Annotation of embedaddon/sudo/plugins/sudoers/auth/pam.c, revision 1.1.1.4
1.1 misho 1: /*
1.1.1.3 misho 2: * Copyright (c) 1999-2005, 2007-2013 Todd C. Miller <Todd.Miller@courtesan.com>
1.1 misho 3: *
4: * Permission to use, copy, modify, and distribute this software for any
5: * purpose with or without fee is hereby granted, provided that the above
6: * copyright notice and this permission notice appear in all copies.
7: *
8: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: *
16: * Sponsored in part by the Defense Advanced Research Projects
17: * Agency (DARPA) and Air Force Research Laboratory, Air Force
18: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
19: */
20:
21: #include <config.h>
22:
23: #include <sys/types.h>
24: #include <stdio.h>
25: #ifdef STDC_HEADERS
26: # include <stdlib.h>
27: # include <stddef.h>
28: #else
29: # ifdef HAVE_STDLIB_H
30: # include <stdlib.h>
31: # endif
32: #endif /* STDC_HEADERS */
33: #ifdef HAVE_STRING_H
34: # include <string.h>
35: #endif /* HAVE_STRING_H */
36: #ifdef HAVE_STRINGS_H
37: # include <strings.h>
38: #endif /* HAVE_STRINGS_H */
39: #ifdef HAVE_UNISTD_H
40: # include <unistd.h>
41: #endif /* HAVE_UNISTD_H */
42: #include <pwd.h>
43: #include <errno.h>
44:
45: #ifdef HAVE_PAM_PAM_APPL_H
46: # include <pam/pam_appl.h>
47: #else
48: # include <security/pam_appl.h>
49: #endif
50:
51: #ifdef HAVE_LIBINTL_H
52: # if defined(__LINUX_PAM__)
53: # define PAM_TEXT_DOMAIN "Linux-PAM"
54: # elif defined(__sun__)
55: # define PAM_TEXT_DOMAIN "SUNW_OST_SYSOSPAM"
56: # endif
57: #endif
58:
1.1.1.3 misho 59: /* We don't want to translate the strings in the calls to dgt(). */
60: #ifdef PAM_TEXT_DOMAIN
61: # define dgt(d, t) dgettext(d, t)
62: #endif
63:
1.1 misho 64: #include "sudoers.h"
65: #include "sudo_auth.h"
66:
67: /* Only OpenPAM and Linux PAM use const qualifiers. */
68: #if defined(_OPENPAM) || defined(OPENPAM_VERSION) || \
69: defined(__LIBPAM_VERSION) || defined(__LINUX_PAM__)
70: # define PAM_CONST const
71: #else
72: # define PAM_CONST
73: #endif
74:
75: #ifndef PAM_DATA_SILENT
76: #define PAM_DATA_SILENT 0
77: #endif
78:
1.1.1.3 misho 79: static int converse(int, PAM_CONST struct pam_message **,
80: struct pam_response **, void *);
81: static char *def_prompt = "Password:";
82: static int getpass_error;
1.1 misho 83: static pam_handle_t *pamh;
84:
85: int
1.1.1.2 misho 86: sudo_pam_init(struct passwd *pw, sudo_auth *auth)
1.1 misho 87: {
88: static struct pam_conv pam_conv;
89: static int pam_status;
1.1.1.2 misho 90: debug_decl(sudo_pam_init, SUDO_DEBUG_AUTH)
1.1 misho 91:
92: /* Initial PAM setup */
1.1.1.4 ! misho 93: auth->data = (void *) &pam_status;
1.1 misho 94: pam_conv.conv = converse;
1.1.1.4 ! misho 95: pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
! 96: def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
1.1 misho 97: if (pam_status != PAM_SUCCESS) {
1.1.1.3 misho 98: log_warning(USE_ERRNO|NO_MAIL, N_("unable to initialize PAM"));
1.1.1.2 misho 99: debug_return_int(AUTH_FATAL);
1.1 misho 100: }
101:
102: /*
103: * Set PAM_RUSER to the invoking user (the "from" user).
104: * We set PAM_RHOST to avoid a bug in Solaris 7 and below.
105: */
106: (void) pam_set_item(pamh, PAM_RUSER, user_name);
107: #ifdef __sun__
108: (void) pam_set_item(pamh, PAM_RHOST, user_host);
109: #endif
110:
111: /*
112: * Some versions of pam_lastlog have a bug that
113: * will cause a crash if PAM_TTY is not set so if
114: * there is no tty, set PAM_TTY to the empty string.
