diff options
Diffstat (limited to 'contrib/libpam/modules')
108 files changed, 0 insertions, 18950 deletions
diff --git a/contrib/libpam/modules/Makefile b/contrib/libpam/modules/Makefile deleted file mode 100644 index 0066fb4..0000000 --- a/contrib/libpam/modules/Makefile +++ /dev/null @@ -1,132 +0,0 @@ -# $Id: Makefile,v 1.21 1997/04/05 06:44:43 morgan Exp morgan $ -# -# Makefile -# -# This makefile controls the build process of shared and static PAM modules. -# -# $Log: Makefile,v $ -# Revision 1.21 1997/04/05 06:44:43 morgan -# pam_env and pam_tally added -# -# Revision 1.20 1997/02/15 18:57:11 morgan -# fixed bash syntax -# -# Revision 1.19 1997/01/04 20:21:32 morgan -# moved responsibility of conditional compilation to modules (more flexible) -# -# Revision 1.18 1996/12/01 03:34:40 morgan -# update for .54 -# -# Revision 1.17 1996/11/10 20:20:15 morgan -# cross platform support and new modules -# -# Revision 1.16 1996/09/05 06:20:45 morgan -# added two modules: listfile and shells -# -# Revision 1.15 1996/08/09 05:38:28 morgan -# added new/proposed modules. -# fixed makefile installation dependencies -# -# Revision 1.14 1996/07/08 00:00:33 morgan -# added wheel and group modules -# - -MODDIRS=\ - pam_access \ - pam_afs \ - pam_afsauth \ - pam_afspass \ - pam_afstok \ - pam_cracklib \ - pam_deny \ - pam_desgold \ - pam_env \ - pam_filter \ - pam_ftp \ - pam_group \ - pam_kerberos \ - pam_krb4 \ - pam_lastlog \ - pam_listfile \ - pam_limits \ - pam_mail \ - pam_nologin \ - pam_opie \ - pam_passwd+ \ - pam_permit \ - pam_pwdb \ - pam_radius \ - pam_restrict \ - pam_rhosts \ - pam_rootok \ - pam_securetty \ - pam_shells \ - pam_sid \ - pam_skey \ - pam_skey2 \ - pam_stress \ - pam_syslog \ - pam_tally \ - pam_time \ - pam_unix \ - pam_warn \ - pam_wheel - - -# //////////////////////////////////////////////////// -# // You should not modify anything below this line // -# //////////////////////////////////////////////////// - -dummy: - @echo "*** This is not a top-level Makefile! ***" - -# ----------------------------------------------------------- - -all: - @echo modules for $(OS) are: - @ls -d $(MODDIRS) 2>/dev/null ; echo :-------- - @echo -ifdef STATIC - rm -f ./_static_module_* -endif - @for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i all ; \ - if [ $$? -ne 0 ]; then exit 1 ; fi ; \ - } elif [ -f ./.$$i ]; then { \ - cat ./.$$i ; \ - } fi ; \ - done - -install: - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i install ; \ - if [ $$? -ne 0 ]; then exit 1 ; fi ; \ - } fi ; \ - done - -remove: - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i remove ; \ - } fi ; \ - done - -lclean: - rm -f _static_module_* - -clean: lclean - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then { \ - $(MAKE) -C $$i clean ; \ - } fi ; \ - done - -extraclean: lclean - for i in $(MODDIRS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i extraclean ; \ - fi ; \ - done - diff --git a/contrib/libpam/modules/README b/contrib/libpam/modules/README deleted file mode 100644 index 8641594..0000000 --- a/contrib/libpam/modules/README +++ /dev/null @@ -1,55 +0,0 @@ -This directory contains the modules. - -If you want to reserve a module name please email <pam-list@redhat.com> -and announce its name. Andrew Morgan, <morgan@parc.power.net>, will -add it to the Makefile in the next release of Linux-PAM. - -As of Linux-PAM-0.40 modules can optionally conform to the static -modules conventions. - -This file was updated for Linux-PAM-0.53. - -The conventions are as follows: - -There are only 6 functions that a module may declare as "public" they -fall into 4 managment groups as follows: - - functions Management group - ------------------------------------------ ---------------- - pam_sm_authenticate, pam_sm_setcred, PAM_SM_AUTH - pam_sm_acct_mgmt, PAM_SM_ACCOUNT - pam_sm_open_session, pam_sm_close_session, PAM_SM_SESSION - pam_sm_chauthtok PAM_SM_PASSWORD - -If a module contains definitions for any of the above functions, it -must supply definitions for all of the functions in the corresponding -management group. - -The header file that defines the ANSI prototypes for these functions -is <security/pam_modules.h> . In the case that the module wishes to -offer the functions of a given managment group, it must #define -PAM_SM_XXX, where XXX is one of the above four tokens. These -definitions must occur *prior* to the -#include <security/pam_modules.h> line. - -The pam_sm_... functions should be defined to be of type 'PAM_EXTERN int'. - -In the case that a module is being compiled with PAM_STATIC #define'd -it should also define a globally accessible structure -_"NAME"_modstruct containing references to each of the functions -defined by the module. (this structure is defined in -<security/pam_modules.h>. "NAME" is the title of the module -(eg. "pam_deny") - -If a module wants to be included in the static libpam.a its Makefile -should execute "register_static" with appropriate arguments (in this -directory). - -[ -For SIMPLE working examples, see - - ./modules/pam_deny/* and ./modules/pam_rootok/* -.] - -Andrew Morgan -96/11/10 diff --git a/contrib/libpam/modules/dont_makefile b/contrib/libpam/modules/dont_makefile deleted file mode 100644 index f256ce1..0000000 --- a/contrib/libpam/modules/dont_makefile +++ /dev/null @@ -1,19 +0,0 @@ -######################################################################### -# This is a makefile that does nothing. It is designed to be included -# by module Makefile-s when they are not compatable with the local -# system -######################################################################### - -all: - @echo "This module will not be compiled on this system" - -extraclean: clean - -install: clean - -clean: - @echo "Nothing to do" - -######################################################################### -# all over.. -######################################################################### diff --git a/contrib/libpam/modules/pam_access/Makefile b/contrib/libpam/modules/pam_access/Makefile deleted file mode 100644 index a3d684b..0000000 --- a/contrib/libpam/modules/pam_access/Makefile +++ /dev/null @@ -1,111 +0,0 @@ -# $Id: Makefile,v 1.1 1997/06/23 00:39:42 morgan Exp morgan $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.1 1997/06/23 00:39:42 morgan -# Initial revision -# -# - -TITLE=pam_access -CONFD=$(CONFIGED)/security -export CONFD -CONFILE=$(CONFD)/access.conf -export CONFILE - -# Convenient defaults for compiling independently of the full source -# tree. -ifndef FULL_LINUX_PAM_SOURCE_TREE -export DYNAMIC=-DPAM_DYNAMIC -export CC=gcc -export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ - -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ - -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ - -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ - -Wshadow -pedantic -fPIC -export MKDIR=mkdir -p -export LD_D=gcc -shared -Xlinker -x -endif - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -DEFS=-DCONFILE=\"$(CONFILE)\" - -CFLAGS += $(DEFS) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(SCONFIGED) - bash -f ./install_conf - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - rm -f $(FAKEROOT)$(CONFILE) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - rm -f ./.ignore_age - -extraclean: clean - rm -f *.a *.o *.so *.bak - -.c.o: - $(CC) $(CFLAGS) -c $< diff --git a/contrib/libpam/modules/pam_access/README b/contrib/libpam/modules/pam_access/README deleted file mode 100644 index df10c26..0000000 --- a/contrib/libpam/modules/pam_access/README +++ /dev/null @@ -1,40 +0,0 @@ -# Description of its configuration file (/etc/security/access.conf): -# -# Login access control table. -# -# When someone logs in, the table is scanned for the first entry that -# matches the (user, host) combination, or, in case of non-networked -# logins, the first entry that matches the (user, tty) combination. The -# permissions field of that table entry determines whether the login will -# be accepted or refused. -# -# Format of the login access control table is three fields separated by a -# ":" character: -# -# permission : users : origins -# -# The first field should be a "+" (access granted) or "-" (access denied) -# character. -# -# The second field should be a list of one or more login names, group -# names, or ALL (always matches). A pattern of the form user@host is -# matched when the login name matches the "user" part, and when the -# "host" part matches the local machine name. -# -# The third field should be a list of one or more tty names (for -# non-networked logins), host names, domain names (begin with "."), host -# addresses, internet network numbers (end with "."), ALL (always -# matches) or LOCAL (matches any string that does not contain a "." -# character). -# -# If you run NIS you can use @netgroupname in host or user patterns; this -# even works for @usergroup@@hostgroup patterns. Weird. -# -# The EXCEPT operator makes it possible to write very compact rules. -# -# The group file is searched only when a name does not match that of the -# logged-in user. Both the user's primary group is matched, as well as -# groups in which users are explicitly listed. -# -# Alexei Nogin <alexei@nogin.dnttm.ru> 1997/06/15 -############################################################################ diff --git a/contrib/libpam/modules/pam_access/access.conf b/contrib/libpam/modules/pam_access/access.conf deleted file mode 100644 index abfefa5..0000000 --- a/contrib/libpam/modules/pam_access/access.conf +++ /dev/null @@ -1,52 +0,0 @@ -# Login access control table. -# -# When someone logs in, the table is scanned for the first entry that -# matches the (user, host) combination, or, in case of non-networked -# logins, the first entry that matches the (user, tty) combination. The -# permissions field of that table entry determines whether the login will -# be accepted or refused. -# -# Format of the login access control table is three fields separated by a -# ":" character: -# -# permission : users : origins -# -# The first field should be a "+" (access granted) or "-" (access denied) -# character. -# -# The second field should be a list of one or more login names, group -# names, or ALL (always matches). A pattern of the form user@host is -# matched when the login name matches the "user" part, and when the -# "host" part matches the local machine name. -# -# The third field should be a list of one or more tty names (for -# non-networked logins), host names, domain names (begin with "."), host -# addresses, internet