline.3 \
|
||||
openpam_readlinev.3 \
|
||||
openpam_readword.3 \
|
||||
openpam_restore_cred.3 \
|
||||
openpam_set_feature.3 \
|
||||
openpam_set_option.3 \
|
||||
openpam_straddch.3 \
|
||||
openpam_subst.3 \
|
||||
openpam_ttyconv.3 \
|
||||
pam_error.3 \
|
||||
pam_get_authtok.3 \
|
||||
|
@ -55,32 +59,37 @@ OMAN = \
|
|||
pam_vprompt.3 \
|
||||
$(NULL)
|
||||
|
||||
ALLCMAN = $(PMAN) $(MMAN) $(OMAN)
|
||||
LINKS= $(ALLCMAN:.3=.c)
|
||||
EXTRA_DIST = openpam.man pam.man
|
||||
|
||||
man3_MANS = $(ALLCMAN) openpam.3 pam.3 pam_conv.3
|
||||
if !WITH_SYSTEM_LIBPAM
|
||||
PAMCMAN = $(PAM_MAN) $(MOD_MAN) $(OPENPAM_MAN)
|
||||
PAMXMAN = openpam.3 pam.3
|
||||
endif
|
||||
|
||||
man5_MANS = pam.conf.5
|
||||
ALLCMAN = $(PAMCMAN)
|
||||
GENMAN = $(ALLCMAN) $(PAMXMAN)
|
||||
|
||||
CLEANFILES = $(ALLCMAN) $(LINKS) openpam.3 pam.3 symlink-stamp
|
||||
dist_man3_MANS = $(GENMAN) pam_conv.3
|
||||
|
||||
dist_man5_MANS = pam.conf.5
|
||||
|
||||
CLEANFILES = $(GENMAN)
|
||||
|
||||
GENDOC = $(top_srcdir)/misc/gendoc.pl
|
||||
|
||||
LIBPAMSRCDIR = $(top_srcdir)/lib/libpam
|
||||
|
||||
VPATH = $(LIBPAMSRCDIR) $(srcdir)
|
||||
|
||||
SUFFIXES = .3
|
||||
|
||||
$(LINKS): symlink-stamp
|
||||
.c.3: $(GENDOC)
|
||||
perl -w $(GENDOC) $< || rm $@
|
||||
|
||||
symlink-stamp: Makefile
|
||||
for lnk in $(LINKS); do \
|
||||
ln -sf $(top_srcdir)/lib/$$lnk ./; \
|
||||
done && \
|
||||
touch symlink-stamp
|
||||
openpam.3: $(OPENPAM_MAN) $(GENDOC) $(srcdir)/openpam.man
|
||||
perl -w $(GENDOC) -o $(OPENPAM_MAN) <$(srcdir)/openpam.man || rm $@
|
||||
|
||||
.c.3: symlink-stamp
|
||||
perl -w $(GENDOC) $(top_srcdir)/lib/$*.c
|
||||
pam.3: $(PAM_MAN) $(GENDOC) $(srcdir)/pam.man
|
||||
perl -w $(GENDOC) -p $(PAM_MAN) <$(srcdir)/pam.man || rm $@
|
||||
|
||||
openpam.3: $(OMAN) $(GENDOC) openpam.man
|
||||
perl -w $(GENDOC) -o $(OMAN) <$(srcdir)/openpam.man
|
||||
|
||||
pam.3: $(PMAN) $(GENDOC) pam.man
|
||||
perl -w $(GENDOC) -p $(PMAN) <$(srcdir)/pam.man
|
||||
$(GENMAN): $(GENDOC)
|
||||
|
|
|
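Review bot: defining `VPATH = $(LIBPAMSRCDIR) $(srcdir)` in a Makefile.am overrides the `VPATH` automake generates for out-of-tree builds, which is a known way to break `srcdir != builddir` configurations; a safer way to let the `.c.3` rule find the sources is to reference `$(LIBPAMSRCDIR)/$*.c` explicitly, as the removed `symlink-stamp` rule did with `$(top_srcdir)/lib/$*.c`. Separately, the recipes `perl -w $(GENDOC) $< || rm $@` and the matching `openpam.3` and `pam.3` rules return success whenever `rm` succeeds after `perl` has failed, so make treats the page as built and the error only surfaces at install time; use `|| { rm -f $@; exit 1; }` so a failing gendoc.pl run fails the build.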
@ -1,6 +1,3 @@
|
|||
.\"
|
||||
.\" $P4: //depot/projects/openpam/doc/man/openpam.man#2 $
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
These functions are OpenPAM extensions to the PAM API.
|
||||
Those named
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
.\"-
|
||||
.\" Copyright (c) 2005 Dag-Erling Coïdan Smørgrav
|
||||
.\" Copyright (c) 2005-2017 Dag-Erling Smørgrav
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
|
@ -26,9 +26,7 @@
|
|||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/openpam/doc/man/pam.conf.5#2 $
|
||||
.\"
|
||||
.Dd June 9, 2005
|
||||
.Dd March 17, 2013
|
||||
.Dt PAM.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -50,14 +48,14 @@ decreasing order of preference:
|
|||
.Pp
|
||||
If none of these locations contains a policy for the given service,
|
||||
the
|
||||
.Dv default
|
||||
.Dq Dv other
|
||||
policy is used instead, if it exists.
|
||||
.Pp
|
||||
Entries in per-service policy files must be of one of the two forms
|
||||
below:
|
||||
.Bd -unfilled -offset indent
|
||||
.Ar function-class Ar control-flag Ar module-path Op Ar arguments ...
|
||||
.Ar function-class Cm include Ar other-service-name
|
||||
.Ar facility control-flag module-path Op Ar arguments ...
|
||||
.Ar facility Cm include Ar other-service-name
|
||||
.Ed
|
||||
.Pp
|
||||
Entries in
|
||||
|
@ -65,14 +63,16 @@ Entries in
|
|||
policy files are of the same form, but are prefixed by an additional
|
||||
field specifying the name of the service they apply to.
|
||||
.Pp
|
||||
In both types of policy files, blank lines are ignored, as is anything
|
||||
to the right of a `#' sign.
|
||||
In both cases, blank lines and comments introduced by a
|
||||
.Ql #
|
||||
sign are ignored, and the normal shell quoting rules apply.
|
||||
The precise details of how the file is tokenized are described in
|
||||
.Xr openpam_readword 3 .
|
||||
.Pp
|
||||
The
|
||||
.Ar function-class
|
||||
field specifies the class of functions the entry applies to, and is
|
||||
one of:
|
||||
.Bl -tag -width "password"
|
||||
.Ar facility
|
||||
field specifies the facility the entry applies to, and is one of:
|
||||
.Bl -tag -width 12n
|
||||
.It Cm auth
|
||||
Authentication functions
|
||||
.Po
|
||||
|
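Review bot: `sign are ignored, and the normal shell quoting rules apply.` replaces the old "anything to the right of a `#`" wording, which changes the meaning for quoted arguments; make the consequence explicit: whether a `#` inside quotes still starts a comment, and that quoting now controls how the remaining fields are split into module arguments. A one-line example of a quoted argument containing a space or a `#` would remove the ambiguity; the pointer to `openpam_readword 3` is good, but that page is not where an administrator looks first.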
@ -98,7 +98,7 @@ The
|
|||
field determines how the result returned by the module affects the
|
||||
flow of control through (and the final result of) the rest of the
|
||||
chain, and is one of:
|
||||
.Bl -tag -width "sufficient"
|
||||
.Bl -tag -width 12n
|
||||
.It Cm required
|
||||
If this module succeeds, the result of the chain will be success
|
||||
unless a later module fails.
|
||||
|
@ -107,7 +107,7 @@ will be failure regardless of the success of later modules.
|
|||
.It Cm requisite
|
||||
If this module succeeds, the result of the chain will be success
|
||||
unless a later module fails.
|
||||
If it module fails, the chain is broken and the result is failure.
|
||||
If the module fails, the chain is broken and the result is failure.
|
||||
.It Cm sufficient
|
||||
If this module succeeds, the chain is broken and the result is
|
||||
success.
|
||||
|
@ -140,11 +140,18 @@ phase of
|
|||
.Pp
|
||||
The
|
||||
.Ar module-path
|
||||
field specifies the name, or optionally the full path, of the module
|
||||
to call.
|
||||
field specifies the name or full path of the module to call.
|
||||
If only the name is specified, the PAM library will search for it in
|
||||
the following locations:
|
||||
.Bl -enum
|
||||
.It
|
||||
.Pa /usr/lib
|
||||
.It
|
||||
.Pa /usr/local/lib
|
||||
.El
|
||||
.Pp
|
||||
The remaining fields are passed as arguments to the module if and when
|
||||
it is invoked.
|
||||
The remaining fields, if any, are passed unmodified to the module if
|
||||
and when it is invoked.
|
||||
.Pp
|
||||
The
|
||||
.Cm include
|
||||
|
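Review bot: the new `.Bl -enum` list presents `/usr/lib` and `/usr/local/lib` as the fixed search locations for a bare module name, while the header side of this change adds `OPENPAM_RESTRICT_MODULE_NAME` and `OPENPAM_VERIFY_MODULE_FILE` features and the build adds `openpam_check_owner_perms.c`. The page should say whether the list is really the configured module directory (`OPENPAM_MODULES_DIR` in the old lib/Makefile.am) rather than these two paths, whether a full path in `module-path` can be refused when module names are restricted, and that the module file's ownership and permissions are checked before it is loaded. Without that, the security properties of the lookup are documented nowhere an administrator reads.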
@ -155,6 +162,37 @@ This allows one to define system-wide policies which are then included
|
|||
into service-specific policies.
|
||||
The system-wide policy can then be modified without having to also
|
||||
modify each and every service-specific policy.
|
||||
.Pp
|
||||
.Bf -symbolic
|
||||
Take care not to introduce loops when using
|
||||
.Cm include
|
||||
rules, as there is currently no loop detection in place.
|
||||
.Ef
|
||||
.Sh MODULE OPTIONS
|
||||
Some PAM library functions may alter their behavior when called by a
|
||||
service module if certain module options were specified, regardless of
|
||||
whether the module itself accords them any importance.
|
||||
One such option is
|
||||
.Cm debug ,
|
||||
which causes the dispatcher to enable debugging messages before
|
||||
calling each service function, and disable them afterwards (unless
|
||||
they were already enabled).
|
||||
Other special options include:
|
||||
.Bl -tag -width 12n
|
||||
.It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt
|
||||
These options can be used to override the prompts used by
|
||||
.Xr pam_get_authtok 3
|
||||
and
|
||||
.Xr pam_get_user 3 .
|
||||
.It Cm echo_pass
|
||||
This option controls whether
|
||||
.Xr pam_get_authtok 3
|
||||
will allow the user to see what they are typing.
|
||||
.It Cm try_first_pass , Cm use_first_pass
|
||||
These options control
|
||||
.Xr pam_get_authtok 3 Ns 's
|
||||
use of cached authentication tokens.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr pam 3
|
||||
.Sh STANDARDS
|
||||
|
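Review bot: `rules, as there is currently no loop detection in place.` warns about `include` loops but not about the consequence, which is unbounded recursion while the policy is parsed, i.e. a crash or hang on every authentication attempt for that service, triggered by a configuration typo; a bounded nesting depth in the parser would turn that into a reported error and is cheap to add. Also, the new MODULE OPTIONS section references `openpam_readword 3`, `pam_get_authtok 3` and `pam_get_user 3`, but `.Sh SEE ALSO` still lists only `pam 3`; add them. Finally, `echo_pass` deserves one sentence of warning, since it makes the typed authentication token visible on the terminal.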
@ -163,12 +201,13 @@ modify each and every service-specific policy.
|
|||
.%D "June 1997"
|
||||
.Re
|
||||
.Sh AUTHORS
|
||||
The OpenPAM library was developed for the FreeBSD Project by ThinkSec
|
||||
AS and Network Associates Laboratories, the Security Research Division
|
||||
of Network Associates, Inc. under DARPA/SPAWAR contract
|
||||
N66001-01-C-8035
|
||||
The OpenPAM library was developed for the
|
||||
.Fx
|
||||
Project by ThinkSec AS and Network Associates Laboratories, the
|
||||
Security Research Division of Network Associates, Inc.\& under
|
||||
DARPA/SPAWAR contract N66001-01-C-8035
|
||||
.Pq Dq CBOSS ,
|
||||
as part of the DARPA CHATS research program.
|
||||
.Pp
|
||||
This manual page was written by
|
||||
.An Dag-Erling Sm\(/orgrav Aq des@FreeBSD.org .
|
||||
The OpenPAM library is maintained by
|
||||
.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
|
||||
|
|
|
@ -1,6 +1,3 @@
|
|||
.\"
|
||||
.\" $P4: //depot/projects/openpam/doc/man/pam.man#4 $
|
||||
.\"
|
||||
.Sh DESCRIPTION
|
||||
The Pluggable Authentication Modules (PAM) library abstracts a number
|
||||
of common authentication-related operations and provides a framework
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
.\"-
|
||||
.\" Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
.\" Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -31,9 +32,7 @@
|
|||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/openpam/doc/man/pam_conv.3#4 $
|
||||
.\"
|
||||
.Dd May 27, 2002
|
||||
.Dd June 16, 2005
|
||||
.Dt PAM_CONV 3
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -75,7 +74,7 @@ item.
|
|||
.Pp
|
||||
The conversation function's first argument specifies the number of
|
||||
messages (up to
|
||||
.Dv PAM_NUM_MSG )
|
||||
.Dv PAM_MAX_NUM_MSG )
|
||||
to process.
|
||||
The second argument is a pointer to an array of pointers to
|
||||
.Vt pam_message
|
||||
|
@ -159,8 +158,8 @@ Success.
|
|||
System error.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr openpam_ttyconv 3 ,
|
||||
.Xr openpam_nullconv 3 ,
|
||||
.Xr openpam_ttyconv 3 ,
|
||||
.Xr pam 3 ,
|
||||
.Xr pam_error 3 ,
|
||||
.Xr pam_get_item 3 ,
|
||||
|
@ -176,7 +175,10 @@ System error.
|
|||
.Sh AUTHORS
|
||||
The OpenPAM library and this manual page were developed for the
|
||||
FreeBSD Project by ThinkSec AS and Network Associates Laboratories,
|
||||
the Security Research Division of Network Associates, Inc. under
|
||||
the Security Research Division of Network Associates, Inc.\& under
|
||||
DARPA/SPAWAR contract N66001-01-C-8035
|
||||
.Pq Dq CBOSS ,
|
||||
as part of the DARPA CHATS research program.
|
||||
.Pp
|
||||
The OpenPAM library is maintained by
|
||||
.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
$P4: //depot/projects/openpam/doc/xsso_errata.txt#9 $
|
||||
|
||||
Errata in XSSO, chapter 5:
|
||||
|
||||
p. 25: the first member of struct pam_response is named "resp", not
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
!/Makefile.in
|
||||
/work
|
|
@ -0,0 +1,33 @@
|
|||
# $FreeBSD: portlint$
|
||||
|
||||
PORTNAME= @PACKAGE_TARNAME@
|
||||
PORTVERSION= @PACKAGE_VERSION@
|
||||
CATEGORIES= security devel
|
||||
MASTER_SITES= #
|
||||
DISTFILES= #
|
||||
|
||||
MAINTAINER= @PACKAGE_BUGREPORT@
|
||||
COMMENT= BSD-licensed implementation of Pluggable Authentication Modules
|
||||
|
||||
LICENSE= BSD3CLAUSE
|
||||
|
||||
USES= gmake libtool pkgconfig
|
||||
USE_LDCONFIG= yes
|
||||
GNU_CONFIGURE= yes
|
||||
INSTALL_TARGET= install-strip
|
||||
TEST_TARGET= check
|
||||
|
||||
DESCR= ${WRKDIR}/pkg-descr
|
||||
|
||||
do-extract:
|
||||
(cd @abs_top_srcdir@ && \
|
||||
${GMAKE} distdir && ${MV} ${PKGNAME} ${WRKDIR})
|
||||
(${CAT} ${WRKSRC}/README && ${ECHO} && \
|
||||
${ECHO} "WWW: @PACKAGE_URL@") >${DESCR}
|
||||
|
||||
post-stage:
|
||||
(cd ${STAGEDIR} && \
|
||||
${FIND} -s . -type f -or -type l | cut -c 2- | \
|
||||
${SED} -E '/\/man\//s/([0-9])$$/\1.gz/') >>${TMPPLIST}
|
||||
|
||||
.include <bsd.port.mk>
|
|
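Review bot: the `post-stage` target generates the packing list from everything under `${STAGEDIR}` (`${FIND} -s . -type f -or -type l`), so anything the install step drops into the stage directory becomes part of the package without review; convenient for a development port, but it hides install regressions. Consider a static pkg-plist, or at least a `check-plist` run, before this is used to publish packages. The sed that appends `.gz` to manual pages assumes manpage compression is enabled, which is the default; note the assumption in a comment.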
@ -1,3 +1 @@
|
|||
# $P4: //depot/projects/openpam/include/Makefile.am#2 $
|
||||
|
||||
SUBDIRS = security
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
# $P4: //depot/projects/openpam/include/security/Makefile.am#3 $
|
||||
securitydir = $(includedir)/security
|
||||
|
||||
openpamdir = $(includedir)/security
|
||||
|
||||
openpam_HEADERS = \
|
||||
security_HEADERS = \
|
||||
openpam.h \
|
||||
openpam_attr.h \
|
||||
openpam_version.h \
|
||||
pam_appl.h \
|
||||
pam_constants.h \
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2015 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,18 +31,18 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/include/security/openpam.h#28 $
|
||||
*/
|
||||
|
||||
#ifndef _SECURITY_OPENPAM_H_INCLUDED
|
||||
#define _SECURITY_OPENPAM_H_INCLUDED
|
||||
#ifndef SECURITY_OPENPAM_H_INCLUDED
|
||||
#define SECURITY_OPENPAM_H_INCLUDED
|
||||
|
||||
/*
|
||||
* Annoying but necessary header pollution
|
||||
*/
|
||||
#include <stdarg.h>
|
||||
|
||||
#include <security/openpam_attr.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
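Review bot: renaming the guard from `_SECURITY_OPENPAM_H_INCLUDED` to `SECURITY_OPENPAM_H_INCLUDED` correctly moves it out of the identifier space reserved for the implementation (leading underscore followed by an uppercase letter), but the same header still defines `_PAM_SM_AUTHENTICATE`, `_PAM_SM_SETCRED` and the other `_PAM_SM_*` macros, and declares `_openpam_log`, all of which sit in that reserved space. Rename those in the same pass, or say why they are exempt; a collision with a libc is unlikely but the rule is the same.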
@ -53,7 +54,14 @@ struct passwd;
|
|||
*/
|
||||
int
|
||||
openpam_borrow_cred(pam_handle_t *_pamh,
|
||||
const struct passwd *_pwd);
|
||||
const struct passwd *_pwd)
|
||||
OPENPAM_NONNULL((1,2));
|
||||
|
||||
int
|
||||
openpam_subst(const pam_handle_t *_pamh,
|
||||
char *_buf,
|
||||
size_t *_bufsize,
|
||||
const char *_template);
|
||||
|
||||
void
|
||||
openpam_free_data(pam_handle_t *_pamh,
|
||||
|
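Review bot: `openpam_subst` is the only declaration in this hunk without an `OPENPAM_NONNULL` annotation, while `openpam_borrow_cred` directly above gains `OPENPAM_NONNULL((1,2))`. If `_buf == NULL` is a supported way to query the required size through `_bufsize`, a comment saying so would explain the omission; if not, add `OPENPAM_NONNULL((1,2,3,4))`. Either way `_bufsize` is an in/out parameter and its semantics belong in a comment next to the prototype.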
@ -68,7 +76,8 @@ openpam_get_option(pam_handle_t *_pamh,
|
|||
const char *_option);
|
||||
|
||||
int
|
||||
openpam_restore_cred(pam_handle_t *_pamh);
|
||||
openpam_restore_cred(pam_handle_t *_pamh)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
int
|
||||
openpam_set_option(pam_handle_t *_pamh,
|
||||
|
@ -76,50 +85,64 @@ openpam_set_option(pam_handle_t *_pamh,
|
|||
const char *_value);
|
||||
|
||||
int
|
||||
pam_error(pam_handle_t *_pamh,
|
||||
pam_error(const pam_handle_t *_pamh,
|
||||
const char *_fmt,
|
||||
...);
|
||||
...)
|
||||
OPENPAM_FORMAT ((__printf__, 2, 3))
|
||||
OPENPAM_NONNULL((1,2));
|
||||
|
||||
int
|
||||
pam_get_authtok(pam_handle_t *_pamh,
|
||||
int _item,
|
||||
const char **_authtok,
|
||||
const char *_prompt);
|
||||
const char *_prompt)
|
||||
OPENPAM_NONNULL((1,3));
|
||||
|
||||
int
|
||||
pam_info(pam_handle_t *_pamh,
|
||||
pam_info(const pam_handle_t *_pamh,
|
||||
const char *_fmt,
|
||||
...);
|
||||
...)
|
||||
OPENPAM_FORMAT ((__printf__, 2, 3))
|
||||
OPENPAM_NONNULL((1,2));
|
||||
|
||||
int
|
||||
pam_prompt(pam_handle_t *_pamh,
|
||||
pam_prompt(const pam_handle_t *_pamh,
|
||||
int _style,
|
||||
char **_resp,
|
||||
const char *_fmt,
|
||||
...);
|
||||
...)
|
||||
OPENPAM_FORMAT ((__printf__, 4, 5))
|
||||
OPENPAM_NONNULL((1,4));
|
||||
|
||||
int
|
||||
pam_setenv(pam_handle_t *_pamh,
|
||||
const char *_name,
|
||||
const char *_value,
|
||||
int _overwrite);
|
||||
int _overwrite)
|
||||
OPENPAM_NONNULL((1,2,3));
|
||||
|
||||
int
|
||||
pam_vinfo(pam_handle_t *_pamh,
|
||||
pam_vinfo(const pam_handle_t *_pamh,
|
||||
const char *_fmt,
|
||||
va_list _ap);
|
||||
va_list _ap)
|
||||
OPENPAM_FORMAT ((__printf__, 2, 0))
|
||||
OPENPAM_NONNULL((1,2));
|
||||
|
||||
int
|
||||
pam_verror(pam_handle_t *_pamh,
|
||||
pam_verror(const pam_handle_t *_pamh,
|
||||
const char *_fmt,
|
||||
va_list _ap);
|
||||
va_list _ap)
|
||||
OPENPAM_FORMAT ((__printf__, 2, 0))
|
||||
OPENPAM_NONNULL((1,2));
|
||||
|
||||
int
|
||||
pam_vprompt(pam_handle_t *_pamh,
|
||||
pam_vprompt(const pam_handle_t *_pamh,
|
||||
int _style,
|
||||
char **_resp,
|
||||
const char *_fmt,
|
||||
va_list _ap);
|
||||
va_list _ap)
|
||||
OPENPAM_FORMAT ((__printf__, 4, 0))
|
||||
OPENPAM_NONNULL((1,4));
|
||||
|
||||
/*
|
||||
* Read cooked lines.
|
||||
|
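Review bot: `pam_prompt` and `pam_vprompt` are annotated `OPENPAM_NONNULL((1,4))`, leaving `_resp` (argument 3) nullable, whereas `pam_get_authtok` marks its output pointer with `OPENPAM_NONNULL((1,3))`. If a NULL `_resp` is meant to be legal for message styles that produce no response, say so in a comment; otherwise the asymmetry reads as an oversight. The `OPENPAM_FORMAT ((__printf__, ...))` annotations are welcome: `-Wformat` will now flag modules that pass a non-literal format string to `pam_error` or `pam_info`, which is the right outcome for text that ends up in the conversation and in the log.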
@ -130,13 +153,52 @@ pam_vprompt(pam_handle_t *_pamh,
|
|||
char *
|
||||
openpam_readline(FILE *_f,
|
||||
int *_lineno,
|
||||
size_t *_lenp);
|
||||
size_t *_lenp)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
char **
|
||||
openpam_readlinev(FILE *_f,
|
||||
int *_lineno,
|
||||
int *_lenp)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
char *
|
||||
openpam_readword(FILE *_f,
|
||||
int *_lineno,
|
||||
size_t *_lenp)
|
||||
OPENPAM_NONNULL((1));
|
||||
#endif
|
||||
|
||||
int
|
||||
openpam_straddch(char **_str,
|
||||
size_t *_sizep,
|
||||
size_t *_lenp,
|
||||
int ch)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
/*
|
||||
* Enable / disable optional features
|
||||
*/
|
||||
enum {
|
||||
OPENPAM_RESTRICT_SERVICE_NAME,
|
||||
OPENPAM_VERIFY_POLICY_FILE,
|
||||
OPENPAM_RESTRICT_MODULE_NAME,
|
||||
OPENPAM_VERIFY_MODULE_FILE,
|
||||
OPENPAM_FALLBACK_TO_OTHER,
|
||||
OPENPAM_NUM_FEATURES
|
||||
};
|
||||
|
||||
int
|
||||
openpam_set_feature(int _feature, int _onoff);
|
||||
|
||||
int
|
||||
openpam_get_feature(int _feature, int *_onoff);
|
||||
|
||||
/*
|
||||
* Log levels
|
||||
*/
|
||||
enum {
|
||||
PAM_LOG_LIBDEBUG = -1,
|
||||
PAM_LOG_DEBUG,
|
||||
PAM_LOG_VERBOSE,
|
||||
PAM_LOG_NOTICE,
|
||||
|
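Review bot: `openpam_readlinev` takes `int *_lenp` while `openpam_readline`, `openpam_readword` and `openpam_straddch` in the same hunk take `size_t *_lenp`; a length that is an `int` in one function and a `size_t` in its siblings invites sign and width bugs at the call sites (a negative `int` converted to `size_t` is a classic overflow source). Use `size_t` throughout unless the vector count is deliberately small, and name the last parameter of `openpam_straddch` `_ch` for consistency with every other parameter in the header. The `#endif` between `openpam_readword` and `openpam_straddch` closes a conditional that starts outside the hunk; give it a trailing comment like the one added to the file guard. Lastly, the feature enum (`OPENPAM_RESTRICT_SERVICE_NAME` through `OPENPAM_FALLBACK_TO_OTHER`) lists the security controls on policy and module loading without their defaults; state the default of each in a comment.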
@ -151,10 +213,8 @@ _openpam_log(int _level,
|
|||
const char *_func,
|
||||
const char *_fmt,
|
||||
...)
|
||||
#if defined(__GNUC__)
|
||||
__attribute__((__format__(__printf__, 3, 4)))
|
||||
#endif
|
||||
;
|
||||
OPENPAM_FORMAT ((__printf__, 3, 4))
|
||||
OPENPAM_NONNULL((3));
|
||||
|
||||
#if defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 199901L)
|
||||
#define openpam_log(lvl, ...) \
|
||||
|
@ -172,7 +232,9 @@ _openpam_log(int _level,
|
|||
void
|
||||
openpam_log(int _level,
|
||||
const char *_format,
|
||||
...);
|
||||
...)
|
||||
OPENPAM_FORMAT ((__printf__, 2, 3))
|
||||
OPENPAM_NONNULL((2));
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -217,6 +279,11 @@ PAM_EXTERN int \
|
|||
pam_sm_##type(pam_handle_t *pamh, int flags, \
|
||||
int argc, const char *argv[]) \
|
||||
{ \
|
||||
\
|
||||
(void)pamh; \
|
||||
(void)flags; \
|
||||
(void)argc; \
|
||||
(void)argv; \
|
||||
return (PAM_IGNORE); \
|
||||
}
|
||||
|
||||
|
@ -234,9 +301,6 @@ struct pam_module {
|
|||
char *path;
|
||||
pam_func_t func[PAM_NUM_PRIMITIVES];
|
||||
void *dlh;
|
||||
int refcount;
|
||||
pam_module_t *prev;
|
||||
pam_module_t *next;
|
||||
};
|
||||
|
||||
/*
|
||||
|
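Review bot: dropping `dlh`, `refcount`, `prev` and `next` from `struct pam_module` changes the layout of a type declared in an installed header, so any module built against the old header (static modules embed a `struct pam_module` through `PAM_MODULE_ENTRY`) is binary-incompatible with the new library. The updated `PAM_MODULE_ENTRY` in the next hunk covers in-tree rebuilds, but this needs a bump of `LIB_MAJ` (used for `-version-info` in lib/libpam/Makefile.am) and a note on where module reference counting now lives, since the removed `refcount` governed when a dynamically loaded module was unloaded.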
@ -244,73 +308,83 @@ struct pam_module {
|
|||
*/
|
||||
#if defined(PAM_SM_AUTH) || defined(PAM_SM_ACCOUNT) || \
|
||||
defined(PAM_SM_SESSION) || defined(PAM_SM_PASSWORD)
|
||||
#define LINUX_PAM_MODULE
|
||||
# define LINUX_PAM_MODULE
|
||||
#endif
|
||||
|
||||
#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_AUTH)
|
||||
#define _PAM_SM_AUTHENTICATE 0
|
||||
#define _PAM_SM_SETCRED 0
|
||||
# define _PAM_SM_AUTHENTICATE 0
|
||||
# define _PAM_SM_SETCRED 0
|
||||
#else
|
||||
#undef PAM_SM_AUTH
|
||||
#define PAM_SM_AUTH
|
||||
#define _PAM_SM_AUTHENTICATE pam_sm_authenticate
|
||||
#define _PAM_SM_SETCRED pam_sm_setcred
|
||||
# undef PAM_SM_AUTH
|
||||
# define PAM_SM_AUTH
|
||||
# define _PAM_SM_AUTHENTICATE pam_sm_authenticate
|
||||
# define _PAM_SM_SETCRED pam_sm_setcred
|
||||
#endif
|
||||
|
||||
#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_ACCOUNT)
|
||||
#define _PAM_SM_ACCT_MGMT 0
|
||||
# define _PAM_SM_ACCT_MGMT 0
|
||||
#else
|
||||
#undef PAM_SM_ACCOUNT
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define _PAM_SM_ACCT_MGMT pam_sm_acct_mgmt
|
||||
# undef PAM_SM_ACCOUNT
|
||||
# define PAM_SM_ACCOUNT
|
||||
# define _PAM_SM_ACCT_MGMT pam_sm_acct_mgmt
|
||||
#endif
|
||||
|
||||
#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_SESSION)
|
||||
#define _PAM_SM_OPEN_SESSION 0
|
||||
#define _PAM_SM_CLOSE_SESSION 0
|
||||
# define _PAM_SM_OPEN_SESSION 0
|
||||
# define _PAM_SM_CLOSE_SESSION 0
|
||||
#else
|
||||
#undef PAM_SM_SESSION
|
||||
#define PAM_SM_SESSION
|
||||
#define _PAM_SM_OPEN_SESSION pam_sm_open_session
|
||||
#define _PAM_SM_CLOSE_SESSION pam_sm_close_session
|
||||
# undef PAM_SM_SESSION
|
||||
# define PAM_SM_SESSION
|
||||
# define _PAM_SM_OPEN_SESSION pam_sm_open_session
|
||||
# define _PAM_SM_CLOSE_SESSION pam_sm_close_session
|
||||
#endif
|
||||
|
||||
#if defined(LINUX_PAM_MODULE) && !defined(PAM_SM_PASSWORD)
|
||||
#define _PAM_SM_CHAUTHTOK 0
|
||||
# define _PAM_SM_CHAUTHTOK 0
|
||||
#else
|
||||
#undef PAM_SM_PASSWORD
|
||||
#define PAM_SM_PASSWORD
|
||||
#define _PAM_SM_CHAUTHTOK pam_sm_chauthtok
|
||||
# undef PAM_SM_PASSWORD
|
||||
# define PAM_SM_PASSWORD
|
||||
# define _PAM_SM_CHAUTHTOK pam_sm_chauthtok
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Infrastructure for static modules using GCC linker sets.
|
||||
* You are not expected to understand this.
|
||||
*/
|
||||
#if defined(__FreeBSD__)
|
||||
#define PAM_SOEXT ".so"
|
||||
#else
|
||||
#ifndef NO_STATIC_MODULES
|
||||
#define NO_STATIC_MODULES
|
||||
#if !defined(PAM_SOEXT)
|
||||
# define PAM_SOEXT ".so"
|
||||
#endif
|
||||
#endif
|
||||
#if defined(__GNUC__) && !defined(__PIC__) && !defined(NO_STATIC_MODULES)
|
||||
|
||||
#if defined(OPENPAM_STATIC_MODULES)
|
||||
# if !defined(__GNUC__)
|
||||
# error "Don't know how to build static modules on non-GNU compilers"
|
||||
# endif
|
||||
/* gcc, static linking */
|
||||
#include <sys/cdefs.h>
|
||||
#include <linker_set.h>
|
||||
#define OPENPAM_STATIC_MODULES
|
||||
#define PAM_EXTERN static
|
||||
#define PAM_MODULE_ENTRY(name) \
|
||||
static char _pam_name[] = name PAM_SOEXT; \
|
||||
static struct pam_module _pam_module = { _pam_name, { \
|
||||
_PAM_SM_AUTHENTICATE, _PAM_SM_SETCRED, _PAM_SM_ACCT_MGMT, \
|
||||
_PAM_SM_OPEN_SESSION, _PAM_SM_CLOSE_SESSION, _PAM_SM_CHAUTHTOK }, \
|
||||
NULL, 0, NULL, NULL }; \
|
||||
DATA_SET(_openpam_static_modules, _pam_module)
|
||||
# include <sys/cdefs.h>
|
||||
# include <linker_set.h>
|
||||
# define PAM_EXTERN static
|
||||
# define PAM_MODULE_ENTRY(name) \
|
||||
static char _pam_name[] = name PAM_SOEXT; \
|
||||
static struct pam_module _pam_module = { \
|
||||
.path = _pam_name, \
|
||||
.func = { \
|
||||
[PAM_SM_AUTHENTICATE] = _PAM_SM_AUTHENTICATE, \
|
||||
[PAM_SM_SETCRED] = _PAM_SM_SETCRED, \
|
||||
[PAM_SM_ACCT_MGMT] = _PAM_SM_ACCT_MGMT, \
|
||||
[PAM_SM_OPEN_SESSION] = _PAM_SM_OPEN_SESSION, \
|
||||
[PAM_SM_CLOSE_SESSION] = _PAM_SM_CLOSE_SESSION, \
|
||||
[PAM_SM_CHAUTHTOK] = _PAM_SM_CHAUTHTOK \
|
||||
}, \
|
||||
}; \
|
||||
DATA_SET(_openpam_static_modules, _pam_module)
|
||||
#else
|
||||
/* normal case */
|
||||
#define PAM_EXTERN
|
||||
#define PAM_MODULE_ENTRY(name)
|
||||
# define PAM_EXTERN
|
||||
# define PAM_MODULE_ENTRY(name)
|
||||
#endif
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
||||
#endif /* !SECURITY_OPENPAM_H_INCLUDED */
|
||||
|
|
|
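Review bot: making the static-module path opt-in via `OPENPAM_STATIC_MODULES` instead of inferring it from `__GNUC__ && !__PIC__ && !NO_STATIC_MODULES` is the right direction (PIC describes how a translation unit was compiled, not how modules are linked), and indexing `.func` by `[PAM_SM_AUTHENTICATE]` and friends makes the initializer robust to reordering of the primitives. Two things need documenting: `OPENPAM_STATIC_MODULES` has to be defined identically when building the library and every module, or the `_openpam_static_modules` linker set and the lookup will disagree; and, because the static entry is registered under `name PAM_SOEXT`, the lookup order between the linker set and the directories listed in pam.conf(5) decides whether a shared object dropped into `/usr/local/lib` can shadow a statically linked module. State that order in the loader or the man page. Also `PAM_SOEXT` now defaults to `.so` on every platform rather than only FreeBSD; check that against platforms with a different module suffix.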
@ -0,0 +1,30 @@
|
|||
#ifndef SECURITY_OPENPAM_ATTR_H_INCLUDED
|
||||
#define SECURITY_OPENPAM_ATTR_H_INCLUDED
|
||||
|
||||
/* GCC attributes */
|
||||
#if defined(__GNUC__) && defined(__GNUC_MINOR__) && !defined(__STRICT_ANSI__)
|
||||
# define OPENPAM_GNUC_PREREQ(maj, min) \
|
||||
((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
|
||||
#else
|
||||
# define OPENPAM_GNUC_PREREQ(maj, min) 0
|
||||
#endif
|
||||
|
||||
#if OPENPAM_GNUC_PREREQ(2,5)
|
||||
# define OPENPAM_FORMAT(params) __attribute__((__format__ params))
|
||||
#else
|
||||
# define OPENPAM_FORMAT(params)
|
||||
#endif
|
||||
|
||||
#if OPENPAM_GNUC_PREREQ(3,3)
|
||||
# define OPENPAM_NONNULL(params) __attribute__((__nonnull__ params))
|
||||
#else
|
||||
# define OPENPAM_NONNULL(params)
|
||||
#endif
|
||||
|
||||
#if OPENPAM_GNUC_PREREQ(2,7)
|
||||
# define OPENPAM_UNUSED(var) var __attribute__((__unused__))
|
||||
#else
|
||||
# define OPENPAM_UNUSED(var) var
|
||||
#endif
|
||||
|
||||
#endif /* !SECURITY_OPENPAM_ATTR_H_INCLUDED */
|
|
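Review bot: `OPENPAM_GNUC_PREREQ` yields 0 whenever `__STRICT_ANSI__` is defined, which silently disables `OPENPAM_FORMAT` and `OPENPAM_NONNULL` for any consumer compiled with `-ansi` or `-std=c99`/`-std=c11` as opposed to `-std=gnu11`; the double-underscore spellings `__attribute__`, `__format__` and `__nonnull__` used here are exactly the forms GCC keeps available in strict mode, so the condition drops the checks for the builds most likely to be third-party modules. Remove `!defined(__STRICT_ANSI__)` from the test. Also worth a comment next to `OPENPAM_NONNULL`: `__nonnull__` is an optimization hint as well as a diagnostic, so the library must not rely on its own NULL checks surviving inside functions whose prototype carries it.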
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2023 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,15 +31,13 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/include/security/openpam_version.h#14 $
|
||||
*/
|
||||
|
||||
#ifndef _OPENPAM_VERSION_H_INCLUDED
|
||||
#define _OPENPAM_VERSION_H_INCLUDED
|
||||
#ifndef SECURITY_OPENPAM_VERSION_H_INCLUDED
|
||||
#define SECURITY_OPENPAM_VERSION_H_INCLUDED
|
||||
|
||||
#define _OPENPAM
|
||||
#define _OPENPAM_VERSION 20050616
|
||||
#define _OPENPAM_RELEASE "Figwort"
|
||||
#define OPENPAM
|
||||
#define OPENPAM_VERSION 20230627
|
||||
#define OPENPAM_RELEASE "Ximenia"
|
||||
|
||||
#endif
|
||||
#endif /* !SECURITY_OPENPAM_VERSION_H_INCLUDED */
|
||||
|
|
|
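Review bot: `_OPENPAM`, `_OPENPAM_VERSION` and `_OPENPAM_RELEASE` are removed rather than kept alongside the new `OPENPAM`, `OPENPAM_VERSION` and `OPENPAM_RELEASE`; third-party modules use `#ifdef _OPENPAM` and comparisons against `_OPENPAM_VERSION` to tell OpenPAM from Linux-PAM, and they will now silently take the non-OpenPAM branch. Keep the old names as aliases for at least one release, or call the break out in the release notes. The jump from `20050616` to `20230627` stays within the date-based scheme, so version comparisons still order correctly.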
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,15 +31,14 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/include/security/pam_appl.h#14 $
|
||||
*/
|
||||
|
||||
#ifndef _PAM_APPL_H_INCLUDED
|
||||
#define _PAM_APPL_H_INCLUDED
|
||||
#ifndef SECURITY_PAM_APPL_H_INCLUDED
|
||||
#define SECURITY_PAM_APPL_H_INCLUDED
|
||||
|
||||
#include <security/pam_types.h>
|
||||
#include <security/pam_constants.h>
|
||||
#include <security/openpam_attr.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
|
@ -50,53 +50,64 @@ extern "C" {
|
|||
|
||||
int
|
||||
pam_acct_mgmt(pam_handle_t *_pamh,
|
||||
int _flags);
|
||||
int _flags)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
int
|
||||
pam_authenticate(pam_handle_t *_pamh,
|
||||
int _flags);
|
||||
int _flags)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
int
|
||||
pam_chauthtok(pam_handle_t *_pamh,
|
||||
int _flags);
|
||||
int _flags)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
int
|
||||
pam_close_session(pam_handle_t *_pamh,
|
||||
int _flags);
|
||||
int _flags)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
int
|
||||
pam_end(pam_handle_t *_pamh,
|
||||
int _status);
|
||||
|
||||
int
|
||||
pam_get_data(pam_handle_t *_pamh,
|
||||
pam_get_data(const pam_handle_t *_pamh,
|
||||
const char *_module_data_name,
|
||||
void **_data);
|
||||
const void **_data)
|
||||
OPENPAM_NONNULL((1,2,3));
|
||||
|
||||
int
|
||||
pam_get_item(pam_handle_t *_pamh,
|
||||
pam_get_item(const pam_handle_t *_pamh,
|
||||
int _item_type,
|
||||
const void **_item);
|
||||
const void **_item)
|
||||
OPENPAM_NONNULL((1,3));
|
||||
|
||||
int
|
||||
pam_get_user(pam_handle_t *_pamh,
|
||||
const char **_user,
|
||||
const char *_prompt);
|
||||
const char *_prompt)
|
||||
OPENPAM_NONNULL((1,2));
|
||||
|
||||
const char *
|
||||
pam_getenv(pam_handle_t *_pamh,
|
||||
const char *_name);
|
||||
const char *_name)
|
||||
OPENPAM_NONNULL((1,2));
|
||||
|
||||
char **
|
||||
pam_getenvlist(pam_handle_t *_pamh);
|
||||
pam_getenvlist(pam_handle_t *_pamh)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
int
|
||||
pam_open_session(pam_handle_t *_pamh,
|
||||
int _flags);
|
||||
int _flags)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
int
|
||||
pam_putenv(pam_handle_t *_pamh,
|
||||
const char *_namevalue);
|
||||
const char *_namevalue)
|
||||
OPENPAM_NONNULL((1,2));
|
||||
|
||||
int
|
||||
pam_set_data(pam_handle_t *_pamh,
|
||||
|
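Review bot: every entry point here now carries `OPENPAM_NONNULL((1))` on `_pamh`, yet pam_constants.h in this same change keeps `PAM_BAD_HANDLE` as an error code, which only makes sense if the functions check for a NULL handle and return it. With the attribute on a prototype that the .c files include, GCC is entitled to delete the callee's `if (pamh == NULL)` test (`-fdelete-null-pointer-checks` is on by default at -O2), so the graceful error path becomes a NULL dereference. Pick one contract: treat a NULL handle as a caller bug and keep the attribute, or keep `PAM_BAD_HANDLE` and drop argument 1 from the annotations (`pam_end` is already left without it and `pam_strerror` is routinely called with a NULL handle, so the exception list is not empty). Separately, `pam_get_data` changing `void **_data` to `const void **_data` matches the XSSO prototype but breaks compilation of modules written against the old one; note it in the changelog.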
@ -104,25 +115,29 @@ pam_set_data(pam_handle_t *_pamh,
|
|||
void *_data,
|
||||
void (*_cleanup)(pam_handle_t *_pamh,
|
||||
void *_data,
|
||||
int _pam_end_status));
|
||||
int _pam_end_status))
|
||||
OPENPAM_NONNULL((1,2));
|
||||
|
||||
int
|
||||
pam_set_item(pam_handle_t *_pamh,
|
||||
int _item_type,
|
||||
const void *_item);
|
||||
const void *_item)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
int
|
||||
pam_setcred(pam_handle_t *_pamh,
|
||||
int _flags);
|
||||
int _flags)
|
||||
OPENPAM_NONNULL((1));
|
||||
|
||||
int
|
||||
pam_start(const char *_service,
|
||||
const char *_user,
|
||||
const struct pam_conv *_pam_conv,
|
||||
pam_handle_t **_pamh);
|
||||
pam_handle_t **_pamh)
|
||||
OPENPAM_NONNULL((4));
|
||||
|
||||
const char *
|
||||
pam_strerror(pam_handle_t *_pamh,
|
||||
pam_strerror(const pam_handle_t *_pamh,
|
||||
int _error_number);
|
||||
|
||||
/*
|
||||
|
@ -177,4 +192,4 @@ pam_set_mapped_username(pam_handle_t *_pamh,
|
|||
}
|
||||
#endif
|
||||
|
||||
#endif
|
||||
#endif /* !SECURITY_PAM_APPL_H_INCLUDED */
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,12 +31,10 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/include/security/pam_constants.h#22 $
|
||||
*/
|
||||
|
||||
#ifndef _PAM_CONSTANTS_H_INCLUDED
|
||||
#define _PAM_CONSTANTS_H_INCLUDED
|
||||
#ifndef SECURITY_PAM_CONSTANTS_H_INCLUDED
|
||||
#define SECURITY_PAM_CONSTANTS_H_INCLUDED
|
||||
|
||||
#include <security/openpam_version.h>
|
||||
|
||||
|
@ -77,6 +76,10 @@ enum {
|
|||
PAM_TRY_AGAIN = 27,
|
||||
PAM_MODULE_UNKNOWN = 28,
|
||||
PAM_DOMAIN_UNKNOWN = 29,
|
||||
PAM_BAD_HANDLE = 30, /* OpenPAM extension */
|
||||
PAM_BAD_ITEM = 31, /* OpenPAM extension */
|
||||
PAM_BAD_FEATURE = 32, /* OpenPAM extension */
|
||||
PAM_BAD_CONSTANT = 33, /* OpenPAM extension */
|
||||
PAM_NUM_ERRORS /* OpenPAM extension */
|
||||
};
|
||||
|
||||
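Review bot: `PAM_BAD_FEATURE = 32` and `PAM_BAD_CONSTANT = 33` shift `PAM_NUM_ERRORS`, and every table sized or indexed by it (the error-string table behind `pam_strerror`, presumably in the `openpam_constants.c` listed in lib/libpam/Makefile.am) must grow in lockstep; a static assertion that the table has `PAM_NUM_ERRORS` entries would catch the next addition. Also confirm `pam_strerror` has strings for 32 and 33 rather than falling through to a generic message, since these are the codes an application will see from `openpam_set_feature` on bad input.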
|
@ -125,6 +128,7 @@ enum {
|
|||
PAM_REPOSITORY = 10,
|
||||
PAM_AUTHTOK_PROMPT = 11, /* OpenPAM extension */
|
||||
PAM_OLDAUTHTOK_PROMPT = 12, /* OpenPAM extension */
|
||||
PAM_HOST = 13, /* OpenPAM extension */
|
||||
PAM_NUM_ITEMS /* OpenPAM extension */
|
||||
};
|
||||
|
||||
|
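Review bot: `PAM_HOST = 13` is a new item with only `/* OpenPAM extension */` to describe it; the name alone does not say whether it is the local host name or another spelling of the remote-host item, nor whether a module may trust it (an application-supplied item is not authenticated data). Put that in the comment and in the pam_get_item/pam_set_item pages, and add the matching entry to the item-name table so that every `PAM_NUM_ITEMS`-sized table stays aligned.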
@ -132,4 +136,4 @@ enum {
|
|||
}
|
||||
#endif
|
||||
|
||||
#endif
|
||||
#endif /* !SECURITY_PAM_CONSTANTS_H_INCLUDED */
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,12 +31,10 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/include/security/pam_modules.h#9 $
|
||||
*/
|
||||
|
||||
#ifndef _PAM_MODULES_H_INCLUDED
|
||||
#define _PAM_MODULES_H_INCLUDED
|
||||
#ifndef SECURITY_PAM_MODULES_H_INCLUDED
|
||||
#define SECURITY_PAM_MODULES_H_INCLUDED
|
||||
|
||||
#include <security/pam_types.h>
|
||||
#include <security/pam_constants.h>
|
||||
|
@ -157,4 +156,4 @@ pam_sm_set_mapped_username(pam_handle_t *_pamh,
|
|||
}
|
||||
#endif
|
||||
|
||||
#endif
|
||||
#endif /* !SECURITY_PAM_MODULES_H_INCLUDED */
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,12 +31,10 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/include/security/pam_types.h#13 $
|
||||
*/
|
||||
|
||||
#ifndef _PAM_TYPES_H_INCLUDED
|
||||
#define _PAM_TYPES_H_INCLUDED
|
||||
#ifndef SECURITY_PAM_TYPES_H_INCLUDED
|
||||
#define SECURITY_PAM_TYPES_H_INCLUDED
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
|
@ -77,11 +76,11 @@ typedef struct pam_handle pam_handle_t;
|
|||
typedef struct pam_repository {
|
||||
char *type;
|
||||
void *scope;
|
||||
size_t scope_len;
|
||||
size_t scope_len;
|
||||
} pam_repository_t;
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
||||
#endif /* !SECURITY_PAM_TYPES_H_INCLUDED */
|
||||
|
|
|
@ -1,62 +1,5 @@
|
|||
# $P4: //depot/projects/openpam/lib/Makefile.am#5 $
|
||||
SUBDIRS =
|
||||
|
||||
NULL =
|
||||
|
||||
INCLUDES = -I$(top_srcdir)/include
|
||||
|
||||
lib_LTLIBRARIES = libpam.la
|
||||
|
||||
libpam_la_SOURCES = \
|
||||
openpam_borrow_cred.c \
|
||||
openpam_configure.c \
|
||||
openpam_dispatch.c \
|
||||
openpam_dynamic.c \
|
||||
openpam_findenv.c \
|
||||
openpam_free_data.c \
|
||||
openpam_free_envlist.c \
|
||||
openpam_get_option.c \
|
||||
openpam_load.c \
|
||||
openpam_log.c \
|
||||
openpam_nullconv.c \
|
||||
openpam_readline.c \
|
||||
openpam_restore_cred.c \
|
||||
openpam_set_option.c \
|
||||
openpam_static.c \
|
||||
openpam_ttyconv.c \
|
||||
pam_acct_mgmt.c \
|
||||
pam_authenticate.c \
|
||||
pam_chauthtok.c \
|
||||
pam_close_session.c \
|
||||
pam_end.c \
|
||||
pam_error.c \
|
||||
pam_get_authtok.c \
|
||||
pam_get_data.c \
|
||||
pam_get_item.c \
|
||||
pam_get_user.c \
|
||||
pam_getenv.c \
|
||||
pam_getenvlist.c \
|
||||
pam_info.c \
|
||||
pam_open_session.c \
|
||||
pam_prompt.c \
|
||||
pam_putenv.c \
|
||||
pam_set_data.c \
|
||||
pam_set_item.c \
|
||||
pam_setcred.c \
|
||||
pam_setenv.c \
|
||||
pam_start.c \
|
||||
pam_strerror.c \
|
||||
pam_verror.c \
|
||||
pam_vinfo.c \
|
||||
pam_vprompt.c \
|
||||
$(NULL)
|
||||
|
||||
libpam_la_CFLAGS = -DOPENPAM_MODULES_DIR='"@OPENPAM_MODULES_DIR@/"'
|
||||
|
||||
libpam_la_LDFLAGS = -no-undefined -version-info @LIB_MAJ@ @DL_LIBS@
|
||||
|
||||
# Not implemented yet:
|
||||
# pam_authenticate_secondary.c
|
||||
# pam_get_mapped_authtok.c
|
||||
# pam_get_mapped_username.c
|
||||
# pam_set_mapped_authtok.c
|
||||
# pam_set_mapped_username.c
|
||||
if !WITH_SYSTEM_LIBPAM
|
||||
SUBDIRS += libpam
|
||||
endif
|
||||
|
|
|
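Review bot: `if !WITH_SYSTEM_LIBPAM` makes the in-tree libpam optional, but the headers in this same change add OpenPAM-only constants (`PAM_BAD_HANDLE` through `PAM_BAD_CONSTANT`, `PAM_HOST`, the `OPENPAM_*` feature enum) and declare `openpam_*` functions; when building against a system libpam, modules and tests that use any of those will fail to link or, worse, pass OpenPAM numeric values to a library that assigns them differently. The conditional should come with a statement of what is expected to work in that mode and which parts of the tree are excluded from it.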
@ -0,0 +1,100 @@
|
|||
NULL =
|
||||
|
||||
AM_CPPFLAGS = -I$(top_srcdir)/include
|
||||
|
||||
lib_LTLIBRARIES = libpam.la
|
||||
|
||||
noinst_HEADERS = \
|
||||
openpam_asprintf.h \
|
||||
openpam_constants.h \
|
||||
openpam_cred.h \
|
||||
openpam_ctype.h \
|
||||
openpam_debug.h \
|
||||
openpam_dlfunc.h \
|
||||
openpam_features.h \
|
||||
openpam_impl.h \
|
||||
openpam_strlcat.h \
|
||||
openpam_strlcmp.h \
|
||||
openpam_strlcpy.h \
|
||||
openpam_strlset.h \
|
||||
openpam_vasprintf.h
|
||||
|
||||
libpam_la_SOURCES = \
|
||||
openpam_asprintf.c \
|
||||
openpam_borrow_cred.c \
|
||||
openpam_check_owner_perms.c \
|
||||
openpam_configure.c \
|
||||
openpam_constants.c \
|
||||
openpam_dispatch.c \
|
||||
openpam_dynamic.c \
|
||||
openpam_features.c \
|
||||
openpam_findenv.c \
|
||||
openpam_free_data.c \
|
||||
openpam_free_envlist.c \
|
||||
openpam_get_feature.c \
|
||||
openpam_get_option.c \
|
||||
openpam_load.c \
|
||||
openpam_log.c \
|
||||
openpam_nullconv.c \
|
||||
openpam_readline.c \
|
||||
openpam_readlinev.c \
|
||||
openpam_readword.c \
|
||||
openpam_restore_cred.c \
|
||||
openpam_set_option.c \
|
||||
openpam_set_feature.c \
|
||||
openpam_static.c \
|
||||
openpam_straddch.c \
|
||||
openpam_strlcat.c \
|
||||
openpam_strlcpy.c \
|
||||
openpam_strlset.c \
|
||||
openpam_subst.c \
|
||||
openpam_vasprintf.c \
|
||||
openpam_ttyconv.c \
|
||||
pam_acct_mgmt.c \
|
||||
pam_authenticate.c \
|
||||
pam_chauthtok.c \
|
||||
pam_close_session.c \
|
||||
pam_end.c \
|
||||
pam_error.c \
|
||||
pam_get_authtok.c \
|
||||
pam_get_data.c \
|
||||
pam_get_item.c \
|
||||
pam_get_user.c \
|
||||
pam_getenv.c \
|
||||
pam_getenvlist.c \
|
||||
pam_info.c \
|
||||
pam_open_session.c \
|
||||
pam_prompt.c \
|
||||
pam_putenv.c \
|
||||
pam_set_data.c \
|
||||
pam_set_item.c \
|
||||
pam_setcred.c \
|
||||
pam_setenv.c \
|
||||
pam_start.c \
|
||||
pam_strerror.c \
|
||||
pam_verror.c \
|
||||
pam_vinfo.c \
|
||||
pam_vprompt.c \
|
||||
$(NULL)
|
||||
|
||||
libpam_la_LDFLAGS = -no-undefined -version-info $(LIB_MAJ)
|
||||
libpam_la_LIBADD = $(DL_LIBS)
|
||||
|
||||
EXTRA_DIST = \
|
||||
pam_authenticate_secondary.c \
|
||||
pam_get_mapped_authtok.c \
|
||||
pam_get_mapped_username.c \
|
||||
pam_set_mapped_authtok.c \
|
||||
pam_set_mapped_username.c \
|
||||
\
|
||||
pam_sm_acct_mgmt.c \
|
||||
pam_sm_authenticate.c \
|
||||
pam_sm_authenticate_secondary.c \
|
||||
pam_sm_chauthtok.c \
|
||||
pam_sm_close_session.c \
|
||||
pam_sm_get_mapped_authtok.c \
|
||||
pam_sm_get_mapped_username.c \
|
||||
pam_sm_open_session.c \
|
||||
pam_sm_set_mapped_authtok.c \
|
||||
pam_sm_set_mapped_username.c \
|
||||
pam_sm_setcred.c
|
|
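Review bot: the source lists in this Makefile.am fragment are not consistently ordered or terminated. In `libpam_la_SOURCES`, `openpam_set_option.c` comes before `openpam_set_feature.c` and `openpam_vasprintf.c` before `openpam_ttyconv.c`, which breaks the otherwise alphabetical order and makes future merge conflicts in this list harder to resolve; swapping those two pairs restores it. `libpam_la_SOURCES` ends with the `$(NULL)` sentinel so that every real entry can carry a trailing backslash, but `noinst_HEADERS` and `EXTRA_DIST` end on a bare filename instead; use the same `$(NULL)` convention for all three lists.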
@ -0,0 +1,55 @@
|
|||
/*-
|
||||
* Copyright (c) 2012 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_ASPRINTF
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "openpam_asprintf.h"
|
||||
#include "openpam_vasprintf.h"
|
||||
|
||||
/* like sprintf(3), but allocates memory for the result. */
|
||||
int
|
||||
openpam_asprintf(char **str, const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
int ret;
|
||||
|
||||
va_start(ap, fmt);
|
||||
ret = vasprintf(str, fmt, ap);
|
||||
va_end(ap);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
#endif
|
|
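Review bot: when `HAVE_ASPRINTF` is defined this file compiles to an empty translation unit, because the `#include <stdio.h>` and `#include <stdarg.h>` lines sit inside the `#ifndef HAVE_ASPRINTF` guard and only `config.h` remains; ISO C requires at least one declaration per translation unit and `-Wpedantic` will flag it. Moving the system includes above the guard (or adding a single dummy declaration) avoids that. Separately, the comment on `openpam_asprintf()` should spell out the failure contract: the value of `*str` after a failed `vasprintf()` call is not portable (some libcs set it to NULL, others leave it undefined), so callers must test `ret < 0` and never `*str == NULL`; stating this next to "like sprintf(3), but allocates memory for the result" saves the next reader from guessing.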
@ -0,0 +1,39 @@
|
|||
/*-
|
||||
* Copyright (c) 2012 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_ASPRINTF_H_INCLUDED
|
||||
#define OPENPAM_ASPRINTF_H_INCLUDED
|
||||
|
||||
#ifndef HAVE_ASPRINTF
|
||||
int openpam_asprintf(char **, const char *, ...);
|
||||
#undef asprintf
|
||||
#define asprintf(arg, ...) openpam_asprintf(arg, __VA_ARGS__)
|
||||
#endif
|
||||
|
||||
#endif
|
|
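Review bot: the `#define asprintf(arg, ...) openpam_asprintf(arg, __VA_ARGS__)` macro rewrites every later occurrence of the token `asprintf` followed by a parenthesis, including a prototype in any system header that happens to be included after this one, which would then fail to compile. `openpam_asprintf.c` gets the order right (it includes `<stdio.h>` first), but nothing in the header enforces or documents that; add a comment stating that the header must be included after all system headers, or guard the macro so it is only defined when `HAVE_ASPRINTF` is absent and `<stdio.h>` has already been seen.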
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#13 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <grp.h>
|
||||
|
@ -45,6 +48,7 @@
|
|||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
#include "openpam_cred.h"
|
||||
|
||||
/*
|
||||
* OpenPAM extension
|
||||
|
@ -57,18 +61,18 @@ openpam_borrow_cred(pam_handle_t *pamh,
|
|||
const struct passwd *pwd)
|
||||
{
|
||||
struct pam_saved_cred *scred;
|
||||
void *scredp;
|
||||
const void *scredp;
|
||||
int r;
|
||||
|
||||
ENTERI(pwd->pw_uid);
|
||||
r = pam_get_data(pamh, PAM_SAVED_CRED, &scredp);
|
||||
if (r == PAM_SUCCESS && scredp != NULL) {
|
||||
openpam_log(PAM_LOG_DEBUG,
|
||||
openpam_log(PAM_LOG_LIBDEBUG,
|
||||
"already operating under borrowed credentials");
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
}
|
||||
if (geteuid() != 0 && geteuid() != pwd->pw_uid) {
|
||||
openpam_log(PAM_LOG_DEBUG, "called with non-zero euid: %d",
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "called with non-zero euid: %d",
|
||||
(int)geteuid());
|
||||
RETURNC(PAM_PERM_DENIED);
|
||||
}
|
|
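Review bot: the message in `openpam_log(PAM_LOG_LIBDEBUG, "called with non-zero euid: %d", ...)` no longer describes the condition it reports. The test is `geteuid() != 0 && geteuid() != pwd->pw_uid`, so the denial fires only when the caller is neither root nor already the target user; a wording such as "called with euid %d, neither root nor target uid %d" would tell an operator reading the debug log why `PAM_PERM_DENIED` was returned. The change from `void *scredp` to `const void *scredp` is correct, since `pam_get_data()` takes a `const void **` and the old declaration needed a cast or produced a warning.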
@ -0,0 +1,143 @@
|
|||
/*-
|
||||
* Copyright (c) 2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <limits.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
|
||||
/*
|
||||
* OpenPAM internal
|
||||
*
|
||||
* Verify that the file or directory referenced by the given descriptor is
|
||||
* owned by either root or the arbitrator and that it is not writable by
|
||||
* group or other.
|
||||
*/
|
||||
|
||||
int
|
||||
openpam_check_desc_owner_perms(const char *name, int fd)
|
||||
{
|
||||
uid_t root, arbitrator;
|
||||
struct stat sb;
|
||||
int serrno;
|
||||
|
||||
root = 0;
|
||||
arbitrator = geteuid();
|
||||
if (fstat(fd, &sb) != 0) {
|
||||
serrno = errno;
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", name);
|
||||
errno = serrno;
|
||||
return (-1);
|
||||
}
|
||||
if (!S_ISREG(sb.st_mode)) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s: not a regular file", name);
|
||||
errno = EINVAL;
|
||||
return (-1);
|
||||
}
|
||||
if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
|
||||
(sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s: insecure ownership or permissions", name);
|
||||
errno = EPERM;
|
||||
return (-1);
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* OpenPAM internal
|
||||
*
|
||||
* Verify that a file or directory and all components of the path leading
|
||||
* up to it are owned by either root or the arbitrator and that they are
|
||||
* not writable by group or other.
|
||||
*
|
||||
* Note that openpam_check_desc_owner_perms() should be used instead if
|
||||
* possible to avoid a race between the ownership / permission check and
|
||||
* the actual open().
|
||||
*/
|
||||
|
||||
int
|
||||
openpam_check_path_owner_perms(const char *path)
|
||||
{
|
||||
uid_t root, arbitrator;
|
||||
char pathbuf[PATH_MAX];
|
||||
struct stat sb;
|
||||
int len, serrno, tip;
|
||||
|
||||
tip = 1;
|
||||
root = 0;
|
||||
arbitrator = geteuid();
|
||||
if (realpath(path, pathbuf) == NULL)
|
||||
return (-1);
|
||||
len = strlen(pathbuf);
|
||||
while (len > 0) {
|
||||
if (stat(pathbuf, &sb) != 0) {
|
||||
if (errno != ENOENT) {
|
||||
serrno = errno;
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", pathbuf);
|
||||
errno = serrno;
|
||||
}
|
||||
return (-1);
|
||||
}
|
||||
if (tip && !S_ISREG(sb.st_mode)) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s: not a regular file", pathbuf);
|
||||
errno = EINVAL;
|
||||
return (-1);
|
||||
}
|
||||
if ((sb.st_uid != root && sb.st_uid != arbitrator) ||
|
||||
(sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s: insecure ownership or permissions", pathbuf);
|
||||
errno = EPERM;
|
||||
return (-1);
|
||||
}
|
||||
while (--len > 0 && pathbuf[len] != '/')
|
||||
pathbuf[len] = '\0';
|
||||
tip = 0;
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* NOPARSE
|
||||
*/
|
|
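Review bot: the header comments on both functions say they verify "the file or directory" referenced, but `openpam_check_desc_owner_perms()` rejects anything for which `!S_ISREG(sb.st_mode)` with "not a regular file", and `openpam_check_path_owner_perms()` does the same at the tip of the path; either the comments or the check should change so they agree. In `openpam_check_path_owner_perms()`, the `while (len > 0)` walk strips the path component by component but exits once `pathbuf` has been reduced to "/", so the root directory's own ownership and mode are never examined; a final iteration when `len` reaches 0 (or a `do { ... } while (len > 0)` shape) would make the walk complete. Also, a `stat()` failure with `ENOENT` returns -1 without any log entry even though `realpath()` succeeded an instant earlier, which only happens if the path changed underneath the check; a debug-level log there would make the race the comment warns about visible to whoever is troubleshooting a failed policy load.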
@ -0,0 +1,486 @@
|
|||
/*-
|
||||
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2015 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
* Network Associates Laboratories, the Security Research Division of
|
||||
* Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
* ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
#include "openpam_ctype.h"
|
||||
#include "openpam_strlcat.h"
|
||||
#include "openpam_strlcpy.h"
|
||||
|
||||
static int openpam_load_chain(pam_handle_t *, const char *, pam_facility_t);
|
||||
|
||||
/*
|
||||
* Validate a service name.
|
||||
*
|
||||
* Returns a non-zero value if the argument points to a NUL-terminated
|
||||
* string consisting entirely of characters in the POSIX portable filename
|
||||
* character set, excluding the path separator character.
|
||||
*/
|
||||
static int
|
||||
valid_service_name(const char *name)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
if (OPENPAM_FEATURE(RESTRICT_SERVICE_NAME)) {
|
||||
/* path separator not allowed */
|
||||
for (p = name; *p != '\0'; ++p)
|
||||
if (!is_pfcs(*p))
|
||||
return (0);
|
||||
} else {
|
||||
/* path separator allowed */
|
||||
for (p = name; *p != '\0'; ++p)
|
||||
if (!is_pfcs(*p) && *p != '/')
|
||||
return (0);
|
||||
}
|
||||
return (1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse the facility name.
|
||||
*
|
||||
* Returns the corresponding pam_facility_t value, or -1 if the argument
|
||||
* is not a valid facility name.
|
||||
*/
|
||||
static pam_facility_t
|
||||
parse_facility_name(const char *name)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < PAM_NUM_FACILITIES; ++i)
|
||||
if (strcmp(pam_facility_name[i], name) == 0)
|
||||
return (i);
|
||||
return ((pam_facility_t)-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse the control flag.
|
||||
*
|
||||
* Returns the corresponding pam_control_t value, or -1 if the argument is
|
||||
* not a valid control flag name.
|
||||
*/
|
||||
static pam_control_t
|
||||
parse_control_flag(const char *name)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < PAM_NUM_CONTROL_FLAGS; ++i)
|
||||
if (strcmp(pam_control_flag_name[i], name) == 0)
|
||||
return (i);
|
||||
return ((pam_control_t)-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Validate a file name.
|
||||
*
|
||||
* Returns a non-zero value if the argument points to a NUL-terminated
|
||||
* string consisting entirely of characters in the POSIX portable filename
|
||||
* character set, including the path separator character.
|
||||
*/
|
||||
static int
|
||||
valid_module_name(const char *name)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
if (OPENPAM_FEATURE(RESTRICT_MODULE_NAME)) {
|
||||
/* path separator not allowed */
|
||||
for (p = name; *p != '\0'; ++p)
|
||||
if (!is_pfcs(*p))
|
||||
return (0);
|
||||
} else {
|
||||
/* path separator allowed */
|
||||
for (p = name; *p != '\0'; ++p)
|
||||
if (!is_pfcs(*p) && *p != '/')
|
||||
return (0);
|
||||
}
|
||||
return (1);
|
||||
}
|
||||
|
||||
typedef enum { pam_conf_style, pam_d_style } openpam_style_t;
|
||||
|
||||
/*
|
||||
* Extracts given chains from a policy file.
|
||||
*
|
||||
* Returns the number of policy entries which were found for the specified
|
||||
* service and facility, or -1 if a system error occurred or a syntax
|
||||
* error was encountered.
|
||||
*/
|
||||
static int
|
||||
openpam_parse_chain(pam_handle_t *pamh,
|
||||
const char *service,
|
||||
pam_facility_t facility,
|
||||
FILE *f,
|
||||
const char *filename,
|
||||
openpam_style_t style)
|
||||
{
|
||||
pam_chain_t *this, **next;
|
||||
pam_facility_t fclt;
|
||||
pam_control_t ctlf;
|
||||
char *name, *servicename, *modulename;
|
||||
int count, lineno, ret, serrno;
|
||||
char **wordv, *word;
|
||||
int i, wordc;
|
||||
|
||||
count = 0;
|
||||
this = NULL;
|
||||
name = NULL;
|
||||
lineno = 0;
|
||||
wordc = 0;
|
||||
wordv = NULL;
|
||||
while ((wordv = openpam_readlinev(f, &lineno, &wordc)) != NULL) {
|
||||
/* blank line? */
|
||||
if (wordc == 0) {
|
||||
FREEV(wordc, wordv);
|
||||
continue;
|
||||
}
|
||||
i = 0;
|
||||
|
||||
/* check service name if necessary */
|
||||
if (style == pam_conf_style &&
|
||||
strcmp(wordv[i++], service) != 0) {
|
||||
FREEV(wordc, wordv);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* check facility name */
|
||||
if ((word = wordv[i++]) == NULL ||
|
||||
(fclt = parse_facility_name(word)) == (pam_facility_t)-1) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s(%d): missing or invalid facility",
|
||||
filename, lineno);
|
||||
errno = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
if (facility != fclt && facility != PAM_FACILITY_ANY) {
|
||||
FREEV(wordc, wordv);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* check for "include" */
|
||||
if ((word = wordv[i++]) != NULL &&
|
||||
strcmp(word, "include") == 0) {
|
||||
if ((servicename = wordv[i++]) == NULL ||
|
||||
!valid_service_name(servicename)) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s(%d): missing or invalid service name",
|
||||
filename, lineno);
|
||||
errno = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
if (wordv[i] != NULL) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s(%d): garbage at end of line",
|
||||
filename, lineno);
|
||||
errno = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
ret = openpam_load_chain(pamh, servicename, fclt);
|
||||
FREEV(wordc, wordv);
|
||||
if (ret < 0) {
|
||||
/*
|
||||
* Bogus errno, but this ensures that the
|
||||
* outer loop does not just ignore the
|
||||
* error and keep searching.
|
||||
*/
|
||||
if (errno == ENOENT)
|
||||
errno = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
/* get control flag */
|
||||
if (word == NULL || /* same word we compared to "include" */
|
||||
(ctlf = parse_control_flag(word)) == (pam_control_t)-1) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s(%d): missing or invalid control flag",
|
||||
filename, lineno);
|
||||
errno = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
/* get module name */
|
||||
if ((modulename = wordv[i++]) == NULL ||
|
||||
!valid_module_name(modulename)) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s(%d): missing or invalid module name",
|
||||
filename, lineno);
|
||||
errno = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
/* allocate new entry */
|
||||
if ((this = calloc(1, sizeof *this)) == NULL)
|
||||
goto syserr;
|
||||
this->flag = ctlf;
|
||||
|
||||
/* load module */
|
||||
if ((this->module = openpam_load_module(modulename)) == NULL) {
|
||||
if (errno == ENOENT)
|
||||
errno = ENOEXEC;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
/*
|
||||
* The remaining items in wordv are the module's
|
||||
* arguments. We could set this->optv = wordv + i, but
|
||||
* then free(this->optv) wouldn't work. Instead, we free
|
||||
* the words we've already consumed, shift the rest up,
|
||||
* and clear the tail end of the array.
|
||||
*/
|
||||
this->optc = wordc - i;
|
||||
for (i = 0; i < wordc - this->optc; ++i) {
|
||||
FREE(wordv[i]);
|
||||
}
|
||||
for (i = 0; i < this->optc; ++i) {
|
||||
wordv[i] = wordv[wordc - this->optc + i];
|
||||
wordv[wordc - this->optc + i] = NULL;
|
||||
}
|
||||
this->optv = wordv;
|
||||
wordv = NULL;
|
||||
wordc = 0;
|
||||
|
||||
/* hook it up */
|
||||
for (next = &pamh->chains[fclt]; *next != NULL;
|
||||
next = &(*next)->next)
|
||||
/* nothing */ ;
|
||||
*next = this;
|
||||
this = NULL;
|
||||
++count;
|
||||
}
|
||||
/*
|
||||
* The loop ended because openpam_readword() returned NULL, which
|
||||
* can happen for four different reasons: an I/O error (ferror(f)
|
||||
* is true), a memory allocation failure (ferror(f) is false,
|
||||
* feof(f) is false, errno is non-zero), the file ended with an
|
||||
* unterminated quote or backslash escape (ferror(f) is false,
|
||||
* feof(f) is true, errno is non-zero), or the end of the file was
|
||||
* reached without error (ferror(f) is false, feof(f) is true,
|
||||
* errno is zero).
|
||||
*/
|
||||
if (ferror(f) || errno != 0)
|
||||
goto syserr;
|
||||
if (!feof(f))
|
||||
goto fail;
|
||||
fclose(f);
|
||||
return (count);
|
||||
syserr:
|
||||
serrno = errno;
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", filename);
|
||||
errno = serrno;
|
||||
/* fall through */
|
||||
fail:
|
||||
serrno = errno;
|
||||
if (this && this->optc && this->optv)
|
||||
FREEV(this->optc, this->optv);
|
||||
FREE(this);
|
||||
FREEV(wordc, wordv);
|
||||
FREE(wordv);
|
||||
FREE(name);
|
||||
fclose(f);
|
||||
errno = serrno;
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Read the specified chains from the specified file.
|
||||
*
|
||||
* Returns 0 if the file exists but does not contain any matching lines.
|
||||
*
|
||||
* Returns -1 and sets errno to ENOENT if the file does not exist.
|
||||
*
|
||||
* Returns -1 and sets errno to some other non-zero value if the file
|
||||
* exists but is unsafe or unreadable, or an I/O error occurs.
|
||||
*/
|
||||
static int
|
||||
openpam_load_file(pam_handle_t *pamh,
|
||||
const char *service,
|
||||
pam_facility_t facility,
|
||||
const char *filename,
|
||||
openpam_style_t style)
|
||||
{
|
||||
FILE *f;
|
||||
int ret, serrno;
|
||||
|
||||
/* attempt to open the file */
|
||||
if ((f = fopen(filename, "r")) == NULL) {
|
||||
serrno = errno;
|
||||
openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_ERROR,
|
||||
"%s: %m", filename);
|
||||
errno = serrno;
|
||||
RETURNN(-1);
|
||||
} else {
|
||||
openpam_log(PAM_LOG_DEBUG, "found %s", filename);
|
||||
}
|
||||
|
||||
/* verify type, ownership and permissions */
|
||||
if (OPENPAM_FEATURE(VERIFY_POLICY_FILE) &&
|
||||
openpam_check_desc_owner_perms(filename, fileno(f)) != 0) {
|
||||
/* already logged the cause */
|
||||
serrno = errno;
|
||||
fclose(f);
|
||||
errno = serrno;
|
||||
RETURNN(-1);
|
||||
}
|
||||
|
||||
/* parse the file */
|
||||
ret = openpam_parse_chain(pamh, service, facility,
|
||||
f, filename, style);
|
||||
RETURNN(ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Locates the policy file for a given service and reads the given chains
|
||||
* from it.
|
||||
*
|
||||
* Returns the number of policy entries which were found for the specified
|
||||
* service and facility, or -1 if a system error occurred or a syntax
|
||||
* error was encountered.
|
||||
*/
|
||||
static int
|
||||
openpam_load_chain(pam_handle_t *pamh,
|
||||
const char *service,
|
||||
pam_facility_t facility)
|
||||
{
|
||||
const char *p, **path;
|
||||
char filename[PATH_MAX];
|
||||
size_t len;
|
||||
openpam_style_t style;
|
||||
int ret;
|
||||
|
||||
ENTERS(facility < 0 ? "any" : pam_facility_name[facility]);
|
||||
|
||||
/* either absolute or relative to cwd */
|
||||
if (strchr(service, '/') != NULL) {
|
||||
if ((p = strrchr(service, '.')) != NULL && strcmp(p, ".conf") == 0)
|
||||
style = pam_conf_style;
|
||||
else
|
||||
style = pam_d_style;
|
||||
ret = openpam_load_file(pamh, service, facility,
|
||||
service, style);
|
||||
RETURNN(ret);
|
||||
}
|
||||
|
||||
/* search standard locations */
|
||||
for (path = openpam_policy_path; *path != NULL; ++path) {
|
||||
/* construct filename */
|
||||
len = strlcpy(filename, *path, sizeof filename);
|
||||
if (len >= sizeof filename) {
|
||||
errno = ENAMETOOLONG;
|
||||
RETURNN(-1);
|
||||
}
|
||||
if (filename[len - 1] == '/') {
|
||||
len = strlcat(filename, service, sizeof filename);
|
||||
if (len >= sizeof filename) {
|
||||
errno = ENAMETOOLONG;
|
||||
RETURNN(-1);
|
||||
}
|
||||
style = pam_d_style;
|
||||
} else {
|
||||
style = pam_conf_style;
|
||||
}
|
||||
ret = openpam_load_file(pamh, service, facility,
|
||||
filename, style);
|
||||
/* success */
|
||||
if (ret > 0)
|
||||
RETURNN(ret);
|
||||
/* the file exists, but an error occurred */
|
||||
if (ret == -1 && errno != ENOENT)
|
||||
RETURNN(ret);
|
||||
/* in pam.d style, an empty file counts as a hit */
|
||||
if (ret == 0 && style == pam_d_style)
|
||||
RETURNN(ret);
|
||||
}
|
||||
|
||||
/* no hit */
|
||||
errno = ENOENT;
|
||||
RETURNN(-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* OpenPAM internal
|
||||
*
|
||||
* Configure a service
|
||||
*/
|
||||
|
||||
int
|
||||
openpam_configure(pam_handle_t *pamh,
|
||||
const char *service)
|
||||
{
|
||||
pam_facility_t fclt;
|
||||
int serrno;
|
||||
|
||||
ENTERS(service);
|
||||
if (!valid_service_name(service)) {
|
||||
openpam_log(PAM_LOG_ERROR, "invalid service name");
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
}
|
||||
if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) {
|
||||
if (errno != ENOENT)
|
||||
goto load_err;
|
||||
}
|
||||
for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
|
||||
if (pamh->chains[fclt] != NULL)
|
||||
continue;
|
||||
if (OPENPAM_FEATURE(FALLBACK_TO_OTHER)) {
|
||||
if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0)
|
||||
goto load_err;
|
||||
}
|
||||
}
|
||||
RETURNC(PAM_SUCCESS);
|
||||
load_err:
|
||||
serrno = errno;
|
||||
openpam_clear_chains(pamh->chains);
|
||||
errno = serrno;
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
}
|
||||
|
||||
/*
|
||||
* NODOC
|
||||
*
|
||||
* Error codes:
|
||||
* PAM_SYSTEM_ERR
|
||||
*/
|
|
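Review bot: the doc comments on `valid_service_name()` and `valid_module_name()` each describe only one branch of the code. Both say the portable-filename check is applied "excluding" or "including" the path separator unconditionally, while the functions actually accept '/' whenever the corresponding `OPENPAM_FEATURE(RESTRICT_SERVICE_NAME)` or `RESTRICT_MODULE_NAME` feature is off, which is exactly the case in which `openpam_load_chain()` will open a policy file given as an absolute or cwd-relative path and `openpam_load_module()` will load a module by path. Since these two functions are the gate for that behaviour, state both branches in the comments, and consider folding the duplicated loops into one helper taking an allow-slash flag. Two smaller points in `openpam_parse_chain()`: `name` is declared, set to NULL and freed at `fail:` but never otherwise used, so it can be dropped; and the long comment after the loop says "openpam_readword() returned NULL" while the loop condition calls `openpam_readlinev()`, so the comment should name the function actually being checked.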
@ -0,0 +1,183 @@
|
|||
/*-
|
||||
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
* Network Associates Laboratories, the Security Research Division of
|
||||
* Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
* ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
|
||||
const char *pam_err_name[PAM_NUM_ERRORS] = {
|
||||
[PAM_SUCCESS] = "PAM_SUCCESS",
|
||||
[PAM_OPEN_ERR] = "PAM_OPEN_ERR",
|
||||
[PAM_SYMBOL_ERR] = "PAM_SYMBOL_ERR",
|
||||
[PAM_SERVICE_ERR] = "PAM_SERVICE_ERR",
|
||||
[PAM_SYSTEM_ERR] = "PAM_SYSTEM_ERR",
|
||||
[PAM_BUF_ERR] = "PAM_BUF_ERR",
|
||||
[PAM_CONV_ERR] = "PAM_CONV_ERR",
|
||||
[PAM_PERM_DENIED] = "PAM_PERM_DENIED",
|
||||
[PAM_MAXTRIES] = "PAM_MAXTRIES",
|
||||
[PAM_AUTH_ERR] = "PAM_AUTH_ERR",
|
||||
[PAM_NEW_AUTHTOK_REQD] = "PAM_NEW_AUTHTOK_REQD",
|
||||
[PAM_CRED_INSUFFICIENT] = "PAM_CRED_INSUFFICIENT",
|
||||
[PAM_AUTHINFO_UNAVAIL] = "PAM_AUTHINFO_UNAVAIL",
|
||||
[PAM_USER_UNKNOWN] = "PAM_USER_UNKNOWN",
|
||||
[PAM_CRED_UNAVAIL] = "PAM_CRED_UNAVAIL",
|
||||
[PAM_CRED_EXPIRED] = "PAM_CRED_EXPIRED",
|
||||
[PAM_CRED_ERR] = "PAM_CRED_ERR",
|
||||
[PAM_ACCT_EXPIRED] = "PAM_ACCT_EXPIRED",
|
||||
[PAM_AUTHTOK_EXPIRED] = "PAM_AUTHTOK_EXPIRED",
|
||||
[PAM_SESSION_ERR] = "PAM_SESSION_ERR",
|
||||
[PAM_AUTHTOK_ERR] = "PAM_AUTHTOK_ERR",
|
||||
[PAM_AUTHTOK_RECOVERY_ERR] = "PAM_AUTHTOK_RECOVERY_ERR",
|
||||
[PAM_AUTHTOK_LOCK_BUSY] = "PAM_AUTHTOK_LOCK_BUSY",
|
||||
[PAM_AUTHTOK_DISABLE_AGING] = "PAM_AUTHTOK_DISABLE_AGING",
|
||||
[PAM_NO_MODULE_DATA] = "PAM_NO_MODULE_DATA",
|
||||
[PAM_IGNORE] = "PAM_IGNORE",
|
||||
[PAM_ABORT] = "PAM_ABORT",
|
||||
[PAM_TRY_AGAIN] = "PAM_TRY_AGAIN",
|
||||
[PAM_MODULE_UNKNOWN] = "PAM_MODULE_UNKNOWN",
|
||||
[PAM_DOMAIN_UNKNOWN] = "PAM_DOMAIN_UNKNOWN",
|
||||
[PAM_BAD_HANDLE] = "PAM_BAD_HANDLE",
|
||||
[PAM_BAD_ITEM] = "PAM_BAD_ITEM",
|
||||
[PAM_BAD_FEATURE] = "PAM_BAD_FEATURE",
|
||||
[PAM_BAD_CONSTANT] = "PAM_BAD_CONSTANT",
|
||||
};
|
||||
|
||||
const char *pam_err_text[PAM_NUM_ERRORS] = {
|
||||
[PAM_SUCCESS] = "Success",
|
||||
[PAM_OPEN_ERR] = "Failed to load module",
|
||||
[PAM_SYMBOL_ERR] = "Invalid symbol",
|
||||
[PAM_SERVICE_ERR] = "Error in service module",
|
||||
[PAM_SYSTEM_ERR] = "System error",
|
||||
[PAM_BUF_ERR] = "Memory buffer error",
|
||||
[PAM_CONV_ERR] = "Conversation failure",
|
||||
[PAM_PERM_DENIED] = "Permission denied",
|
||||
[PAM_MAXTRIES] = "Maximum number of tries exceeded",
|
||||
[PAM_AUTH_ERR] = "Authentication error",
|
||||
[PAM_NEW_AUTHTOK_REQD] = "New authentication token required",
|
||||
[PAM_CRED_INSUFFICIENT] = "Insufficient credentials",
|
||||
[PAM_AUTHINFO_UNAVAIL] = "Authentication information is unavailable",
|
||||
[PAM_USER_UNKNOWN] = "Unknown user",
|
||||
[PAM_CRED_UNAVAIL] = "Failed to retrieve user credentials",
|
||||
[PAM_CRED_EXPIRED] = "User credentials have expired",
|
||||
[PAM_CRED_ERR] = "Failed to set user credentials",
|
||||
[PAM_ACCT_EXPIRED] = "User account has expired",
|
||||
[PAM_AUTHTOK_EXPIRED] = "Password has expired",
|
||||
[PAM_SESSION_ERR] = "Session failure",
|
||||
[PAM_AUTHTOK_ERR] = "Authentication token failure",
|
||||
[PAM_AUTHTOK_RECOVERY_ERR] = "Failed to recover old authentication token",
|
||||
[PAM_AUTHTOK_LOCK_BUSY] = "Authentication token lock busy",
|
||||
[PAM_AUTHTOK_DISABLE_AGING] = "Authentication token aging disabled",
|
||||
[PAM_NO_MODULE_DATA] = "Module data not found",
|
||||
[PAM_IGNORE] = "Ignore this module",
|
||||
[PAM_ABORT] = "General failure",
|
||||
[PAM_TRY_AGAIN] = "Try again",
|
||||
[PAM_MODULE_UNKNOWN] = "Unknown module type",
|
||||
[PAM_DOMAIN_UNKNOWN] = "Unknown authentication domain",
|
||||
[PAM_BAD_HANDLE] = "Invalid PAM handle",
|
||||
[PAM_BAD_ITEM] = "Unrecognized or restricted item",
|
||||
[PAM_BAD_FEATURE] = "Unrecognized or restricted feature",
|
||||
[PAM_BAD_CONSTANT] = "Invalid constant",
|
||||
};
|
||||
|
||||
const char *pam_item_name[PAM_NUM_ITEMS] = {
|
||||
[PAM_SERVICE] = "PAM_SERVICE",
|
||||
[PAM_USER] = "PAM_USER",
|
||||
[PAM_TTY] = "PAM_TTY",
|
||||
[PAM_RHOST] = "PAM_RHOST",
|
||||
[PAM_CONV] = "PAM_CONV",
|
||||
[PAM_AUTHTOK] = "PAM_AUTHTOK",
|
||||
[PAM_OLDAUTHTOK] = "PAM_OLDAUTHTOK",
|
||||
[PAM_RUSER] = "PAM_RUSER",
|
||||
[PAM_USER_PROMPT] = "PAM_USER_PROMPT",
|
||||
[PAM_REPOSITORY] = "PAM_REPOSITORY",
|
||||
[PAM_AUTHTOK_PROMPT] = "PAM_AUTHTOK_PROMPT",
|
||||
[PAM_OLDAUTHTOK_PROMPT] = "PAM_OLDAUTHTOK_PROMPT",
|
||||
[PAM_HOST] = "PAM_HOST",
|
||||
};
|
||||
|
||||
const char *pam_facility_name[PAM_NUM_FACILITIES] = {
|
||||
[PAM_ACCOUNT] = "account",
|
||||
[PAM_AUTH] = "auth",
|
||||
[PAM_PASSWORD] = "password",
|
||||
[PAM_SESSION] = "session",
|
||||
};
|
||||
|
||||
const char *pam_control_flag_name[PAM_NUM_CONTROL_FLAGS] = {
|
||||
[PAM_BINDING] = "binding",
|
||||
[PAM_OPTIONAL] = "optional",
|
||||
[PAM_REQUIRED] = "required",
|
||||
[PAM_REQUISITE] = "requisite",
|
||||
[PAM_SUFFICIENT] = "sufficient",
|
||||
};
|
||||
|
||||
const char *pam_func_name[PAM_NUM_PRIMITIVES] = {
|
||||
[PAM_SM_AUTHENTICATE] = "pam_authenticate",
|
||||
[PAM_SM_SETCRED] = "pam_setcred",
|
||||
[PAM_SM_ACCT_MGMT] = "pam_acct_mgmt",
|
||||
[PAM_SM_OPEN_SESSION] = "pam_open_session",
|
||||
[PAM_SM_CLOSE_SESSION] = "pam_close_session",
|
||||
[PAM_SM_CHAUTHTOK] = "pam_chauthtok"
|
||||
};
|
||||
|
||||
const char *pam_sm_func_name[PAM_NUM_PRIMITIVES] = {
|
||||
[PAM_SM_AUTHENTICATE] = "pam_sm_authenticate",
|
||||
[PAM_SM_SETCRED] = "pam_sm_setcred",
|
||||
[PAM_SM_ACCT_MGMT] = "pam_sm_acct_mgmt",
|
||||
[PAM_SM_OPEN_SESSION] = "pam_sm_open_session",
|
||||
[PAM_SM_CLOSE_SESSION] = "pam_sm_close_session",
|
||||
[PAM_SM_CHAUTHTOK] = "pam_sm_chauthtok"
|
||||
};
|
||||
|
||||
const char *openpam_policy_path[] = {
|
||||
"/etc/pam.d/",
|
||||
"/etc/pam.conf",
|
||||
"/usr/local/etc/pam.d/",
|
||||
"/usr/local/etc/pam.conf",
|
||||
NULL
|
||||
};
|
||||
|
||||
const char *openpam_module_path[] = {
|
||||
#ifdef OPENPAM_MODULES_DIRECTORY
|
||||
OPENPAM_MODULES_DIRECTORY,
|
||||
#else
|
||||
"/usr/lib",
|
||||
"/usr/local/lib",
|
||||
#endif
|
||||
NULL
|
||||
};
|
|
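Review bot: the trailing comma is missing after the last element of `pam_func_name` and `pam_sm_func_name` (`[PAM_SM_CHAUTHTOK] = "pam_chauthtok"` and `[PAM_SM_CHAUTHTOK] = "pam_sm_chauthtok"`), while every other table in this file ends its last initializer with a comma before `};`; adding it keeps the tables uniform and makes future additions one-line diffs. One thing worth a comment rather than a change: when `OPENPAM_MODULES_DIRECTORY` is defined, `openpam_module_path` contains only that directory, so the `/usr/lib` and `/usr/local/lib` entries are dropped entirely rather than appended as fallbacks. That is the safer behaviour for a module search path, but it is not obvious from the bare `#ifdef` / `#else` and should be stated next to it.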
@ -0,0 +1,44 @@
|
|||
/*-
|
||||
* Copyright (c) 2011-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_CONSTANTS_H_INCLUDED
|
||||
#define OPENPAM_CONSTANTS_H_INCLUDED
|
||||
|
||||
extern const char *pam_err_name[PAM_NUM_ERRORS];
|
||||
extern const char *pam_err_text[PAM_NUM_ERRORS];
|
||||
extern const char *pam_item_name[PAM_NUM_ITEMS];
|
||||
extern const char *pam_facility_name[PAM_NUM_FACILITIES];
|
||||
extern const char *pam_control_flag_name[PAM_NUM_CONTROL_FLAGS];
|
||||
extern const char *pam_func_name[PAM_NUM_PRIMITIVES];
|
||||
extern const char *pam_sm_func_name[PAM_NUM_PRIMITIVES];
|
||||
|
||||
extern const char *openpam_policy_path[];
|
||||
extern const char *openpam_module_path[];
|
||||
|
||||
#endif
|
|
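Review bot: the extern declarations use `PAM_NUM_ERRORS`, `PAM_NUM_ITEMS`, `PAM_NUM_FACILITIES`, `PAM_NUM_CONTROL_FLAGS` and `PAM_NUM_PRIMITIVES`, but the header includes nothing that defines them, so it compiles only when included after the header that does (presumably through `openpam_impl.h`). Either add that include here or put a one-line comment after the guard stating the ordering requirement, so the dependency does not surprise the next person who includes this file on its own.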
@ -0,0 +1,50 @@
|
|||
/*-
|
||||
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
* Network Associates Laboratories, the Security Research Division of
|
||||
* Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
* ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_CRED_H_INCLUDED
|
||||
#define OPENPAM_CRED_H_INCLUDED
|
||||
|
||||
/*
|
||||
* Saved credentials
|
||||
*/
|
||||
#define PAM_SAVED_CRED "pam_saved_cred"
|
||||
struct pam_saved_cred {
|
||||
uid_t euid;
|
||||
gid_t egid;
|
||||
gid_t groups[NGROUPS_MAX];
|
||||
int ngroups;
|
||||
};
|
||||
|
||||
#endif
|
|
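Review bot: `struct pam_saved_cred` uses `uid_t`, `gid_t` and `NGROUPS_MAX` but the header includes neither `<sys/types.h>` nor `<limits.h>` / `<sys/param.h>`, so it relies on the includer having pulled those in; the includes (or a comment) would remove the ordering dependency. Also worth documenting next to `gid_t groups[NGROUPS_MAX];`: the array is sized at the platform maximum, which is 65536 on Linux, so the struct is about 256 KiB there and should be heap-allocated rather than placed on the stack of whatever saves credentials.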
@ -0,0 +1,95 @@
|
|||
/*-
|
||||
* Copyright (c) 2012-2014 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_CTYPE_H_INCLUDED
|
||||
#define OPENPAM_CTYPE_H_INCLUDED
|
||||
|
||||
/*
|
||||
* Evaluates to non-zero if the argument is a digit.
|
||||
*/
|
||||
#define is_digit(ch) \
|
||||
(ch >= '0' && ch <= '9')
|
||||
|
||||
/*
|
||||
* Evaluates to non-zero if the argument is a hex digit.
|
||||
*/
|
||||
#define is_xdigit(ch) \
|
||||
((ch >= '0' && ch <= '9') || \
|
||||
(ch >= 'a' && ch <= 'f') || \
|
||||
(ch >= 'A' && ch <= 'F'))
|
||||
|
||||
/*
|
||||
* Evaluates to non-zero if the argument is an uppercase letter.
|
||||
*/
|
||||
#define is_upper(ch) \
|
||||
(ch >= 'A' && ch <= 'Z')
|
||||
|
||||
/*
|
||||
* Evaluates to non-zero if the argument is a lowercase letter.
|
||||
*/
|
||||
#define is_lower(ch) \
|
||||
(ch >= 'a' && ch <= 'z')
|
||||
|
||||
/*
|
||||
* Evaluates to non-zero if the argument is a letter.
|
||||
*/
|
||||
#define is_letter(ch) \
|
||||
(is_upper(ch) || is_lower(ch))
|
||||
|
||||
/*
|
||||
* Evaluates to non-zero if the argument is a linear whitespace character.
|
||||
* For the purposes of this macro, the definition of linear whitespace is
|
||||
* extended to include the form feed and carraige return characters.
|
||||
*/
|
||||
#define is_lws(ch) \
|
||||
(ch == ' ' || ch == '\t' || ch == '\f' || ch == '\r')
|
||||
|
||||
/*
|
||||
* Evaluates to non-zero if the argument is a whitespace character.
|
||||
*/
|
||||
#define is_ws(ch) \
|
||||
(is_lws(ch) || ch == '\n')
|
||||
|
||||
/*
|
||||
* Evaluates to non-zero if the argument is a printable ASCII character.
|
||||
* Assumes that the execution character set is a superset of ASCII.
|
||||
*/
|
||||
#define is_p(ch) \
|
||||
(ch >= '!' && ch <= '~')
|
||||
|
||||
/*
|
||||
* Returns non-zero if the argument belongs to the POSIX Portable Filename
|
||||
* Character Set. Assumes that the execution character set is a superset
|
||||
* of ASCII.
|
||||
*/
|
||||
#define is_pfcs(ch) \
|
||||
(is_digit(ch) || is_letter(ch) || \
|
||||
ch == '.' || ch == '_' || ch == '-')
|
||||
|
||||
#endif
|
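Review bot: none of these macros parenthesize their argument (`#define is_digit(ch) (ch >= '0' && ch <= '9')`), so an argument containing a lower-precedence operator, e.g. `is_digit(c ? a : b)`, parses differently from what the caller intends, and an argument with a side effect such as `is_xdigit(*p++)` is evaluated up to three times; writing each use as `((ch) >= '0' && (ch) <= '9')` fixes the first problem, and a header comment should warn about the second. Two smaller points: "carraige" in the `is_lws` comment should be "carriage", and `is_p` starts at `'!'`, so a space is not "printable" by this definition even though `<ctype.h>`'s `isprint()` includes it; the comment should say the range is deliberately `'!'`..`'~'`.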
|
@ -0,0 +1,110 @@
|
|||
/*-
|
||||
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
* Network Associates Laboratories, the Security Research Division of
|
||||
* Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
* ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_DEBUG_H_INCLUDED
|
||||
#define OPENPAM_DEBUG_H_INCLUDED
|
||||
|
||||
#ifdef OPENPAM_DEBUG
|
||||
#define ENTER() openpam_log(PAM_LOG_LIBDEBUG, "entering")
|
||||
#define ENTERI(i) do { \
|
||||
int i_ = (i); \
|
||||
if (i_ > 0 && i_ < PAM_NUM_ITEMS) \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", pam_item_name[i_]); \
|
||||
else \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", i_); \
|
||||
} while (0)
|
||||
#define ENTERN(n) do { \
|
||||
int n_ = (n); \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", n_); \
|
||||
} while (0)
|
||||
#define ENTERS(s) do { \
|
||||
const char *s_ = (s); \
|
||||
if (s_ == NULL) \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "entering: NULL"); \
|
||||
else \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "entering: '%s'", s_); \
|
||||
} while (0)
|
||||
#define ENTERF(f) do { \
|
||||
int f_ = (f); \
|
||||
if (f_ >= 0 && f_ <= OPENPAM_NUM_FEATURES) \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "entering: %s", \
|
||||
openpam_features[f_].name); \
|
||||
else \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "entering: %d", f_); \
|
||||
} while (0)
|
||||
#define RETURNV() openpam_log(PAM_LOG_LIBDEBUG, "returning")
|
||||
#define RETURNC(c) do { \
|
||||
int c_ = (c); \
|
||||
if (c_ >= 0 && c_ < PAM_NUM_ERRORS) \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "returning %s", pam_err_name[c_]); \
|
||||
else \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "returning %d!", c_); \
|
||||
return (c_); \
|
||||
} while (0)
|
||||
#define RETURNN(n) do { \
|
||||
int n_ = (n); \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "returning %d", n_); \
|
||||
return (n_); \
|
||||
} while (0)
|
||||
#define RETURNP(p) do { \
|
||||
void *p_ = (p); \
|
||||
if (p_ == NULL) \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \
|
||||
else \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "returning %p", p_); \
|
||||
return (p_); \
|
||||
} while (0)
|
||||
#define RETURNS(s) do { \
|
||||
const char *s_ = (s); \
|
||||
if (s_ == NULL) \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "returning NULL"); \
|
||||
else \
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "returning '%s'", s_); \
|
||||
return (s_); \
|
||||
} while (0)
|
||||
#else
|
||||
#define ENTER()
|
||||
#define ENTERI(i)
|
||||
#define ENTERN(n)
|
||||
#define ENTERS(s)
|
||||
#define ENTERF(f)
|
||||
#define RETURNV() return
|
||||
#define RETURNC(c) return (c)
|
||||
#define RETURNN(n) return (n)
|
||||
#define RETURNP(p) return (p)
|
||||
#define RETURNS(s) return (s)
|
||||
#endif
|
||||
|
||||
#endif
|
|
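Review bot: `ENTERF` has an off-by-one in its bounds check: `if (f_ >= 0 && f_ <= OPENPAM_NUM_FEATURES)` admits `f_ == OPENPAM_NUM_FEATURES` and then reads `openpam_features[f_].name` one element past the end of the array; compare `RETURNC`, which correctly uses `c_ < PAM_NUM_ERRORS`. It should read `f_ < OPENPAM_NUM_FEATURES`. Because these macros only expand under `OPENPAM_DEBUG` this is a debug-build out-of-bounds read, but it is exactly what an ASan or fuzzing run on a debug build will trip over.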
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,20 +31,24 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_dispatch.c#21 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
|
||||
#if !defined(OPENPAM_RELAX_CHECKS)
|
||||
static void _openpam_check_error_code(int, int);
|
||||
static void openpam_check_error_code(int, int);
|
||||
#else
|
||||
#define _openpam_check_error_code(a, b)
|
||||
#define openpam_check_error_code(a, b)
|
||||
#endif /* !defined(OPENPAM_RELAX_CHECKS) */
|
||||
|
||||
/*
|
||||
|
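Review bot: the rename from `_openpam_check_error_code` to `openpam_check_error_code` is the right call, since file-scope identifiers beginning with an underscore are reserved for the implementation in C, and the prototype and the `OPENPAM_RELAX_CHECKS` stub `#define openpam_check_error_code(a, b)` now agree. The new `#include <stdint.h>` should carry a short comment saying it is there for `intptr_t` (used in the `optv` cast later in this file); without it the include reads as unused.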
@ -58,22 +63,18 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
int flags)
|
||||
{
|
||||
pam_chain_t *chain;
|
||||
int err, fail, r;
|
||||
#ifdef DEBUG
|
||||
int err, fail, nsuccess, r;
|
||||
int debug;
|
||||
#endif
|
||||
|
||||
ENTER();
|
||||
if (pamh == NULL)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
|
||||
/* prevent recursion */
|
||||
if (pamh->current != NULL) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"%s() called while %s::%s() is in progress",
|
||||
_pam_func_name[primitive],
|
||||
pam_func_name[primitive],
|
||||
pamh->current->module->path,
|
||||
_pam_sm_func_name[pamh->primitive]);
|
||||
pam_sm_func_name[pamh->primitive]);
|
||||
RETURNC(PAM_ABORT);
|
||||
}
|
||||
|
||||
|
@ -98,36 +99,35 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
}
|
||||
|
||||
/* execute */
|
||||
for (err = fail = 0; chain != NULL; chain = chain->next) {
|
||||
err = PAM_SUCCESS;
|
||||
fail = nsuccess = 0;
|
||||
for (; chain != NULL; chain = chain->next) {
|
||||
if (chain->module->func[primitive] == NULL) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: no %s()",
|
||||
chain->module->path, _pam_sm_func_name[primitive]);
|
||||
continue;
|
||||
chain->module->path, pam_sm_func_name[primitive]);
|
||||
r = PAM_SYMBOL_ERR;
|
||||
} else {
|
||||
pamh->primitive = primitive;
|
||||
pamh->current = chain;
|
||||
#ifdef DEBUG
|
||||
debug = (openpam_get_option(pamh, "debug") != NULL);
|
||||
if (debug)
|
||||
++_openpam_debug;
|
||||
openpam_log(PAM_LOG_DEBUG, "calling %s() in %s",
|
||||
_pam_sm_func_name[primitive], chain->module->path);
|
||||
#endif
|
||||
++openpam_debug;
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "calling %s() in %s",
|
||||
pam_sm_func_name[primitive], chain->module->path);
|
||||
r = (chain->module->func[primitive])(pamh, flags,
|
||||
chain->optc, (const char **)chain->optv);
|
||||
chain->optc, (const char **)(intptr_t)chain->optv);
|
||||
pamh->current = NULL;
|
||||
#ifdef DEBUG
|
||||
openpam_log(PAM_LOG_DEBUG, "%s: %s(): %s",
|
||||
chain->module->path, _pam_sm_func_name[primitive],
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
|
||||
chain->module->path, pam_sm_func_name[primitive],
|
||||
pam_strerror(pamh, r));
|
||||
if (debug)
|
||||
--_openpam_debug;
|
||||
#endif
|
||||
--openpam_debug;
|
||||
}
|
||||
|
||||
if (r == PAM_IGNORE)
|
||||
continue;
|
||||
if (r == PAM_SUCCESS) {
|
||||
++nsuccess;
|
||||
/*
|
||||
* For pam_setcred() and pam_chauthtok() with the
|
||||
* PAM_PRELIM_CHECK flag, treat "sufficient" as
|
||||
|
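Review bot: `++openpam_debug` / `--openpam_debug` around the module call is now unconditional, whereas the replaced code raised `_openpam_debug` only when the module had the `debug` option set (`debug = (openpam_get_option(pamh, "debug") != NULL);` followed by `if (debug) ++_openpam_debug;`). If `openpam_debug` still controls logging verbosity, every module now runs at an elevated level regardless of policy and the per-module `debug` option no longer has any effect here; if it has become a nesting counter instead, a comment at the increment would settle the question. The change from `continue;` to `r = PAM_SYMBOL_ERR;` when `chain->module->func[primitive]` is missing is a welcome fail-closed change: a module lacking the primitive is now a failure subject to its control flag rather than silently skipped. Note, though, that unless `PAM_SYMBOL_ERR` is in the common-code list of `openpam_check_error_code()` it will be logged a second time as an "unexpected return value", and the double cast `(const char **)(intptr_t)chain->optv` deserves a comment stating it exists only to silence the `char **` to `const char **` warning.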
@ -142,18 +142,18 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
continue;
|
||||
}
|
||||
|
||||
_openpam_check_error_code(primitive, r);
|
||||
openpam_check_error_code(primitive, r);
|
||||
|
||||
/*
|
||||
* Record the return code from the first module to
|
||||
* fail. If a required module fails, record the
|
||||
* return code from the first required module to fail.
|
||||
*/
|
||||
if (err == 0)
|
||||
if (err == PAM_SUCCESS)
|
||||
err = r;
|
||||
if ((chain->flag == PAM_REQUIRED ||
|
||||
chain->flag == PAM_BINDING) && !fail) {
|
||||
openpam_log(PAM_LOG_DEBUG, "required module failed");
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "required module failed");
|
||||
fail = 1;
|
||||
err = r;
|
||||
}
|
||||
|
@ -163,7 +163,7 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
* immediately.
|
||||
*/
|
||||
if (chain->flag == PAM_REQUISITE) {
|
||||
openpam_log(PAM_LOG_DEBUG, "requisite module failed");
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "requisite module failed");
|
||||
fail = 1;
|
||||
break;
|
||||
}
|
||||
|
@ -171,15 +171,28 @@ openpam_dispatch(pam_handle_t *pamh,
|
|||
|
||||
if (!fail && err != PAM_NEW_AUTHTOK_REQD)
|
||||
err = PAM_SUCCESS;
|
||||
|
||||
/*
|
||||
* Require the chain to be non-empty, and at least one module
|
||||
* in the chain to be successful, so that we don't fail open.
|
||||
*/
|
||||
if (err == PAM_SUCCESS && nsuccess < 1) {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"all modules were unsuccessful for %s()",
|
||||
pam_sm_func_name[primitive]);
|
||||
err = PAM_SYSTEM_ERR;
|
||||
}
|
||||
|
||||
RETURNC(err);
|
||||
}
|
||||
|
||||
#if !defined(OPENPAM_RELAX_CHECKS)
|
||||
static void
|
||||
_openpam_check_error_code(int primitive, int r)
|
||||
openpam_check_error_code(int primitive, int r)
|
||||
{
|
||||
/* common error codes */
|
||||
if (r == PAM_SUCCESS ||
|
||||
r == PAM_SYSTEM_ERR ||
|
||||
r == PAM_SERVICE_ERR ||
|
||||
r == PAM_BUF_ERR ||
|
||||
r == PAM_CONV_ERR ||
|
||||
|
@ -228,7 +241,7 @@ _openpam_check_error_code(int primitive, int r)
|
|||
}
|
||||
|
||||
openpam_log(PAM_LOG_ERROR, "%s(): unexpected return value %d",
|
||||
_pam_sm_func_name[primitive], r);
|
||||
pam_sm_func_name[primitive], r);
|
||||
}
|
||||
#endif /* !defined(OPENPAM_RELAX_CHECKS) */
|
||||
|
|
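Review bot: the new `if (err == PAM_SUCCESS && nsuccess < 1)` guard is the important change in this file: it closes the fail-open case in which an empty chain, a chain where every module returned `PAM_IGNORE`, or a chain where every failure came from an `optional` module previously produced `PAM_SUCCESS`. Two suggestions: the log text "all modules were unsuccessful for %s()" does not cover the empty-chain case that the comment above it names, so something like "no module succeeded (empty chain, or all modules ignored or failed)" would match the condition; and the `%s` is filled with `pam_sm_func_name[primitive]` here while the recursion message earlier in this function uses `pam_func_name[primitive]` for the caller-facing name, so pick one consistently so that log searches line up.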
@ -0,0 +1,44 @@
|
|||
/*-
|
||||
* Copyright (c) 2013 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_DLFCN_H_INCLUDED
|
||||
#define OPENPAM_DLFCN_H_INCLUDED
|
||||
|
||||
#ifndef HAVE_DLFUNC
|
||||
typedef void (*dlfunc_t)();
|
||||
|
||||
static inline dlfunc_t
|
||||
dlfunc(void *handle, const char *symbol)
|
||||
{
|
||||
|
||||
return ((dlfunc_t)dlsym(handle, symbol));
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
|
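Review bot: the include guard is `OPENPAM_DLFCN_H_INCLUDED` but the file is included as `"openpam_dlfunc.h"` (see the `#include` list in openpam_dynamic.c below), so the guard should follow the file name to avoid colliding with a future openpam_dlfcn.h. The header also calls `dlsym()` without including `<dlfcn.h>` itself, and `typedef void (*dlfunc_t)();` is an old-style non-prototype declaration; `typedef void (*dlfunc_t)(void);` expresses the intent (an opaque function pointer the caller casts to the real type) without relying on the deprecated empty parameter list.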
@ -0,0 +1,260 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
* Network Associates Laboratories, the Security Research Division of
|
||||
* Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
* ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <dlfcn.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
#include "openpam_asprintf.h"
|
||||
#include "openpam_ctype.h"
|
||||
#include "openpam_dlfunc.h"
|
||||
|
||||
#ifndef RTLD_NOW
|
||||
#define RTLD_NOW RTLD_LAZY
|
||||
#endif
|
||||
|
||||
/*
|
||||
* OpenPAM internal
|
||||
*
|
||||
* Perform sanity checks and attempt to load a module
|
||||
*/
|
||||
|
||||
#ifdef HAVE_FDLOPEN
|
||||
static void *
|
||||
try_dlopen(const char *modfn)
|
||||
{
|
||||
void *dlh;
|
||||
int fd;
|
||||
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "dlopen(%s)", modfn);
|
||||
if ((fd = open(modfn, O_RDONLY)) < 0) {
|
||||
if (errno != ENOENT)
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", modfn);
|
||||
return (NULL);
|
||||
}
|
||||
if (OPENPAM_FEATURE(VERIFY_MODULE_FILE) &&
|
||||
openpam_check_desc_owner_perms(modfn, fd) != 0) {
|
||||
close(fd);
|
||||
return (NULL);
|
||||
}
|
||||
if ((dlh = fdlopen(fd, RTLD_NOW)) == NULL) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror());
|
||||
close(fd);
|
||||
errno = 0;
|
||||
return (NULL);
|
||||
}
|
||||
close(fd);
|
||||
return (dlh);
|
||||
}
|
||||
#else
|
||||
static void *
|
||||
try_dlopen(const char *modfn)
|
||||
{
|
||||
int check_module_file;
|
||||
void *dlh;
|
||||
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "dlopen(%s)", modfn);
|
||||
openpam_get_feature(OPENPAM_VERIFY_MODULE_FILE,
|
||||
&check_module_file);
|
||||
if (check_module_file &&
|
||||
openpam_check_path_owner_perms(modfn) != 0)
|
||||
return (NULL);
|
||||
if ((dlh = dlopen(modfn, RTLD_NOW)) == NULL) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %s", modfn, dlerror());
|
||||
errno = 0;
|
||||
return (NULL);
|
||||
}
|
||||
return (dlh);
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Try to load a module from the suggested location.
|
||||
*/
|
||||
static pam_module_t *
|
||||
try_module(const char *modpath)
|
||||
{
|
||||
const pam_module_t *dlmodule;
|
||||
pam_module_t *module;
|
||||
int i, serrno;
|
||||
|
||||
if ((module = calloc(1, sizeof *module)) == NULL ||
|
||||
(module->path = strdup(modpath)) == NULL ||
|
||||
(module->dlh = try_dlopen(modpath)) == NULL)
|
||||
goto err;
|
||||
dlmodule = dlsym(module->dlh, "_pam_module");
|
||||
for (i = 0; i < PAM_NUM_PRIMITIVES; ++i) {
|
||||
if (dlmodule) {
|
||||
module->func[i] = dlmodule->func[i];
|
||||
} else {
|
||||
module->func[i] = (pam_func_t)dlfunc(module->dlh,
|
||||
pam_sm_func_name[i]);
|
||||
/*
|
||||
* This openpam_log() call is a major source of
|
||||
* log spam, and the cases that matter are caught
|
||||
* and logged in openpam_dispatch(). This would
|
||||
* be less problematic if dlerror() returned an
|
||||
* error code so we could log an error only when
|
||||
* dlfunc() failed for a reason other than "no
|
||||
* such symbol".
|
||||
*/
|
||||
#if 0
|
||||
if (module->func[i] == NULL)
|
||||
openpam_log(PAM_LOG_LIBDEBUG, "%s: %s(): %s",
|
||||
modpath, pam_sm_func_name[i], dlerror());
|
||||
#endif
|
||||
}
|
||||
}
|
||||
return (module);
|
||||
err:
|
||||
serrno = errno;
|
||||
if (module != NULL) {
|
||||
if (module->dlh != NULL)
|
||||
dlclose(module->dlh);
|
||||
if (module->path != NULL)
|
||||
FREE(module->path);
|
||||
FREE(module);
|
||||
}
|
||||
errno = serrno;
|
||||
if (serrno != 0 && serrno != ENOENT)
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", modpath);
|
||||
errno = serrno;
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
/*
|
||||
* OpenPAM internal
|
||||
*
|
||||
* Locate a dynamically linked module
|
||||
*/
|
||||
|
||||
pam_module_t *
|
||||
openpam_dynamic(const char *modname)
|
||||
{
|
||||
pam_module_t *module;
|
||||
char modpath[PATH_MAX];
|
||||
const char **path, *p;
|
||||
int has_so, has_ver;
|
||||
int dot, len;
|
||||
|
||||
/*
|
||||
* Simple case: module name contains path separator(s)
|
||||
*/
|
||||
if (strchr(modname, '/') != NULL) {
|
||||
/*
|
||||
* Absolute paths are not allowed if RESTRICT_MODULE_NAME
|
||||
* is in effect (default off). Relative paths are never
|
||||
* allowed.
|
||||
*/
|
||||
if (OPENPAM_FEATURE(RESTRICT_MODULE_NAME) ||
|
||||
modname[0] != '/') {
|
||||
openpam_log(PAM_LOG_ERROR,
|
||||
"invalid module name: %s", modname);
|
||||
return (NULL);
|
||||
}
|
||||
return (try_module(modname));
|
||||
}
|
||||
|
||||
/*
|
||||
* Check for .so and version sufixes
|
||||
*/
|
||||
p = strchr(modname, '\0');
|
||||
has_ver = has_so = 0;
|
||||
while (is_digit(*p))
|
||||
--p;
|
||||
if (*p == '.' && *++p != '\0') {
|
||||
/* found a numeric suffix */
|
||||
has_ver = 1;
|
||||
/* assume that .so is either present or unneeded */
|
||||
has_so = 1;
|
||||
} else if (*p == '\0' && p >= modname + sizeof PAM_SOEXT &&
|
||||
strcmp(p - sizeof PAM_SOEXT + 1, PAM_SOEXT) == 0) {
|
||||
/* found .so suffix */
|
||||
has_so = 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Complicated case: search for the module in the usual places.
|
||||
*/
|
||||
for (path = openpam_module_path; *path != NULL; ++path) {
|
||||
/*
|
||||
* Assemble the full path, including the version suffix. Take
|
||||
* note of where the suffix begins so we can cut it off later.
|
||||
*/
|
||||
if (has_ver)
|
||||
len = snprintf(modpath, sizeof modpath, "%s/%s%n",
|
||||
*path, modname, &dot);
|
||||
else if (has_so)
|
||||
len = snprintf(modpath, sizeof modpath, "%s/%s%n.%d",
|
||||
*path, modname, &dot, LIB_MAJ);
|
||||
else
|
||||
len = snprintf(modpath, sizeof modpath, "%s/%s%s%n.%d",
|
||||
*path, modname, PAM_SOEXT, &dot, LIB_MAJ);
|
||||
/* check for overflow */
|
||||
if (len < 0 || (unsigned int)len >= sizeof modpath) {
|
||||
errno = ENOENT;
|
||||
continue;
|
||||
}
|
||||
/* try the versioned path */
|
||||
if ((module = try_module(modpath)) != NULL)
|
||||
return (module);
|
||||
if (errno == ENOENT && modpath[dot] != '\0') {
|
||||
/* no luck, try the unversioned path */
|
||||
modpath[dot] = '\0';
|
||||
if ((module = try_module(modpath)) != NULL)
|
||||
return (module);
|
||||
}
|
||||
}
|
||||
|
||||
/* :( */
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
/*
|
||||
* NOPARSE
|
||||
*/
|
|
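Review bot: the version-suffix scan in `openpam_dynamic()` never moves: `p = strchr(modname, '\0');` leaves `p` on the terminating NUL, `is_digit('\0')` is false, so `while (is_digit(*p)) --p;` exits immediately and `has_ver` can never become 1; the loop presumably meant to examine the character before `p`, and it also needs a `p > modname` guard so an all-digit name cannot walk in front of the buffer. Second, in the non-`HAVE_FDLOPEN` `try_dlopen()` the return value of `openpam_get_feature(OPENPAM_VERIFY_MODULE_FILE, &check_module_file)` is ignored, so on failure `check_module_file` is read uninitialized and the owner/permission check may be skipped; the fdlopen variant uses `OPENPAM_FEATURE(VERIFY_MODULE_FILE)` and the two paths should agree. The fdlopen variant is also the stronger one because it verifies the very descriptor it then loads, whereas the path-based fallback necessarily leaves a window between `openpam_check_path_owner_perms(modfn)` and `dlopen(modfn, RTLD_NOW)`, which is worth a comment. Third, the `%n` conversions in the three `snprintf()` calls that compute `dot` are treated as fatal by some hardened C libraries; deriving `dot` from the prefix length with the `snprintf()` return value is portable and avoids a conversion that security tooling flags. Minor: "sufixes" in the comment should be "suffixes".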
@ -0,0 +1,71 @@
/*-
* Copyright (c) 2012-2015 Dag-Erling Smørgrav
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <security/pam_appl.h>

#include "openpam_impl.h"

#define STRUCT_OPENPAM_FEATURE(name, descr, dflt) \
[OPENPAM_##name] = { \
"OPENPAM_" #name, \
descr, \
dflt \
}

struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES] = {
STRUCT_OPENPAM_FEATURE(
RESTRICT_SERVICE_NAME,
"Disallow path separators in service names",
1
),
STRUCT_OPENPAM_FEATURE(
VERIFY_POLICY_FILE,
"Verify ownership and permissions of policy files",
1
),
STRUCT_OPENPAM_FEATURE(
RESTRICT_MODULE_NAME,
"Disallow path separators in module names",
0
),
STRUCT_OPENPAM_FEATURE(
VERIFY_MODULE_FILE,
"Verify ownership and permissions of module files",
1
),
STRUCT_OPENPAM_FEATURE(
FALLBACK_TO_OTHER,
"Fall back to \"other\" policy for empty chains",
1
),
};
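Review bot: the designated initializer `[OPENPAM_##name]` means any value in the `OPENPAM_NUM_FEATURES` range that is left out of this table silently becomes a zero-filled entry with a NULL `name`, which `openpam_get_feature` would then report as a disabled feature; consider a compile-time check that the table is complete, or a NULL-`name` check in the lookup. The two "restrict" features also ship with opposite defaults (`RESTRICT_SERVICE_NAME` 1, `RESTRICT_MODULE_NAME` 0); the openpam_get_feature documentation explains why, but a one-line comment next to the 0 here would stop the next reader from "fixing" it.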
@ -0,0 +1,45 @@
/*-
* Copyright (c) 2012 Dag-Erling Smørgrav
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/

#ifndef OPENPAM_FEATURES_H_INCLUDED
#define OPENPAM_FEATURES_H_INCLUDED

struct openpam_feature {
const char *name;
const char *desc;
int onoff;
};

extern struct openpam_feature openpam_features[OPENPAM_NUM_FEATURES];

/* shortcut for internal use */
#define OPENPAM_FEATURE(f) \
openpam_features[OPENPAM_##f].onoff

#endif
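Review bot: this header uses `OPENPAM_NUM_FEATURES` without including whatever defines it, so it only compiles when pulled in through openpam_impl.h after `<security/openpam.h>`, which is how the openpam_impl.h hunk in this patch includes it; either add the include here or say in a comment that the header is internal and must not be included on its own.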
@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@ -30,10 +31,13 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/openpam/lib/openpam_findenv.c#12 $
*/

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <errno.h>
#include <string.h>

#include <security/pam_appl.h>
@ -54,12 +58,11 @@ openpam_findenv(pam_handle_t *pamh,
int i;

ENTER();
if (pamh == NULL)
RETURNN(-1);
for (i = 0; i < pamh->env_count; ++i)
if (strncmp(pamh->env[i], name, len) == 0 &&
pamh->env[i][len] == '=')
RETURNN(i);
errno = ENOENT;
RETURNN(-1);
}
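Review bot: the new `if (pamh == NULL) RETURNN(-1);` guard contradicts the `OPENPAM_NONNULL((1,2))` attribute that the openpam_impl.h hunk puts on `openpam_findenv`: with that attribute a compiler may assume `pamh` is non-null and drop the check entirely. The NULL path also returns -1 without setting `errno`, while the not-found path sets `ENOENT`. Keep either the attribute or the check, and if the check stays, set `errno` (e.g. `EINVAL`) before `RETURNN(-1)`.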
@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@ -30,10 +31,12 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/openpam/lib/openpam_free_data.c#7 $
*/

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <stdlib.h>
#include <string.h>
@ -1,13 +1,12 @@
/*-
* Copyright (c) 2005 Dag-Erling Coïdan Smørgrav
* Copyright (c) 2005-2011 Dag-Erling Smørgrav
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer
* in this position and unchanged.
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
@ -24,10 +23,12 @@
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/openpam/lib/openpam_free_envlist.c#2 $
*/

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <stdlib.h>

#include <security/pam_appl.h>
@ -63,4 +64,6 @@ openpam_free_envlist(char **envlist)
* frees all the environment variables in an environment list, and the
* list itself.
* It is suitable for freeing the return value from =pam_getenvlist.
*
* AUTHOR DES
*/
@ -0,0 +1,96 @@
/*-
* Copyright (c) 2012-2017 Dag-Erling Smørgrav
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <security/pam_appl.h>
#include <security/openpam.h>

#include "openpam_impl.h"

/*
* OpenPAM extension
*
* Query the state of an optional feature.
*/

int
openpam_get_feature(int feature, int *onoff)
{

ENTERF(feature);
if (feature < 0 || feature >= OPENPAM_NUM_FEATURES)
RETURNC(PAM_BAD_FEATURE);
*onoff = openpam_features[feature].onoff;
RETURNC(PAM_SUCCESS);
}

/*
* Error codes:
*
* PAM_BAD_FEATURE
*/

/**
* EXPERIMENTAL
*
* The =openpam_get_feature function stores the current state of the
* specified feature in the variable pointed to by its =onoff argument.
*
* The following features are recognized:
*
* =OPENPAM_RESTRICT_SERVICE_NAME:
* Disallow path separators in service names.
* This feature is enabled by default.
* Disabling it allows the application to specify the path to
* the desired policy file directly.
*
* =OPENPAM_VERIFY_POLICY_FILE:
* Verify the ownership and permissions of the policy file
* and the path leading up to it.
* This feature is enabled by default.
*
* =OPENPAM_RESTRICT_MODULE_NAME:
* Disallow path separators in module names.
* This feature is disabled by default.
* Enabling it prevents the use of modules in non-standard
* locations.
*
* =OPENPAM_VERIFY_MODULE_FILE:
* Verify the ownership and permissions of each loadable
* module and the path leading up to it.
* This feature is enabled by default.
*
*
* >openpam_set_feature
*
* AUTHOR DES
*/
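Review bot: the feature list in the documentation block is out of sync with the table in openpam_features.c, which also defines `OPENPAM_FALLBACK_TO_OTHER` ("Fall back to \"other\" policy for empty chains", enabled by default); add it here so the public description matches what the library actually exposes. Also `*onoff` is written without a NULL check and no `OPENPAM_NONNULL` attribute for `openpam_get_feature` appears anywhere in this patch, and there is a doubled empty `*` line just before `>openpam_set_feature`.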
@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@ -30,16 +31,17 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/openpam/lib/openpam_get_option.c#10 $
*/

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <sys/param.h>

#include <string.h>

#include <security/pam_appl.h>
#include <security/openpam.h>

#include "openpam_impl.h"
@ -1,5 +1,6 @@
/*-
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@ -30,25 +31,14 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/openpam/lib/openpam_impl.h#29 $
*/

#ifndef _OPENPAM_IMPL_H_INCLUDED
#define _OPENPAM_IMPL_H_INCLUDED

#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
#ifndef OPENPAM_IMPL_H_INCLUDED
#define OPENPAM_IMPL_H_INCLUDED

#include <security/openpam.h>

extern const char *_pam_func_name[PAM_NUM_PRIMITIVES];
extern const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES];
extern const char *_pam_err_name[PAM_NUM_ERRORS];
extern const char *_pam_item_name[PAM_NUM_ITEMS];

extern int _openpam_debug;
extern int openpam_debug;

/*
* Control flags
@ -74,6 +64,9 @@ typedef enum {
PAM_NUM_FACILITIES
} pam_facility_t;

/*
* Module chains
*/
typedef struct pam_chain pam_chain_t;
struct pam_chain {
pam_module_t *module;
@ -83,6 +76,21 @@ struct pam_chain {
pam_chain_t *next;
};

/*
* Service policies
*/
#if defined(OPENPAM_EMBEDDED)
typedef struct pam_policy pam_policy_t;
struct pam_policy {
const char *service;
pam_chain_t *chains[PAM_NUM_FACILITIES];
};
extern pam_policy_t *pam_embedded_policies[];
#endif

/*
* Module-specific data
*/
typedef struct pam_data pam_data_t;
struct pam_data {
char *name;
@ -91,6 +99,9 @@ struct pam_data {
pam_data_t *next;
};

/*
* PAM context
*/
struct pam_handle {
char *service;

@ -109,91 +120,54 @@ struct pam_handle {
int env_size;
};

#ifdef NGROUPS_MAX
#define PAM_SAVED_CRED "pam_saved_cred"
struct pam_saved_cred {
uid_t euid;
gid_t egid;
gid_t groups[NGROUPS_MAX];
int ngroups;
};
#endif

/*
* Default policy
*/
#define PAM_OTHER "other"

int openpam_configure(pam_handle_t *, const char *);
int openpam_dispatch(pam_handle_t *, int, int);
int openpam_findenv(pam_handle_t *, const char *, size_t);
pam_module_t *openpam_load_module(const char *);
void openpam_clear_chains(pam_chain_t **);
/*
* Internal functions
*/
int openpam_configure(pam_handle_t *, const char *)
OPENPAM_NONNULL((1));
int openpam_dispatch(pam_handle_t *, int, int)
OPENPAM_NONNULL((1));
int openpam_findenv(pam_handle_t *, const char *, size_t)
OPENPAM_NONNULL((1,2));
pam_module_t *openpam_load_module(const char *)
OPENPAM_NONNULL((1));
void openpam_clear_chains(pam_chain_t **)
OPENPAM_NONNULL((1));

int openpam_check_desc_owner_perms(const char *, int)
OPENPAM_NONNULL((1));
int openpam_check_path_owner_perms(const char *)
OPENPAM_NONNULL((1));

#ifdef OPENPAM_STATIC_MODULES
pam_module_t *openpam_static(const char *);
pam_module_t *openpam_static(const char *)
OPENPAM_NONNULL((1));
#endif
pam_module_t *openpam_dynamic(const char *);
pam_module_t *openpam_dynamic(const char *)
OPENPAM_NONNULL((1));

#define FREE(p) do { free((p)); (p) = NULL; } while (0)
#define FREE(p) \
do { \
free(p); \
(p) = NULL; \
} while (0)

#ifdef DEBUG
#define ENTER() openpam_log(PAM_LOG_DEBUG, "entering")
#define ENTERI(i) do { \
int _i = (i); \
if (_i > 0 && _i < PAM_NUM_ITEMS) \
openpam_log(PAM_LOG_DEBUG, "entering: %s", _pam_item_name[_i]); \
else \
openpam_log(PAM_LOG_DEBUG, "entering: %d", _i); \
} while (0)
#define ENTERN(n) do { \
int _n = (n); \
openpam_log(PAM_LOG_DEBUG, "entering: %d", _n); \
} while (0)
#define ENTERS(s) do { \
const char *_s = (s); \
if (_s == NULL) \
openpam_log(PAM_LOG_DEBUG, "entering: NULL"); \
else \
openpam_log(PAM_LOG_DEBUG, "entering: '%s'", _s); \
} while (0)
#define RETURNV() openpam_log(PAM_LOG_DEBUG, "returning")
#define RETURNC(c) do { \
int _c = (c); \
if (_c >= 0 && _c < PAM_NUM_ERRORS) \
openpam_log(PAM_LOG_DEBUG, "returning %s", _pam_err_name[_c]); \
else \
openpam_log(PAM_LOG_DEBUG, "returning %d!", _c); \
return (_c); \
} while (0)
#define RETURNN(n) do { \
int _n = (n); \
openpam_log(PAM_LOG_DEBUG, "returning %d", _n); \
return (_n); \
} while (0)
#define RETURNP(p) do { \
const void *_p = (p); \
if (_p == NULL) \
openpam_log(PAM_LOG_DEBUG, "returning NULL"); \
else \
openpam_log(PAM_LOG_DEBUG, "returning %p", _p); \
return (p); \
} while (0)
#define RETURNS(s) do { \
const char *_s = (s); \
if (_s == NULL) \
openpam_log(PAM_LOG_DEBUG, "returning NULL"); \
else \
openpam_log(PAM_LOG_DEBUG, "returning '%s'", _s); \
return (_s); \
} while (0)
#else
#define ENTER()
#define ENTERI(i)
#define ENTERN(n)
#define ENTERS(s)
#define RETURNV() return
#define RETURNC(c) return (c)
#define RETURNN(n) return (n)
#define RETURNP(p) return (p)
#define RETURNS(s) return (s)
#endif
#define FREEV(c, v) \
do { \
if ((v) != NULL) { \
while ((c)-- > 0) \
FREE((v)[(c)]); \
FREE(v); \
} \
} while (0)

#include "openpam_constants.h"
#include "openpam_debug.h"
#include "openpam_features.h"

#endif
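Review bot: `FREEV(c, v)` modifies its count argument as a side effect (`while ((c)-- > 0)` leaves `c` at -1 once the loop has run), evaluates both `c` and `v` several times, and leaves `c` untouched when `v` is NULL. The only caller in this patch, `openpam_destroy_chain`, frees the chain right afterwards so it is harmless there, but either document the side effect or add `(c) = 0;` after the loop so the macro is safe for the next caller. Separately, the header no longer includes config.h itself, so every translation unit must include it before openpam_impl.h; the .c hunks in this patch all do.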
@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2004-2013 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@ -30,10 +31,12 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/openpam/lib/openpam_load.c#21 $
*/

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>
@ -42,66 +45,31 @@

#include "openpam_impl.h"

const char *_pam_func_name[PAM_NUM_PRIMITIVES] = {
"pam_authenticate",
"pam_setcred",
"pam_acct_mgmt",
"pam_open_session",
"pam_close_session",
"pam_chauthtok"
};

const char *_pam_sm_func_name[PAM_NUM_PRIMITIVES] = {
"pam_sm_authenticate",
"pam_sm_setcred",
"pam_sm_acct_mgmt",
"pam_sm_open_session",
"pam_sm_close_session",
"pam_sm_chauthtok"
};

static pam_module_t *modules;

/*
* Locate a matching dynamic or static module. Keep a list of previously
* found modules to speed up the process.
* Locate a matching dynamic or static module.
*/

pam_module_t *
openpam_load_module(const char *path)
openpam_load_module(const char *modulename)
{
pam_module_t *module;

/* check cache first */
for (module = modules; module != NULL; module = module->next)
if (strcmp(module->path, path) == 0)
goto found;

/* nope; try to load */
module = openpam_dynamic(path);
module = openpam_dynamic(modulename);
openpam_log(PAM_LOG_DEBUG, "%s dynamic %s",
(module == NULL) ? "no" : "using", path);
(module == NULL) ? "no" : "using", modulename);

#ifdef OPENPAM_STATIC_MODULES
/* look for a static module */
if (module == NULL && strchr(path, '/') == NULL) {
module = openpam_static(path);
if (module == NULL && strchr(modulename, '/') == NULL) {
module = openpam_static(modulename);
openpam_log(PAM_LOG_DEBUG, "%s static %s",
(module == NULL) ? "no" : "using", path);
(module == NULL) ? "no" : "using", modulename);
}
#endif
if (module == NULL) {
openpam_log(PAM_LOG_ERROR, "no %s found", path);
openpam_log(PAM_LOG_ERROR, "no %s found", modulename);
return (NULL);
}
openpam_log(PAM_LOG_DEBUG, "adding %s to cache", module->path);
module->next = modules;
if (module->next != NULL)
module->next->prev = module;
module->prev = NULL;
modules = module;
found:
++module->refcount;
return (module);
}

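Review bot: the definitions of `_pam_func_name` and `_pam_sm_func_name` are deleted from this file while openpam_impl.h still declares them `extern`; confirm they now live in openpam_constants.h (newly included by openpam_impl.h in this patch), otherwise the link fails. With the module cache and the `found:` path gone, the `refcount`, `prev` and `next` fields are no longer touched here or in `openpam_release_module` below, so they can be dropped from `pam_module_t` if nothing else reads them, and each chain entry now loads its own module instance, which changes how many times `openpam_dynamic` is called for a policy that names the same module in several chains.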
@ -114,27 +82,13 @@ openpam_load_module(const char *path)
static void
openpam_release_module(pam_module_t *module)
{

if (module == NULL)
return;
--module->refcount;
if (module->refcount > 0)
/* still in use */
return;
if (module->refcount < 0) {
openpam_log(PAM_LOG_ERROR, "module %s has negative refcount",
module->path);
module->refcount = 0;
}
if (module->dlh == NULL)
/* static module */
return;
dlclose(module->dlh);
if (module->prev != NULL)
module->prev->next = module->next;
if (module->next != NULL)
module->next->prev = module->prev;
if (module == modules)
modules = module->next;
openpam_log(PAM_LOG_DEBUG, "releasing %s", module->path);
FREE(module->path);
FREE(module);
@ -149,15 +103,12 @@ openpam_release_module(pam_module_t *module)
static void
openpam_destroy_chain(pam_chain_t *chain)
{

if (chain == NULL)
return;
openpam_destroy_chain(chain->next);
chain->next = NULL;
while (chain->optc) {
--chain->optc;
FREE(chain->optv[chain->optc]);
}
FREE(chain->optv);
FREEV(chain->optc, chain->optv);
openpam_release_module(chain->module);
chain->module = NULL;
FREE(chain);
@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@ -30,22 +31,24 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/openpam/lib/openpam_log.c#24 $
*/

#include <ctype.h>
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

#include <security/pam_appl.h>

#include "openpam_impl.h"
#include "openpam_asprintf.h"

int _openpam_debug = 0;
int openpam_debug = 0;

#if !defined(openpam_log)

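Review bot: renaming `_openpam_debug` to `openpam_debug` turns an underscored library-private global into a plain exported symbol that the openpam_log documentation in this patch now tells callers to set; make sure it is declared in a public header (the `extern` in openpam_impl.h is internal only) and that the old name is either kept as an alias or the ABI change is called out in the release notes.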
@ -60,10 +63,12 @@ openpam_log(int level, const char *fmt, ...)
{
va_list ap;
int priority;
int serrno;

switch (level) {
case PAM_LOG_LIBDEBUG:
case PAM_LOG_DEBUG:
if (!_openpam_debug)
if (!openpam_debug)
return;
priority = LOG_DEBUG;
break;
@ -78,9 +83,11 @@ openpam_log(int level, const char *fmt, ...)
priority = LOG_ERR;
break;
}
serrno = errno;
va_start(ap, fmt);
vsyslog(priority, fmt, ap);
va_end(ap);
errno = serrno;
}

#else
@ -91,10 +98,12 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
va_list ap;
char *format;
int priority;
int serrno;

switch (level) {
case PAM_LOG_LIBDEBUG:
case PAM_LOG_DEBUG:
if (!_openpam_debug)
if (!openpam_debug)
return;
priority = LOG_DEBUG;
break;
@ -109,14 +118,18 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
priority = LOG_ERR;
break;
}
serrno = errno;
va_start(ap, fmt);
if (asprintf(&format, "in %s(): %s", func, fmt) > 0) {
errno = serrno;
vsyslog(priority, format, ap);
FREE(format);
} else {
errno = serrno;
vsyslog(priority, fmt, ap);
}
va_end(ap);
errno = serrno;
}

#endif
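Review bot: the `errno = serrno;` placed before each `vsyslog` call, in addition to the final restore after `va_end`, is what lets a `%m` in the caller's format expand to the caller's errno rather than whatever `asprintf` left behind; that is easy to mistake for a redundant assignment and "clean up", so a one-line comment on the first one would help. The `> 0` test is fine: on failure `format` is never touched in the `else` branch, so its indeterminate value does not matter.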
@ -128,10 +141,13 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
* The =level argument indicates the importance of the message.
* The following levels are defined:
*
* =PAM_LOG_LIBDEBUG:
* Debugging messages.
* For internal use only.
* =PAM_LOG_DEBUG:
* Debugging messages.
* These messages are normally not logged unless the global
* integer variable :_openpam_debug is set to a non-zero
* integer variable :openpam_debug is set to a non-zero
* value, in which case they are logged with a =syslog
* priority of =LOG_DEBUG.
* =PAM_LOG_VERBOSE:
@ -150,4 +166,6 @@ _openpam_log(int level, const char *func, const char *fmt, ...)
*
* The remaining arguments are a =printf format string and the
* corresponding arguments.
*
* The =openpam_log function does not modify the value of :errno.
*/
@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@ -30,10 +31,12 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/openpam/lib/openpam_nullconv.c#7 $
*/

#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <sys/types.h>

#include <security/pam_appl.h>
@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003 Networks Associates Technology, Inc.
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@ -30,15 +31,17 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $P4: //depot/projects/openpam/lib/openpam_readline.c#3 $
*/

#include <ctype.h>
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

#include <stdio.h>
#include <stdlib.h>

#include <security/pam_appl.h>

#include "openpam_impl.h"

#define MIN_LINE_LENGTH 128
@ -52,26 +55,13 @@
char *
openpam_readline(FILE *f, int *lineno, size_t *lenp)
{
unsigned char *line;
char *line;
size_t len, size;
int ch;

if ((line = malloc(MIN_LINE_LENGTH)) == NULL)
line = NULL;
if (openpam_straddch(&line, &size, &len, 0) != 0)
return (NULL);
size = MIN_LINE_LENGTH;
len = 0;

#define line_putch(ch) do { \
if (len >= size - 1) { \
unsigned char *tmp = realloc(line, size *= 2); \
if (tmp == NULL) \
goto fail; \
line = tmp; \
} \
line[len++] = ch; \
line[len] = '\0'; \
} while (0)

for (;;) {
ch = fgetc(f);
/* strip comment */
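Review bot: `size` and `len` are passed to `openpam_straddch(&line, &size, &len, 0)` uninitialized, with `line = NULL`; that is only correct if `openpam_straddch` is defined to initialize all three when `*line` is NULL, so state that contract in a comment at the call site. With the `malloc`/`line_putch` path gone, `MIN_LINE_LENGTH` at the top of the file no longer has a user in this function and can go unless something else in the file needs it.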
@ -82,66 +72,53 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp)
}
/* eof */
if (ch == EOF) {
/* remove trailing whitespace */
while (len > 0 && isspace(line[len - 1]))
--len;
line[len] = '\0';
if (len == 0)
goto fail;
/* done */
break;
}
/* eol */
if (ch == '\n') {
if (lineno != NULL)
++*lineno;

/* remove trailing whitespace */
while (len > 0 && isspace(line[len - 1]))
--len;
line[len] = '\0';
/* skip blank lines */
if (len == 0)
continue;
/* continuation */
if (line[len - 1] == '\\') {
line[--len] = '\0';
/* fall through to whitespace case */
} else {
break;
continue;
}
}
/* whitespace */
if (isspace(ch)) {
/* ignore leading whitespace */
/* collapse linear whitespace */
if (len > 0 && line[len - 1] != ' ')
line_putch(' ');
continue;
/* done */
break;
}
/* anything else */
line_putch(ch);
if (openpam_straddch(&line, &size, &len, ch) != 0)
goto fail;
}

if (len == 0)
goto fail;
if (lenp != NULL)
*lenp = len;
return (line);
fail:
fail:
FREE(line);
return (NULL);
}

/**
* DEPRECATED openpam_readlinev
*
* The =openpam_readline function reads a line from a file, and returns it
* in a NUL-terminated buffer allocated with =malloc.
* in a NUL-terminated buffer allocated with =!malloc.
*
* The =openpam_readline function performs a certain amount of processing
* on the data it reads.
* Comments (introduced by a hash sign) are stripped, as is leading and
* trailing whitespace.
* Any amount of linear whitespace is collapsed to a single space.
* Blank lines are ignored.
* If a line ends in a backslash, the backslash is stripped and the next
* line is appended.
* on the data it reads:
*
* - Comments (introduced by a hash sign) are stripped.
*
* - Blank lines are ignored.
*
* - If a line ends in a backslash, the backslash is stripped and the
* next line is appended.
*
* If =lineno is not =NULL, the integer variable it points to is
* incremented every time a newline character is read.
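Review bot: dropping the trailing-whitespace stripping changes continuation handling: `line[len - 1] == '\\'` now only matches when the backslash is the very last byte before the newline, so a line ending in backslash plus a space or tab is no longer a continuation and the backslash stays in the returned buffer. The documentation block correctly stops promising whitespace stripping and collapsing, but the continuation bullet should say the backslash has to be the last character on the line, and a comment stripped with `#` that left trailing whitespace before the `#` now keeps that whitespace too.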
@ -150,5 +127,8 @@ openpam_readline(FILE *f, int *lineno, size_t *lenp)
* terminating NUL character) is stored in the variable it points to.
*
* The caller is responsible for releasing the returned buffer by passing
* it to =free.
* it to =!free.
*
* >openpam_readlinev
* >openpam_readword
*/
@ -0,0 +1,153 @@
|
|||
/*-
|
||||
* Copyright (c) 2012-2016 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
|
||||
#define MIN_WORDV_SIZE 32
|
||||
|
||||
/*
|
||||
* OpenPAM extension
|
||||
*
|
||||
* Read a line from a file and split it into words.
|
||||
*/
|
||||
|
||||
char **
|
||||
openpam_readlinev(FILE *f, int *lineno, int *lenp)
|
||||
{
|
||||
char *word, **wordv, **tmp;
|
||||
size_t wordlen, wordvsize;
|
||||
int ch, serrno, wordvlen;
|
||||
|
||||
wordvsize = MIN_WORDV_SIZE;
|
||||
wordvlen = 0;
|
||||
if ((wordv = malloc(wordvsize * sizeof *wordv)) == NULL) {
|
||||
errno = ENOMEM;
|
||||
return (NULL);
|
||||
}
|
||||
wordv[wordvlen] = NULL;
|
||||
while ((word = openpam_readword(f, lineno, &wordlen)) != NULL) {
|
||||
if ((unsigned int)wordvlen + 1 >= wordvsize) {
|
||||
/* need to expand the array */
|
||||
wordvsize *= 2;
|
||||
tmp = realloc(wordv, wordvsize * sizeof *wordv);
|
||||
if (tmp == NULL) {
|
||||
errno = ENOMEM;
|
||||
break;
|
||||
}
|
||||
wordv = tmp;
|
||||
}
|
||||
/* insert our word */
|
||||
wordv[wordvlen++] = word;
|
||||
wordv[wordvlen] = NULL;
|
||||
word = NULL;
|
||||
}
|
||||
if (errno != 0) {
|
||||
/* I/O error or out of memory */
|
||||
serrno = errno;
|
||||
while (wordvlen--)
|
||||
free(wordv[wordvlen]);
|
||||
free(wordv);
|
||||
free(word);
|
||||
errno = serrno;
|
||||
return (NULL);
|
||||
}
|
||||
/* assert(!ferror(f)) */
|
||||
ch = fgetc(f);
|
||||
/* assert(ch == EOF || ch == '\n') */
|
||||
if (ch == EOF && wordvlen == 0) {
|
||||
free(wordv);
|
||||
return (NULL);
|
||||
}
|
||||
if (ch == '\n' && lineno != NULL)
|
||||
++*lineno;
|
||||
if (lenp != NULL)
|
||||
*lenp = wordvlen;
|
||||
return (wordv);
|
||||
}
|
||||
|
||||
/**
|
||||
* The =openpam_readlinev function reads a line from a file, splits it
|
||||
* into words according to the rules described in the =openpam_readword
|
||||
* manual page, and returns a list of those words.
|
||||
*
|
||||
* If =lineno is not =NULL, the integer variable it points to is
|
||||
* incremented every time a newline character is read.
|
||||
* This includes quoted or escaped newline characters and the newline
|
||||
* character at the end of the line.
|
||||
*
|
||||
* If =lenp is not =NULL, the number of words on the line is stored in the
|
||||
* variable to which it points.
|
||||
*
|
||||
* RETURN VALUES
|
||||
*
|
||||
* If successful, the =openpam_readlinev function returns a pointer to a
|
||||
* dynamically allocated array of pointers to individual dynamically
|
||||
* allocated NUL-terminated strings, each containing a single word, in the
|
||||
* order in which they were encountered on the line.
|
||||
* The array is terminated by a =NULL pointer.
|
||||
*
|
||||
* The caller is responsible for freeing both the array and the individual
|
||||
* strings by passing each of them to =!free.
|
||||
*
|
||||
* If the end of the line was reached before any words were read,
|
||||
* =openpam_readlinev returns a pointer to a dynamically allocated array
|
||||
* containing a single =NULL pointer.
|
||||
*
|
||||
* The =openpam_readlinev function can fail and return =NULL for one of
|
||||
* four reasons:
|
||||
*
|
||||
* - The end of the file was reached before any words were read; :errno is
|
||||
* zero, =!ferror returns zero, and =!feof returns a non-zero value.
|
||||
*
|
||||
* - The end of the file was reached while a quote or backslash escape
|
||||
* was in effect; :errno is set to =EINVAL, =!ferror returns zero, and
|
||||
* =!feof returns a non-zero value.
|
||||
*
|
||||
* - An error occurred while reading from the file; :errno is non-zero,
|
||||
* =!ferror returns a non-zero value and =!feof returns zero.
|
||||
*
|
||||
* - A =!malloc or =!realloc call failed; :errno is set to =ENOMEM,
|
||||
* =!ferror returns a non-zero value, and =!feof may or may not return
|
||||
* a non-zero value.
|
||||
*
|
||||
* >openpam_readline
|
||||
* >openpam_readword
|
||||
*
|
||||
* AUTHOR DES
|
||||
*/
|
|
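Review bot: the last RETURN VALUES bullet misdescribes the stream state: a failed `malloc(wordvsize * sizeof *wordv)` or `realloc(wordv, wordvsize * sizeof *wordv)` never touches the FILE, so `=!ferror` returns zero in that case, not "a non-zero value"; reword it to say that ferror and feof report whatever state the stream was already in. Separately, the prototype takes `int *lenp` and counts with `int wordvlen`, while `wordvsize` is `size_t` and the sibling openpam_readline/openpam_readword report lengths through `size_t *lenp`; making `wordvlen` a `size_t` removes the `(unsigned int)wordvlen + 1 >= wordvsize` cast and keeps the three APIs consistent, and since this is a new function the `lenp` type can still be changed without breaking anyone.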
@ -0,0 +1,214 @@
|
|||
/*-
|
||||
* Copyright (c) 2012-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
#include "openpam_ctype.h"
|
||||
|
||||
#define MIN_WORD_SIZE 32
|
||||
|
||||
/*
|
||||
* OpenPAM extension
|
||||
*
|
||||
* Read a word from a file, respecting shell quoting rules.
|
||||
*/
|
||||
|
||||
char *
|
||||
openpam_readword(FILE *f, int *lineno, size_t *lenp)
|
||||
{
|
||||
char *word;
|
||||
size_t size, len;
|
||||
int ch, escape, quote;
|
||||
int serrno;
|
||||
|
||||
errno = 0;
|
||||
|
||||
/* skip initial whitespace */
|
||||
escape = quote = 0;
|
||||
while ((ch = getc(f)) != EOF) {
|
||||
if (ch == '\n') {
|
||||
/* either EOL or line continuation */
|
||||
if (!escape)
|
||||
break;
|
||||
if (lineno != NULL)
|
||||
++*lineno;
|
||||
escape = 0;
|
||||
} else if (escape) {
|
||||
/* escaped something else */
|
||||
break;
|
||||
} else if (ch == '#') {
|
||||
/* comment: until EOL, no continuation */
|
||||
while ((ch = getc(f)) != EOF)
|
||||
if (ch == '\n')
|
||||
break;
|
||||
break;
|
||||
} else if (ch == '\\') {
|
||||
escape = 1;
|
||||
} else if (!is_ws(ch)) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (ch == EOF)
|
||||
return (NULL);
|
||||
ungetc(ch, f);
|
||||
if (ch == '\n')
|
||||
return (NULL);
|
||||
|
||||
word = NULL;
|
||||
size = len = 0;
|
||||
while ((ch = fgetc(f)) != EOF && (!is_ws(ch) || quote || escape)) {
|
||||
if (ch == '\\' && !escape && quote != '\'') {
|
||||
/* escape next character */
|
||||
escape = ch;
|
||||
} else if ((ch == '\'' || ch == '"') && !quote && !escape) {
|
||||
/* begin quote */
|
||||
quote = ch;
|
||||
/* edge case: empty quoted string */
|
||||
if (openpam_straddch(&word, &size, &len, 0) != 0)
|
||||
return (NULL);
|
||||
} else if (ch == quote && !escape) {
|
||||
/* end quote */
|
||||
quote = 0;
|
||||
} else if (ch == '\n' && escape) {
|
||||
/* line continuation */
|
||||
escape = 0;
|
||||
} else {
|
||||
if (escape && quote && ch != '\\' && ch != quote &&
|
||||
openpam_straddch(&word, &size, &len, '\\') != 0) {
|
||||
free(word);
|
||||
errno = ENOMEM;
|
||||
return (NULL);
|
||||
}
|
||||
if (openpam_straddch(&word, &size, &len, ch) != 0) {
|
||||
free(word);
|
||||
errno = ENOMEM;
|
||||
return (NULL);
|
||||
}
|
||||
escape = 0;
|
||||
}
|
||||
if (lineno != NULL && ch == '\n')
|
||||
++*lineno;
|
||||
}
|
||||
if (ch == EOF && ferror(f)) {
|
||||
serrno = errno;
|
||||
free(word);
|
||||
errno = serrno;
|
||||
return (NULL);
|
||||
}
|
||||
if (ch == EOF && (escape || quote)) {
|
||||
/* Missing escaped character or closing quote. */
|
||||
free(word);
|
||||
errno = EINVAL;
|
||||
return (NULL);
|
||||
}
|
||||
ungetc(ch, f);
|
||||
if (lenp != NULL)
|
||||
*lenp = len;
|
||||
return (word);
|
||||
}
|
||||
|
||||
/**
|
||||
* The =openpam_readword function reads the next word from a file, and
|
||||
* returns it in a NUL-terminated buffer allocated with =!malloc.
|
||||
*
|
||||
* A word is a sequence of non-whitespace characters.
|
||||
* However, whitespace characters can be included in a word if quoted or
|
||||
* escaped according to the following rules:
|
||||
*
|
||||
* - An unescaped single or double quote introduces a quoted string,
|
||||
* which ends when the same quote character is encountered a second
|
||||
* time.
|
||||
* The quotes themselves are stripped.
|
||||
*
|
||||
* - Within a single- or double-quoted string, all whitespace characters,
|
||||
* including the newline character, are preserved as-is.
|
||||
*
|
||||
* - Outside a quoted string, a backslash escapes the next character,
|
||||
* which is preserved as-is, unless that character is a newline, in
|
||||
* which case it is discarded and reading continues at the beginning of
|
||||
* the next line as if the backslash and newline had not been there.
|
||||
* In all cases, the backslash itself is discarded.
|
||||
*
|
||||
* - Within a single-quoted string, double quotes and backslashes are
|
||||
* preserved as-is.
|
||||
*
|
||||
* - Within a double-quoted string, a single quote is preserved as-is,
|
||||
* and a backslash is preserved as-is unless used to escape a double
|
||||
* quote.
|
||||
*
|
||||
* In addition, if the first non-whitespace character on the line is a
|
||||
* hash character (#), the rest of the line is discarded.
|
||||
* If a hash character occurs within a word, however, it is preserved
|
||||
* as-is.
|
||||
* A backslash at the end of a comment does cause line continuation.
|
||||
*
|
||||
* If =lineno is not =NULL, the integer variable it points to is
|
||||
* incremented every time a quoted or escaped newline character is read.
|
||||
*
|
||||
* If =lenp is not =NULL, the length of the word (after quotes and
|
||||
* backslashes have been removed) is stored in the variable it points to.
|
||||
*
|
||||
* RETURN VALUES
|
||||
*
|
||||
* If successful, the =openpam_readword function returns a pointer to a
|
||||
* dynamically allocated NUL-terminated string containing the first word
|
||||
* encountered on the line.
|
||||
*
|
||||
* The caller is responsible for releasing the returned buffer by passing
|
||||
* it to =!free.
|
||||
*
|
||||
* If =openpam_readword reaches the end of the line or file before any
|
||||
* characters are copied to the word, it returns =NULL. In the former
|
||||
* case, the newline is pushed back to the file.
|
||||
*
|
||||
* If =openpam_readword reaches the end of the file while a quote or
|
||||
* backslash escape is in effect, it sets :errno to =EINVAL and returns
|
||||
* =NULL.
|
||||
*
|
||||
* IMPLEMENTATION NOTES
|
||||
*
|
||||
* The parsing rules are intended to be equivalent to the normal POSIX
|
||||
* shell quoting rules.
|
||||
* Any discrepancy is a bug and should be reported to the author along
|
||||
* with sample input that can be used to reproduce the error.
|
||||
*
|
||||
* >openpam_readline
|
||||
* >openpam_readlinev
|
||||
*
|
||||
* AUTHOR DES
|
||||
*/
|
|
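Review bot: the doc sentence `A backslash at the end of a comment does cause line continuation.` contradicts the code, whose comment loop (marked `/* comment: until EOL, no continuation */`) consumes every character up to the newline without looking at backslashes; presumably "does not cause" was intended. The RETURN VALUES text also says that reaching EOF with a backslash escape in effect sets EINVAL, but a backslash immediately followed by EOF in the leading-whitespace loop exits that loop with `escape` set and hits `if (ch == EOF) return (NULL);` with errno still 0; the `if (ch == EOF && (escape || quote))` check is only reached from the word loop, so either apply it after the first loop too or document the difference. Minor: the begin-quote bootstrap `if (openpam_straddch(&word, &size, &len, 0) != 0) return (NULL);` skips the `free(word)` the other error paths do; that is safe only because openpam_straddch cannot fail once `*str` is non-NULL, which deserves a one-line comment so the next reader does not "fix" it into a double free.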
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#11 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <grp.h>
|
||||
|
@ -45,6 +48,7 @@
|
|||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
#include "openpam_cred.h"
|
||||
|
||||
/*
|
||||
* OpenPAM extension
|
||||
|
@ -55,8 +59,8 @@
|
|||
int
|
||||
openpam_restore_cred(pam_handle_t *pamh)
|
||||
{
|
||||
struct pam_saved_cred *scred;
|
||||
void *scredp;
|
||||
const struct pam_saved_cred *scred;
|
||||
const void *scredp;
|
||||
int r;
|
||||
|
||||
ENTER();
|
|
@ -0,0 +1,72 @@
|
|||
/*-
|
||||
* Copyright (c) 2012-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/openpam.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
|
||||
/*
|
||||
* OpenPAM extension
|
||||
*
|
||||
* Enable or disable an optional feature.
|
||||
*/
|
||||
|
||||
int
|
||||
openpam_set_feature(int feature, int onoff)
|
||||
{
|
||||
|
||||
ENTERF(feature);
|
||||
if (feature < 0 || feature >= OPENPAM_NUM_FEATURES)
|
||||
RETURNC(PAM_BAD_FEATURE);
|
||||
openpam_features[feature].onoff = onoff;
|
||||
RETURNC(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
/*
|
||||
* Error codes:
|
||||
*
|
||||
* PAM_BAD_FEATURE
|
||||
*/
|
||||
|
||||
/**
|
||||
* EXPERIMENTAL
|
||||
*
|
||||
* The =openpam_set_feature function sets the state of the specified
|
||||
* feature to the value specified by the =onoff argument.
|
||||
* See =openpam_get_feature for a list of recognized features.
|
||||
*
|
||||
* >openpam_get_feature
|
||||
*
|
||||
* AUTHOR DES
|
||||
*/
|
|
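Review bot: `onoff` is stored as given by `openpam_features[feature].onoff = onoff;`, so a caller passing 2 or -1 leaves a value that is neither 0 nor 1; either normalise with `onoff = (onoff != 0);` before the store or have the doc say that any non-zero value enables the feature. The doc block should also state that the setting is process-wide (the write goes to the global `openpam_features` array, not into a pam_handle_t) and is not synchronised, so it must be called before other threads start using the library. The `Error codes:` comment already lists PAM_BAD_FEATURE; a RETURN VALUES section in the doc comment, as the other new files in this change have, would surface it in the manual page.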
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2023 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_set_option.c#13 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <stdio.h>
|
||||
|
@ -41,9 +44,9 @@
|
|||
#include <string.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/openpam.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
#include "openpam_asprintf.h"
|
||||
|
||||
/*
|
||||
* OpenPAM extension
|
||||
|
@ -80,6 +83,7 @@ openpam_set_option(pam_handle_t *pamh,
|
|||
for (free(cur->optv[i]); i < cur->optc; ++i)
|
||||
cur->optv[i] = cur->optv[i + 1];
|
||||
cur->optv[i] = NULL;
|
||||
--cur->optc;
|
||||
RETURNC(PAM_SUCCESS);
|
||||
}
|
||||
if (asprintf(&opt, "%.*s=%s", (int)len, option, value) < 0)
|
|
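Review bot: the added `cur->optv[i] = NULL;` only executes with `i == cur->optc` (the for loop exits at no other value), so it writes to the slot one past the last option. That is correct only if `optv` is always allocated with `optc + 1` entries; the loop body already reads `cur->optv[i + 1]` for `i == optc - 1`, i.e. the same slot, so the invariant is at least consistent, but a comment stating that optv is kept NULL-terminated would make the reasoning visible where it matters. Style: `for (free(cur->optv[i]); i < cur->optc; ++i)` hides a free() in a loop initialiser; a separate statement before the loop is easier to audit for double frees.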
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/openpam_static.c#6 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
@ -42,7 +45,7 @@
|
|||
|
||||
#ifdef OPENPAM_STATIC_MODULES
|
||||
|
||||
SET_DECLARE(_openpam_static_modules, pam_module_t);
|
||||
SET_DECLARE(openpam_static_modules, pam_module_t);
|
||||
|
||||
/*
|
||||
* OpenPAM internal
|
||||
|
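Review bot: renaming `_openpam_static_modules` to `openpam_static_modules` is the right fix: an identifier beginning with an underscore at file scope is reserved for the implementation (C11 7.1.3), and SET_DECLARE/SET_FOREACH turn this name into linker-set symbols where a clash with toolchain-provided names would be silent. The declaration and the SET_FOREACH use change together in this file; any other reference to the set (the SET_ENTRY side in the static-module build, not visible here) must be renamed in the same commit or the set will simply be empty at runtime and every static module lookup will fail.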
@ -55,7 +58,7 @@ openpam_static(const char *path)
|
|||
{
|
||||
pam_module_t **module;
|
||||
|
||||
SET_FOREACH(module, _openpam_static_modules) {
|
||||
SET_FOREACH(module, openpam_static_modules) {
|
||||
if (strcmp((*module)->path, path) == 0)
|
||||
return (*module);
|
||||
}
|
|
@ -0,0 +1,113 @@
|
|||
/*-
|
||||
* Copyright (c) 2012 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <errno.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
|
||||
#define MIN_STR_SIZE 32
|
||||
|
||||
/*
|
||||
* OpenPAM extension
|
||||
*
|
||||
* Add a character to a string, expanding the buffer if needed.
|
||||
*/
|
||||
|
||||
int
|
||||
openpam_straddch(char **str, size_t *size, size_t *len, int ch)
|
||||
{
|
||||
size_t tmpsize;
|
||||
char *tmpstr;
|
||||
|
||||
if (*str == NULL) {
|
||||
/* initial allocation */
|
||||
tmpsize = MIN_STR_SIZE;
|
||||
if ((tmpstr = malloc(tmpsize)) == NULL) {
|
||||
errno = ENOMEM;
|
||||
return (-1);
|
||||
}
|
||||
*str = tmpstr;
|
||||
*size = tmpsize;
|
||||
*len = 0;
|
||||
} else if (ch != 0 && *len + 1 >= *size) {
|
||||
/* additional space required */
|
||||
tmpsize = *size * 2;
|
||||
if ((tmpstr = realloc(*str, tmpsize)) == NULL) {
|
||||
errno = ENOMEM;
|
||||
return (-1);
|
||||
}
|
||||
*size = tmpsize;
|
||||
*str = tmpstr;
|
||||
}
|
||||
if (ch != 0) {
|
||||
(*str)[*len] = ch;
|
||||
++*len;
|
||||
}
|
||||
(*str)[*len] = '\0';
|
||||
return (0);
|
||||
}
|
||||
|
||||
/**
|
||||
* The =openpam_straddch function appends a character to a dynamically
|
||||
* allocated NUL-terminated buffer, reallocating the buffer as needed.
|
||||
*
|
||||
* The =str argument points to a variable containing either a pointer to
|
||||
* an existing buffer or =NULL.
|
||||
* If the value of the variable pointed to by =str is =NULL, a new buffer
|
||||
* is allocated.
|
||||
*
|
||||
* The =size and =len argument point to variables used to hold the size
|
||||
* of the buffer and the length of the string it contains, respectively.
|
||||
*
|
||||
* The final argument, =ch, is the character that should be appended to
|
||||
* the string. If =ch is 0, nothing is appended, but a new buffer is
|
||||
* still allocated if =str is NULL. This can be used to "bootstrap" the
|
||||
* string.
|
||||
*
|
||||
* If a new buffer is allocated or an existing buffer is reallocated to
|
||||
* make room for the additional character, =str and =size are updated
|
||||
* accordingly.
|
||||
*
|
||||
* The =openpam_straddch function ensures that the buffer is always
|
||||
* NUL-terminated.
|
||||
*
|
||||
* If the =openpam_straddch function is successful, it increments the
|
||||
* integer variable pointed to by =len (unless =ch was 0) and returns 0.
|
||||
* Otherwise, it leaves the variables pointed to by =str, =size and =len
|
||||
* unmodified, sets :errno to =ENOMEM and returns -1.
|
||||
*
|
||||
* AUTHOR DES
|
||||
*/
|
|
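Review bot: the doc should state the precondition for the non-NULL case: when `*str` is not NULL, `*size` and `*len` must describe that buffer with `*len < *size`, because the function writes `(*str)[*len]` and `(*str)[*len + 1]` trusting those values, and a caller that passes a static or foreign buffer with a stale `size` gets a heap or stack overflow rather than an error. The growth step `tmpsize = *size * 2;` is unchecked for wrap-around; a guard such as `if (*size > SIZE_MAX / 2) { errno = ENOMEM; return (-1); }` before the doubling keeps the `len < size` invariant on every path. Minor: the doc calls `len` an "integer variable", but the parameter is `size_t *`.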
@ -0,0 +1,56 @@
|
|||
/*-
|
||||
* Copyright (c) 2011-2012 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_STRLCAT
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
#include "openpam_strlcat.h"
|
||||
|
||||
/* like strcat(3), but always NUL-terminates; returns strlen(src) */
|
||||
size_t
|
||||
openpam_strlcat(char *dst, const char *src, size_t size)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
for (len = 0; *dst && size > 1; ++len, --size)
|
||||
dst++;
|
||||
for (; *src && size > 1; ++len, --size)
|
||||
*dst++ = *src++;
|
||||
*dst = '\0';
|
||||
while (*src)
|
||||
++len, ++src;
|
||||
return (len);
|
||||
}
|
||||
|
||||
#endif
|
|
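Review bot: `*dst = '\0';` runs unconditionally, so `openpam_strlcat(dst, src, 0)` writes one byte into a buffer the caller said has zero bytes; strlcat(3) with size 0 must not write, so guard the terminator with `if (size > 0)`. Two further divergences from the BSD contract are worth fixing or documenting: when dst has no NUL within its first size-1 bytes, the first loop stops with dst pointing at `dst[size-1]` and the terminator overwrites that byte (truncating the existing string) while the return value is `size - 1 + strlen(src)`, whereas strlcat(3) leaves dst untouched and returns `size + strlen(src)`; and the comment `returns strlen(src)` understates what the code does, since `len` also counts the existing dst characters, which is the correct `strlen(initial dst) + strlen(src)` result and should be described as such.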
@ -0,0 +1,39 @@
|
|||
/*-
|
||||
* Copyright (c) 2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_STRLCAT_H_INCLUDED
|
||||
#define OPENPAM_STRLCAT_H_INCLUDED
|
||||
|
||||
#ifndef HAVE_STRLCAT
|
||||
size_t openpam_strlcat(char *, const char *, size_t);
|
||||
#undef strlcat
|
||||
#define strlcat(arg, ...) openpam_strlcat(arg, __VA_ARGS__)
|
||||
#endif
|
||||
|
||||
#endif
|
|
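Review bot: the prototype `size_t openpam_strlcat(char *, const char *, size_t);` uses size_t but the header includes nothing, so it only compiles when the includer has already pulled in <stddef.h> (openpam_strlcat.c does; other includers may not); add `#include <stddef.h>` to the header. The variadic `#define strlcat(arg, ...) openpam_strlcat(arg, __VA_ARGS__)` wraps a fixed three-argument function; a plain `#define strlcat(d, s, n) openpam_strlcat(d, s, n)` says the same without requiring C99 variadic macros, unless the intent is to let a wrong argument count fall through to the compiler's diagnostic for the function, in which case a comment saying so would help.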
@ -0,0 +1,46 @@
|
|||
/*-
|
||||
* Copyright (c) 2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_STRLCMP_H_INCLUDED
|
||||
#define OPENPAM_STRLCMP_H_INCLUDED
|
||||
|
||||
#ifndef HAVE_STRLCMP
|
||||
/* like strcmp(3), but verifies that the entirety of s1 was matched */
|
||||
static int
|
||||
strlcmp(const char *s1, const char *s2, size_t len)
|
||||
{
|
||||
|
||||
for (; len && *s1 && *s2; --len, ++s1, ++s2)
|
||||
if (*s1 != *s2)
|
||||
return ((unsigned char)*s1 - (unsigned char)*s2);
|
||||
return ((unsigned char)*s1);
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
|
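Review bot: `strlcmp` is defined `static` (not `static inline`) inside a header, so every translation unit that includes it gets its own copy and, where unused, an unused-function warning under -Wall; mark it `static inline` or move the body to a .c file with a prototype here, as openpam_strlcat does. Like openpam_strlcat.h it uses size_t without including <stddef.h>. The contract also deserves a fuller comment than "verifies that the entirety of s1 was matched": the loop stops at `len`, at the end of `s1`, or at the end of `s2`, and the result is 0 only when `s1` was fully consumed, so `strlcmp("foo", "foobar", 3)` and `strlcmp("foo", "foobar", 10)` both return 0 while `strlcmp("foobar", "foo", 10)` returns 'b'; in other words it answers "is s1 a prefix of s2 with strlen(s1) <= len", not a three-way comparison, and callers must check the character at `s2[strlen(s1)]` themselves if they need an exact match.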
@ -0,0 +1,54 @@
|
|||
/*-
|
||||
* Copyright (c) 2011-2012 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_STRLCPY
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
#include "openpam_strlcpy.h"
|
||||
|
||||
/* like strcpy(3), but always NUL-terminates; returns strlen(src) */
|
||||
size_t
|
||||
openpam_strlcpy(char *dst, const char *src, size_t size)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
for (len = 0; *src && size > 1; ++len, --size)
|
||||
*dst++ = *src++;
|
||||
*dst = '\0';
|
||||
while (*src)
|
||||
++len, ++src;
|
||||
return (len);
|
||||
}
|
||||
|
||||
#endif
|
|
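Review bot: `*dst = '\0';` runs unconditionally, so a `size` of 0 writes one byte past a zero-length buffer; strlcpy(3) writes nothing at all in that case and callers that size their buffers dynamically do hit size 0. The loop condition `size > 1` already guards the copy, so only the terminator needs the check, e.g. `if (size > 0) *dst = '\0';`. The trailing `while (*src)` walk to compute the full `strlen(src)` return value is correct and matches the contract in the comment.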
@ -0,0 +1,39 @@
|
|||
/*-
|
||||
* Copyright (c) 2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_STRLCPY_H_INCLUDED
|
||||
#define OPENPAM_STRLCPY_H_INCLUDED
|
||||
|
||||
#ifndef HAVE_STRLCPY
|
||||
size_t openpam_strlcpy(char *, const char *, size_t);
|
||||
#undef strlcpy
|
||||
#define strlcpy(arg, ...) openpam_strlcpy(arg, __VA_ARGS__)
|
||||
#endif
|
||||
|
||||
#endif
|
|
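Review bot: the prototype `size_t openpam_strlcpy(char *, const char *, size_t);` uses `size_t` but the header includes nothing that defines it, so any source file that includes "openpam_strlcpy.h" before <stddef.h> or <string.h> fails to compile. Add `#include <stddef.h>` inside the `#ifndef HAVE_STRLCPY` block (or at the top of the header) so it is self-contained. The `#undef strlcpy` / variadic macro redirect is fine as written.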
@ -0,0 +1,56 @@
|
|||
/*-
|
||||
* Copyright (c) 2014 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_STRLSET
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
#include "openpam_strlset.h"
|
||||
|
||||
/*
|
||||
* like memset(3), but stops at the first NUL byte and NUL-terminates the
|
||||
* result. Returns the number of bytes that were written, not including
|
||||
* the terminating NUL.
|
||||
*/
|
||||
size_t
|
||||
openpam_strlset(char *str, int ch, size_t size)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
for (len = 0; *str && size > 1; ++len, --size)
|
||||
*str++ = ch;
|
||||
*str = '\0';
|
||||
return (++len);
|
||||
}
|
||||
|
||||
#endif
|
|
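Review bot: the return value contradicts the comment: the block comment says the result is "the number of bytes that were written, not including the terminating NUL", but `return (++len);` returns the count plus one, i.e. including the NUL. Either return `len` or fix the comment; callers that use the value to bound a later scrub or copy will be off by one. As with openpam_strlcpy, `*str = '\0';` is also executed when `size` is 0, writing one byte past the buffer; guard it with `if (size > 0)`. Since this helper is used to wipe response buffers before they are freed, it is worth a comment noting that it stops at the first NUL and therefore does not clear bytes beyond the string's current length.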
@ -0,0 +1,39 @@
|
|||
/*-
|
||||
* Copyright (c) 2014 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_STRLSET_H_INCLUDED
|
||||
#define OPENPAM_STRLSET_H_INCLUDED
|
||||
|
||||
#ifndef HAVE_STRLSET
|
||||
size_t openpam_strlset(char *, int, size_t);
|
||||
#undef strlset
|
||||
#define strlset(arg, ...) openpam_strlset(arg, __VA_ARGS__)
|
||||
#endif
|
||||
|
||||
#endif
|
|
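Review bot: the prototype `size_t openpam_strlset(char *, int, size_t);` depends on `size_t` without the header including <stddef.h>, so include order decides whether this header compiles. Add `#include <stddef.h>` so "openpam_strlset.h" can be included first, as it is in openpam_ttyconv.c after several system headers today but need not be elsewhere.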
@ -0,0 +1,169 @@
|
|||
/*-
|
||||
* Copyright (c) 2011-2023 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
|
||||
#define subst_char(ch) do { \
|
||||
int ch_ = (ch); \
|
||||
if (buf && len < *bufsize) \
|
||||
*buf++ = ch_; \
|
||||
++len; \
|
||||
} while (0)
|
||||
|
||||
#define subst_string(s) do { \
|
||||
const char *s_ = (s); \
|
||||
while (*s_) \
|
||||
subst_char(*s_++); \
|
||||
} while (0)
|
||||
|
||||
#define subst_item(i) do { \
|
||||
int i_ = (i); \
|
||||
const void *p_; \
|
||||
ret = pam_get_item(pamh, i_, &p_); \
|
||||
if (ret == PAM_SUCCESS && p_ != NULL) \
|
||||
subst_string(p_); \
|
||||
} while (0)
|
||||
|
||||
/*
|
||||
* OpenPAM internal
|
||||
*
|
||||
* Substitute PAM item values in a string
|
||||
*/
|
||||
|
||||
int
|
||||
openpam_subst(const pam_handle_t *pamh,
|
||||
char *buf, size_t *bufsize, const char *template)
|
||||
{
|
||||
size_t len;
|
||||
int ret;
|
||||
|
||||
ENTERS(template);
|
||||
if (template == NULL)
|
||||
template = "(null)";
|
||||
|
||||
len = 1; /* initialize to 1 for terminating NUL */
|
||||
ret = PAM_SUCCESS;
|
||||
while (*template && ret == PAM_SUCCESS) {
|
||||
if (template[0] == '%') {
|
||||
++template;
|
||||
switch (*template) {
|
||||
case 's':
|
||||
subst_item(PAM_SERVICE);
|
||||
break;
|
||||
case 't':
|
||||
subst_item(PAM_TTY);
|
||||
break;
|
||||
case 'h':
|
||||
subst_item(PAM_HOST);
|
||||
break;
|
||||
case 'u':
|
||||
subst_item(PAM_USER);
|
||||
break;
|
||||
case 'H':
|
||||
subst_item(PAM_RHOST);
|
||||
break;
|
||||
case 'U':
|
||||
subst_item(PAM_RUSER);
|
||||
break;
|
||||
case '\0':
|
||||
subst_char('%');
|
||||
break;
|
||||
default:
|
||||
subst_char('%');
|
||||
subst_char(*template);
|
||||
}
|
||||
if (*template)
|
||||
++template;
|
||||
} else {
|
||||
subst_char(*template++);
|
||||
}
|
||||
}
|
||||
if (buf)
|
||||
*buf = '\0';
|
||||
if (ret == PAM_SUCCESS) {
|
||||
if (len > *bufsize)
|
||||
ret = PAM_TRY_AGAIN;
|
||||
*bufsize = len;
|
||||
}
|
||||
RETURNC(ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Error codes:
|
||||
*
|
||||
* =pam_get_item
|
||||
* !PAM_SYMBOL_ERR
|
||||
* PAM_TRY_AGAIN
|
||||
*/
|
||||
|
||||
/**
|
||||
* The =openpam_subst function expands a string, substituting PAM item
|
||||
* values for all occurrences of specific substitution codes.
|
||||
* The =template argument points to the initial string.
|
||||
* The result is stored in the buffer pointed to by the =buf argument; the
|
||||
* =bufsize argument specifies the size of that buffer.
|
||||
* The actual size of the resulting string, including the terminating NUL
|
||||
* character, is stored in the location pointed to by the =bufsize
|
||||
* argument.
|
||||
*
|
||||
* If =buf is NULL, or if the buffer is too small to hold the expanded
|
||||
* string, =bufsize is updated to reflect the amount of space required to
|
||||
* hold the entire string, and =openpam_subst returns =PAM_TRY_AGAIN.
|
||||
*
|
||||
* If =openpam_subst fails for any other reason, the =bufsize argument is
|
||||
* untouched, but part of the buffer may still have been overwritten.
|
||||
*
|
||||
* Substitution codes are introduced by a percent character and correspond
|
||||
* to PAM items:
|
||||
*
|
||||
* %H:
|
||||
* Replaced by the current value of the =PAM_RHOST item.
|
||||
* %h:
|
||||
* Replaced by the current value of the =PAM_HOST item.
|
||||
* %s:
|
||||
* Replaced by the current value of the =PAM_SERVICE item.
|
||||
* %t:
|
||||
* Replaced by the current value of the =PAM_TTY item.
|
||||
* %U:
|
||||
* Replaced by the current value of the =PAM_RUSER item.
|
||||
* %u:
|
||||
* Replaced by the current value of the =PAM_USER item.
|
||||
*
|
||||
* >pam_get_authtok
|
||||
* >pam_get_item
|
||||
* >pam_get_user
|
||||
*
|
||||
* AUTHOR DES
|
||||
*/
|
|
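Review bot: the terminator write after the loop, `if (buf) *buf = '\0';`, does not check `*bufsize`, so a non-NULL `buf` with `*bufsize == 0` gets one byte written past a zero-length buffer; `subst_char` reserves space correctly (`len` starts at 1 and the write is gated on `len < *bufsize`) but the final NUL is not gated the same way. Use `if (buf && *bufsize > 0) *buf = '\0';`. The documentation comment also promises that "If =buf is NULL ... =openpam_subst returns =PAM_TRY_AGAIN", yet the code only sets `PAM_TRY_AGAIN` when `len > *bufsize`, so a NULL `buf` with a large `*bufsize` returns `PAM_SUCCESS` with nothing written; make it `if (buf == NULL || len > *bufsize) ret = PAM_TRY_AGAIN;` or document that a size query must pass `*bufsize = 0`. Finally, `%H` and `%U` copy `PAM_RHOST` and `PAM_RUSER` byte for byte, and those items are typically set from a remote peer's claims, so the comment should state that the expanded string is not sanitized and callers that print it to a terminal or log must treat it as untrusted.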
@ -0,0 +1,400 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2014 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
* Network Associates Laboratories, the Security Research Division of
|
||||
* Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
* ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/poll.h>
|
||||
#include <sys/time.h>
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <termios.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
#include "openpam_strlset.h"
|
||||
|
||||
int openpam_ttyconv_timeout = 0;
|
||||
|
||||
static volatile sig_atomic_t caught_signal;
|
||||
|
||||
/*
|
||||
* Handle incoming signals during tty conversation
|
||||
*/
|
||||
static void
|
||||
catch_signal(int signo)
|
||||
{
|
||||
|
||||
switch (signo) {
|
||||
case SIGINT:
|
||||
case SIGQUIT:
|
||||
case SIGTERM:
|
||||
caught_signal = signo;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Accept a response from the user on a tty
|
||||
*/
|
||||
static int
|
||||
prompt_tty(int ifd, int ofd, const char *message, char *response, int echo)
|
||||
{
|
||||
struct sigaction action;
|
||||
struct sigaction saction_sigint, saction_sigquit, saction_sigterm;
|
||||
struct termios tcattr;
|
||||
struct timeval now, target, remaining;
|
||||
int remaining_ms;
|
||||
tcflag_t slflag;
|
||||
struct pollfd pfd;
|
||||
int serrno;
|
||||
int pos, ret;
|
||||
char ch;
|
||||
|
||||
/* turn echo off if requested */
|
||||
slflag = 0; /* prevent bogus uninitialized variable warning */
|
||||
if (!echo) {
|
||||
if (tcgetattr(ifd, &tcattr) != 0) {
|
||||
openpam_log(PAM_LOG_ERROR, "tcgetattr(): %m");
|
||||
return (-1);
|
||||
}
|
||||
slflag = tcattr.c_lflag;
|
||||
tcattr.c_lflag &= ~ECHO;
|
||||
if (tcsetattr(ifd, TCSAFLUSH, &tcattr) != 0) {
|
||||
openpam_log(PAM_LOG_ERROR, "tcsetattr(): %m");
|
||||
return (-1);
|
||||
}
|
||||
}
|
||||
|
||||
/* write prompt */
|
||||
if (write(ofd, message, strlen(message)) < 0) {
|
||||
openpam_log(PAM_LOG_ERROR, "write(): %m");
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/* install signal handlers */
|
||||
caught_signal = 0;
|
||||
action.sa_handler = &catch_signal;
|
||||
action.sa_flags = 0;
|
||||
sigfillset(&action.sa_mask);
|
||||
sigaction(SIGINT, &action, &saction_sigint);
|
||||
sigaction(SIGQUIT, &action, &saction_sigquit);
|
||||
sigaction(SIGTERM, &action, &saction_sigterm);
|
||||
|
||||
/* compute timeout */
|
||||
if (openpam_ttyconv_timeout > 0) {
|
||||
(void)gettimeofday(&now, NULL);
|
||||
remaining.tv_sec = openpam_ttyconv_timeout;
|
||||
remaining.tv_usec = 0;
|
||||
timeradd(&now, &remaining, &target);
|
||||
} else {
|
||||
/* prevent bogus uninitialized variable warning */
|
||||
now.tv_sec = now.tv_usec = 0;
|
||||
remaining.tv_sec = remaining.tv_usec = 0;
|
||||
target.tv_sec = target.tv_usec = 0;
|
||||
}
|
||||
|
||||
/* input loop */
|
||||
pos = 0;
|
||||
ret = -1;
|
||||
serrno = 0;
|
||||
while (!caught_signal) {
|
||||
pfd.fd = ifd;
|
||||
pfd.events = POLLIN;
|
||||
pfd.revents = 0;
|
||||
if (openpam_ttyconv_timeout > 0) {
|
||||
gettimeofday(&now, NULL);
|
||||
if (timercmp(&now, &target, >))
|
||||
break;
|
||||
timersub(&target, &now, &remaining);
|
||||
remaining_ms = remaining.tv_sec * 1000 +
|
||||
remaining.tv_usec / 1000;
|
||||
} else {
|
||||
remaining_ms = -1;
|
||||
}
|
||||
if ((ret = poll(&pfd, 1, remaining_ms)) < 0) {
|
||||
serrno = errno;
|
||||
if (errno == EINTR)
|
||||
continue;
|
||||
openpam_log(PAM_LOG_ERROR, "poll(): %m");
|
||||
break;
|
||||
} else if (ret == 0) {
|
||||
/* timeout */
|
||||
write(ofd, " timed out", 10);
|
||||
openpam_log(PAM_LOG_NOTICE, "timed out");
|
||||
break;
|
||||
}
|
||||
if ((ret = read(ifd, &ch, 1)) < 0) {
|
||||
serrno = errno;
|
||||
openpam_log(PAM_LOG_ERROR, "read(): %m");
|
||||
break;
|
||||
} else if (ret == 0 || ch == '\n') {
|
||||
response[pos] = '\0';
|
||||
ret = pos;
|
||||
break;
|
||||
}
|
||||
if (pos + 1 < PAM_MAX_RESP_SIZE)
|
||||
response[pos++] = ch;
|
||||
/* overflow is discarded */
|
||||
}
|
||||
|
||||
/* restore tty state */
|
||||
if (!echo) {
|
||||
tcattr.c_lflag = slflag;
|
||||
if (tcsetattr(ifd, 0, &tcattr) != 0) {
|
||||
/* treat as non-fatal, since we have our answer */
|
||||
openpam_log(PAM_LOG_NOTICE, "tcsetattr(): %m");
|
||||
}
|
||||
}
|
||||
|
||||
/* restore signal handlers and re-post caught signal*/
|
||||
sigaction(SIGINT, &saction_sigint, NULL);
|
||||
sigaction(SIGQUIT, &saction_sigquit, NULL);
|
||||
sigaction(SIGTERM, &saction_sigterm, NULL);
|
||||
if (caught_signal != 0) {
|
||||
openpam_log(PAM_LOG_ERROR, "caught signal %d",
|
||||
(int)caught_signal);
|
||||
raise((int)caught_signal);
|
||||
/* if raise() had no effect... */
|
||||
serrno = EINTR;
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
/* done */
|
||||
write(ofd, "\n", 1);
|
||||
errno = serrno;
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Accept a response from the user on a non-tty stdin.
|
||||
*/
|
||||
static int
|
||||
prompt_notty(const char *message, char *response)
|
||||
{
|
||||
struct timeval now, target, remaining;
|
||||
int remaining_ms;
|
||||
struct pollfd pfd;
|
||||
int ch, pos, ret;
|
||||
|
||||
/* show prompt */
|
||||
fputs(message, stdout);
|
||||
fflush(stdout);
|
||||
|
||||
/* compute timeout */
|
||||
if (openpam_ttyconv_timeout > 0) {
|
||||
(void)gettimeofday(&now, NULL);
|
||||
remaining.tv_sec = openpam_ttyconv_timeout;
|
||||
remaining.tv_usec = 0;
|
||||
timeradd(&now, &remaining, &target);
|
||||
} else {
|
||||
/* prevent bogus uninitialized variable warning */
|
||||
now.tv_sec = now.tv_usec = 0;
|
||||
remaining.tv_sec = remaining.tv_usec = 0;
|
||||
target.tv_sec = target.tv_usec = 0;
|
||||
}
|
||||
|
||||
/* input loop */
|
||||
pos = 0;
|
||||
for (;;) {
|
||||
pfd.fd = STDIN_FILENO;
|
||||
pfd.events = POLLIN;
|
||||
pfd.revents = 0;
|
||||
if (openpam_ttyconv_timeout > 0) {
|
||||
gettimeofday(&now, NULL);
|
||||
if (timercmp(&now, &target, >))
|
||||
break;
|
||||
timersub(&target, &now, &remaining);
|
||||
remaining_ms = remaining.tv_sec * 1000 +
|
||||
remaining.tv_usec / 1000;
|
||||
} else {
|
||||
remaining_ms = -1;
|
||||
}
|
||||
if ((ret = poll(&pfd, 1, remaining_ms)) < 0) {
|
||||
/* interrupt is ok, everything else -> bail */
|
||||
if (errno == EINTR)
|
||||
continue;
|
||||
perror("\nopenpam_ttyconv");
|
||||
return (-1);
|
||||
} else if (ret == 0) {
|
||||
/* timeout */
|
||||
break;
|
||||
} else {
|
||||
/* input */
|
||||
if ((ch = getchar()) == EOF && ferror(stdin)) {
|
||||
perror("\nopenpam_ttyconv");
|
||||
return (-1);
|
||||
}
|
||||
if (ch == EOF || ch == '\n') {
|
||||
response[pos] = '\0';
|
||||
return (pos);
|
||||
}
|
||||
if (pos + 1 < PAM_MAX_RESP_SIZE)
|
||||
response[pos++] = ch;
|
||||
/* overflow is discarded */
|
||||
}
|
||||
}
|
||||
fputs("\nopenpam_ttyconv: timeout\n", stderr);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Determine whether stdin is a tty; if not, try to open the tty; in
|
||||
* either case, call the appropriate method.
|
||||
*/
|
||||
static int
|
||||
prompt(const char *message, char *response, int echo)
|
||||
{
|
||||
int ifd, ofd, ret;
|
||||
|
||||
if (isatty(STDIN_FILENO)) {
|
||||
fflush(stdout);
|
||||
#ifdef HAVE_FPURGE
|
||||
fpurge(stdin);
|
||||
#endif
|
||||
ifd = STDIN_FILENO;
|
||||
ofd = STDOUT_FILENO;
|
||||
} else {
|
||||
if ((ifd = open("/dev/tty", O_RDWR)) < 0)
|
||||
/* no way to prevent echo */
|
||||
return (prompt_notty(message, response));
|
||||
ofd = ifd;
|
||||
}
|
||||
ret = prompt_tty(ifd, ofd, message, response, echo);
|
||||
if (ifd != STDIN_FILENO)
|
||||
close(ifd);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* OpenPAM extension
|
||||
*
|
||||
* Simple tty-based conversation function
|
||||
*/
|
||||
|
||||
int
|
||||
openpam_ttyconv(int n,
|
||||
const struct pam_message **msg,
|
||||
struct pam_response **resp,
|
||||
void *data)
|
||||
{
|
||||
char respbuf[PAM_MAX_RESP_SIZE];
|
||||
struct pam_response *aresp;
|
||||
int i;
|
||||
|
||||
ENTER();
|
||||
(void)data;
|
||||
if (n <= 0 || n > PAM_MAX_NUM_MSG)
|
||||
RETURNC(PAM_CONV_ERR);
|
||||
if ((aresp = calloc(n, sizeof *aresp)) == NULL)
|
||||
RETURNC(PAM_BUF_ERR);
|
||||
for (i = 0; i < n; ++i) {
|
||||
aresp[i].resp_retcode = 0;
|
||||
aresp[i].resp = NULL;
|
||||
switch (msg[i]->msg_style) {
|
||||
case PAM_PROMPT_ECHO_OFF:
|
||||
if (prompt(msg[i]->msg, respbuf, 0) < 0 ||
|
||||
(aresp[i].resp = strdup(respbuf)) == NULL)
|
||||
goto fail;
|
||||
break;
|
||||
case PAM_PROMPT_ECHO_ON:
|
||||
if (prompt(msg[i]->msg, respbuf, 1) < 0 ||
|
||||
(aresp[i].resp = strdup(respbuf)) == NULL)
|
||||
goto fail;
|
||||
break;
|
||||
case PAM_ERROR_MSG:
|
||||
fputs(msg[i]->msg, stderr);
|
||||
if (strlen(msg[i]->msg) > 0 &&
|
||||
msg[i]->msg[strlen(msg[i]->msg) - 1] != '\n')
|
||||
fputc('\n', stderr);
|
||||
break;
|
||||
case PAM_TEXT_INFO:
|
||||
fputs(msg[i]->msg, stdout);
|
||||
if (strlen(msg[i]->msg) > 0 &&
|
||||
msg[i]->msg[strlen(msg[i]->msg) - 1] != '\n')
|
||||
fputc('\n', stdout);
|
||||
break;
|
||||
default:
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
*resp = aresp;
|
||||
memset(respbuf, 0, sizeof respbuf);
|
||||
RETURNC(PAM_SUCCESS);
|
||||
fail:
|
||||
for (i = 0; i < n; ++i) {
|
||||
if (aresp[i].resp != NULL) {
|
||||
strlset(aresp[i].resp, 0, PAM_MAX_RESP_SIZE);
|
||||
FREE(aresp[i].resp);
|
||||
}
|
||||
}
|
||||
memset(aresp, 0, n * sizeof *aresp);
|
||||
FREE(aresp);
|
||||
*resp = NULL;
|
||||
memset(respbuf, 0, sizeof respbuf);
|
||||
RETURNC(PAM_CONV_ERR);
|
||||
}
|
||||
|
||||
/*
|
||||
* Error codes:
|
||||
*
|
||||
* PAM_SYSTEM_ERR
|
||||
* PAM_BUF_ERR
|
||||
* PAM_CONV_ERR
|
||||
*/
|
||||
|
||||
/**
|
||||
* The =openpam_ttyconv function is a standard conversation function
|
||||
* suitable for use on TTY devices.
|
||||
* It should be adequate for the needs of most text-based interactive
|
||||
* programs.
|
||||
*
|
||||
* The =openpam_ttyconv function allows the application to specify a
|
||||
* timeout for user input by setting the global integer variable
|
||||
* :openpam_ttyconv_timeout to the length of the timeout in seconds.
|
||||
*
|
||||
* >openpam_nullconv
|
||||
* >pam_prompt
|
||||
* >pam_vprompt
|
||||
*/
|
|
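Review bot: in `prompt_tty` the echo-off path (`tcattr.c_lflag &= ~ECHO;` followed by `tcsetattr(ifd, TCSAFLUSH, &tcattr)`) is not undone when the subsequent `write(ofd, message, strlen(message))` fails and the function returns -1: the restore only happens at the "restore tty state" block after the input loop, so a failed prompt write leaves the user's terminal with echo disabled. Restore the saved `slflag` before that early return (or route it through the common restore block). Two smaller points in the same function: `tcsetattr(ifd, 0, &tcattr)` passes a literal 0 where POSIX expects one of the `TCSA*` constants, so use `TCSANOW`; and the `write()` calls for " timed out" and "\n" discard their return values, which warns under `-Wunused-result` on some libcs. In `openpam_ttyconv`, the `memset(respbuf, 0, sizeof respbuf)` immediately before `RETURNC` is a dead store on a local that an optimizer may legally drop; since `respbuf` holds the user's password for `PAM_PROMPT_ECHO_OFF`, prefer `explicit_bzero` where available or the same `strlset`-style scrub used in the `fail:` path, through a pointer the compiler cannot prove unused.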
@ -0,0 +1,58 @@
|
|||
/*-
|
||||
* Copyright (c) 2011-2012 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_VASPRINTF
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "openpam_vasprintf.h"
|
||||
|
||||
/* like vsprintf(3), but allocates memory for the result. */
|
||||
int
|
||||
openpam_vasprintf(char **str, const char *fmt, va_list ap)
|
||||
{
|
||||
va_list apcopy;
|
||||
int len, ret;
|
||||
|
||||
va_copy(apcopy, ap);
|
||||
len = vsnprintf(NULL, 0, fmt, ap);
|
||||
if ((*str = malloc(len + 1)) == NULL)
|
||||
return (-1);
|
||||
ret = vsnprintf(*str, len + 1, fmt, apcopy);
|
||||
va_end(apcopy);
|
||||
return (ret);
|
||||
}
|
||||
|
||||
#endif
|
|
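Review bot: the early return on `malloc` failure skips `va_end(apcopy)`, which the standard requires after every `va_copy`; move `va_end` before the `return (-1)` or restructure so both paths reach it. The result of the sizing call `len = vsnprintf(NULL, 0, fmt, ap);` is also used unchecked: a negative return (encoding error) makes `malloc(len + 1)` a `malloc(0)`, after which the second `vsnprintf` fails again and the caller is handed -1 alongside a `*str` that is neither NULL nor a usable string. Check `len < 0` first, set `*str = NULL`, `va_end(apcopy)` and return -1. Consider setting `*str = NULL` on every failure path so callers can free it unconditionally, as glibc's vasprintf leaves it undefined and this shim is the portable fallback.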
@ -0,0 +1,39 @@
|
|||
/*-
|
||||
* Copyright (c) 2012 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#ifndef OPENPAM_VASPRINTF_H_INCLUDED
|
||||
#define OPENPAM_VASPRINTF_H_INCLUDED
|
||||
|
||||
#ifndef HAVE_VASPRINTF
|
||||
int openpam_vasprintf(char **, const char *, va_list);
|
||||
#undef vasprintf
|
||||
#define vasprintf(arg, ...) openpam_vasprintf(arg, __VA_ARGS__)
|
||||
#endif
|
||||
|
||||
#endif
|
|
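Review bot: the prototype `int openpam_vasprintf(char **, const char *, va_list);` uses `va_list` but the header does not include <stdarg.h>, so it only compiles when the including file happened to pull that in first; add `#include <stdarg.h>` inside the guard so the header is self-contained, as the .c file already does for its own use.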
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_acct_mgmt.c#14 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_authenticate.c#15 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
@ -55,7 +58,7 @@ pam_authenticate(pam_handle_t *pamh,
|
|||
|
||||
ENTER();
|
||||
if (flags & ~(PAM_SILENT|PAM_DISALLOW_NULL_AUTHTOK))
|
||||
RETURNC(PAM_SYMBOL_ERR);
|
||||
RETURNC(PAM_BAD_CONSTANT);
|
||||
r = openpam_dispatch(pamh, PAM_SM_AUTHENTICATE, flags);
|
||||
pam_set_item(pamh, PAM_AUTHTOK, NULL);
|
||||
RETURNC(r);
|
||||
|
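Review bot: replacing `RETURNC(PAM_SYMBOL_ERR);` with `RETURNC(PAM_BAD_CONSTANT);` for an invalid `flags` mask changes a return value that applications may test against, so this is an API-visible change rather than a cleanup; the function's own documentation and Error codes block are updated in the hunks that follow, but the man page and any release notes should say so as well. Unchanged context worth a second look while here: `pam_set_item(pamh, PAM_AUTHTOK, NULL);` after dispatch discards the token even when `openpam_dispatch` failed, which is the desired behaviour for a secret, but a one-line comment would stop future readers from "fixing" it into the success path only.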
@ -67,7 +70,7 @@ pam_authenticate(pam_handle_t *pamh,
|
|||
* =openpam_dispatch
|
||||
* =pam_sm_authenticate
|
||||
* !PAM_IGNORE
|
||||
* PAM_SYMBOL_ERR
|
||||
* PAM_BAD_CONSTANT
|
||||
*/
|
||||
|
||||
/**
|
||||
|
@ -87,5 +90,5 @@ pam_authenticate(pam_handle_t *pamh,
|
|||
* Fail if the user's authentication token is null.
|
||||
*
|
||||
* If any other bits are set, =pam_authenticate will return
|
||||
* =PAM_SYMBOL_ERR.
|
||||
* =PAM_BAD_CONSTANT.
|
||||
*/
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_authenticate_secondary.c#8 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
||||
/*
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_chauthtok.c#16 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
@ -55,7 +58,7 @@ pam_chauthtok(pam_handle_t *pamh,
|
|||
|
||||
ENTER();
|
||||
if (flags & ~(PAM_SILENT|PAM_CHANGE_EXPIRED_AUTHTOK))
|
||||
RETURNC(PAM_SYMBOL_ERR);
|
||||
RETURNC(PAM_BAD_CONSTANT);
|
||||
r = openpam_dispatch(pamh, PAM_SM_CHAUTHTOK,
|
||||
flags | PAM_PRELIM_CHECK);
|
||||
if (r == PAM_SUCCESS)
|
||||
|
@ -72,7 +75,7 @@ pam_chauthtok(pam_handle_t *pamh,
|
|||
* =openpam_dispatch
|
||||
* =pam_sm_chauthtok
|
||||
* !PAM_IGNORE
|
||||
* PAM_SYMBOL_ERR
|
||||
* PAM_BAD_CONSTANT
|
||||
*/
|
||||
|
||||
/**
|
||||
|
@ -88,5 +91,5 @@ pam_chauthtok(pam_handle_t *pamh,
|
|||
* =PAM_CHANGE_EXPIRED_AUTHTOK:
|
||||
* Change only those authentication tokens that have expired.
|
||||
*
|
||||
* If any other bits are set, =pam_chauthtok will return =PAM_SYMBOL_ERR.
|
||||
* If any other bits are set, =pam_chauthtok will return =PAM_BAD_CONSTANT.
|
||||
*/
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_close_session.c#13 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
@ -55,7 +58,7 @@ pam_close_session(pam_handle_t *pamh,
|
|||
|
||||
ENTER();
|
||||
if (flags & ~(PAM_SILENT))
|
||||
RETURNC(PAM_SYMBOL_ERR);
|
||||
RETURNC(PAM_BAD_CONSTANT);
|
||||
r = openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags);
|
||||
RETURNC(r);
|
||||
}
|
||||
|
@ -66,7 +69,7 @@ pam_close_session(pam_handle_t *pamh,
|
|||
* =openpam_dispatch
|
||||
* =pam_sm_close_session
|
||||
* !PAM_IGNORE
|
||||
* PAM_SYMBOL_ERR
|
||||
* PAM_BAD_CONSTANT
|
||||
*/
|
||||
|
||||
/**
|
||||
|
@ -80,5 +83,5 @@ pam_close_session(pam_handle_t *pamh,
|
|||
* Do not emit any messages.
|
||||
*
|
||||
* If any other bits are set, =pam_close_session will return
|
||||
* =PAM_SYMBOL_ERR.
|
||||
* =PAM_BAD_CONSTANT.
|
||||
*/
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_end.c#14 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
|
@ -56,7 +59,7 @@ pam_end(pam_handle_t *pamh,
|
|||
|
||||
ENTER();
|
||||
if (pamh == NULL)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
RETURNC(PAM_BAD_HANDLE);
|
||||
|
||||
/* clear module data */
|
||||
while ((dp = pamh->module_data) != NULL) {
|
||||
|
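Review bot: Returning PAM_BAD_HANDLE for a NULL `pamh` is more precise than PAM_SYSTEM_ERR, but the same condition in `pam_get_authtok` (hunk `@ -60,20 +65,30 @@` below) still returns PAM_SYSTEM_ERR through the combined check `if (pamh == NULL || authtok == NULL)`; consider splitting that check so a NULL handle yields PAM_BAD_HANDLE in both places. The ordering here is right: the NULL check runs before the `while ((dp = pamh->module_data) != NULL)` loop, so nothing dereferences the handle first.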
@ -89,7 +92,7 @@ pam_end(pam_handle_t *pamh,
|
|||
/*
|
||||
* Error codes:
|
||||
*
|
||||
* PAM_SYSTEM_ERR
|
||||
* PAM_BAD_HANDLE
|
||||
*/
|
||||
|
||||
/**
|
|
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2011 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_error.c#10 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
@ -50,7 +53,7 @@
|
|||
*/
|
||||
|
||||
int
|
||||
pam_error(pam_handle_t *pamh,
|
||||
pam_error(const pam_handle_t *pamh,
|
||||
const char *fmt,
|
||||
...)
|
||||
{
|
|
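Review bot: The definition now takes `const pam_handle_t *pamh`, but this hunk does not show the matching prototype in the public header or the callee that the varargs are forwarded to. Make sure the declaration in `security/pam_appl.h` is const-qualified in the same commit (otherwise declaration and definition conflict) and that the function it forwards to also accepts a `const pam_handle_t *`, or the const-correctness ends at this function and a cast would be needed.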
@ -1,5 +1,6 @@
|
|||
/*-
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2004-2017 Dag-Erling Smørgrav
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
||||
|
@ -30,10 +31,12 @@
|
|||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/openpam/lib/pam_get_authtok.c#28 $
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
# include "config.h"
|
||||
#endif
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <stdlib.h>
|
||||
|
@ -43,8 +46,10 @@
|
|||
#include <security/openpam.h>
|
||||
|
||||
#include "openpam_impl.h"
|
||||
#include "openpam_strlset.h"
|
||||
|
||||
static const char authtok_prompt[] = "Password:";
|
||||
static const char authtok_prompt_remote[] = "Password for %u@%h:";
|
||||
static const char oldauthtok_prompt[] = "Old Password:";
|
||||
static const char newauthtok_prompt[] = "New Password:";
|
||||
|
||||
|
@ -60,20 +65,30 @@ pam_get_authtok(pam_handle_t *pamh,
|
|||
const char **authtok,
|
||||
const char *prompt)
|
||||
{
|
||||
char prompt_buf[1024];
|
||||
size_t prompt_size;
|
||||
const void *oldauthtok, *prevauthtok, *promptp;
|
||||
const char *default_prompt;
|
||||
const char *prompt_option, *default_prompt;
|
||||
const void *lhost, *rhost;
|
||||
char *resp, *resp2;
|
||||
int pitem, r, style, twice;
|
||||
|
||||
ENTER();
|
||||
if (pamh == NULL || authtok == NULL)
|
||||
RETURNC(PAM_SYSTEM_ERR);
|
||||
*authtok = NULL;
|
||||
twice = 0;
|
||||
switch (item) {
|
||||
case PAM_AUTHTOK:
|
||||
pitem = PAM_AUTHTOK_PROMPT;
|
||||
prompt_option = "authtok_prompt";
|
||||
default_prompt = authtok_prompt;
|
||||
r = pam_get_item(pamh, PAM_RHOST, &rhost);
|
||||
if (r == PAM_SUCCESS && rhost != NULL) {
|
||||
r = pam_get_item(pamh, PAM_HOST, &lhost);
|
||||
if (r == PAM_SUCCESS && lhost != NULL) {
|
||||
if (strcmp(rhost, lhost) != 0)
|
||||
default_prompt = authtok_prompt_remote;
|
||||
}
|
||||
}
|
||||
r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok);
|
||||
if (r == PAM_SUCCESS && oldauthtok != NULL) {
|
||||
default_prompt = newauthtok_prompt;
|
||||
|
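Review bot: `strcmp(rhost, lhost)` is a case-sensitive, exact comparison of whatever the application stored in PAM_RHOST and PAM_HOST, so "Host" versus "host", or a short name versus the fully qualified name, selects the "Password for %u@%h:" prompt for what is really a local login. If the intent is "remote host differs from the local host", a case-insensitive compare such as strcasecmp is more robust; the remaining mismatch cases are harmless because the remote prompt only adds information. Minor: `rhost` and `lhost` are `const void *` passed straight to strcmp, which C accepts through implicit conversion but which would need casts if this file were ever compiled as C++.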
@ -82,11 +97,12 @@ pam_get_authtok(pam_handle_t *pamh,
|
|||
break;
|
||||
case PAM_OLDAUTHTOK:
|
||||
pitem = PAM_OLDAUTHTOK_PROMPT;
|
||||
prompt_option = "oldauthtok_prompt";
|
||||
default_prompt = oldauthtok_prompt;
|
||||
twice = 0;
|
||||
break;
|
||||
default:
|
||||
RETURNC(PAM_SYMBOL_ERR);
|
||||
RETURNC(PAM_BAD_CONSTANT);
|
||||
}
|
||||
if (openpam_get_option(pamh, "try_first_pass") ||
|
||||
openpam_get_option(pamh, "use_first_pass")) {
|
||||
|
@ -94,17 +110,27 @@ pam_get_authtok(pam_handle_t *pamh,
|
|||
if (r == PAM_SUCCESS && prevauthtok != NULL) {
|
||||
*authtok = prevauthtok;
|
||||
RETURNC(PAM_SUCCESS);
|
||||
}
|
||||
else if (openpam_get_option(pamh, "use_first_pass"))
|
||||
} else if (openpam_get_option(pamh, "use_first_pass")) {
|
||||
RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r);
|
||||
}
|
||||
}
|
||||
/* pam policy overrides the module's choice */
|
||||
if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL)
|
||||
prompt = promptp;
|
||||
/* no prompt provided, see if there is one tucked away somewhere */
|
||||
if (prompt == NULL) {
|
||||
r = pam_get_item(pamh, pitem, &promptp);
|
||||
if (r != PAM_SUCCESS || promptp == NULL)
|
||||
prompt = default_prompt;
|
||||
else
|
||||
if (r == PAM_SUCCESS && promptp != NULL)
|
||||
prompt = promptp;
|
||||
}
|
||||
/* fall back to hardcoded default */
|
||||
if (prompt == NULL)
|
||||
prompt = default_prompt;
|
||||
/* expand */
|
||||
prompt_size = sizeof prompt_buf;
|
||||
r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt);
|
||||
if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf)
|
||||
prompt = prompt_buf;
|
||||
style = openpam_get_option(pamh, "echo_pass") ?
|
||||
PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
|
||||
r = pam_prompt(pamh, style, &resp, "%s", prompt);
|
||||
|
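Review bot: When `openpam_subst` fails, or reports a required size larger than `prompt_buf`, the code silently keeps the unexpanded template, so the user can be shown a literal "%u@%h" instead of the user and host names; consider logging the failure or returning `r` rather than prompting with an unexpanded string. The lookup order itself is right: `openpam_get_option(pamh, prompt_option)` is consulted before the PAM item and the hardcoded default, which matches the "pam policy overrides the module's choice" comment and the MODULE OPTIONS text in the man page hunk below.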
@ -113,16 +139,21 @@ pam_get_authtok(pam_handle_t *pamh,
|
|||
if (twice) {
|
||||
r = pam_prompt(pamh, style, &resp2, "Retype %s", prompt);
|
||||
if (r != PAM_SUCCESS) {
|
||||
strlset(resp, 0, PAM_MAX_RESP_SIZE);
|
||||
FREE(resp);
|
||||
RETURNC(r);
|
||||
}
|
||||
if (strcmp(resp, resp2) != 0)
|
||||
if (strcmp(resp, resp2) != 0) {
|
||||
strlset(resp, 0, PAM_MAX_RESP_SIZE);
|
||||
FREE(resp);
|
||||
}
|
||||
strlset(resp2, 0, PAM_MAX_RESP_SIZE);
|
||||
FREE(resp2);
|
||||
}
|
||||
if (resp == NULL)
|
||||
RETURNC(PAM_TRY_AGAIN);
|
||||
r = pam_set_item(pamh, item, resp);
|
||||
strlset(resp, 0, PAM_MAX_RESP_SIZE);
|
||||
FREE(resp);
|
||||
if (r != PAM_SUCCESS)
|
||||
RETURNC(r);
|
||||
|
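Review bot: The mismatch branch depends on `FREE(resp)` leaving `resp` NULL so that the later `if (resp == NULL) RETURNC(PAM_TRY_AGAIN);` fires; if FREE() is ever changed to a plain free(), this becomes a use-after-free followed by `pam_set_item(pamh, item, resp)` storing a dangling pointer, so a short comment at that `if` noting the reliance on FREE() nulling the pointer would help the next reader. Also, `resp` and `resp2` come from the application's conversation function via `pam_prompt`, so the buffers are not guaranteed to be PAM_MAX_RESP_SIZE bytes long; `strlset(resp, 0, PAM_MAX_RESP_SIZE)` is only safe if strlset stops at the terminating NUL, and it should be implemented so the compiler cannot drop the store as dead, since free() follows immediately.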
@ -137,14 +168,17 @@ pam_get_authtok(pam_handle_t *pamh,
|
|||
* =pam_prompt
|
||||
* =pam_set_item
|
||||
* !PAM_SYMBOL_ERR
|
||||
* PAM_BAD_CONSTANT
|
||||
* PAM_TRY_AGAIN
|
||||
*/
|
||||
|
||||
/**
|
||||
* The =pam_get_authtok function returns the cached authentication token,
|
||||
* or prompts the user if no token is currently cached.
|
||||
* The =pam_get_authtok function either prompts the user for an
|
||||
* authentication token or retrieves a cached authentication token,
|
||||
* depending on circumstances.
|
||||
* Either way, a pointer to the authentication token is stored in the
|
||||
* location pointed to by the =authtok argument.
|
||||
* location pointed to by the =authtok argument, and the corresponding PAM
|
||||
* item is updated.
|
||||
*
|
||||
* The =item argument must have one of the following values:
|
||||
*
|
||||
|
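Review bot: The error-code list replaces `!PAM_SYMBOL_ERR` with `PAM_BAD_CONSTANT` without the leading `!`, while the other lists in this change keep their `!PAM_IGNORE` markers; confirm the dropped prefix is intentional and not a typo, since the marker affects how the generated documentation treats the code. The rewritten description's "the corresponding PAM item is updated" is accurate: it matches the `pam_set_item(pamh, item, resp)` call in the preceding hunk.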
@ -159,12 +193,47 @@ pam_get_authtok(pam_handle_t *pamh,
|
|||
* If it is =NULL, the =PAM_AUTHTOK_PROMPT or =PAM_OLDAUTHTOK_PROMPT item,
|
||||
* as appropriate, will be used.
|
||||
* If that item is also =NULL, a hardcoded default prompt will be used.
|
||||
* Additionally, when =pam_get_authtok is called from a service module,
|
||||
* the prompt may be affected by module options as described below.
|
||||
* The prompt is then expanded using =openpam_subst before it is passed to
|
||||
* the conversation function.
|
||||
*
|
||||
* If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK
|
||||
* item, =pam_get_authtok will ask the user to confirm the new token by
|
||||
* retyping it.
|
||||
* If there is a mismatch, =pam_get_authtok will return =PAM_TRY_AGAIN.
|
||||
*
|
||||
* MODULE OPTIONS
|
||||
*
|
||||
* When called by a service module, =pam_get_authtok will recognize the
|
||||
* following module options:
|
||||
*
|
||||
* ;authtok_prompt:
|
||||
* Prompt to use when =item is set to =PAM_AUTHTOK.
|
||||
* This option overrides both the =prompt argument and the
|
||||
* =PAM_AUTHTOK_PROMPT item.
|
||||
* ;echo_pass:
|
||||
* If the application's conversation function allows it, this
|
||||
* lets the user see what they are typing.
|
||||
* This should only be used for non-reusable authentication
|
||||
* tokens.
|
||||
* ;oldauthtok_prompt:
|
||||
* Prompt to use when =item is set to =PAM_OLDAUTHTOK.
|
||||
* This option overrides both the =prompt argument and the
|
||||
* =PAM_OLDAUTHTOK_PROMPT item.
|
||||
* ;try_first_pass:
|
||||
* If the requested item is non-null, return it without
|
||||
* prompting the user.
|
||||
* Typically, the service module will verify the token, and
|
||||
* if it does not match, clear the item before calling
|
||||
* =pam_get_authtok a second time.
|
||||
* ;use_first_pass:
|
||||
* Do not prompt the user at all; just return the cached
|
||||
* value, or =PAM_AUTH_ERR if there is none.
|
||||
*
|
||||
* >pam_conv
|
||||
* >pam_get_item
|
||||
* >pam_get_user
|
||||
* >openpam_get_option
|
||||
* >openpam_subst
|
||||
*/
|
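Review bot: The man page text still says "a hardcoded default prompt will be used" when neither the `prompt` argument nor the item is set, but for PAM_AUTHTOK the code now has two hardcoded defaults, "Password:" and "Password for %u@%h:", the latter chosen when PAM_RHOST is set and differs from PAM_HOST, and both are displaced by "New Password:" when PAM_OLDAUTHTOK is non-null. Document that selection here so administrators understand why the prompt changes between local and remote logins. The `;authtok_prompt` and `;oldauthtok_prompt` entries correctly state that the option overrides both the argument and the item, which matches the lookup order in the code.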
Some files were not shown because too many files have changed in this diff.