author | des <des@FreeBSD.org> | 2002-04-08 12:30:31 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2002-04-08 12:30:31 +0000 |
commit | 343af1294ca2f648272ae5428bf8fe04ec051308 (patch) | |
tree | 13fbc5f0e3fdcef7dedc9ab85b563bf59eaa3af5 /contrib/openpam/lib | |
parent | 1b3dab89b21d32019ba4c46b362a853fcdb5a062 (diff) | |
Vendor import of OpenPAM Cinchona.
Diffstat (limited to 'contrib/openpam/lib')
-rw-r--r-- | contrib/openpam/lib/Makefile | 5 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_borrow_cred.c | 105 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_free_data.c | 67 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_impl.h | 12 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_restore_cred.c | 86 |
5 files changed, 273 insertions, 2 deletions
diff --git a/contrib/openpam/lib/Makefile b/contrib/openpam/lib/Makefile
index d9f38c3..f2fb006 100644
--- a/contrib/openpam/lib/Makefile
+++ b/contrib/openpam/lib/Makefile
@@ -31,7 +31,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $P4: //depot/projects/openpam/lib/Makefile#12 $
+# $P4: //depot/projects/openpam/lib/Makefile#13 $
 #
 LIB = pam
@@ -44,12 +44,15 @@ CFLAGS += -I${.CURDIR}/../include
 CFLAGS += -DLIB_MAJ=${SHLIB_MAJOR}
 SRCS =
+SRCS += openpam_borrow_cred.c
 SRCS += openpam_dispatch.c
 SRCS += openpam_dynamic.c
 SRCS += openpam_findenv.c
+SRCS += openpam_free_data.c
 SRCS += openpam_get_option.c
 SRCS += openpam_load.c
 SRCS += openpam_log.c
+SRCS += openpam_restore_cred.c
 SRCS += openpam_set_option.c
 SRCS += openpam_static.c
 SRCS += openpam_ttyconv.c
diff --git a/contrib/openpam/lib/openpam_borrow_cred.c b/contrib/openpam/lib/openpam_borrow_cred.c
new file mode 100644
index 0000000..87aed86
--- /dev/null
+++ b/contrib/openpam/lib/openpam_borrow_cred.c
@@ -0,0 +1,105 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#1 $
+ */
+
+#include <sys/param.h>
+
+#include <pwd.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Temporarily borrow user credentials
+ */
+
+int
+openpam_borrow_cred(pam_handle_t *pamh,
+ const struct passwd *pwd)
+{
+ struct pam_saved_cred *scred;
+ int r;
+
+ if (geteuid() != 0)
+ return (PAM_PERM_DENIED);
+ scred = calloc(1, sizeof *scred);
+ if (scred == NULL)
+ return (PAM_BUF_ERR);
+ scred->euid = geteuid();
+ scred->egid = getegid();
+ r = getgroups(NGROUPS_MAX, scred->groups);
+ if (r == -1) {
+ free(scred);
+ return (PAM_SYSTEM_ERR);
+ }
+ scred->ngroups = r;
+ r = pam_set_data(pamh, PAM_SAVED_CRED, scred, &openpam_free_data);
+ if (r != PAM_SUCCESS) {
+ free(scred);
+ return (r);
+ }
+ if (initgroups(pwd->pw_name, pwd->pw_gid) == -1 ||
+ setegid(pwd->pw_gid) == -1 || seteuid(pwd->pw_uid) == -1) {
+ openpam_restore_cred(pamh);
+ return (PAM_SYSTEM_ERR);
+ }
+ return (PAM_SUCCESS);
+}
+
+/*
+ * Error codes:
+ *
+ * =pam_set_data
+ * PAM_SYSTEM_ERR
+ * PAM_BUF_ERR
+ * PAM_PERM_DENIED
+ */
+
+/**
+ * The =openpam_borrow_cred function saves the current credentials and
+ * switches to those of the user specified by its =pwd argument. The
+ * affected credentials are the effective UID, the effective GID, and the
+ * group access list. The original credentials can be restored using
+ * =openpam_restore_cred.
+ *
+ * >setegid
+ * >seteuid
+ * >setgroups
+ */
diff --git a/contrib/openpam/lib/openpam_free_data.c b/contrib/openpam/lib/openpam_free_data.c
new file mode 100644
index 0000000..6c71266
--- /dev/null
+++ b/contrib/openpam/lib/openpam_free_data.c
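Review bot: In the error branch after the initgroups/setegid/seteuid chain, the return value of openpam_restore_cred is discarded, so when the rollback itself fails the caller only sees PAM_SYSTEM_ERR while the process may be left with partially switched credentials (for example effective GID and group list already changed, effective UID still 0). That case deserves at least a comment on the call, `/* best effort: if restoring also fails, credentials may be partially switched */`, and ideally a message through the logging facility in openpam_log.c; the saved-cred entry appears to stay attached to the handle in that path, so a later openpam_restore_cred can still retry. pwd is dereferenced without any check, so a guard such as `if (pwd == NULL) return (PAM_SYSTEM_ERR);` before the calloc would turn a crash in a process running with root privileges into an error return. The second `geteuid()` call re-reads a value the guard above has already established as 0; storing it is fine, but a short comment saying the save is intentional would stop readers wondering whether the guard was meant to be removed.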
@@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/openpam/lib/openpam_free_data.c#1 $
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Generic cleanup function
+ */
+
+void
+openpam_free_data(pam_handle_t *pamh, void *data, int status)
+{
+ /* silence compiler warnings */
+ pamh = pamh;
+ status = status;
+ free(data);
+}
+
+/*
+ * Error codes:
+ */
+
+/**
+ * The =openpam_free_data is a cleanup function suitable for passing to
+ * =pam_set_data. It simply releases the data by passing its =data
+ * argument to =free.
+ */
diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h
index 8300b0f..a9b011e 100644
--- a/contrib/openpam/lib/openpam_impl.h
+++ b/contrib/openpam/lib/openpam_impl.h
@@ -31,7 +31,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/openpam/lib/openpam_impl.h#11 $
+ * $P4: //depot/projects/openpam/lib/openpam_impl.h#12 $
 */
 #ifndef _OPENPAM_IMPL_H_INCLUDED
@@ -93,6 +93,16 @@ struct pam_handle {
 int env_size;
 };
+#ifdef NGROUPS_MAX
+#define PAM_SAVED_CRED "pam_saved_cred"
+struct pam_saved_cred {
+ uid_t euid;
+ gid_t egid;
+ gid_t groups[NGROUPS_MAX];
+ int ngroups;
+};
+#endif
+
 #define PAM_OTHER "other"
 int openpam_dispatch(pam_handle_t *, int, int);
diff --git a/contrib/openpam/lib/openpam_restore_cred.c b/contrib/openpam/lib/openpam_restore_cred.c
new file mode 100644
index 0000000..05c3b10
--- /dev/null
+++ b/contrib/openpam/lib/openpam_restore_cred.c
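Review bot: The `pamh = pamh; status = status;` self-assignments used to silence unused-parameter warnings are themselves reported by some compilers as self-assignment and read like a slip to anyone unfamiliar with the idiom; the conventional spelling is `(void)pamh;` and `(void)status;` under the same comment. Since this function is registered as the pam_set_data cleanup for the credentials saved by openpam_borrow_cred, the header comment could also state that it is only suitable for data obtained from malloc/calloc, because free is applied unconditionally.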
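Review bot: The `#ifdef NGROUPS_MAX` guard makes PAM_SAVED_CRED and struct pam_saved_cred silently disappear from any translation unit that includes openpam_impl.h without first including the header that defines NGROUPS_MAX (openpam_borrow_cred.c and openpam_restore_cred.c both include <sys/param.h> ahead of it), so a missing include surfaces as an undeclared-identifier error in the user rather than a diagnostic at the cause. A one-line comment on the guard, `/* needs NGROUPS_MAX; include <sys/param.h> before this header */`, would make that ordering dependency explicit. The earlier hunk in this file is only a $P4 id bump.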
@@ -0,0 +1,86 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#1 $
+ */
+
+#include <sys/param.h>
+
+#include <pwd.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <security/pam_appl.h>
+
+#include "openpam_impl.h"
+
+/*
+ * OpenPAM extension
+ *
+ * Restore credentials
+ */
+
+int
+openpam_restore_cred(pam_handle_t *pamh)
+{
+ struct pam_saved_cred *scred;
+ int r;
+
+ r = pam_get_data(pamh, PAM_SAVED_CRED, (const void **)&scred);
+ if (r != PAM_SUCCESS)
+ return (r);
+ if (scred == NULL)
+ return (PAM_SYSTEM_ERR);
+ if (seteuid(scred->euid) == -1 ||
+ setgroups(scred->ngroups, scred->groups) == -1 ||
+ setegid(scred->egid) == -1)
+ return (PAM_SYSTEM_ERR);
+ pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL);
+ return (PAM_SUCCESS);
+}
+
+/*
+ * Error codes:
+ *
+ * =pam_get_data
+ * PAM_SYSTEM_ERR
+ */
+
+/**
+ * The =openpam_restore_cred function restores the credentials saved by
+ * =openpam_borrow_cred.
+ *
+ * >setegid
+ * >seteuid
+ * >setgroups
+ */ |
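Review bot: The return value of `pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL)` is ignored, so if that call fails the function still reports PAM_SUCCESS while the stale saved credentials stay attached to the handle; either check it or say in a comment that this is deliberate because the credentials themselves have already been restored at that point. There is no free() of scred here, which only works if replacing the entry runs the cleanup registered at borrow time (openpam_free_data) on the old pointer — that is inferred, not visible in this file — so a comment such as `/* replacing the entry runs openpam_free_data on scred; do not touch it afterwards */` would spare the next reader the same trace and make the no-use-after-this-call rule explicit. The restore order (seteuid before setgroups and setegid) is correct because the group and GID changes need the root effective UID back first, and that reasoning also deserves a line of comment, since swapping the calls would look harmless and break the rollback.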