network numbers (end with "."), ALL (always -# matches) or LOCAL (matches any string that does not contain a "." -# character). -# -# If you run NIS you can use @netgroupname in host or user patterns; this -# even works for @usergroup@@hostgroup patterns. Weird. -# -# The EXCEPT operator makes it possible to write very compact rules. -# -# The group file is searched only when a name does not match that of the -# logged-in user. Both the user's primary group is matched, as well as -# groups in which users are explicitly listed. -# -############################################################################## -# -# Disallow console logins to all but a few accounts. -# -#-:ALL EXCEPT wheel shutdown sync:console -# -# Disallow non-local logins to privileged accounts (group wheel). -# -#-:wheel:ALL EXCEPT LOCAL .win.tue.nl -# -# Some accounts are not allowed to login from anywhere: -# -#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL -# -# All other accounts are allowed to login from anywhere. -# diff --git a/contrib/libpam/modules/pam_access/install_conf b/contrib/libpam/modules/pam_access/install_conf deleted file mode 100755 index 0667b5e..0000000 --- a/contrib/libpam/modules/pam_access/install_conf +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -CONFILE=$FAKEROOT"$CONFILE" -IGNORE_AGE=./.ignore_age -CONF=./access.conf -QUIET_INSTALL=../../.quiet_install -MODULE=pam_access - -echo - -if [ -f "$QUIET_INSTALL" ]; then - if [ ! -f "$CONFILE" ]; then - yes="y" - else - yes="skip" - fi -elif [ -f "$IGNORE_AGE" ]; then - echo "you don't want to be bothered with the age of your $CONFILE file" - yes="n" -elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then - if [ -f "$CONFILE" ]; then - echo "An older $MODULE configuration file already exists ($CONFILE)" - echo "Do you wish to copy the $CONF file in this distribution" - echo "to $CONFILE ? (y/n) [skip] " - read yes - else - yes="y" - fi -else - yes="skip" -fi - -if [ "$yes" = "y" ]; then - mkdir -p $FAKEROOT$CONFD - echo " copying $CONF to $CONFILE" - cp $CONF $CONFILE -else - echo " Skipping $CONF installation" - if [ "$yes" = "n" ]; then - touch "$IGNORE_AGE" - fi -fi - -echo - -exit 0 diff --git a/contrib/libpam/modules/pam_access/pam_access.c b/contrib/libpam/modules/pam_access/pam_access.c deleted file mode 100644 index 1213339..0000000 --- a/contrib/libpam/modules/pam_access/pam_access.c +++ /dev/null @@ -1,424 +0,0 @@ -/* pam_access module */ - -/* - * Written by Alexei Nogin <alexei@nogin.dnttm.ru> 1997/06/15 - * (I took login_access from logdaemon-5.6 and converted it to PAM - * using parts of pam_time code.) - * - */ - -#ifdef linux -# define _GNU_SOURCE -# include <features.h> -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -/* man page says above file includes this... */ -extern int gethostname(char *name, size_t len); - -#include <stdarg.h> -#include <syslog.h> -#include <string.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <pwd.h> -#include <grp.h> -#include <errno.h> -#include <ctype.h> -#include <sys/utsname.h> - -#ifndef BROKEN_NETWORK_MATCH -# include <netdb.h> -# include <sys/socket.h> -#endif - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_ACCOUNT - -#include <security/_pam_macros.h> -#include <security/pam_modules.h> - -/* --- static functions for checking whether the user should be let in --- */ - -static void _log_err(const char *format, ... ) -{ - va_list args; - - va_start(args, format); - openlog("pam_access", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_ERR, format, args); - va_end(args); - closelog(); -} - -#define PAM_ACCESS_CONFIG CONFILE - -int strcasecmp(const char *s1, const char *s2); - -/* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */ - - /* - * This module implements a simple but effective form of login access - * control based on login names and on host (or domain) names, internet - * addresses (or network numbers), or on terminal line names in case of - * non-networked logins. Diagnostics are reported through syslog(3). - * - * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. - */ - -#if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64) -#undef MAXHOSTNAMELEN -#define MAXHOSTNAMELEN 256 -#endif - - /* Delimiters for fields and for lists of users, ttys or hosts. */ - -static char fs[] = ":"; /* field separator */ -static char sep[] = ", \t"; /* list-element separator */ - - /* Constants to be used in assignments only, not in comparisons... */ - -#define YES 1 -#define NO 0 - - /* - * A structure to bundle up all login-related information to keep the - * functional interfaces as generic as possible. - */ -struct login_info { - struct passwd *user; - char *from; -}; - -typedef int match_func (char *, struct login_info *); - -static int list_match (char *, struct login_info *, - match_func *); -static int user_match (char *, struct login_info *); -static int from_match (char *, struct login_info *); -static int string_match (char *, char *); - -/* login_access - match username/group and host/tty with access control file */ - -static int login_access(struct passwd *user, char *from) -{ - struct login_info item; - FILE *fp; - char line[BUFSIZ]; - char *perm; /* becomes permission field */ - char *users; /* becomes list of login names */ - char *froms; /* becomes list of terminals or hosts */ - int match = NO; - int end; - int lineno = 0; /* for diagnostics */ - - /* - * Bundle up the arguments to avoid unnecessary clumsiness lateron. - */ - item.user = user; - item.from = from; - - /* - * Process the table one line at a time and stop at the first match. - * Blank lines and lines that begin with a '#' character are ignored. - * Non-comment lines are broken at the ':' character. All fields are - * mandatory. The first field should be a "+" or "-" character. A - * non-existing table means no access control. - */ - - if ((fp = fopen(PAM_ACCESS_CONFIG, "r"))!=NULL) { - while (!match && fgets(line, sizeof(line), fp)) { - lineno++; - if (line[end = strlen(line) - 1] != '\n') { - _log_err("%s: line %d: missing newline or line too long", - PAM_ACCESS_CONFIG, lineno); - continue; - } - if (line[0] == '#') - continue; /* comment line */ - while (end > 0 && isspace(line[end - 1])) - end--; - line[end] = 0; /* strip trailing whitespace */ - if (line[0] == 0) /* skip blank lines */ - continue; - if (!(perm = strtok(line, fs)) - || !(users = strtok((char *) 0, fs)) - || !(froms = strtok((char *) 0, fs)) - || strtok((char *) 0, fs)) { - _log_err("%s: line %d: bad field count", PAM_ACCESS_CONFIG, lineno); - continue; - } - if (perm[0] != '+' && perm[0] != '-') { - _log_err("%s: line %d: bad first field", PAM_ACCESS_CONFIG, lineno); - continue; - } - match = (list_match(froms, &item, from_match) - && list_match(users, &item, user_match)); - } - (void) fclose(fp); - } else if (errno != ENOENT) { - _log_err("cannot open %s: %m", PAM_ACCESS_CONFIG); - } - return (match == 0 || (line[0] == '+')); -} - -/* list_match - match an item against a list of tokens with exceptions */ - -static int list_match(char *list, struct login_info *item, match_func *match_fn) -{ - char *tok; - int match = NO; - - /* - * Process tokens one at a time. We have exhausted all possible matches - * when we reach an "EXCEPT" token or the end of the list. If we do find - * a match, look for an "EXCEPT" list and recurse to determine whether - * the match is affected by any exceptions. - */ - - for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) { - if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */ - break; - if ((match = (*match_fn) (tok, item))) /* YES */ - break; - } - /* Process exceptions to matches. */ - - if (match != NO) { - while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT")) - /* VOID */ ; - if (tok == 0 || list_match((char *) 0, item, match_fn) == NO) - return (match); - } - return (NO); -} - -/* myhostname - figure out local machine name */ - -static char * myhostname(void) -{ - static char name[MAXHOSTNAMELEN + 1]; - - gethostname(name, MAXHOSTNAMELEN); - name[MAXHOSTNAMELEN] = 0; - return (name); -} - -/* netgroup_match - match group against machine or user */ - -static int netgroup_match(char *group, char *machine, char *user) -{ -#ifdef NIS - static char *mydomain = 0; - - if (mydomain == 0) - yp_get_default_domain(&mydomain); - return (innetgr(group, machine, user, mydomain)); -#else - _log_err("NIS netgroup support not configured"); - return (NO); -#endif -} - -/* user_match - match a username against one token */ - -static int user_match(char *tok, struct login_info *item) -{ - char *string = item->user->pw_name; - struct login_info fake_item; - struct group *group; - int i; - char *at; - - /* - * If a token has the magic value "ALL" the match always succeeds. - * Otherwise, return YES if the token fully matches the username, if the - * token is a group that contains the username, or if the token is the - * name of the user's primary group. - */ - - if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */ - *at = 0; - fake_item.from = myhostname(); - return (user_match(tok, item) && from_match(at + 1, &fake_item)); - } else if (tok[0] == '@') { /* netgroup */ - return (netgroup_match(tok + 1, (char *) 0, string)); - } else if (string_match(tok, string)) { /* ALL or exact match */ - return (YES); - } else if ((group = getgrnam(tok))) { /* try group membership */ - if (item->user->pw_gid == group->gr_gid) - return (YES); - for (i = 0; group->gr_mem[i]; i++) - if (strcasecmp(string, group->gr_mem[i]) == 0) - return (YES); - } - return (NO); -} - -/* from_match - match a host or tty against a list of tokens */ - -static int from_match(char *tok, struct login_info *item) -{ - char *string = item->from; - int tok_len; - int str_len; - - /* - * If a token has the magic value "ALL" the match always succeeds. Return - * YES if the token fully matches the string. If the token is a domain - * name, return YES if it matches the last fields of the string. If the - * token has the magic value "LOCAL", return YES if the string does not - * contain a "." character. If the token is a network number, return YES - * if it matches the head of the string. - */ - - if (tok[0] == '@') { /* netgroup */ - return (netgroup_match(tok + 1, string, (char *) 0)); - } else if (string_match(tok, string)) { /* ALL or exact match */ - return (YES); - } else if (tok[0] == '.') { /* domain: match last fields */ - if ((str_len = strlen(string)) > (tok_len = strlen(tok)) - && strcasecmp(tok, string + str_len - tok_len) == 0) - return (YES); - } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */ - if (strchr(string, '.') == 0) - return (YES); -#ifdef BROKEN_NETWORK_MATCH - } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */ - && strncmp(tok, string, tok_len) == 0) { - return (YES); -#else /* BROKEN_NETWORK_MATCH */ - } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { - /* - The code below does a more correct check if the address specified - by "string" starts from "tok". - 1998/01/27 Andrey V. Savochkin <saw@msu.ru> - */ - struct hostent *h; - char hn[3+1+3+1+3+1+3+1]; - int r; - - h = gethostbyname(string); - if (h == NULL) - return (NO); - if (h->h_addrtype != AF_INET) - return (NO); - if (h->h_length != 4) - return (NO); /* only IPv4 addresses (SAW) */ - r = snprintf(hn, sizeof(hn), "%u.