Annotation of embedaddon/sudo/plugins/sudoers/auth/pam.c, revision 1.1.1.5
1.1 misho 1: /*
1.1.1.3 misho 2: * Copyright (c) 1999-2005, 2007-2013 Todd C. Miller <Todd.Miller@courtesan.com>
1.1 misho 3: *
4: * Permission to use, copy, modify, and distribute this software for any
5: * purpose with or without fee is hereby granted, provided that the above
6: * copyright notice and this permission notice appear in all copies.
7: *
8: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: *
16: * Sponsored in part by the Defense Advanced Research Projects
17: * Agency (DARPA) and Air Force Research Laboratory, Air Force
18: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
19: */
20:
21: #include <config.h>
22:
23: #include <sys/types.h>
24: #include <stdio.h>
25: #ifdef STDC_HEADERS
26: # include <stdlib.h>
27: # include <stddef.h>
28: #else
29: # ifdef HAVE_STDLIB_H
30: # include <stdlib.h>
31: # endif
32: #endif /* STDC_HEADERS */
33: #ifdef HAVE_STRING_H
34: # include <string.h>
35: #endif /* HAVE_STRING_H */
36: #ifdef HAVE_STRINGS_H
37: # include <strings.h>
38: #endif /* HAVE_STRINGS_H */
39: #ifdef HAVE_UNISTD_H
40: # include <unistd.h>
41: #endif /* HAVE_UNISTD_H */
42: #include <pwd.h>
43: #include <errno.h>
44:
45: #ifdef HAVE_PAM_PAM_APPL_H
46: # include <pam/pam_appl.h>
47: #else
48: # include <security/pam_appl.h>
49: #endif
50:
51: #ifdef HAVE_LIBINTL_H
52: # if defined(__LINUX_PAM__)
53: # define PAM_TEXT_DOMAIN "Linux-PAM"
54: # elif defined(__sun__)
55: # define PAM_TEXT_DOMAIN "SUNW_OST_SYSOSPAM"
56: # endif
57: #endif
58:
1.1.1.3 misho 59: /* We don't want to translate the strings in the calls to dgt(). */
60: #ifdef PAM_TEXT_DOMAIN
61: # define dgt(d, t) dgettext(d, t)
62: #endif
63:
1.1 misho 64: #include "sudoers.h"
65: #include "sudo_auth.h"
66:
67: /* Only OpenPAM and Linux PAM use const qualifiers. */
68: #if defined(_OPENPAM) || defined(OPENPAM_VERSION) || \
69: defined(__LIBPAM_VERSION) || defined(__LINUX_PAM__)
70: # define PAM_CONST const
71: #else
72: # define PAM_CONST
73: #endif
74:
75: #ifndef PAM_DATA_SILENT
76: #define PAM_DATA_SILENT 0
77: #endif
78:
1.1.1.3 misho 79: static int converse(int, PAM_CONST struct pam_message **,
80: struct pam_response **, void *);
81: static char *def_prompt = "Password:";
82: static int getpass_error;
1.1 misho 83: static pam_handle_t *pamh;
84:
85: int
1.1.1.2 misho 86: sudo_pam_init(struct passwd *pw, sudo_auth *auth)
1.1 misho 87: {
88: static struct pam_conv pam_conv;
89: static int pam_status;
1.1.1.2 misho 90: debug_decl(sudo_pam_init, SUDO_DEBUG_AUTH)
1.1 misho 91:
92: /* Initial PAM setup */
1.1.1.4 misho 93: auth->data = (void *) &pam_status;
1.1 misho 94: pam_conv.conv = converse;
1.1.1.4 misho 95: pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
96: def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
1.1 misho 97: if (pam_status != PAM_SUCCESS) {
1.1.1.3 misho 98: log_warning(USE_ERRNO|NO_MAIL, N_("unable to initialize PAM"));
1.1.1.2 misho 99: debug_return_int(AUTH_FATAL);
1.1 misho 100: }
101:
102: /*
103: * Set PAM_RUSER to the invoking user (the "from" user).
104: * We set PAM_RHOST to avoid a bug in Solaris 7 and below.
105: */
106: (void) pam_set_item(pamh, PAM_RUSER, user_name);
107: #ifdef __sun__
108: (void) pam_set_item(pamh, PAM_RHOST, user_host);
109: #endif
110:
111: /*
112: * Some versions of pam_lastlog have a bug that
113: * will cause a crash if PAM_TTY is not set so if
114: * there is no tty, set PAM_TTY to the empty string.
