diff options
author | markm <markm@FreeBSD.org> | 2001-03-27 19:40:51 +0000 |
---|---|---|
committer | markm <markm@FreeBSD.org> | 2001-03-27 19:40:51 +0000 |
commit | f767ca7e60f2f04f4d7f30da195b56abab4296df (patch) | |
tree | 2c45c3c7d9ffb06e8a26fdf6d772beb282ddfad9 /libexec | |
parent | 51ca15c2dcae271222dd76f75c0c909596323a8c (diff) | |
download | FreeBSD-src-f767ca7e60f2f04f4d7f30da195b56abab4296df.zip FreeBSD-src-f767ca7e60f2f04f4d7f30da195b56abab4296df.tar.gz |
Add full PAM support for account management and sessions.
The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c
Submitted by: "David J. MacKenzie" <djm@web.us.uu.net>
Diffstat (limited to 'libexec')
-rw-r--r-- | libexec/ftpd/Makefile | 5 | ||||
-rw-r--r-- | libexec/ftpd/ftpd.c | 59 | ||||
-rw-r--r-- | libexec/rshd/Makefile | 9 | ||||
-rw-r--r-- | libexec/rshd/rshd.8 | 10 | ||||
-rw-r--r-- | libexec/rshd/rshd.c | 262 |
5 files changed, 279 insertions, 66 deletions
diff --git a/libexec/ftpd/Makefile b/libexec/ftpd/Makefile index a1c2547..6d81aee 100644 --- a/libexec/ftpd/Makefile +++ b/libexec/ftpd/Makefile @@ -18,9 +18,8 @@ LSDIR= ../../bin/ls SRCS+= ls.c cmp.c print.c util.c CFLAGS+=-Dmain=ls_main -I${.CURDIR}/${LSDIR} -.if defined(NOPAM) -CFLAGS+=-DNOPAM -.else +.if !defined(NOPAM) +CFLAGS+=-DUSE_PAM DPADD+= ${LIBPAM} LDADD+= ${MINUSLPAM} .endif diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c index b5b6136..c7a74ee 100644 --- a/libexec/ftpd/ftpd.c +++ b/libexec/ftpd/ftpd.c @@ -95,7 +95,7 @@ static const char rcsid[] = #include <skey.h> #endif -#if !defined(NOPAM) +#ifdef USE_PAM #include <security/pam_appl.h> #endif @@ -182,8 +182,9 @@ char *ident = NULL; static char ttyline[20]; char *tty = ttyline; /* for klogin */ -#if !defined(NOPAM) +#ifdef USE_PAM static int auth_pam __P((struct passwd**, const char*)); +pam_handle_t *pamh = NULL; #endif char *pid_file = NULL; @@ -1033,6 +1034,9 @@ checkuser(fname, name, pwset) static void end_login() { +#ifdef USE_PAM + int e; +#endif (void) seteuid((uid_t)0); if (logged_in) @@ -1042,12 +1046,21 @@ end_login() setusercontext(NULL, getpwuid(0), (uid_t)0, LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK); #endif +#ifdef USE_PAM + if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + pamh = NULL; +#endif logged_in = 0; guest = 0; dochroot = 0; } -#if !defined(NOPAM) +#ifdef USE_PAM /* * the following code is stolen from imap-uw PAM authentication module and @@ -1166,19 +1179,34 @@ auth_pam(struct passwd **ppw, const char *pass) break; default: - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); + syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e)); rval = -1; break; } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; + if (rval == 0) { + e = pam_acct_mgmt(pamh, 0); + if (e == PAM_NEW_AUTHTOK_REQD) { + e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (e != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); + rval = 1; + } + } else if (e != PAM_SUCCESS) { + rval = 1; + } + } + + if (rval != 0) { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + pamh = NULL; } return rval; } -#endif /* !defined(NOPAM) */ +#endif /* USE_PAM */ void pass(passwd) @@ -1189,6 +1217,9 @@ pass(passwd) #ifdef LOGIN_CAP login_cap_t *lc = NULL; #endif +#ifdef USE_PAM + int e; +#endif if (logged_in || askpasswd == 0) { reply(503, "Login with USER first."); @@ -1200,7 +1231,7 @@ pass(passwd) rval = 1; /* failure below */ goto skip; } -#if !defined(NOPAM) +#ifdef USE_PAM rval = auth_pam(&pw, passwd); if (rval >= 0) goto