%u.%u.%u", - (unsigned char)h->h_addr[0], (unsigned char)h->h_addr[1], - (unsigned char)h->h_addr[2], (unsigned char)h->h_addr[3]); - if (r < 0 || r >= sizeof(hn)) - return (NO); - if (!strncmp(tok, hn, tok_len)) - return (YES); -#endif /* BROKEN_NETWORK_MATCH */ - } - return (NO); -} - -/* string_match - match a string against one token */ - -static int string_match(char *tok, char *string) -{ - - /* - * If the token has the magic value "ALL" the match always succeeds. - * Otherwise, return YES if the token fully matches the string. - */ - - if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ - return (YES); - } else if (strcasecmp(tok, string) == 0) { /* try exact match */ - return (YES); - } - return (NO); -} - -/* end of login_access.c */ - -int strcasecmp(const char *s1, const char *s2) -{ - while ((toupper(*s1)==toupper(*s2)) && (*s1) && (*s2)) {s1++; s2++;} - return(toupper(*s1)-toupper(*s2)); -} - -/* --- public account management functions --- */ - -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - const char *user=NULL; - char *from=NULL; - struct passwd *user_pw; - - /* set username */ - - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - _log_err("cannot determine the user's name"); - return PAM_USER_UNKNOWN; - } - - /* remote host name */ - - if (pam_get_item(pamh, PAM_RHOST, (const void **)&from) - != PAM_SUCCESS) { - _log_err("cannot find the remote host name"); - return PAM_ABORT; - } - - if (from==NULL) { - - /* local login, set tty name */ - - if (pam_get_item(pamh, PAM_TTY, (const void **)&from) != PAM_SUCCESS - || from == NULL) { - D(("PAM_TTY not set, probing stdin")); - from = ttyname(STDIN_FILENO); - if (from == NULL) { - _log_err("couldn't get the tty name"); - return PAM_ABORT; - } - if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) { - _log_err("couldn't set tty name"); - return PAM_ABORT; - } - } - if (strncmp("/dev/",from,5) == 0) { /* strip leading /dev/ */ - from += 5; - } - - } - if ((user_pw=getpwnam(user))==NULL) return (PAM_USER_UNKNOWN); - if (login_access(user_pw,from)) return (PAM_SUCCESS); else { - _log_err("access denied for user `%s' from `%s'",user,from); - return (PAM_PERM_DENIED); - } -} - -/* end of module definition */ - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_access_modstruct = { - "pam_access", - NULL, - NULL, - pam_sm_acct_mgmt, - NULL, - NULL, - NULL -}; -#endif - diff --git a/contrib/libpam/modules/pam_cracklib/Makefile b/contrib/libpam/modules/pam_cracklib/Makefile deleted file mode 100644 index 668f2f8..0000000 --- a/contrib/libpam/modules/pam_cracklib/Makefile +++ /dev/null @@ -1,110 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Cristian Gafton <gafton@redhat.com> 1996/09/10 -# - -ifndef FULL_LINUX_PAM_SOURCE_TREE -# -# here you should make default variable defines... -# -MKDIR=mkdir -p -LD_D=gcc -shared -Xlinker -x -INSTALL=install -SECUREDIR=/usr/lib/security -# -HAVE_CRACKLIB=yes -endif - -ifeq ($(HAVE_CRACKLIB),yes) - -TITLE=pam_cracklib -CRACKLIB=-lcrack -CRACKLIB_DICTPATH=/usr/lib/cracklib_dict -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -ifdef CRACKLIB_DICTPATH -CFLAGS+=-DCRACKLIB_DICTPATH=\"$(CRACKLIB_DICTPATH)\" -endif - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) Makefile - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(CRACKLIB) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ *.so - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - -else - -include ../dont_makefile - -endif diff --git a/contrib/libpam/modules/pam_cracklib/README b/contrib/libpam/modules/pam_cracklib/README deleted file mode 100644 index e4b0273..0000000 --- a/contrib/libpam/modules/pam_cracklib/README +++ /dev/null @@ -1,21 +0,0 @@ - -pam_cracklib: - check the passwd against dictionary words. - -RECOGNIZED ARGUMENTS: - debug verbose log - - type=XXX alter the message printed as a prompt to the user. - the message printed is in the form - "New XXX password: ". - Default XXX=UNIX - - retry=N Prompt user at most N times before returning with - error. Default N=1. - -MODULE SERVICES PROVIDED: - passwd chauthtok - -AUTHOR: - Cristian Gafton <gafton@sorosis.ro> - diff --git a/contrib/libpam/modules/pam_cracklib/pam_cracklib.c b/contrib/libpam/modules/pam_cracklib/pam_cracklib.c deleted file mode 100644 index 3400dfb..0000000 --- a/contrib/libpam/modules/pam_cracklib/pam_cracklib.c +++ /dev/null @@ -1,687 +0,0 @@ -/* pam_cracklib module */ - -/* - * 0.85. added six new options to use this with long passwords. - * 0.8. tidied output and improved D(()) usage for debugging. - * 0.7. added support for more obscure checks for new passwd. - * 0.6. root can reset user passwd to any values (it's only warned) - * 0.5. supports retries - 'retry=N' argument - * 0.4. added argument 'type=XXX' for 'New XXX password' prompt - * 0.3. Added argument 'debug' - * 0.2. new password is feeded to cracklib for verify after typed once - * 0.1. First release - */ - -/* - * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10 - * Long password support by Philip W. Dalrymple <pwd@mdtsoft.com> 1997/07/18 - * See the end of the file for Copyright Information - * - * Modification for long password systems (>8 chars). The original - * module had problems when used in a md5 password system in that it - * allowed too short passwords but required that at least half of the - * bytes in the new password did not appear in the old one. this - * action is still the default and the changes should not break any - * current user. This modification adds 6 new options, one to set the - * number of bytes in the new password that are not in the old one, - * the other five to control the length checking, these are all - * documented (or will be before anyone else sees this code) in the PAM - * S.A.G. in the section on the cracklib module. - */ - -#include <stdio.h> -#define __USE_BSD -#include <unistd.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <stdarg.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <ctype.h> - -extern char *FascistCheck(char *pw, const char *dictpath); - -#ifndef CRACKLIB_DICTPATH -#define CRACKLIB_DICTPATH "/usr/lib/cracklib_dict" -#endif - -#define PROMPT1 "New %s password: " -#define PROMPT2 "Retype new %s password: " -#define MISTYPED_PASS "Sorry, passwords do not match" - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_PASSWORD - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-Cracklib", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ -#define PAM_DEBUG_ARG 0x0001 - -/* module data - AGM: please remove these static variables... PAM was - * designed to be reentrant based soley on a unique pamh... this - * breaks that. */ - -static int retry_times = 0; -static int diff_ok = 10; -static int min_length = 9; -static int dig_credit = 1; -static int up_credit = 1; -static int low_credit = 1; -static int oth_credit = 1; -static char prompt_type[BUFSIZ]; - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - char *ep = NULL; - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"type=",5)) - strcpy(prompt_type, *argv+5); - else if (!strncmp(*argv,"retry=",6)) { - retry_times = strtol(*argv+6,&ep,10); - if (!ep || (retry_times < 1)) - retry_times = 1; - } else if (!strncmp(*argv,"difok=",6)) { - diff_ok = strtol(*argv+6,&ep,10); - if (!ep || (diff_ok < 0)) - diff_ok = 10; - } else if (!strncmp(*argv,"minlen=",7)) { - min_length = strtol(*argv+7,&ep,10); - if (!ep || (min_length < 5)) - min_length = 5; - } else if (!strncmp(*argv,"dcredit=",8)) { - dig_credit = strtol(*argv+8,&ep,10); - if (!ep || (dig_credit < 0)) - dig_credit = 0; - } else if (!strncmp(*argv,"ucredit=",8)) { - up_credit = strtol(*argv+8,&ep,10); - if (!ep || (up_credit < 0)) - up_credit = 0; - } else if (!strncmp(*argv,"lcredit=",8)) { - low_credit = strtol(*argv+8,&ep,10); - if (!ep || (low_credit < 0)) - low_credit = 0; - } else if (!strncmp(*argv,"ocredit=",8)) { - oth_credit = strtol(*argv+8,&ep,10); - if (!ep || (oth_credit < 0)) - oth_credit = 0; - } else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* Helper functions */ - -/* this is a front-end for module-application conversations */ -static int converse(pam_handle_t *pamh, int ctrl, int nargs, - struct pam_message **message, - struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv); - - if ( retval == PAM_SUCCESS ) { - retval = conv->conv(nargs, (const struct pam_message **)message, - response, conv->appdata_ptr); - if (retval != PAM_SUCCESS && (ctrl && PAM_DEBUG_ARG)) { - _pam_log(LOG_DEBUG, "conversation failure [%s]", - pam_strerror(pamh, retval)); - } - } else { - _pam_log(LOG_ERR, "couldn't obtain coversation function [%s]", - pam_strerror(pamh, retval)); - } - - return retval; /* propagate error status */ -} - -static int make_remark(pam_handle_t *pamh, unsigned int ctrl, - int type, const char *text) -{ - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; - int retval; - - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - resp = NULL; - - retval = converse(pamh, ctrl, 1, pmsg, &resp); - if (retval == PAM_SUCCESS) - _pam_drop_reply(resp, 1); - - return retval; -} - -/* use this to free strings. ESPECIALLY password strings */ -static char *_pam_delete(register char *xx) -{ - _pam_overwrite(xx); - free(xx); - return NULL; -} - -/* - * can't be a palindrome - like `R A D A R' or `M A D A M' - */ -static int palindrome(const char *old, const char *new) -{ - int i, j; - - i = strlen (new); - - for (j = 0;j < i;j++) - if (new[i - j - 1] != new[j]) - return 0; - - return 1; -} - -/* - * more than half of the characters are different ones. - * or at least diff_ok are different - * NOTE that the defaults are NOT the same as befor this - * change. as long as there are at least 10 different bytes - * in a new password it will now pass even if the password - * is longer