diff options
author | des <des@FreeBSD.org> | 2002-04-14 18:28:22 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2002-04-14 18:28:22 +0000 |
commit | 3928c97d18145ce51c22cd530ae9f353b88f85eb (patch) | |
tree | d8361aa94c01d745b7e3ff0f65d6b71e5425c644 /contrib/openpam/lib | |
parent | 38971df82a9b331625c18dbb591759be82a43bcf (diff) | |
download | FreeBSD-src-3928c97d18145ce51c22cd530ae9f353b88f85eb.zip FreeBSD-src-3928c97d18145ce51c22cd530ae9f353b88f85eb.tar.gz |
Vendor import of OpenPAM Cineraria.
Diffstat (limited to 'contrib/openpam/lib')
-rw-r--r-- | contrib/openpam/lib/Makefile | 3 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_configure.c | 264 | ||||
-rw-r--r-- | contrib/openpam/lib/openpam_impl.h | 3 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_acct_mgmt.c | 18 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_authenticate.c | 10 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_chauthtok.c | 8 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_close_session.c | 19 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_open_session.c | 20 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_setcred.c | 25 | ||||
-rw-r--r-- | contrib/openpam/lib/pam_start.c | 221 |
10 files changed, 358 insertions, 233 deletions
diff --git a/contrib/openpam/lib/Makefile b/contrib/openpam/lib/Makefile index f2fb006..eb7f242 100644 --- a/contrib/openpam/lib/Makefile +++ b/contrib/openpam/lib/Makefile @@ -31,7 +31,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $P4: //depot/projects/openpam/lib/Makefile#13 $ +# $P4: //depot/projects/openpam/lib/Makefile#14 $ # LIB = pam @@ -45,6 +45,7 @@ CFLAGS += -DLIB_MAJ=${SHLIB_MAJOR} SRCS = SRCS += openpam_borrow_cred.c +SRCS += openpam_configure.c SRCS += openpam_dispatch.c SRCS += openpam_dynamic.c SRCS += openpam_findenv.c diff --git a/contrib/openpam/lib/openpam_configure.c b/contrib/openpam/lib/openpam_configure.c new file mode 100644 index 0000000..8c12e10 --- /dev/null +++ b/contrib/openpam/lib/openpam_configure.c @@ -0,0 +1,264 @@ +/*- + * Copyright (c) 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $P4: //depot/projects/openpam/lib/openpam_configure.c#1 $ + */ + +#include <ctype.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include <security/pam_appl.h> + +#include "openpam_impl.h" + +#define PAM_CONF_STYLE 0 +#define PAM_D_STYLE 1 +#define MAX_LINE_LEN 1024 +#define MAX_OPTIONS 256 + +static int +openpam_read_policy_file(pam_handle_t *pamh, + const char *service, + const char *filename, + int style) +{ + char buf[MAX_LINE_LEN], *p, *q; + const char *optv[MAX_OPTIONS + 1]; + int ch, chain, flag, line, optc, n, r; + size_t len; + FILE *f; + + n = 0; + + if ((f = fopen(filename, "r")) == NULL) { + openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE, + "%s: %m", filename); + return (0); + } + openpam_log(PAM_LOG_DEBUG, "looking for '%s' in %s", + service, filename); + + for (line = 1; fgets(buf, MAX_LINE_LEN, f) != NULL; ++line) { + if ((len = strlen(buf)) == 0) + continue; + + /* check for overflow */ + if (buf[--len] != '\n' && !feof(f)) { + openpam_log(PAM_LOG_ERROR, "%s: line %d too long", + filename, line); + openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d", + filename, line); + while ((ch = fgetc(f)) != EOF) + if (ch == '\n') + break; + continue; + } + + /* strip