skip; @@ -1281,6 +1312,16 @@ skip: (void) initgroups(pw->pw_name, pw->pw_gid); #endif +#ifdef USE_PAM + if (pamh) { + if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e)); + } else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + } + } +#endif + /* open wtmp before chroot */ ftpd_logwtmp(ttyline, pw->pw_name, remotehost); logged_in = 1; diff --git a/libexec/rshd/Makefile b/libexec/rshd/Makefile index 54e254b..735c00d 100644 --- a/libexec/rshd/Makefile +++ b/libexec/rshd/Makefile @@ -7,11 +7,16 @@ MAN= rshd.8 #CFLAGS+= -DCRYPT -# For login_cap handling -CFLAGS+=-DLOGIN_CAP -Wall +CFLAGS+= -Wall DPADD+= ${LIBUTIL} LDADD+= -lutil +.if !defined(NOPAM) +CFLAGS+= -DUSE_PAM +DPADD+= ${LIBPAM} +LDADD+= ${MINUSLPAM} +.endif + # IPv6 support CFLAGS+= -DINET6 diff --git a/libexec/rshd/rshd.8 b/libexec/rshd/rshd.8 index bf18b20..52245da 100644 --- a/libexec/rshd/rshd.8 +++ b/libexec/rshd/rshd.8 @@ -241,6 +241,16 @@ and is not preceded by a flag byte. .It Pa /etc/login.conf .It Ev $HOME Ns Pa /.rhosts .It Pa /var/run/nologin +.It Pa /etc/pam.conf +if +.Nm +is configured with PAM support, it uses +.Pa /etc/pam.conf +entries with service name +.Dq rsh . +authentication modules requiring passwords (such as +.Nm pam_unix ) +are not supported .El .Sh BUGS The authentication procedure used here assumes the integrity diff --git a/libexec/rshd/rshd.c b/libexec/rshd/rshd.c index 20f794a..efe5beb1 100644 --- a/libexec/rshd/rshd.c +++ b/libexec/rshd/rshd.c @@ -76,9 +76,27 @@ static const char rcsid[] = #include <string.h> #include <syslog.h> #include <unistd.h> -#ifdef LOGIN_CAP #include <login_cap.h> -#endif + +#ifdef USE_PAM +#include <security/pam_appl.h> +#include <sys/wait.h> + +static int export_pam_environment __P((void)); +static int ok_to_export __P((const char *)); + +static pam_handle_t *pamh; +static char **environ_pam; + +#define PAM_END { \ + if ((retcode = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) \ + syslog(LOG_ERR|LOG_AUTH, "pam_setcred: %s", pam_strerror(pamh, retcode)); \ + if ((retcode = pam_close_session(pamh,0)) != PAM_SUCCESS) \ + syslog(LOG_ERR|LOG_AUTH, "pam_close_session: %s", pam_strerror(pamh, retcode)); \ + if ((retcode = pam_end(pamh, retcode)) != PAM_SUCCESS) \ + syslog(LOG_ERR|LOG_AUTH, "pam_end: %s", pam_strerror(pamh, retcode)); \ +} +#endif /* USE_PAM */ /* wrapper for KAME-special getnameinfo() */ #ifndef NI_WITHSCOPEID @@ -188,6 +206,20 @@ main(argc, argv) return(0); } +#ifdef USE_PAM +/* + * We can't have a conversation with the client over the rsh connection. + * You must use auth methods that don't require one, like pam_rhosts. + */ + +int null_conv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + syslog(LOG_ERR, "PAM conversation is not supported"); + return PAM_CONV_ERR; +} +#endif /* USE_PAM */ + char username[20] = "USER="; char homedir[64] = "HOME="; char shell[64] = "SHELL="; @@ -216,9 +248,11 @@ doit(fromp) int rc; int pv1[2], pv2[2]; #endif -#ifdef LOGIN_CAP login_cap_t *lc; -#endif +#ifdef USE_PAM + static struct pam_conv conv = { null_conv, NULL }; + int retcode; +#endif /* USE_PAM */ (void) signal(SIGINT, SIG_DFL); (void) signal(SIGQUIT, SIG_DFL); @@ -229,7 +263,7 @@ doit(fromp) && af != AF_INET6 #endif ) { - syslog(LOG_ERR, "malformed \"from\" address (af %d)\n", af); + syslog(LOG_ERR, "malformed \"from\" address (af %d)", af); exit(1); } err = getnameinfo((struct sockaddr *)fromp, fromp->su_len, numericname, @@ -341,6 +375,52 @@ doit(fromp) getstr(locuser, sizeof(locuser), "locuser"); getstr(cmdbuf, sizeof(cmdbuf), "command"); + +#ifdef USE_PAM + retcode = pam_start("rsh", locuser, &conv, &pamh); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR|LOG_AUTH, "pam_start: %s", pam_strerror(pamh, retcode)); + error("Login incorrect.