115: */
116: if (user_ttypath == NULL)
117: (void) pam_set_item(pamh, PAM_TTY, "");
118: else
119: (void) pam_set_item(pamh, PAM_TTY, user_ttypath);
120:
1.1.1.4 misho 121: /*
122: * If PAM session and setcred support is disabled we don't
123: * need to keep a sudo process around to close the session.
124: */
125: if (!def_pam_session && !def_pam_setcred)
126: auth->end_session = NULL;
127:
1.1.1.2 misho 128: debug_return_int(AUTH_SUCCESS);
1.1 misho 129: }
130:
131: int
1.1.1.2 misho 132: sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
1.1 misho 133: {
134: const char *s;
135: int *pam_status = (int *) auth->data;
1.1.1.2 misho 136: debug_decl(sudo_pam_verify, SUDO_DEBUG_AUTH)
1.1 misho 137:
138: def_prompt = prompt; /* for converse */
139:
140: /* PAM_SILENT prevents the authentication service from generating output. */
141: *pam_status = pam_authenticate(pamh, PAM_SILENT);
142: switch (*pam_status) {
143: case PAM_SUCCESS:
144: *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
145: switch (*pam_status) {
146: case PAM_SUCCESS:
1.1.1.2 misho 147: debug_return_int(AUTH_SUCCESS);
1.1 misho 148: case PAM_AUTH_ERR:
1.1.1.3 misho 149: log_warning(NO_MAIL, N_("account validation failure, "
1.1 misho 150: "is your account locked?"));
1.1.1.2 misho 151: debug_return_int(AUTH_FATAL);
1.1 misho 152: case PAM_NEW_AUTHTOK_REQD:
1.1.1.3 misho 153: log_warning(NO_MAIL, N_("Account or password is "
1.1 misho 154: "expired, reset your password and try again"));
155: *pam_status = pam_chauthtok(pamh,
156: PAM_CHANGE_EXPIRED_AUTHTOK);
157: if (*pam_status == PAM_SUCCESS)
1.1.1.2 misho 158: debug_return_int(AUTH_SUCCESS);
1.1.1.3 misho 159: if ((s = pam_strerror(pamh, *pam_status)) != NULL) {
160: log_warning(NO_MAIL,
161: N_("unable to change expired password: %s"), s);
162: }
1.1.1.2 misho 163: debug_return_int(AUTH_FAILURE);
1.1 misho 164: case PAM_AUTHTOK_EXPIRED:
1.1.1.3 misho 165: log_warning(NO_MAIL,
166: N_("Password expired, contact your system administrator"));
1.1.1.2 misho 167: debug_return_int(AUTH_FATAL);
1.1 misho 168: case PAM_ACCT_EXPIRED:
1.1.1.3 misho 169: log_warning(NO_MAIL,
170: N_("Account expired or PAM config lacks an \"account\" "
1.1 misho 171: "section for sudo, contact your system administrator"));
1.1.1.2 misho 172: debug_return_int(AUTH_FATAL);
1.1 misho 173: }
174: /* FALLTHROUGH */
175: case PAM_AUTH_ERR:
1.1.1.2 misho 176: case PAM_AUTHINFO_UNAVAIL:
177: if (getpass_error) {
1.1 misho 178: /* error or ^C from tgetpass() */
1.1.1.2 misho 179: debug_return_int(AUTH_INTR);
1.1 misho 180: }
1.1.1.2 misho 181: /* FALLTHROUGH */
1.1 misho 182: case PAM_MAXTRIES:
183: case PAM_PERM_DENIED:
1.1.1.2 misho 184: debug_return_int(AUTH_FAILURE);
1.1 misho 185: default:
1.1.1.3 misho 186: if ((s = pam_strerror(pamh, *pam_status)) != NULL)
187: log_warning(NO_MAIL, N_("PAM authentication error: %s"), s);
1.1.1.2 misho 188: debug_return_int(AUTH_FATAL);
1.1 misho 189: }
190: }
191:
192: int
1.1.1.2 misho 193: sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth)
1.1 misho 194: {
195: int *pam_status = (int *) auth->data;
1.1.1.2 misho 196: debug_decl(sudo_pam_cleanup, SUDO_DEBUG_AUTH)
1.1 misho 197:
1.1.1.4 misho 198: /* If successful, we can't close the session until sudo_pam_end_session() */
199: if (*pam_status != PAM_SUCCESS || auth->end_session == NULL) {
200: *pam_status = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
201: pamh = NULL;
202: }
1.1.1.2 misho 203: debug_return_int(*pam_status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE);
1.1 misho 204: }
205:
206: int
1.1.1.2 misho 207: sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
1.1 misho 208: {
1.1.1.4 misho 209: int status = AUTH_SUCCESS;
210: int *pam_status = (int *) auth->data;
1.1.1.2 misho 211: debug_decl(sudo_pam_begin_session, SUDO_DEBUG_AUTH)
1.1 misho 212:
213: /*
214: * If there is no valid user we cannot open a PAM session.