115: */
116: if (user_ttypath == NULL)
117: (void) pam_set_item(pamh, PAM_TTY, "");
118: else
119: (void) pam_set_item(pamh, PAM_TTY, user_ttypath);
120:
1.1.1.4 ! misho 121: /*
! 122: * If PAM session and setcred support is disabled we don't
! 123: * need to keep a sudo process around to close the session.
! 124: */
! 125: if (!def_pam_session && !def_pam_setcred)
! 126: auth->end_session = NULL;
! 127:
1.1.1.2 misho 128: debug_return_int(AUTH_SUCCESS);
1.1 misho 129: }
130:
131: int
1.1.1.2 misho 132: sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
1.1 misho 133: {
134: const char *s;
135: int *pam_status = (int *) auth->data;
1.1.1.2 misho 136: debug_decl(sudo_pam_verify, SUDO_DEBUG_AUTH)
1.1 misho 137:
138: def_prompt = prompt; /* for converse */
139:
140: /* PAM_SILENT prevents the authentication service from generating output. */
141: *pam_status = pam_authenticate(pamh, PAM_SILENT);
142: switch (*pam_status) {
143: case PAM_SUCCESS:
144: *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
145: switch (*pam_status) {
146: case PAM_SUCCESS:
1.1.1.2 misho 147: debug_return_int(AUTH_SUCCESS);
1.1 misho 148: case PAM_AUTH_ERR:
1.1.1.3 misho 149: log_warning(NO_MAIL, N_("account validation failure, "
1.1 misho 150: "is your account locked?"));
1.1.1.2 misho 151: debug_return_int(AUTH_FATAL);
1.1 misho 152: case PAM_NEW_AUTHTOK_REQD:
1.1.1.3 misho 153: log_warning(NO_MAIL, N_("Account or password is "
1.1 misho 154: "expired, reset your password and try again"));
155: *pam_status = pam_chauthtok(pamh,
156: PAM_CHANGE_EXPIRED_AUTHTOK);
157: if (*pam_status == PAM_SUCCESS)
1.1.1.2 misho 158: debug_return_int(AUTH_SUCCESS);
1.1.1.3 misho 159: if ((s = pam_strerror(pamh, *pam_status)) != NULL) {
160: log_warning(NO_MAIL,
161: N_("unable to change expired password: %s"), s);
162: }
1.1.1.2 misho 163: debug_return_int(AUTH_FAILURE);
1.1 misho 164: case PAM_AUTHTOK_EXPIRED:
1.1.1.3 misho 165: log_warning(NO_MAIL,
166: N_("Password expired, contact your system administrator"));
1.1.1.2 misho 167: debug_return_int(AUTH_FATAL);
1.1 misho 168: case PAM_ACCT_EXPIRED:
1.1.1.3 misho 169: log_warning(NO_MAIL,
170: N_("Account expired or PAM config lacks an \"account\" "
1.1 misho 171: "section for sudo, contact your system administrator"));
1.1.1.2 misho 172: debug_return_int(AUTH_FATAL);
1.1 misho 173: }
174: /* FALLTHROUGH */
175: case PAM_AUTH_ERR:
1.1.1.2 misho 176: case PAM_AUTHINFO_UNAVAIL:
177: if (getpass_error) {
1.1 misho 178: /* error or ^C from tgetpass() */
1.1.1.2 misho 179: debug_return_int(AUTH_INTR);
1.1 misho 180: }
1.1.1.2 misho 181: /* FALLTHROUGH */
1.1 misho 182: case PAM_MAXTRIES:
183: case PAM_PERM_DENIED:
1.1.1.2 misho 184: debug_return_int(AUTH_FAILURE);
1.1 misho 185: default:
1.1.1.3 misho 186: if ((s = pam_strerror(pamh, *pam_status)) != NULL)
187: log_warning(NO_MAIL, N_("PAM authentication error: %s"), s);
1.1.1.2 misho 188: debug_return_int(AUTH_FATAL);
1.1 misho 189: }
190: }
191:
192: int
1.1.1.2 misho 193: sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth)
1.1 misho 194: {
195: int *pam_status = (int *) auth->data;
1.1.1.2 misho 196: debug_decl(sudo_pam_cleanup, SUDO_DEBUG_AUTH)
1.1 misho 197:
1.1.1.4 ! misho 198: /* If successful, we can't close the session until sudo_pam_end_session() */
! 199: if (*pam_status != PAM_SUCCESS || auth->end_session == NULL) {
! 200: *pam_status = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
! 201: pamh = NULL;
! 202: }
1.1.1.2 misho 203: debug_return_int(*pam_status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE);
1.1 misho 204: }
205:
206: int
1.1.1.2 misho 207: sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
1.1 misho 208: {
1.1.1.4 ! misho 209: int status = AUTH_SUCCESS;
! 210: int *pam_status = (int *) auth->data;
1.1.1.2 misho 211: debug_decl(sudo_pam_begin_session, SUDO_DEBUG_AUTH)
1.1 misho 212:
213: /*
214: * If there is no valid user we cannot open a PAM session.