comments and trailing whitespace */ + if ((p = strchr(buf, '#')) != NULL) + len = p - buf ? p - buf - 1 : p - buf; + while (len > 0 && isspace(buf[len - 1])) + --len; + if (len == 0) + continue; + buf[len] = '\0'; + p = q = buf; + + /* check service name */ + if (style == PAM_CONF_STYLE) { + for (q = p = buf; *q != '\0' && !isspace(*q); ++q) + /* nothing */; + if (*q == '\0') + goto syntax_error; + *q++ = '\0'; + if (strcmp(p, service) != 0) + continue; + openpam_log(PAM_LOG_DEBUG, "%s: line %d matches '%s'", + filename, line, service); + } + + + /* get module type */ + for (p = q; isspace(*p); ++p) + /* nothing */; + for (q = p; *q != '\0' && !isspace(*q); ++q) + /* nothing */; + if (q == p || *q == '\0') + goto syntax_error; + *q++ = '\0'; + if (strcmp(p, "auth") == 0) { + chain = PAM_AUTH; + } else if (strcmp(p, "account") == 0) { + chain = PAM_ACCOUNT; + } else if (strcmp(p, "session") == 0) { + chain = PAM_SESSION; + } else if (strcmp(p, "password") == 0) { + chain = PAM_PASSWORD; + } else { + openpam_log(PAM_LOG_ERROR, + "%s: invalid module type on line %d: '%s'", + filename, line, p); + continue; + } + + /* get control flag */ + for (p = q; isspace(*p); ++p) + /* nothing */; + for (q = p; *q != '\0' && !isspace(*q); ++q) + /* nothing */; + if (q == p || *q == '\0') + goto syntax_error; + *q++ = '\0'; + if (strcmp(p, "required") == 0) { + flag = PAM_REQUIRED; + } else if (strcmp(p, "requisite") == 0) { + flag = PAM_REQUISITE; + } else if (strcmp(p, "sufficient") == 0) { + flag = PAM_SUFFICIENT; + } else if (strcmp(p, "optional") == 0) { + flag = PAM_OPTIONAL; + } else { + openpam_log(PAM_LOG_ERROR, + "%s: invalid control flag on line %d: '%s'", + filename, line, p); + continue; + } + + /* get module name */ + for (p = q; isspace(*p); ++p) + /* nothing */; + for (q = p; *q != '\0' && !isspace(*q); ++q) + /* nothing */; + if (q == p) + goto syntax_error; + + /* get options */ + for (optc = 0; *q != '\0' && optc < MAX_OPTIONS; ++optc) { + *q++ = '\0'; + while (isspace(*q)) + ++q; + optv[optc] = q; + while (*q != '\0' && !isspace(*q)) + ++q; + } + optv[optc] = NULL; + if (*q != '\0') { + *q = '\0'; + openpam_log(PAM_LOG_ERROR, + "%s: too many options on line %d", + filename, line); + } + + /* + * Finally, add the module at the end of the + * appropriate chain and bump the counter. + */ + r = openpam_add_module(pamh, chain, flag, p, optc, optv); + if (r != PAM_SUCCESS) + return (-r); + ++n; + continue; + syntax_error: + openpam_log(PAM_LOG_ERROR, "%s: syntax error on line %d", + filename, line); + openpam_log(PAM_LOG_DEBUG, "%s: line %d: [%s]", + filename, line, q); + openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d", + filename, line); + } + + if (ferror(f)) + openpam_log(PAM_LOG_ERROR, "%s: %m", filename); + + fclose(f); + return (n); +} + +static const char *openpam_policy_path[] = { + "/etc/pam.d/", + "/etc/pam.conf", + "/usr/local/etc/pam.d/", + NULL +}; + +/* + * OpenPAM internal + * + * Configure a service + */ + +int +openpam_configure(pam_handle_t *pamh, + const char *service) +{ + const char **path; + char *filename; + size_t len; + int r; + + for (path = openpam_policy_path; *path != NULL; ++path) { + len = strlen(*path); + if ((*path)[len - 1] == '/') { + filename = malloc(len + strlen(service) + 1); + if (filename == NULL) { + openpam_log(PAM_LOG_ERROR, "malloc(): %m"); + return (PAM_BUF_ERR); + } + strcpy(filename, *path); + strcat(filename, service); + r = openpam_read_policy_file(pamh, + service, filename, PAM_D_STYLE); + free(filename); + } else { + r = openpam_read_policy_file(pamh, + service, *path, PAM_CONF_STYLE); + } + if (r < 0) + return (-r); + if (r > 0) + return (PAM_SUCCESS); + } + + return (PAM_SYSTEM_ERR); +} + +/* + * NODOC + * + * Error codes: + * PAM_SYSTEM_ERR + * PAM_BUF_ERR + */ diff --git a/contrib/openpam/lib/openpam_impl.h b/contrib/openpam/lib/openpam_impl.h index a9b011e..1fc0184 100644 --- a/contrib/openpam/lib/openpam_impl.h +++ b/contrib/openpam/lib/openpam_impl.h @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/openpam_impl.h#12 $ + * $P4: //depot/projects/openpam/lib/openpam_impl.h#13 $ */ #ifndef _OPENPAM_IMPL_H_INCLUDED @@ -105,6 +105,7 @@ struct pam_saved_cred { #define PAM_OTHER "other" +int openpam_configure(pam_handle_t *, const char *); int openpam_dispatch(pam_handle_t *, int, int); int openpam_findenv(pam_handle_t *, const char *, size_t); int openpam_add_module(pam_handle_t *, int, int, diff --git a/contrib/openpam/lib/pam_acct_mgmt.c b/contrib/openpam/lib/pam_acct_mgmt.c index 4464604..11e389d 100644 --- a/contrib/openpam/lib/pam_acct_mgmt.c +++ b/contrib/openpam/lib/pam_acct_mgmt.c @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_acct_mgmt.c#7 $ + * $P4: //depot/projects/openpam/lib/pam_acct_mgmt.c#8 $ */ #include <sys/param.h> @@ -62,3 +62,19 @@ pam_acct_mgmt(pam_handle_t *pamh, * =pam_sm_acct_mgmt * !PAM_IGNORE */ + +/** + * The =pam_acct_mgmt function verifies and enforces account restrictions + * after the user has been authenticated. + * + * The =flags argument is the binary or of zero or more of the following + * values: + * + * =PAM_SILENT: + * Do not emit any messages. + * =PAM_DISALLOW_NULL_AUTHTOK: + * Fail if the user's authentication token is null. + * + * If any other bits are set, =pam_authenticate will return + * =PAM_SYMBOL_ERR. + */ diff --git a/contrib/openpam/lib/pam_authenticate.c b/contrib/openpam/lib/pam_authenticate.c index 20c656e..fbf3829 100644 --- a/contrib/openpam/lib/pam_authenticate.c +++ b/contrib/openpam/lib/pam_authenticate.c @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_authenticate.c#9 $ + * $P4: //depot/projects/openpam/lib/pam_authenticate.c#10 $ */ #include <sys/param.h> @@ -66,6 +66,7 @@ pam_authenticate(pam_handle_t *pamh, * =openpam_dispatch * =pam_sm_authenticate * !PAM_IGNORE + * PAM_SYMBOL_ERR */ /** @@ -79,8 +80,11 @@ pam_authenticate(pam_handle_t *pamh, * The =flags argument is the binary or of zero or more of the following * values: * - * =PAM_SILENT + * =PAM_SILENT: * Do not emit any messages. - * =PAM_DISALLOW_NULL_AUTHTOK + * =PAM_DISALLOW_NULL_AUTHTOK: * Fail if the user's authentication token is null. + * + * If any other bits are set, =pam_authenticate will return + * =PAM_SYMBOL_ERR. */ diff --git a/contrib/openpam/lib/pam_chauthtok.c b/contrib/openpam/lib/pam_chauthtok.c index bf56a13..3101d0c 100644 --- a/contrib/openpam/lib/pam_chauthtok.c +++ b/contrib/openpam/lib/pam_chauthtok.c @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#10 $ + * $P4: //depot/projects/openpam/lib/pam_chauthtok.c#11 $ */ #include <sys/param.h> @@ -82,8 +82,10 @@ pam_chauthtok(pam_handle_t *pamh, * The =flags argument is the binary or of zero or more of the following * values: * - * =PAM_SILENT + * =PAM_SILENT: * Do not emit any messages. - * =PAM_CHANGE_EXPIRED_AUTHTOK + * =PAM_CHANGE_EXPIRED_AUTHTOK: * Change only those authentication tokens that have expired. + * + * If any other bits are set, =pam_chauthtok will return =PAM_SYMBOL_ERR. */ diff --git a/contrib/openpam/lib/pam_close_session.c b/contrib/openpam/lib/pam_close_session.c index bf806f7..50d8ba2 100644 --- a/contrib/openpam/lib/pam_close_session.c +++ b/contrib/openpam/lib/pam_close_session.c @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_close_session.c#7 $ + * $P4: //depot/projects/openpam/lib/pam_close_session.c#8 $ */ #include <sys/param.h> @@ -52,6 +52,8 @@ pam_close_session(pam_handle_t *pamh, int flags) { + if (flags & ~(PAM_SILENT)) + return (PAM_SYMBOL_ERR); return (openpam_dispatch(pamh, PAM_SM_CLOSE_SESSION, flags)); } @@ -61,4 +63,19 @@ pam_close_session(pam_handle_t *pamh, * =openpam_dispatch * =pam_sm_close_session * !PAM_IGNORE + * PAM_SYMBOL_ERR + */ + +/** + * The =pam_close_session function tears down the user session previously + * set up by =pam_open_session. + * + * The =flags argument is the binary or of zero or more of the following + * values: + * + * =PAM_SILENT: + * Do not emit any messages. + * + * If any other bits are set, =pam_close_session will return + * =PAM_SYMBOL_ERR. */ diff --git a/contrib/openpam/lib/pam_open_session.c b/contrib/openpam/lib/pam_open_session.c index c33c829..02f73fb 100644 --- a/contrib/openpam/lib/pam_open_session.c +++ b/contrib/openpam/lib/pam_open_session.c @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_open_session.c#7 $ + * $P4: //depot/projects/openpam/lib/pam_open_session.c#8 $ */ #include <sys/param.h> @@ -52,6 +52,8 @@ pam_open_session(pam_handle_t *pamh, int flags) { + if (flags & ~(PAM_SILENT)) + return (PAM_SYMBOL_ERR); return (openpam_dispatch(pamh, PAM_SM_OPEN_SESSION, flags)); } @@ -61,4 +63,20 @@ pam_open_session(pam_handle_t *pamh, * =openpam_dispatch * =pam_sm_open_session * !PAM_IGNORE + * PAM_SYMBOL_ERR + */ + +/** + * The =pam_open_session sets up a user session for a previously + * authenticated user. The session should later be torn down by a call to + * =pam_close_session. + * + * The =flags argument is the binary or of zero or more of the following + * values: + * + * =PAM_SILENT: + * Do not emit any messages. + * + * If any other bits are set, =pam_open_session will return + * =PAM_SYMBOL_ERR. */ diff --git a/contrib/openpam/lib/pam_setcred.c b/contrib/openpam/lib/pam_setcred.c index f381139..1273cb4 100644 --- a/contrib/openpam/lib/pam_setcred.c +++ b/contrib/openpam/lib/pam_setcred.c @@ -31,7 +31,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_setcred.c#8 $ + * $P4: //depot/projects/openpam/lib/pam_setcred.c#9 $ */ #include <sys/param.h> @@ -52,6 +52,10 @@ pam_setcred(pam_handle_t *pamh, int flags) { + if (flags & ~(PAM_SILENT|PAM_ESTABLISH_CRED|PAM_DELETE_CRED| + PAM_REINITIALIZE_CRED|PAM_REFRESH_CRED)) + return (PAM_SYMBOL_ERR); + /* XXX enforce exclusivity */ return (openpam_dispatch(pamh, PAM_SM_SETCRED, flags)); } @@ -61,18 +65,27 @@ pam_setcred(pam_handle_t *pamh, * =openpam_dispatch * =pam_sm_setcred * !PAM_IGNORE + * PAM_SYMBOL_ERR */ /** * The =pam_setcred function manages the application's credentials. - * The operation to perform is specified by the =flags argument: * - * PAM_ESTABLISH_CRED: + * The =flags argument is the binary or of zero or more of the following + * values: + * + * =PAM_SILENT: + * Do not emit any messages. + * =PAM_ESTABLISH_CRED: * Establish the credentials of the target user. - * PAM_DELETE_CRED: + * =PAM_DELETE_CRED: * Revoke all established credentials. - * PAM_REINITIALIZE_CRED: + * =PAM_REINITIALIZE_CRED: * Fully reinitialise credentials. - * PAM_REFRESH_CRED: + * =PAM_REFRESH_CRED: * Refresh credentials. + * + * The latter four are mutually exclusive. + * + * If any other bits are set, =pam_setcred will return =PAM_SYMBOL_ERR. */ diff --git a/contrib/openpam/lib/pam_start.c b/contrib/openpam/lib/pam_start.c index 4043f16..49976b4 100644 --- a/contrib/openpam/lib/pam_start.c +++ b/contrib/openpam/lib/pam_start.c @@ -31,21 +31,15 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/openpam/lib/pam_start.c#12 $ + * $P4: //depot/projects/openpam/lib/pam_start.c#13 $ */ -#include <ctype.h> -#include <errno.h> -#include <stdio.h> #include <stdlib.h> -#include <string.h> #include <security/pam_appl.h> #include "openpam_impl.h" -static int _pam_configure_service(pam_handle_t *pamh, const char *service); - /* * XSSO 4.2.1 * XSSO 6 page 89 @@ -71,9 +65,9 @@ pam_start(const char *service, if ((r = pam_set_item(ph, PAM_CONV, pam_conv)) != PAM_SUCCESS) goto fail; - if ((r = _pam_configure_service(ph, service)) != PAM_SUCCESS && - r != PAM_BUF_ERR) - r = _pam_configure_service(ph, PAM_OTHER); + r = openpam_configure(ph, service); + if (r != PAM_SUCCESS && r != PAM_BUF_ERR) + r = openpam_configure(ph, PAM_OTHER); if (r != PAM_SUCCESS) goto fail; @@ -86,217 +80,12 @@ pam_start(const char *service, return (r); } -#define PAM_CONF_STYLE 0 -#define PAM_D_STYLE 1 -#define MAX_LINE_LEN 1024 -#define MAX_OPTIONS 256 - -static int -_pam_read_policy_file(pam_handle_t *pamh, - const char *service, - const char *filename, - int style) -{ - char buf[MAX_LINE_LEN], *p, *q; - const char *optv[MAX_OPTIONS + 1]; - int ch, chain, flag, line, optc, n, r; - size_t len; - FILE *f; - - n = 0; - - if ((f = fopen(filename, "r")) == NULL) { - openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_NOTICE, - "%s: %m", filename); - return (0); - } - openpam_log(PAM_LOG_DEBUG, "looking for '%s' in %s", - service, filename); - - for (line = 1; fgets(buf, MAX_LINE_LEN, f) != NULL; ++line) { - if ((len = strlen(buf)) == 0) - continue; - - /* check for overflow */ - if (buf[--len] != '\n' && !feof(f)) { - openpam_log(PAM_LOG_ERROR, "%s: line %d too long", - filename, line); - openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d", - filename, line); - while ((ch = fgetc(f)) != EOF) - if (ch == '\n') - break; - continue; - } - - /* strip comments and trailing whitespace */ - if ((p = strchr(buf, '#')) != NULL) - len = p - buf ? p - buf - 1 : p - buf; - while (len > 0 && isspace(buf[len - 1])) - --len; - if (len == 0) - continue; - buf[len] = '\0'; - p = q = buf; - - /* check service name */ - if (style == PAM_CONF_STYLE) { - for (q = p = buf; *q != '\0' && !isspace(*q); ++q) - /* nothing */; - if (*q == '\0') - goto syntax_error; - *q++ = '\0'; - if (strcmp(p, service) != 