\n"); + exit(1); + } + + retcode = pam_set_item (pamh, PAM_RUSER, remuser); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_RUSER): %s", pam_strerror(pamh, retcode)); + error("Login incorrect.\n"); + exit(1); + } + retcode = pam_set_item (pamh, PAM_RHOST, fromhost); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_RHOST): %s", pam_strerror(pamh, retcode)); + error("Login incorrect.\n"); + exit(1); + } + retcode = pam_set_item (pamh, PAM_TTY, "tty"); + if (retcode != PAM_SUCCESS) { + syslog(LOG_ERR|LOG_AUTH, "pam_set_item(PAM_TTY): %s", pam_strerror(pamh, retcode)); + error("Login incorrect.\n"); + exit(1); + } + + retcode = pam_authenticate(pamh, 0); + if (retcode == PAM_SUCCESS) { + if ((retcode = pam_get_item(pamh, PAM_USER, (const void **) &cp)) == PAM_SUCCESS) { + strncpy(locuser, cp, sizeof(locuser)); + locuser[sizeof(locuser) - 1] = '\0'; + } else + syslog(LOG_ERR|LOG_AUTH, "pam_get_item(PAM_USER): %s", + pam_strerror(pamh, retcode)); + retcode = pam_acct_mgmt(pamh, 0); + } + if (retcode != PAM_SUCCESS) { + syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'", + remuser, fromhost, locuser, pam_strerror(pamh, retcode), cmdbuf); + error("Login incorrect.\n"); + exit(1); + } +#endif /* USE_PAM */ + setpwent(); pwd = getpwnam(locuser); if (pwd == NULL) { @@ -349,13 +429,36 @@ doit(fromp) remuser, fromhost, locuser, cmdbuf); if (errorstr == NULL) errorstr = "Login incorrect.\n"; - goto fail; + error(errorstr, fromhost); + exit(1); } -#ifdef LOGIN_CAP + +#ifndef USE_PAM + if (errorstr || + (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || + iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, + remuser, locuser) < 0) { + if (__rcmd_errstr) + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: permission denied (%s). cmd='%.80s'", + remuser, fromhost, locuser, __rcmd_errstr, + cmdbuf); + else + syslog(LOG_INFO|LOG_AUTH, + "%s@%s as %s: permission denied. cmd='%.80s'", + remuser, fromhost, locuser, cmdbuf); + if (errorstr == NULL) + errorstr = "Login incorrect.\n"; + error(errorstr, fromhost); + exit(1); + } +#endif /* USE_PAM */ + lc = login_getpwclass(pwd); -#endif + if (pwd->pw_uid) + auth_checknologin(lc); + if (chdir(pwd->pw_dir) < 0) { -#ifdef LOGIN_CAP if (chdir("/") < 0 || login_getcapbool(lc, "requirehome", !!pwd->pw_uid)) { syslog(LOG_INFO|LOG_AUTH, @@ -364,44 +467,9 @@ doit(fromp) error("No remote home directory.\n"); exit(0); } -#else - (void) chdir("/"); -#ifdef notdef - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: no home directory. cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); - error("No remote directory.\n"); - exit(1); -#endif -#endif pwd->pw_dir = "/"; } - if (errorstr || - (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || - iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, - remuser, locuser) < 0) { - if (__rcmd_errstr) - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied (%s). cmd='%.80s'", - remuser, fromhost, locuser, __rcmd_errstr, - cmdbuf); - else - syslog(LOG_INFO|LOG_AUTH, - "%s@%s as %s: permission denied. cmd='%.80s'", - remuser, fromhost, locuser, cmdbuf); -fail: - if (errorstr == NULL) - errorstr = "Login incorrect.\n"; - error(errorstr, fromhost); - exit(1); - } - - if (pwd->pw_uid && !access(_PATH_NOLOGIN, F_OK)) { - error("Logins currently disabled.