215: * This is not an error as sudo can run commands with arbitrary
216: * uids, it just means we are done from a session management standpoint.
217: */
218: if (pw == NULL) {
219: if (pamh != NULL) {
220: (void) pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
221: pamh = NULL;
222: }
223: goto done;
224: }
225:
226: /*
227: * Update PAM_USER to reference the user we are running the command
228: * as, as opposed to the user we authenticated as.
229: */
230: (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
231:
232: /*
233: * Set credentials (may include resource limits, device ownership, etc).
1.1.1.4 ! misho 234: * We don't worry about a failure from pam_setcred() since with
! 235: * stacked PAM auth modules a failure from one module may override
! 236: * PAM_SUCCESS from another. For example, given a non-local user,
! 237: * pam_unix will fail but pam_ldap or pam_sss may succeed, but if
! 238: * pam_unix is first in the stack, pam_setcred() will fail.
1.1 misho 239: */
1.1.1.4 ! misho 240: if (def_pam_setcred)
! 241: (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
! 242:
! 243: if (def_pam_session) {
! 244: *pam_status = pam_open_session(pamh, 0);
! 245: if (*pam_status != PAM_SUCCESS) {
! 246: (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
! 247: pamh = NULL;
! 248: status = AUTH_FAILURE;
! 249: }
1.1.1.3 misho 250: }
1.1 misho 251:
1.1.1.2 misho 252: #ifdef HAVE_PAM_GETENVLIST
253: /*
254: * Update environment based on what is stored in pamh.
255: * If no authentication is done we will only have environment
256: * variables if pam_env is called via session.
257: */
258: if (user_envp != NULL) {
259: char **pam_envp = pam_getenvlist(pamh);
260: if (pam_envp != NULL) {
1.1.1.4 ! misho 261: /* Merge pam env with user env. */
1.1.1.2 misho 262: env_init(*user_envp);
1.1.1.4 ! misho 263: env_merge(pam_envp);
1.1.1.2 misho 264: *user_envp = env_get();
265: env_init(NULL);
266: efree(pam_envp);
267: /* XXX - we leak any duplicates that were in pam_envp */
268: }
269: }
270: #endif /* HAVE_PAM_GETENVLIST */
271:
1.1 misho 272: done:
1.1.1.4 ! misho 273: debug_return_int(status);
1.1 misho 274: }
275:
276: int
1.1.1.2 misho 277: sudo_pam_end_session(struct passwd *pw, sudo_auth *auth)
1.1 misho 278: {
1.1.1.4 ! misho 279: int status = AUTH_SUCCESS;
1.1.1.2 misho 280: debug_decl(sudo_pam_end_session, SUDO_DEBUG_AUTH)
1.1 misho 281:
282: if (pamh != NULL) {
283: /*
284: * Update PAM_USER to reference the user we are running the command
1.1.1.2 misho 285: * as, as opposed to the user we authenticated as.
286: * XXX - still needed now that session init is in parent?
1.1 misho 287: */
288: (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
1.1.1.3 misho 289: if (def_pam_session)
290: (void) pam_close_session(pamh, PAM_SILENT);
1.1.1.4 ! misho 291: if (def_pam_setcred)
1.1.1.3 misho 292: (void) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
1.1.1.4 ! misho 293: if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) != PAM_SUCCESS)
! 294: status = AUTH_FAILURE;
1.1 misho 295: pamh = NULL;
296: }
297:
1.1.1.4 ! misho 298: debug_return_int(status);
1.1 misho 299: }
300:
301: /*
302: * ``Conversation function'' for PAM.