0) - continue; - openpam_log(PAM_LOG_DEBUG, "%s: line %d matches '%s'", - filename, line, service); - } - - - /* get module type */ - for (p = q; isspace(*p); ++p) - /* nothing */; - for (q = p; *q != '\0' && !isspace(*q); ++q) - /* nothing */; - if (q == p || *q == '\0') - goto syntax_error; - *q++ = '\0'; - if (strcmp(p, "auth") == 0) { - chain = PAM_AUTH; - } else if (strcmp(p, "account") == 0) { - chain = PAM_ACCOUNT; - } else if (strcmp(p, "session") == 0) { - chain = PAM_SESSION; - } else if (strcmp(p, "password") == 0) { - chain = PAM_PASSWORD; - } else { - openpam_log(PAM_LOG_ERROR, - "%s: invalid module type on line %d: '%s'", - filename, line, p); - continue; - } - - /* get control flag */ - for (p = q; isspace(*p); ++p) - /* nothing */; - for (q = p; *q != '\0' && !isspace(*q); ++q) - /* nothing */; - if (q == p || *q == '\0') - goto syntax_error; - *q++ = '\0'; - if (strcmp(p, "required") == 0) { - flag = PAM_REQUIRED; - } else if (strcmp(p, "requisite") == 0) { - flag = PAM_REQUISITE; - } else if (strcmp(p, "sufficient") == 0) { - flag = PAM_SUFFICIENT; - } else if (strcmp(p, "optional") == 0) { - flag = PAM_OPTIONAL; - } else { - openpam_log(PAM_LOG_ERROR, - "%s: invalid control flag on line %d: '%s'", - filename, line, p); - continue; - } - - /* get module name */ - for (p = q; isspace(*p); ++p) - /* nothing */; - for (q = p; *q != '\0' && !isspace(*q); ++q) - /* nothing */; - if (q == p) - goto syntax_error; - - /* get options */ - for (optc = 0; *q != '\0' && optc < MAX_OPTIONS; ++optc) { - *q++ = '\0'; - while (isspace(*q)) - ++q; - optv[optc] = q; - while (*q != '\0' && !isspace(*q)) - ++q; - } - optv[optc] = NULL; - if (*q != '\0') { - *q = '\0'; - openpam_log(PAM_LOG_ERROR, - "%s: too many options on line %d", - filename, line); - } - - /* - * Finally, add the module at the end of the - * appropriate chain and bump the counter. - */ - r = openpam_add_module(pamh, chain, flag, p, optc, optv); - if (r != PAM_SUCCESS) - return (-r); - ++n; - continue; - syntax_error: - openpam_log(PAM_LOG_ERROR, "%s: syntax error on line %d", - filename, line); - openpam_log(PAM_LOG_DEBUG, "%s: line %d: [%s]", - filename, line, q); - openpam_log(PAM_LOG_ERROR, "%s: ignoring line %d", - filename, line); - } - - if (ferror(f)) - openpam_log(PAM_LOG_ERROR, "%s: %m", filename); - - fclose(f); - return (n); -} - -static const char *_pam_policy_path[] = { - "/etc/pam.d/", - "/etc/pam.conf", - "/usr/local/etc/pam.d/", - NULL -}; - -static int -_pam_configure_service(pam_handle_t *pamh, - const char *service) -{ - const char **path; - char *filename; - size_t len; - int r; - - for (path = _pam_policy_path; *path != NULL; ++path) { - len = strlen(*path); - if ((*path)[len - 1] == '/') { - filename = malloc(len + strlen(service) + 1); - if (filename == NULL) { - openpam_log(PAM_LOG_ERROR, "malloc(): %m"); - return (PAM_BUF_ERR); - } - strcpy(filename, *path); - strcat(filename, service); - r = _pam_read_policy_file(pamh, - service, filename, PAM_D_STYLE); - free(filename); - } else { - r = _pam_read_policy_file(pamh, - service, *path, PAM_CONF_STYLE); - } - if (r < 0) - return (-r); - if (r > 0) - return (PAM_SUCCESS); - } - - return (PAM_SYSTEM_ERR); -} - /* * Error codes: * + * =openpam_configure * =pam_set_item * !PAM_SYMBOL_ERR - * PAM_SYSTEM_ERR * PAM_BUF_ERR */ |