215: * This is not an error as sudo can run commands with arbitrary
216: * uids, it just means we are done from a session management standpoint.
217: */
218: if (pw == NULL) {
219: if (pamh != NULL) {
220: (void) pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
221: pamh = NULL;
222: }
223: goto done;
224: }
225:
226: /*
227: * Update PAM_USER to reference the user we are running the command
228: * as, as opposed to the user we authenticated as.
229: */
230: (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
231:
232: /*
1.1.1.5 ! misho 233: * Reinitialize credentials when changing the user.
1.1.1.4 misho 234: * We don't worry about a failure from pam_setcred() since with
235: * stacked PAM auth modules a failure from one module may override
236: * PAM_SUCCESS from another. For example, given a non-local user,
237: * pam_unix will fail but pam_ldap or pam_sss may succeed, but if
238: * pam_unix is first in the stack, pam_setcred() will fail.
1.1 misho 239: */
1.1.1.4 misho 240: if (def_pam_setcred)
1.1.1.5 ! misho 241: (void) pam_setcred(pamh, PAM_REINITIALIZE_CRED);
1.1.1.4 misho 242:
243: if (def_pam_session) {
244: *pam_status = pam_open_session(pamh, 0);
245: if (*pam_status != PAM_SUCCESS) {
246: (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
247: pamh = NULL;
248: status = AUTH_FAILURE;
1.1.1.5 ! misho 249: goto done;
1.1.1.4 misho 250: }
1.1.1.3 misho 251: }
1.1 misho 252:
1.1.1.2 misho 253: #ifdef HAVE_PAM_GETENVLIST
254: /*
255: * Update environment based on what is stored in pamh.
256: * If no authentication is done we will only have environment
257: * variables if pam_env is called via session.
258: */
259: if (user_envp != NULL) {
260: char **pam_envp = pam_getenvlist(pamh);
261: if (pam_envp != NULL) {
1.1.1.4 misho 262: /* Merge pam env with user env. */
1.1.1.2 misho 263: env_init(*user_envp);
1.1.1.4 misho 264: env_merge(pam_envp);
1.1.1.2 misho 265: *user_envp = env_get();
266: env_init(NULL);
267: efree(pam_envp);
268: /* XXX - we leak any duplicates that were in pam_envp */
269: }
270: }
271: #endif /* HAVE_PAM_GETENVLIST */
272:
1.1 misho 273: done:
1.1.1.4 misho 274: debug_return_int(status);
1.1 misho 275: }
276:
277: int
1.1.1.2 misho 278: sudo_pam_end_session(struct passwd *pw, sudo_auth *auth)
1.1 misho 279: {
1.1.1.4 misho 280: int status = AUTH_SUCCESS;
1.1.1.2 misho 281: debug_decl(sudo_pam_end_session, SUDO_DEBUG_AUTH)
1.1 misho 282:
283: if (pamh != NULL) {
284: /*
285: * Update PAM_USER to reference the user we are running the command
1.1.1.2 misho 286: * as, as opposed to the user we authenticated as.
287: * XXX - still needed now that session init is in parent?
1.1 misho 288: */
289: (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
1.1.1.3 misho 290: if (def_pam_session)
291: (void) pam_close_session(pamh, PAM_SILENT);
1.1.1.4 misho 292: if (def_pam_setcred)
1.1.1.3 misho 293: (void) pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
1.1.1.4 misho 294: if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) != PAM_SUCCESS)
295: status = AUTH_FAILURE;
1.1 misho 296: pamh = NULL;
297: }
298:
1.1.1.4 misho 299: debug_return_int(status);
1.1 misho 300: }
301:
302: /*
303: * ``Conversation function'' for PAM.