\n"); - exit(1); - } -#ifdef LOGIN_CAP if (lc != NULL && fromp->su_family == AF_INET) { /*XXX*/ char remote_ip[MAXHOSTNAMELEN]; @@ -421,13 +489,30 @@ fail: exit(1); } } -#endif /* !LOGIN_CAP */ #if BSD > 43 /* before fork, while we're session leader */ if (setlogin(pwd->pw_name) < 0) syslog(LOG_ERR, "setlogin() failed: %m"); #endif + /* + * PAM modules might add supplementary groups in + * pam_setcred(), so initialize them first. + * But we need to open the session as root. + */ + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) { + syslog(LOG_ERR, "setusercontext: %m"); + exit(1); + } + +#ifdef USE_PAM + if ((retcode = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, retcode)); + } else if ((retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, retcode)); + } +#endif /* USE_PAM */ + (void) write(STDERR_FILENO, "\0", 1); sent_null = 1; @@ -569,6 +654,9 @@ fail: (doencrypt && FD_ISSET(pv1[0], &readfrom)) || #endif FD_ISSET(pv[0], &readfrom)); +#ifdef USE_PAM + PAM_END; +#endif /* USE_PAM */ exit(0); } setpgrp(0, getpid()); @@ -586,9 +674,38 @@ fail: dup2(pv[1], 2); close(pv[1]); } +#ifdef USE_PAM + else { + pid = fork(); + if (pid == -1) { + error("Can't fork; try again.\n"); + exit(1); + } + if (pid) { + /* Parent. */ + wait(NULL); + PAM_END; + exit(0); + } + } +#endif /* USE_PAM */ + if (*pwd->pw_shell == '\0') pwd->pw_shell = _PATH_BSHELL; environ = envinit; + +#ifdef USE_PAM + /* + * Add any environmental variables that the + * PAM modules may have set. + */ + environ_pam = pam_getenvlist(pamh); + if (environ_pam) + export_pam_environment(); + if ((retcode = pam_end(pamh, PAM_DATA_SILENT)) != PAM_SUCCESS) + syslog(LOG_ERR|LOG_AUTH, "pam_end: %s", pam_strerror(pamh, retcode)); +#endif /* USE_PAM */ + strncat(homedir, pwd->pw_dir, sizeof(homedir)-6); strcat(path, _PATH_DEFPATH); strncat(shell, pwd->pw_shell, sizeof(shell)-7); @@ -598,17 +715,13 @@ fail: cp++; else cp = pwd->pw_shell; -#ifdef LOGIN_CAP - if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL) != 0) { + + if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL & ~LOGIN_SETGROUP) != 0) { syslog(LOG_ERR, "setusercontext: %m"); exit(1); } login_close(lc); -#else - (void) setgid((gid_t)pwd->pw_gid); - initgroups(pwd->pw_name, pwd->pw_gid); - (void) setuid((uid_t)pwd->pw_uid); -#endif + endpwent(); if (log_success || pwd->pw_uid == 0) { syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: cmd='%.80s'", @@ -717,6 +830,51 @@ topdomain(h) return (maybe); } +#ifdef USE_PAM +static int +export_pam_environment() +{ + char **pp; + + for (pp = environ_pam; *pp != NULL; pp++) { + if (ok_to_export(*pp)) + (void) putenv(*pp); + free(*pp); + } + return PAM_SUCCESS; +} + +/* + * Sanity checks on PAM environmental variables: + * - Make sure there is an '=' in the string. + * - Make sure the string doesn't run on too long. + * - Do not export certain variables. This list was taken from the + * Solaris pam_putenv(3) man page. + */ +static int +ok_to_export(s) + const char *s; +{ + static const char *noexport[] = { + "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH", + "IFS", "PATH", NULL + }; + const char **pp; + size_t n; + + if (strlen(s) > 1024 || strchr(s, '=') == NULL) + return 0; + if (strncmp(s, "LD_", 3) == 0) + return 0; + for (pp = noexport; *pp != NULL; pp++) { + n = strlen(*pp); + if (s[n] == '=' && strncmp(s, *pp, n) == 0) + return 0; + } + return 1; +} +#endif /* USE_PAM */ + void usage() { |