303: * XXX - does not handle PAM_BINARY_PROMPT
304: */
305: static int
306: converse(int num_msg, PAM_CONST struct pam_message **msg,
307: struct pam_response **response, void *appdata_ptr)
308: {
309: struct pam_response *pr;
310: PAM_CONST struct pam_message *pm;
311: const char *prompt;
312: char *pass;
313: int n, type, std_prompt;
1.1.1.2 misho 314: int ret = PAM_AUTH_ERR;
315: debug_decl(converse, SUDO_DEBUG_AUTH)
1.1 misho 316:
317: if ((*response = malloc(num_msg * sizeof(struct pam_response))) == NULL)
1.1.1.2 misho 318: debug_return_int(PAM_SYSTEM_ERR);
1.1.1.4 ! misho 319: memset(*response, 0, num_msg * sizeof(struct pam_response));
1.1 misho 320:
321: for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) {
322: type = SUDO_CONV_PROMPT_ECHO_OFF;
323: switch (pm->msg_style) {
324: case PAM_PROMPT_ECHO_ON:
325: type = SUDO_CONV_PROMPT_ECHO_ON;
1.1.1.2 misho 326: /* FALLTHROUGH */
1.1 misho 327: case PAM_PROMPT_ECHO_OFF:
328: prompt = def_prompt;
329:
330: /* Error out if the last password read was interrupted. */
1.1.1.2 misho 331: if (getpass_error)
332: goto done;
1.1 misho 333:
1.1.1.3 misho 334: /* Is the sudo prompt standard? (If so, we'll just use PAM's) */
1.1 misho 335: std_prompt = strncmp(def_prompt, "Password:", 9) == 0 &&
336: (def_prompt[9] == '\0' ||
337: (def_prompt[9] == ' ' && def_prompt[10] == '\0'));
338:
339: /* Only override PAM prompt if it matches /^Password: ?/ */
340: #if defined(PAM_TEXT_DOMAIN) && defined(HAVE_LIBINTL_H)
341: if (!def_passprompt_override && (std_prompt ||
1.1.1.3 misho 342: (strcmp(pm->msg, dgt(PAM_TEXT_DOMAIN, "Password: ")) &&
343: strcmp(pm->msg, dgt(PAM_TEXT_DOMAIN, "Password:")))))
1.1 misho 344: prompt = pm->msg;
345: #else
346: if (!def_passprompt_override && (std_prompt ||
347: strncmp(pm->msg, "Password:", 9) || (pm->msg[9] != '\0'
348: && (pm->msg[9] != ' ' || pm->msg[10] != '\0'))))
349: prompt = pm->msg;
350: #endif
351: /* Read the password unless interrupted. */
352: pass = auth_getpass(prompt, def_passwd_timeout * 60, type);
353: if (pass == NULL) {
1.1.1.2 misho 354: /* Error (or ^C) reading password, don't try again. */
355: getpass_error = 1;
356: #if (defined(__darwin__) || defined(__APPLE__)) && !defined(OPENPAM_VERSION)
1.1 misho 357: pass = "";
358: #else
1.1.1.2 misho 359: goto done;
1.1 misho 360: #endif
361: }
362: pr->resp = estrdup(pass);
1.1.1.4 ! misho 363: memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass));
1.1 misho 364: break;
365: case PAM_TEXT_INFO:
366: if (pm->msg)
367: (void) puts(pm->msg);
368: break;
369: case PAM_ERROR_MSG:
370: if (pm->msg) {
371: (void) fputs(pm->msg, stderr);
372: (void) fputc('\n', stderr);
373: }
374: break;
375: default:
1.1.1.2 misho 376: ret = PAM_CONV_ERR;
377: goto done;
1.1 misho 378: }
379: }
1.1.1.2 misho 380: ret = PAM_SUCCESS;
1.1 misho 381:
1.1.1.2 misho 382: done:
383: if (ret != PAM_SUCCESS) {
384: /* Zero and free allocated memory and return an error. */
385: for (pr = *response, n = num_msg; n--; pr++) {
386: if (pr->resp != NULL) {
1.1.1.4 ! misho 387: memset_s(pr->resp, SUDO_CONV_REPL_MAX, 0, strlen(pr->resp));
1.1.1.2 misho 388: free(pr->resp);
389: pr->resp = NULL;
390: }
1.1 misho 391: }
1.1.1.2 misho 392: free(*response);
393: *response = NULL;
1.1 misho 394: }
1.1.1.2 misho 395: debug_return_int(ret);
1.1 misho 396: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>