304: * XXX - does not handle PAM_BINARY_PROMPT
305: */
306: static int
307: converse(int num_msg, PAM_CONST struct pam_message **msg,
308: struct pam_response **response, void *appdata_ptr)
309: {
310: struct pam_response *pr;
311: PAM_CONST struct pam_message *pm;
312: const char *prompt;
313: char *pass;
314: int n, type, std_prompt;
1.1.1.2 misho 315: int ret = PAM_AUTH_ERR;
316: debug_decl(converse, SUDO_DEBUG_AUTH)
1.1 misho 317:
318: if ((*response = malloc(num_msg * sizeof(struct pam_response))) == NULL)
1.1.1.2 misho 319: debug_return_int(PAM_SYSTEM_ERR);
1.1.1.4 misho 320: memset(*response, 0, num_msg * sizeof(struct pam_response));
1.1 misho 321:
322: for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) {
323: type = SUDO_CONV_PROMPT_ECHO_OFF;
324: switch (pm->msg_style) {
325: case PAM_PROMPT_ECHO_ON:
326: type = SUDO_CONV_PROMPT_ECHO_ON;
1.1.1.2 misho 327: /* FALLTHROUGH */
1.1 misho 328: case PAM_PROMPT_ECHO_OFF:
329: prompt = def_prompt;
330:
331: /* Error out if the last password read was interrupted. */
1.1.1.2 misho 332: if (getpass_error)
333: goto done;
1.1 misho 334:
1.1.1.3 misho 335: /* Is the sudo prompt standard? (If so, we'll just use PAM's) */
1.1 misho 336: std_prompt = strncmp(def_prompt, "Password:", 9) == 0 &&
337: (def_prompt[9] == '\0' ||
338: (def_prompt[9] == ' ' && def_prompt[10] == '\0'));
339:
340: /* Only override PAM prompt if it matches /^Password: ?/ */
341: #if defined(PAM_TEXT_DOMAIN) && defined(HAVE_LIBINTL_H)
342: if (!def_passprompt_override && (std_prompt ||
1.1.1.3 misho 343: (strcmp(pm->msg, dgt(PAM_TEXT_DOMAIN, "Password: ")) &&
344: strcmp(pm->msg, dgt(PAM_TEXT_DOMAIN, "Password:")))))
1.1 misho 345: prompt = pm->msg;
346: #else
347: if (!def_passprompt_override && (std_prompt ||
348: strncmp(pm->msg, "Password:", 9) || (pm->msg[9] != '\0'
349: && (pm->msg[9] != ' ' || pm->msg[10] != '\0'))))
350: prompt = pm->msg;
351: #endif
352: /* Read the password unless interrupted. */
353: pass = auth_getpass(prompt, def_passwd_timeout * 60, type);
354: if (pass == NULL) {
1.1.1.2 misho 355: /* Error (or ^C) reading password, don't try again. */
356: getpass_error = 1;
357: #if (defined(__darwin__) || defined(__APPLE__)) && !defined(OPENPAM_VERSION)
1.1 misho 358: pass = "";
359: #else
1.1.1.2 misho 360: goto done;
1.1 misho 361: #endif
362: }
363: pr->resp = estrdup(pass);
1.1.1.4 misho 364: memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass));
1.1 misho 365: break;
366: case PAM_TEXT_INFO:
367: if (pm->msg)
368: (void) puts(pm->msg);
369: break;
370: case PAM_ERROR_MSG:
371: if (pm->msg) {
372: (void) fputs(pm->msg, stderr);
373: (void) fputc('\n', stderr);
374: }
375: break;
376: default:
1.1.1.2 misho 377: ret = PAM_CONV_ERR;
378: goto done;
1.1 misho 379: }
380: }
1.1.1.2 misho 381: ret = PAM_SUCCESS;
1.1 misho 382:
1.1.1.2 misho 383: done:
384: if (ret != PAM_SUCCESS) {
385: /* Zero and free allocated memory and return an error. */
386: for (pr = *response, n = num_msg; n--; pr++) {
387: if (pr->resp != NULL) {
1.1.1.4 misho 388: memset_s(pr->resp, SUDO_CONV_REPL_MAX, 0, strlen(pr->resp));
1.1.1.2 misho 389: free(pr->resp);
390: pr->resp = NULL;
391: }
1.1 misho 392: }
1.1.1.2 misho 393: free(*response);
394: *response = NULL;
1.1 misho 395: }
1.1.1.2 misho 396: debug_return_int(ret);
1.1 misho 397: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to pam.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / plugins / sudoers / auth