than 20 bytes (MD5) - */ - -static int similiar(const char *old, const char *new) -{ - int i, j; - - for (i = j = 0;new[i] && old[i];i++) - if (strchr (new, old[i])) - j++; - - if (j >= diff_ok || i >= j * 2) - return 0; - - return 1; -} - -/* - * a nice mix of characters. - */ -static int simple(const char *old, const char *new) -{ - int digits = 0; - int uppers = 0; - int lowers = 0; - int others = 0; - int size; - int i; - - for (i = 0;new[i];i++) { - if (isdigit (new[i])) - digits++; - else if (isupper (new[i])) - uppers++; - else if (islower (new[i])) - lowers++; - else - others++; - } - - /* - * The scam was this - a password of only one character type - * must be 8 letters long. Two types, 7, and so on. - * This is now changed, the base size and the credits or defaults - * see the docs on the module for info on these parameters, the - * defaults cause the effect to be the same as before the change - */ - - if (digits > dig_credit) - digits = dig_credit; - - if (uppers > up_credit) - uppers = up_credit; - - if (lowers > low_credit) - lowers = low_credit; - - if (others > oth_credit) - others = oth_credit; - - size = min_length; - size -= digits; - size -= uppers; - size -= lowers; - size -= others; - - if (size <= i) - return 0; - - return 1; -} - -static char * str_lower(char *string) -{ - char *cp; - - for (cp = string; *cp; cp++) - *cp = tolower(*cp); - return string; -} - -static const char * password_check(const char *old, const char *new) -{ - const char *msg = NULL; - char *oldmono, *newmono, *wrapped; - - if (strcmp(new, old) == 0) { - msg = "is the same as the old one"; - return msg; - } - - newmono = str_lower(x_strdup(new)); - oldmono = str_lower(x_strdup(old)); - wrapped = malloc(strlen(oldmono) * 2 + 1); - strcpy (wrapped, oldmono); - strcat (wrapped, oldmono); - - if (palindrome(oldmono, newmono)) - msg = "is a palindrome"; - - if (!msg && strcmp(oldmono, newmono) == 0) - msg = "case changes only"; - - if (!msg && similiar(oldmono, newmono)) - msg = "is too similiar to the old one"; - - if (!msg && simple(old, new)) - msg = "is too simple"; - - if (!msg && strstr(wrapped, newmono)) - msg = "is rotated"; - - memset(newmono, 0, strlen(newmono)); - memset(oldmono, 0, strlen(oldmono)); - memset(wrapped, 0, strlen(wrapped)); - free(newmono); - free(oldmono); - free(wrapped); - - return msg; -} - - -static int _pam_unix_approve_pass(pam_handle_t *pamh, - unsigned int ctrl, - const char *pass_old, - const char *pass_new) -{ - const char *msg = NULL; - - if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "bad authentication token"); - make_remark(pamh, ctrl, PAM_ERROR_MSG, - pass_new == NULL ? - "No password supplied":"Password unchanged" ); - return PAM_AUTHTOK_ERR; - } - - /* - * if one wanted to hardwire authentication token strength - * checking this would be the place - */ - msg = password_check(pass_old,pass_new); - if (msg) { - char remark[BUFSIZ]; - - memset(remark,0,sizeof(remark)); - sprintf(remark,"BAD PASSWORD: %s",msg); - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "new passwd fails strength check: %s", - msg); - make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); - return PAM_AUTHTOK_ERR; - }; - return PAM_SUCCESS; - -} - -/* The Main Thing (by Cristian Gafton, CEO at this module :-) - * (stolen from http://home.netscape.com) - */ -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - - retry_times = 1; - memset(prompt_type,0,sizeof(prompt_type)); - ctrl = _pam_parse(argc, argv); - - D(("called.")); - if (!prompt_type[0]) - strcpy(prompt_type,"UNIX"); - - if (flags & PAM_PRELIM_CHECK) { - /* Check for passwd dictionary */ - struct stat st; - char buf[sizeof(CRACKLIB_DICTPATH)+10]; - - D(("prelim check")); - - memset(buf,0,sizeof(buf)); /* zero the buffer */ - sprintf(buf,"%s.pwd",CRACKLIB_DICTPATH); - - if (!stat(buf,&st) && st.st_size) - return PAM_SUCCESS; - else { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"dict path '%s'[.pwd] is invalid", - CRACKLIB_DICTPATH); - return PAM_ABORT; - } - - /* Not reached */ - return PAM_SERVICE_ERR; - - } else if (flags & PAM_UPDATE_AUTHTOK) { - int retval; - char *token1, *token2, *oldtoken; - const char *item; - struct pam_message msg[1],*pmsg[1]; - struct pam_response *resp; - const char *cracklib_dictpath = CRACKLIB_DICTPATH; - char prompt[BUFSIZ]; - - D(("do update")); - retval = pam_get_item(pamh, PAM_OLDAUTHTOK, - (const void **)&oldtoken); - if (retval != PAM_SUCCESS) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_ERR,"Can not get old passwd"); - oldtoken=NULL; - retval = PAM_SUCCESS; - } - - do { - /* - * make sure nothing inappropriate gets returned - */ - token1 = token2 = NULL; - - if (!retry_times) { - D(("returning %s because maxtries reached", - pam_strerror(pamh, retval))); - return retval; - } - - /* Planned modus operandi: - * Get a passwd. - * Verify it against cracklib. - * If okay get it a second time. - * Check to be the same with the first one. - * set PAM_AUTHTOK and return - */ - - /* Prepare to ask the user for the first time */ - memset(prompt,0,sizeof(prompt)); - sprintf(prompt,PROMPT1,prompt_type); - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = prompt; - - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - if (resp != NULL) { - /* interpret the response */ - if (retval == PAM_SUCCESS) { /* a good conversation */ - token1 = x_strdup(resp[0].resp); - if (token1 == NULL) { - _pam_log(LOG_NOTICE, - "could not recover authentication token 1"); - retval = PAM_AUTHTOK_RECOVER_ERR; - } - } - /* - * tidy up the conversation (resp_retcode) is ignored - */ - _pam_drop_reply(resp, 1); - } else { - retval = (retval == PAM_SUCCESS) ? - PAM_AUTHTOK_RECOVER_ERR:retval ; - } - - if (retval != PAM_SUCCESS) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"unable to obtain a password"); - continue; - } - - D(("testing password, retval = %s", pam_strerror(pamh, retval))); - /* now test this passwd against cracklib */ - { - char *crack_msg; - char remark[BUFSIZ]; - - bzero(remark,sizeof(remark)); - D(("against cracklib")); - if ((crack_msg = FascistCheck(token1, cracklib_dictpath))) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"bad password: %s",crack_msg); - sprintf(remark,"BAD PASSWORD: %s", crack_msg); - make_remark(pamh, ctrl, PAM_ERROR_MSG, remark); - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) - retval = PAM_AUTHTOK_ERR; - else - retval = PAM_SUCCESS; - } else { - /* check it for strength too... */ - D(("for strength")); - if (oldtoken) { - retval = _pam_unix_approve_pass(pamh,ctrl, - oldtoken,token1); - if (retval != PAM_SUCCESS) - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) - retval = PAM_AUTHTOK_ERR; - else - retval = PAM_SUCCESS; - } - } - } - - D(("after testing: retval = %s", pam_strerror(pamh, retval))); - /* if cracklib/strength check said it is a bad passwd... */ - if ((retval != PAM_SUCCESS) && (retval != PAM_IGNORE)) { - int temp_unused; - - temp_unused = pam_set_item(pamh, PAM_AUTHTOK, NULL); - token1 = _pam_delete(token1); - continue; - } - - /* Now we have a good passwd. Ask for it once again */ - - bzero(prompt,sizeof(prompt)); - sprintf(prompt,PROMPT2,prompt_type); - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = prompt; - - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - if (resp != NULL) { - /* interpret the response */ - if (retval == PAM_SUCCESS) { /* a good conversation */ - token2 = x_strdup(resp[0].resp); - if (token2 == NULL) { - _pam_log(LOG_NOTICE, - "could not recover authentication token 2"); - retval = PAM_AUTHTOK_RECOVER_ERR; - } - } - /* - * tidy up the conversation (resp_retcode) is ignored - */ - _pam_drop_reply(resp, 1); - } else { - retval = (retval == PAM_SUCCESS) ? - PAM_AUTHTOK_RECOVER_ERR:retval ; - } - - if (retval != PAM_SUCCESS) { - if (ctrl && PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG - ,"unable to obtain the password a second time"); - continue; - } - - /* Hopefully now token1 and token2 the same password ... */ - if (strcmp(token1,token2) != 0) { - /* tell the user */ - make_remark(pamh, ctrl, PAM_ERROR_MSG, MISTYPED_PASS); - token1 = _pam_delete(token1); - token2 = _pam_delete(token2); - pam_set_item(pamh, PAM_AUTHTOK, NULL); - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"Password mistyped"); - retval = PAM_AUTHTOK_RECOVER_ERR; - continue; - } - - /* Yes, the password was typed correct twice - * we store this password as an item - */ - - retval = pam_set_item(pamh, PAM_AUTHTOK, token1); - /* clean it up */ - token1 = _pam_delete(token1); - token2 = _pam_delete(token2); - if ( - (retval != PAM_SUCCESS) || - ( - ( - retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item) - ) != PAM_SUCCESS - ) - ) { - _pam_log(LOG_CRIT, "error manipulating password"); - continue; - } - item = NULL; /* break link to password */ - return PAM_SUCCESS; - - } while (retry_times--); - - } else { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "UNKNOWN flags setting %02X",flags); - return PAM_SERVICE_ERR; - } - - /* Not reached */ - return PAM_SERVICE_ERR; -} - - - -#ifdef PAM_STATIC -/* static module data */ -struct pam_module _pam_cracklib_modstruct = { - "pam_cracklib", - NULL, - NULL, - NULL, - NULL, - NULL, - pam_sm_chauthtok -}; -#endif - -/* - * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1996. - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - * The following copyright was appended for the long password support - * added with the libpam 0.58 release: - * - * Modificaton Copyright (c) Philip W. Dalrymple III <pwd@mdtsoft.com> - * 1997. All rights reserved - * - * THE MODIFICATION THAT PROVIDES SUPPORT FOR LONG PASSWORD TYPE CHECKING TO - * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_deny/Makefile b/contrib/libpam/modules/pam_deny/Makefile deleted file mode 100644 index 02506cb..0000000 --- a/contrib/libpam/modules/pam_deny/Makefile +++ /dev/null @@ -1,125 +0,0 @@ -# -# $Id: Makefile,v 1.7 1997/04/05 06:43:41 morgan Exp morgan $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.7 1997/04/05 06:43:41 morgan -# full-source-tree and fakeroot -# -# Revision 1.6 1997/02/15 19:04:27 morgan -# fixed email -# -# Revision 1.5 1996/11/10 20:11:48 morgan -# crossplatform support -# -# Revision 1.4 1996/09/05 06:50:12 morgan -# ld --> gcc -# -# Revision 1.3 1996/05/26 15:48:38 morgan -# make dynamic and static dirs -# -# Revision 1.2 1996/05/26 04:00:16 morgan -# changes for automated static/dynamic modules -# -# Revision 1.1 1996/03/16 17:47:36 morgan -# Initial revision -# -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11 -# - -# Convenient defaults for compiling independently of the full source -# tree. -ifndef FULL_LINUX_PAM_SOURCE_TREE -export DYNAMIC=-DPAM_DYNAMIC -export CC=gcc -export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ - -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ - -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ - -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ - -Wshadow -pedantic -fPIC -export MKDIR=mkdir -p -export LD_D=gcc -shared -Xlinker -x -endif - -# - -TITLE=pam_deny - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_deny/README b/contrib/libpam/modules/pam_deny/README deleted file mode 100644 index 4f7f6de..0000000 --- a/contrib/libpam/modules/pam_deny/README +++ /dev/null @@ -1,4 +0,0 @@ -# $Id: README,v 1.1 1996/03/16 18:11:12 morgan Exp $ -# - -this module always fails, it ignores all options. diff --git a/contrib/libpam/modules/pam_deny/pam_deny.c b/contrib/libpam/modules/pam_deny/pam_deny.c deleted file mode 100644 index 76ba24d..0000000 --- a/contrib/libpam/modules/pam_deny/pam_deny.c +++ /dev/null @@ -1,94 +0,0 @@ -/* pam_permit module */ - -/* - * $Id: pam_deny.c,v 1.4 1997/02/15 19:05:15 morgan Exp $ - * - * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 - * - * $Log: pam_deny.c,v $ - * Revision 1.4 1997/02/15 19:05:15 morgan - * fixed email - * - * Revision 1.3 1996/06/02 08:06:19 morgan - * changes for new static protocol - * - * Revision 1.2 1996/05/26 04:01:12 morgan - * added static support - * - * Revision 1.1 1996/03/16 17:47:36 morgan - * Initial revision - * - */ - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - -#include <security/pam_modules.h> - -/* --- authentication management functions --- */ - -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_AUTH_ERR; -} - -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_CRED_UNAVAIL; -} - -/* --- account management functions --- */ - -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_ACCT_EXPIRED; -} - -/* --- password management --- */ - -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_AUTHTOK_ERR; -} - -/* --- session management --- */ - -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SYSTEM_ERR; -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SYSTEM_ERR; -} - -/* end of module definition */ - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_deny_modstruct = { - "pam_deny", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok -}; -#endif diff --git a/contrib/libpam/modules/pam_env/Makefile b/contrib/libpam/modules/pam_env/Makefile deleted file mode 100644 index df363bc..0000000 --- a/contrib/libpam/modules/pam_env/Makefile +++ /dev/null @@ -1,107 +0,0 @@ -# -# $Id: Makefile,v 1.1 1997/04/05 06:42:35 morgan Exp morgan $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.1 1997/04/05 06:42:35 morgan -# Initial revision -# -# Revision 1.1 1997/01/04 20:32:52 morgan -# Initial revision -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/12/8 -# Adaptations by Dave Kinclea and Cristian Gafton -# - -TITLE=pam_env - -CONFD=$(CONFIGED)/security -export CONFD -CONFILE=$(CONFD)/pam_env.conf -export CONFILE - -#ifeq ($(HAVE_PWDBLIB),yes) -#CFLAGS += -DWANT_PWDB -#EXTRALIB = -lpwdb -#endif - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(EXTRALIB) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) $(EXTRALIB) -endif - -install: all -ifdef DYNAMIC - $(MKDIR) $(FAKEROOT)$(SECUREDIR) - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(SCONFIGED) - bash -f ./install_conf - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_env/README b/contrib/libpam/modules/pam_env/README deleted file mode 100644 index d6e959c..0000000 --- a/contrib/libpam/modules/pam_env/README +++ /dev/null @@ -1,72 +0,0 @@ -# $Date: 1997/04/05 06:42:35 $ -# $Author: morgan $ -# $Id: README,v 1.1 1997/04/05 06:42:35 morgan Exp $ -# -# This is the configuration file for pam_env, a PAM module to load in -# a configurable list of environment variables for a -# -# The original idea for this came from Andrew G. Morgan ... -#<quote> -# Mmm. Perhaps you might like to write a pam_env module that reads a -# default environment from a file? I can see that as REALLY -# useful... Note it would be an "auth" module that returns PAM_IGNORE -# for the auth part and sets the environment returning PAM_SUCCESS in -# the setcred function... -#</quote> -# -# What I wanted was the REMOTEHOST variable set, purely for selfish -# reasons, and AGM didn't want it added to the SimpleApps login -# program (which is where I added the patch). So, my first concern is -# that variable, from there there are numerous others that might/would -# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER ..... -# -# Of course, these are a different kind of variable than REMOTEHOST in -# that they are things that are likely to be configured by -# administrators rather than set by logging in, how to treat them both -# in the same config file? -# -# Here is my idea: -# -# Each line starts with the variable name, there are then two possible -# options for each variable DEFAULT and OVERRIDE. -# DEFAULT allows and administrator to set the value of the -# variable to some default value, if none is supplied then the empty -# string is assumed. The OVERRIDE option tells pam_env that it should -# enter in its value (overriding the default value) if there is one -# to use. OVERRIDE is not used, "" is assumed and no override will be -# done. -# -# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] -# -# (Possibly non-existent) environment variables may be used in values -# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may -# be used in values using the @{string} syntax. Both the $ and @ -# characters can be backslash escaped to be used as literal values -# values can be delimited with "", escaped " not supported. -# -# -# First, some special variables -# -# Set the REMOTEHOST variable for any hosts that are remote, default -# to "localhost" rather than not being set at all -REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} -# -# Set the DISPLAY variable if it seems reasonable -DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} -# -# -# Now some simple variables -# -PAGER DEFAULT=less -MANPAGER DEFAULT=less -LESS DEFAULT="M q e h15 z23 b80" -NNTPSERVER DEFAULT=localhost -PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ -:/usr/bin:/usr/local/bin/X11:/usr/bin/X11 -# -# silly examples of escaped variables, just to show how they work. -# -DOLLAR DEFAULT=\$ -DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR} -DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST} -ATSIGN DEFAULT="" OVERRIDE=\@ diff --git a/contrib/libpam/modules/pam_env/install_conf b/contrib/libpam/modules/pam_env/install_conf deleted file mode 100755 index 4c60840..0000000 --- a/contrib/libpam/modules/pam_env/install_conf +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -CONFILE=$FAKEROOT"$CONFILE" -IGNORE_AGE=./.ignore_age -QUIET_INSTALL=../../.quiet_install -CONF=./pam_env.conf-example -MODULE=pam_env - -echo - -if [ -f "$QUIET_INSTALL" ]; then - if [ ! -f "$CONFILE" ]; then - yes="y" - else - yes="skip" - fi -elif [ -f "$IGNORE_AGE" ]; then - echo "you don't want to be bothered with the age of your $CONFILE file" - yes="n" -elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then - if [ -f "$CONFILE" ]; then - echo "An older $MODULE configuration file already exists ($CONFILE)" - echo "Do you wish to copy the $CONF file in this distribution" - echo "to $CONFILE ? (y/n) [skip] " - read yes - else - yes="y" - fi -else - yes="skip" -fi - -if [ "$yes" = "y" ]; then - mkdir -p $FAKEROOT$CONFD - echo " copying $CONF to $CONFILE" - cp $CONF $CONFILE -else - echo " Skipping $CONF installation" - if [ "$yes" = "n" ]; then - touch "$IGNORE_AGE" - fi -fi - -echo - -exit 0 diff --git a/contrib/libpam/modules/pam_env/pam_env.c b/contrib/libpam/modules/pam_env/pam_env.c deleted file mode 100644 index bd0879c..0000000 --- a/contrib/libpam/modules/pam_env/pam_env.c +++ /dev/null @@ -1,779 +0,0 @@ -/* pam_mail module */ - -/* - * $Id: pam_env.c,v 1.1 1997/04/05 06:42:35 morgan Exp morgan $ - * - * Written by Dave Kinchlea <kinch@kinch.ark.com> 1997/01/31 - * Inspired by Andrew Morgan <morgan@parc.power.net, who also supplied the - * template for this file (via pam_mail) - * - * $Log: pam_env.c,v $ - * Revision 1.1 1997/04/05 06:42:35 morgan - * Initial revision - * - * Revision 0.6 1997/02/04 17:58:27 kinch - * Debugging code cleaned up, lots added (whereever _log_err called) some removed - * - * Revision 0.5 1997/02/04 17:20:30 kinch - * Changed default config file - * Removed bogus message in pam_sm_authenticate() - * Added back support in pam_sm_session(), this could conceivably be used - * both as an auth_setcred and a session module - * - * Revision 0.4 1997/02/04 07:34:15 kinch - * Fixed dealing with escaped '$' and '@' characters - * This is now an pam_sm_setcred module to work closer to the RFC model - * though this whole thing seems to have little to do with Authentication - * - * Revision 0.3 1997/02/04 04:53:15 kinch - * Removed bogus space in PAM_ENV_SILENT - * Removed line that added a space when allowing for escaped newlines, that - * is not what we want at all, if we want a space, we can add one. - * Changed a PAM_ABORT to PAM_BUF_ERR for a malloc failure - * Changed bogus PAM_RUSER to PAM_RHOST - * - * Revision 0.2 1997/02/03 23:31:26 kinch - * Lots of D(()) debugging code added, probably too much actually. - * This now seems to work for all cases I can think of - * Lots of little code changes but nothing major and no function - * interface changes, largest change has to do with adding the - * logic to get "e hack to make it through all the code. Probably - * ought to have done this with a global flag for each of defval and - * override - it would have been cleaner. - * - * Revision 0.1 1997/02/03 01:39:06 kinch - * Initial code, it compiles cleanly but has not been tested at all. - * - */ - -#ifndef DEFAULT_CONF_FILE -#define DEFAULT_CONF_FILE "/etc/security/pam_env.conf" -#endif - -#ifdef linux -#define _GNU_SOURCE -#include <features.h> -#endif - -#include <ctype.h> -#include <errno.h> -#include <pwd.h> -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <sys/stat.h> -#include <sys/types.h> -#include <unistd.h> - -#ifdef WANT_PWDB -#include <pwdb/pwdb_public.h> -#endif - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH /* This is primarily a AUTH_SETCRED module */ -#define PAM_SM_SESSION /* But I like to be friendly */ -#define PAM_SM_PASSWORD /* "" */ -#define PAM_SM_ACCOUNT /* "" */ - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -/* This little structure makes it easier to keep variables together */ - -typedef struct var { - char *name; - char *value; - char *defval; - char *override; -} VAR; - -#define BUF_SIZE 1024 -#define MAX_ENV 8192 - -#define GOOD_LINE 0 -#define BAD_LINE 100 /* This must be > the largest PAM_* error code */ - -#define DEFINE_VAR 101 -#define UNDEFINE_VAR 102 -#define ILLEGAL_VAR 103 - -static int _assemble_line(FILE *, char *, int); -static int _parse_line(char *, VAR *); -static int _check_var(pam_handle_t *, VAR *); /* This is the real meat */ -static void _clean_var(VAR *); -static int _expand_arg(pam_handle_t *, char **); -static const char * _pam_get_item_byname(pam_handle_t *, const char *); -static int _define_var(pam_handle_t *, VAR *); -static int _undefine_var(pam_handle_t *, VAR *); - -/* This is a flag used to designate an empty string */ -static char quote='Z'; - -/* some syslogging */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-env", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 01 -#define PAM_NEW_CONF_FILE 02 -#define PAM_ENV_SILENT 04 - -static int _pam_parse(int flags, int argc, const char **argv, char **conffile) -{ - int ctrl=0; - - - /* step through arguments */ - for (; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"conffile=",9)) { - *conffile = x_strdup(9+*argv); - if (*conffile != NULL) { - D(("new Configuration File: %s", *conffile)); - ctrl |= PAM_NEW_CONF_FILE; - } else { - _log_err(LOG_CRIT, - "Configuration file specification missing argument - ignored"); - } - } else { - _log_err(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -static int _parse_config_file(pam_handle_t *pamh, int ctrl, char **conffile) -{ - int retval; - const char *file; - char buffer[BUF_SIZE]; - FILE *conf; - VAR Var, *var=&Var; - - var->name=NULL; var->defval=NULL; var->override=NULL; - D(("Called.")); - - if (ctrl & PAM_NEW_CONF_FILE) { - file = *conffile; - } else { - file = DEFAULT_CONF_FILE; - } - - D(("Config file name is: %s", file)); - - /* - * Lets try to open the config file, parse it and process - * any variables found. - */ - - if ((conf = fopen(file,"r")) == NULL) { - _log_err(LOG_ERR, "Unable to open config file: %s", - strerror(errno)); - return PAM_ABORT; - } - - /* _pam_assemble_line will provide a complete line from the config file, with all - * comments removed and any escaped newlines fixed up - */ - - while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) { - D(("Read line: %s", buffer)); - - if ((retval = _parse_line(buffer, var)) == GOOD_LINE) { - retval = _check_var(pamh, var); - - if (DEFINE_VAR == retval) { - retval = _define_var(pamh, var); - - } else if (UNDEFINE_VAR == retval) { - retval = _undefine_var(pamh, var); - } - } - if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval - && BAD_LINE != retval && PAM_BAD_ITEM != retval) break; - - _clean_var(var); - - } /* while */ - - (void) fclose(conf); - - /* tidy up */ - _clean_var(var); /* We could have got here prematurely, this is safe though */ - _pam_overwrite(*conffile); - _pam_drop(*conffile); - file = NULL; - D(("Exit.")); - return (retval<0?PAM_ABORT:PAM_SUCCESS); -} - -/* - * This is where we read a line of the PAM config file. The line may be - * preceeded by lines of comments and also extended with "\\\n" - */ - -static int _assemble_line(FILE *f, char *buffer, int buf_len) -{ - char *p = buffer; - char *s, *os; - int used = 0; - - /* loop broken with a 'break' when a non-'\\n' ended line is read */ - - D(("called.")); - for (;;) { - if (used >= buf_len) { - /* Overflow */ - D(("_assemble_line: overflow")); - return -1; - } - if (fgets(p, buf_len - used, f) == NULL) { - if (used) { - /* Incomplete read */ - return -1; - } else { - /* EOF */ - return 0; - } - } - - /* skip leading spaces --- line may be blank */ - - s = p + strspn(p, " \n\t"); - if (*s && (*s != '#')) { - os = s; - - /* - * we are only interested in characters before the first '#' - * character - */ - - while (*s && *s != '#') - ++s; - if (*s == '#') { - *s = '\0'; - used += strlen(os); - break; /* the line has been read */ - } - - s = os; - - /* - * Check for backslash by scanning back from the end of - * the entered line, the '\n' has been included since - * normally a line is terminated with this - * character. fgets() should only return one though! - */ - - s += strlen(s); - while (s > os && ((*--s == ' ') || (*s == '\t') - || (*s == '\n'))); - - /* check if it ends with a backslash */ - if (*s == '\\') { - *s = '\0'; /* truncate the line here */ - used += strlen(os); - p = s; /* there is more ... */ - } else { - /* End of the line! */ - used += strlen(os); - break; /* this is the complete line */ - } - - } else { - /* Nothing in this line */ - /* Don't move p */ - } - } - - return used; -} - -static int _parse_line(char *buffer, VAR *var) -{ - /* - * parse buffer into var, legal syntax is - * VARIABLE [DEFAULT=[[string]] [OVERRIDE=[value]] - * - * Any other options defined make this a bad line, - * error logged and no var set - */ - - int length, quoteflg=0; - char *ptr, **valptr, *tmpptr; - - D(("Called buffer = <%s>", buffer)); - - length = strcspn(buffer," \t\n"); - - if ((var->name = malloc(length + 1)) == NULL) { - _log_err(LOG_ERR, "Couldn't malloc %d bytes", length+1); - return PAM_BUF_ERR; - } - - /* - * The first thing on the line HAS to be the variable name, - * it may be the only thing though. - */ - strncpy(var->name, buffer, length); - var->name[length] = '\0'; - D(("var->name = <%s>, length = %d", var->name, length)); - - /* - * Now we check for arguments, we only support two kinds and ('cause I am lazy) - * each one can actually be listed any number of times - */ - - ptr = buffer+length; - while ((length = strspn(ptr, " \t")) > 0) { - ptr += length; /* remove leading whitespace */ - D((ptr)); - if (strncmp(ptr,"DEFAULT=",8) == 0) { - ptr+=8; - D(("Default arg found: <%s>", ptr)); - valptr=&(var->defval); - } else if (strncmp(ptr, "OVERRIDE=", 9) == 0) { - ptr+=9; - D(("Override arg found: <%s>", ptr)); - valptr=&(var->override); - } else { - D(("Unrecognized options: <%s> - ignoring line", ptr)); - _log_err(LOG_ERR, "Unrecognized Option: %s - ignoring line", ptr); - return BAD_LINE; - } - - if ('"' != *ptr) { /* Escaped quotes not supported */ - length = strcspn(ptr, " \t\n"); - tmpptr = ptr+length; - } else { - tmpptr = strchr(++ptr, '"'); - if (!tmpptr) { - D(("Unterminated quoted string: %s", ptr-1)); - _log_err(LOG_ERR, "Unterminated quoted string: %s", ptr-1); - return BAD_LINE; - } - length = tmpptr - ptr; - if (*++tmpptr && ' ' != *tmpptr && '\t' != *tmpptr && '\n' != *tmpptr) { - D(("Quotes must cover the entire string: <%s>", ptr)); - _log_err(LOG_ERR, "Quotes must cover the entire string: <%s>", ptr); - return BAD_LINE; - } - quoteflg++; - } - if (length) { - if ((*valptr = malloc(length + 1)) == NULL) { - D(("Couldn't malloc %d bytes", length+1)); - _log_err(LOG_ERR, "Couldn't malloc %d bytes", length+1); - return PAM_BUF_ERR; - } - (void)strncpy(*valptr,ptr,length); - (*valptr)[length]='\0'; - } else if (quoteflg--) { - *valptr = "e; /* a quick hack to handle the empty string */ - } - ptr = tmpptr; /* Start the search where we stopped */ - } /* while */ - - /* - * The line is parsed, all is well. - */ - - D(("Exit.")); - ptr = NULL; tmpptr = NULL; valptr = NULL; - return GOOD_LINE; -} - -static int _check_var(pam_handle_t *pamh, VAR *var) -{ - /* - * Examine the variable and determine what action to take. - * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take - * or a PAM_* error code if passed back from other routines - * - * if no DEFAULT provided, the empty string is assumed - * if no OVERRIDE provided, the empty string is assumed - * if DEFAULT= and OVERRIDE evaluates to the empty string, - * this variable should be undefined - * if DEFAULT="" and OVERRIDE evaluates to the empty string, - * this variable should be defined with no value - * if OVERRIDE=value and value turns into the empty string, DEFAULT is used - * - * If DEFINE_VAR is to be returned, the correct value to define will - * be pointed to by var->value - */ - - int retval; - - D(("Called.")); - - /* - * First thing to do is to expand any arguments, but only - * if they are not the special quote values (cause expand_arg - * changes memory). - */ - - if (var->defval && ("e != var->defval) && - ((retval = _expand_arg(pamh, &(var->defval))) != PAM_SUCCESS)) { - return retval; - } - if (var->override && ("e != var->override) && - ((retval = _expand_arg(pamh, &(var->override))) != PAM_SUCCESS)) { - return retval; - } - - /* Now its easy */ - - if (var->override && *(var->override) && "e != var->override) { - /* if there is a non-empty string in var->override, we use it */ - D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override)); - var->value = var->override; - retval = DEFINE_VAR; - } else { - - var->value = var->defval; - if ("e == var->defval) { - /* - * This means that the empty string was given for defval value - * which indicates that a variable should be defined with no value - */ - *var->defval = '\0'; - D(("An empty variable: <%s>", var->name)); - retval = DEFINE_VAR; - } else if (var->defval) { - D(("DEFAULT variable <%s> being used: <%s>", var->name, var->defval)); - retval = DEFINE_VAR; - } else { - D(("UNDEFINE variable <%s>", var->name)); - retval = UNDEFINE_VAR; - } - } - - D(("Exit.")); - return retval; -} - -static int _expand_arg(pam_handle_t *pamh, char **value) -{ - const char *orig=*value, *tmpptr=NULL; - char *ptr; /* - * Sure would be nice to use tmpptr but it needs to be - * a constant so that the compiler will shut up when I - * call pam_getenv and _pam_get_item_byname -- sigh - */ - - char type, tmpval[BUF_SIZE]; /* No unexpanded variable can be bigger than BUF_SIZE */ - char tmp[MAX_ENV]; /* I know this shouldn't be hard-coded but it's so - * much easier this way */ - - D(("Remember to initialize tmp!")); - tmp[0] = '\0'; - - /* - * (possibly non-existent) environment variables can be used as values - * by prepending a "$" and wrapping in {} (ie: ${HOST}), can escape with "\" - * (possibly non-existent) PAM items can be used as values - * by prepending a "@" and wrapping in {} (ie: @{PAM_RHOST}, can escape - * - */ - D(("Expanding <%s>",orig)); - while (*orig) { /* while there is some input to deal with */ - if ('\\' == *orig) { - ++orig; - if ('$' != *orig && '@' != *orig) { - D(("Unrecognized escaped character: <%c> - ignoring", *orig)); - _log_err(LOG_ERR, "Unrecognized escaped character: <%c> - ignoring", - *orig); - } else if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ - } else { - /* is it really a good idea to try to log this? */ - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - } - continue; - } - if ('$' == *orig || '@' == *orig) { - if ('{' != *(orig+1)) { - D(("Expandable variables must be wrapped in {} <%s> - ignoring", orig)); - _log_err(LOG_ERR, "Expandable variables must be wrapped in {} <%s> - ignoring", - orig); - if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ - } - continue; - } else { - D(("Expandable argument: <%s>", orig)); - type = *orig; - orig+=2; /* skip the ${ or @{ characters */ - ptr = strchr(orig, '}'); - if (ptr) { - *ptr++ = '\0'; - } else { - D(("Unterminated expandable variable: <%s>", orig-2)); - _log_err(LOG_ERR, "Unterminated expandable variable: <%s>", orig-2); - return PAM_ABORT; - } - strcpy(tmpval, orig); - orig=ptr; - /* - * so, we know we need to expand tmpval, it is either - * an environment variable or a PAM_ITEM. type will tell us which - */ - switch (type) { - - case '$': - D(("Expanding env var: <%s>",tmpval)); - tmpptr = pam_getenv(pamh, tmpval); - D(("Expanded to <%s>", tmpptr)); - break; - - case '@': - D(("Expanding pam item: <%s>",tmpval)); - tmpptr = _pam_get_item_byname(pamh, tmpval); - D(("Expanded to <%s>", tmpptr)); - break; - - default: - D(("Impossible error, type == <%c>", type)); - _log_err(LOG_CRIT, "Impossible error, type == <%c>", type); - return PAM_ABORT; - } /* switch */ - - if (tmpptr) { - if ((strlen(tmp) + strlen(tmpptr)) < MAX_ENV) { - strcat(tmp, tmpptr); - } else { - /* is it really a good idea to try to log this? */ - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - } - } - } /* if ('{' != *orig++) */ - } else { /* if ( '$' == *orig || '@' == *orig) */ - if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ - } else { - /* is it really a good idea to try to log this? */ - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - } - } - } /* for (;*orig;) */ - - if (strlen(tmp) > strlen(*value)) { - free(*value); - if ((*value = malloc(strlen(tmp) +1)) == NULL) { - D(("Couldn't malloc %d bytes for expanded var", strlen(tmp)+1)); - _log_err(LOG_ERR,"Couldn't malloc %d bytes for expanded var", - strlen(tmp)+1); - return PAM_BUF_ERR; - } - } - strcpy(*value, tmp); - memset(tmp,'\0',sizeof(tmp)); - D(("Exit.")); - - return PAM_SUCCESS; -} - -static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) -{ - /* - * This function just allows me to use names as given in the config - * file and translate them into the appropriate PAM_ITEM macro - */ - - int item; - const char *itemval; - - D(("Called.")); - if (strcmp(name, "PAM_USER") == 0) { - item = PAM_USER; - } else if (strcmp(name, "PAM_USER_PROMPT") == 0) { - item = PAM_USER_PROMPT; - } else if (strcmp(name, "PAM_TTY") == 0) { - item = PAM_TTY; - } else if (strcmp(name, "PAM_RUSER") == 0) { - item = PAM_RUSER; - } else if (strcmp(name, "PAM_RHOST") == 0) { - item = PAM_RHOST; - } else { - D(("Unknown PAM_ITEM: <%s>", name)); - _log_err(LOG_ERR, "Unknown PAM_ITEM: <%s>", name); - return NULL; - } - - if (pam_get_item(pamh, item, (const void **)&itemval) != PAM_SUCCESS) { - D(("pam_get_item failed")); - return NULL; /* let pam_get_item() log the error */ - } - D(("Exit.")); - return itemval; -} - -static int _define_var(pam_handle_t *pamh, VAR *var) -{ - /* We have a variable to define, this is a simple function */ - - char *envvar; - int size, retval=PAM_SUCCESS; - - D(("Called.")); - size = strlen(var->name)+strlen(var->value)+2; - if ((envvar = malloc(size)) == NULL) { - D(("Malloc fail, size = %d", size)); - _log_err(LOG_ERR, "Malloc fail, size = %d", size); - return PAM_BUF_ERR; - } - (void) sprintf(envvar,"%s=%s",var->name,var->value); - retval = pam_putenv(pamh, envvar); - free(envvar); envvar=NULL; - D(("Exit.")); - return retval; -} - -static int _undefine_var(pam_handle_t *pamh, VAR *var) -{ - /* We have a variable to undefine, this is a simple function */ - - D(("Called and exit.")); - return pam_putenv(pamh, var->name); -} - -static void _clean_var(VAR *var) -{ - if (var->name) { - free(var->name); - } - if (var->defval && ("e != var->defval)) { - free(var->defval); - } - if (var->override && ("e != var->override)) { - free(var->override); - } - var->name = NULL; - var->value = NULL; /* never has memory specific to it */ - var->defval = NULL; - var->override = NULL; - return; -} - - - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - return PAM_IGNORE; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - int retval, ctrl; - char *conf_file=NULL; - - /* - * this module sets environment variables read in from a file - */ - - D(("Called.")); - ctrl = _pam_parse(flags, argc, argv, &conf_file); - - retval = _parse_config_file(pamh, ctrl, &conf_file); - - /* indicate success or failure */ - - D(("Exit.")); - return retval; -} - -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - _log_err(LOG_NOTICE, "pam_sm_acct_mgmt called inappropriatly"); - return PAM_SERVICE_ERR; -} - -PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int retval, ctrl; - char *conf_file=NULL; - - /* - * this module sets environment variables read in from a file - */ - - D(("Called.")); - ctrl = _pam_parse(flags, argc, argv, &conf_file); - - retval = _parse_config_file(pamh, ctrl, &conf_file); - - /* indicate success or failure */ - - D(("Exit.")); - return retval; -} - -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc, - const char **argv) -{ - D(("Called and Exit")); - return PAM_SUCCESS; -} - -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - _log_err(LOG_NOTICE, "pam_sm_chauthtok called inappropriatly"); - return PAM_SERVICE_ERR; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_env_modstruct = { - "pam_env", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_env/pam_env.conf-example b/contrib/libpam/modules/pam_env/pam_env.conf-example deleted file mode 100644 index 388e8b6..0000000 --- a/contrib/libpam/modules/pam_env/pam_env.conf-example +++ /dev/null @@ -1,72 +0,0 @@ -# $Date: 1997/04/05 06:42:35 $ -# $Author: morgan $ -# $Id: pam_env.conf-example,v 1.1 1997/04/05 06:42:35 morgan Exp $ -# -# This is the configuration file for pam_env, a PAM module to load in -# a configurable list of environment variables for a -# -# The original idea for this came from Andrew G. Morgan ... -#<quote> -# Mmm. Perhaps you might like to write a pam_env module that reads a -# default environment from a file? I can see that as REALLY -# useful... Note it would be an "auth" module that returns PAM_IGNORE -# for the auth part and sets the environment returning PAM_SUCCESS in -# the setcred function... -#</quote> -# -# What I wanted was the REMOTEHOST variable set, purely for selfish -# reasons, and AGM didn't want it added to the SimpleApps login -# program (which is where I added the patch). So, my first concern is -# that variable, from there there are numerous others that might/would -# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER ..... -# -# Of course, these are a different kind of variable than REMOTEHOST in -# that they are things that are likely to be configured by -# administrators rather than set by logging in, how to treat them both -# in the same config file? -# -# Here is my idea: -# -# Each line starts with the variable name, there are then two possible -# options for each variable DEFAULT and OVERRIDE. -# DEFAULT allows and administrator to set the value of the -# variable to some default value, if none is supplied then the empty -# string is assumed. The OVERRIDE option tells pam_env that it should -# enter in its value (overriding the default value) if there is one -# to use. OVERRIDE is not used, "" is assumed and no override will be -# done. -# -# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] -# -# (Possibly non-existent) environment variables may be used in values -# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may -# be used in values using the @{string} syntax. Both the $ and @ -# characters can be backslash escaped to be used as literal values -# values can be delimited with "", escaped " not supported. -# -# -# First, some special variables -# -# Set the REMOTEHOST variable for any hosts that are remote, default -# to "localhost" rather than not being set at all -#REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} -# -# Set the DISPLAY variable if it seems reasonable -#DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} -# -# -# Now some simple variables -# -#PAGER DEFAULT=less -#MANPAGER DEFAULT=less -#LESS DEFAULT="M q e h15 z23 b80" -#NNTPSERVER DEFAULT=localhost -#PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ -#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11 -# -# silly examples of escaped variables, just to show how they work. -# -#DOLLAR DEFAULT=\$ -#DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR} -#DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST} -#ATSIGN DEFAULT="" OVERRIDE=\@ diff --git a/contrib/libpam/modules/pam_filter/Makefile b/contrib/libpam/modules/pam_filter/Makefile deleted file mode 100644 index dbd6452..0000000 --- a/contrib/libpam/modules/pam_filter/Makefile +++ /dev/null @@ -1,150 +0,0 @@ -# -# $Id: Makefile,v 1.10 1997/04/05 06:41:09 morgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.10 1997/04/05 06:41:09 morgan -# fakeroot -# -# Revision 1.9 1997/02/15 18:58:48 morgan -# fixed bash syntax -# -# Revision 1.8 1997/01/04 20:24:29 morgan -# don't compile on solaris, make -> $(MAKE) -# -# Revision 1.7 1996/11/10 20:12:09 morgan -# cross platform support -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11 -# - -ifeq ($(OS),solaris) - -include ../dont_makefile - -else - -TITLE=pam_filter -FILTERS=upperLOWER -FILTERSDIR=$(SUPLEMENTED)/pam_filter -export FILTERSDIR - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - @echo "**** This is not a top-level Makefile " - exit - -# -# this is where we compile this module -# - -all: dirs $(LIBSHARED) $(LIBSTATIC) register filters - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -filters: - @for i in $(FILTERS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i all ; \ - fi ; \ - done - - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) -endif - -ifdef DYNAMIC -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) -endif - -ifdef STATIC -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - @for i in $(FILTERS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i install ; \ - fi ; \ - done - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(INCLUDED) - $(INSTALL) -m 644 include/pam_filter.h $(FAKEROOT)$(INCLUDED) - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - rm -f $(FAKEROOT)$(INCLUDED)/pam_filter.h - @for i in $(FILTERS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i remove ; \ - fi ; \ - done - -lclean: - rm -f $(LIBSHARED) $(LIBOBJD) $(LIBOBJS) core *~ - -clean: lclean - @for i in $(FILTERS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i clean ; \ - fi ; \ - done - -extraclean: lclean - @rm -f *.a *.o *.so *.bak - for i in $(FILTERS) ; do \ - if [ -d $$i ]; then \ - $(MAKE) -C $$i extraclean ; \ - fi ; \ - done - -.c.o: - $(CC) $(CFLAGS) -c $< - -endif diff --git a/contrib/libpam/modules/pam_filter/README b/contrib/libpam/modules/pam_filter/README deleted file mode 100644 index 9d46a56..0000000 --- a/contrib/libpam/modules/pam_filter/README +++ /dev/null @@ -1,94 +0,0 @@ -# -# $Id: README,v 1.5 1996/12/01 02:53:08 morgan Exp $ -# -# This describes the behavior of this module with respect to the -# /etc/pam.conf file. -# -# writen by Andrew Morgan <morgan@parc.power.net> -# - -This module is intended to be a platform for providing access to all -of the input/output that passes between the user and the application. -It is only suitable for tty-based and (stdin/stdout) applications. And -is only known to work on Linux based systems. - -The action of the module is dictated by the arguments it is given in -the pam.conf file. - -recognized flags are: - - debug print some information to syslog(3) - - new_term set the PAM_TTY item to the new filtered - terminal (the default is to set it - to be that of the users terminal) - - non_term don't try to set the PAM_TTY item - - run1/run2 these arguments indicate that the - module should separate the application - from the user and insert a filter - program between them. The pathname of - the filter program follows the 'runN' - argument. Arguments that follow this - pathname are passed as arguments to - the filter program. - - The distinction between run1 and run2 - is which of the two functions of - the given management-type triggers the - execution of the indicated filter. - - type: run1 run2 - ----- ---- ---- - - auth pam_sm_authenticate pam_sm_setcred - - account [ pam_sm_acct_mgmt (either is good) ] - - session pam_sm_open_session pam_sm_close_session - - password pam_sm_chauthtok/PRELIM pam_sm_chauthtok/UPDATE - -Note, in the case of 'password' PRELIM/UPDATE indicates which of the -two calls to pam_sm_chauthtok from libpam (not the application) will -trigger the filter. - -What a filter program should expect: ------------------------------------- - -Definitions for filter programs (which may be locally designed) are -contained in the <security/pam_filter.h> file. - -Arguments are not passed to the filter on the command line, since this -is plainly visible when a user types 'ps -a'. Instead they are passed -as the filter's environment. Other information is passed in this way -too. - -Here is a list of the environment variables that a filter should -expect: - - ARGS="filter_path_name argument list" - SERVICE="service_name" (as it appears in /etc/pam.conf) - USER="username" - TYPE="module_fn" (the name of the function in pam_filter.so - that invoked the filter) - -[This list is likely to grow. If you want something added, email me!] - -Among other things this module is intended to provide a useful means -of logging the activity of users in as discrete a manner as possible. - -Existing filters: ------------------ - -Currently, there is a single supplied filter (upperLOWER). The effect -of using this filter is to transpose upper and lower case letters -between the user and the application. This is really annoying when you -try the 'xsh' example application! ;) - -TODO: provide more filters... - Decide if providing stderr interception is really overkill. - -Andrew G. Morgan <morgan@parc.power.net> 1996/5/27 - diff --git a/contrib/libpam/modules/pam_filter/include/pam_filter.h b/contrib/libpam/modules/pam_filter/include/pam_filter.h deleted file mode 100644 index 3eb2730..0000000 --- a/contrib/libpam/modules/pam_filter/include/pam_filter.h +++ /dev/null @@ -1,32 +0,0 @@ -/* - * $Id: pam_filter.h,v 1.2 1997/02/15 19:09:09 morgan Exp $ - * - * this file is associated with the Linux-PAM filter module. - * it was written by Andrew G. Morgan <morgan@parc.power.net> - * - */ - -#ifndef PAM_FILTER_H -#define PAM_FILTER_H - -#include <sys/file.h> - -/* - * this will fail if there is some problem with these file descriptors - * being allocated by the pam_filter Linux-PAM module. The numbers - * here are thought safe, but the filter developer should use the - * macros, as these numbers are subject to change. - * - * The APPXXX_FILENO file descriptors are the STDIN/OUT/ERR_FILENO of the - * application. The filter uses the STDIN/OUT/ERR_FILENO's to converse - * with the user, passes (modified) user input to the application via - * APPIN_FILENO, and receives application output from APPOUT_FILENO/ERR. - */ - -#define APPIN_FILENO 3 /* write here to give application input */ -#define APPOUT_FILENO 4 /* read here to get application output */ -#define APPERR_FILENO 5 /* read here to get application errors */ - -#define APPTOP_FILE 6 /* used by select */ - -#endif diff --git a/contrib/libpam/modules/pam_filter/pam_filter.c b/contrib/libpam/modules/pam_filter/pam_filter.c deleted file mode 100644 index fc3d1f2..0000000 --- a/contrib/libpam/modules/pam_filter/pam_filter.c +++ /dev/null @@ -1,747 +0,0 @@ -/* - * $Id: pam_filter.c,v 1.9 1997/02/15 19:07:49 morgan Exp morgan $ - * - * $Log: pam_filter.c,v $ - * Revision 1.9 1997/02/15 19:07:49 morgan - * fixed email - * - * Revision 1.8 1996/11/10 20:59:23 morgan - * gcc warning removed - * - * Revision 1.7 1996/07/08 00:01:17 morgan - * set the PAM_TTY item now - * - * Revision 1.6 1996/06/02 08:08:19 morgan - * completely re-written - * - * - * written by Andrew Morgan <morgan@transmeta.com> with much help from - * Richard Stevens' UNIX Network Programming book. - */ - -#include <stdlib.h> -#include <syslog.h> -#include <unistd.h> -#include <fcntl.h> -#include <string.h> - -#include <stdio.h> -#include <sys/types.h> -#include <sys/wait.h> -#include <sys/time.h> -#include <sys/file.h> -#include <sys/stat.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <termio.h> - -#include <signal.h> - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - -#include <security/pam_modules.h> -#include <security/pam_filter.h> - -/* ------ some tokens used for convenience throughout this file ------- */ - -#define FILTER_DEBUG 01 -#define FILTER_RUN1 02 -#define FILTER_RUN2 04 -#define NEW_TERM 010 -#define NON_TERM 020 - -/* -------------------------------------------------------------------- */ - -/* log errors */ - -#include <stdarg.h> - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pam_filter", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -#define TERMINAL_LEN 12 - -static int master(char *terminal) -/* - * try to open all of the terminals in sequence return first free one, - * or -1 - */ -{ - const char ptys[] = "pqrs", *pty = ptys; - const char hexs[] = "0123456789abcdef", *hex; - struct stat tstat; - int fd; - - strcpy(terminal, "/dev/pty??"); - - while (*pty) { /* step through four types */ - terminal[8] = *pty++; - terminal[9] = '0'; - if (stat(terminal,&tstat) < 0) { - _pam_log(LOG_WARNING, "unknown pseudo terminal; %s", terminal); - break; - } - for (hex = hexs; *hex; ) { /* step through 16 of these */ - terminal[9] = *hex++; - if ((fd = open(terminal, O_RDWR)) >= 0) { - return fd; - } - } - } - - /* no terminal found */ - - return -1; -} - -static int process_args(pam_handle_t *pamh - , int argc, const char **argv, const char *type - , char ***evp, const char **filtername) -{ - int ctrl=0; - - while (argc-- > 0) { - if (strcmp("debug",*argv) == 0) { - ctrl |= FILTER_DEBUG; - } else if (strcmp("new_term",*argv) == 0) { - ctrl |= NEW_TERM; - } else if (strcmp("non_term",*argv) == 0) { - ctrl |= NON_TERM; - } else if (strcmp("run1",*argv) == 0) { - ctrl |= FILTER_RUN1; - if (argc <= 0) { - _pam_log(LOG_ALERT,"no run filter supplied"); - } else - break; - } else if (strcmp("run2",*argv) == 0) { - ctrl |= FILTER_RUN2; - if (argc <= 0) { - _pam_log(LOG_ALERT,"no run filter supplied"); - } else - break; - } else { - _pam_log(LOG_ERR, "unrecognized option: %s (ignored)", *argv); - } - ++argv; /* step along list */ - } - - if (argc < 0) { - /* there was no reference to a filter */ - *filtername = NULL; - *evp = NULL; - } else { - char **levp; - const char *tmp; - int i,size; - - *filtername = *++argv; - if (ctrl & FILTER_DEBUG) { - _pam_log(LOG_DEBUG,"will run filter %s\n", *filtername); - } - - levp = (char **) malloc(5*sizeof(char *)); - if (levp == NULL) { - _pam_log(LOG_CRIT,"no memory for environment of filter"); - return -1; - } - - for (size=i=0; i<argc; ++i) { - size += strlen(argv[i])+1; - } - - /* the "ARGS" variable */ - -#define ARGS_OFFSET 5 /* sizeof("ARGS="); */ -#define ARGS_NAME "ARGS=" - - size += ARGS_OFFSET; - - levp[0] = (char *) malloc(size); - if (levp[0] == NULL) { - _pam_log(LOG_CRIT,"no memory for filter arguments"); - if (levp) { - free(levp); - } - return -1; - } - - strncpy(levp[0],ARGS_NAME,ARGS_OFFSET); - for (i=0,size=ARGS_OFFSET; i<argc; ++i) { - strcpy(levp[0]+size, argv[i]); - size += strlen(argv[i]); - levp[0][size++] = ' '; - } - levp[0][--size] = '\0'; /* <NUL> terminate */ - - /* the "SERVICE" variable */ - -#define SERVICE_OFFSET 8 /* sizeof("SERVICE="); */ -#define SERVICE_NAME "SERVICE=" - - pam_get_item(pamh, PAM_SERVICE, (const void **)&tmp); - size = SERVICE_OFFSET+strlen(tmp); - - levp[1] = (char *) malloc(size+1); - if (levp[1] == NULL) { - _pam_log(LOG_CRIT,"no memory for service name"); - if (levp) { - free(levp[0]); - free(levp); - } - return -1; - } - - strncpy(levp[1],SERVICE_NAME,SERVICE_OFFSET); - strcpy(levp[1]+SERVICE_OFFSET, tmp); - levp[1][size] = '\0'; /* <NUL> terminate */ - - /* the "USER" variable */ - -#define USER_OFFSET 5 /* sizeof("USER="); */ -#define USER_NAME "USER=" - - pam_get_user(pamh, &tmp, NULL); - if (tmp == NULL) { - tmp = "<unknown>"; - } - size = USER_OFFSET+strlen(tmp); - - levp[2] = (char *) malloc(size+1); - if (levp[2] == NULL) { - _pam_log(LOG_CRIT,"no memory for user's name"); - if (levp) { - free(levp[1]); - free(levp[0]); - free(levp); - } - return -1; - } - - strncpy(levp[2],USER_NAME,USER_OFFSET); - strcpy(levp[2]+USER_OFFSET, tmp); - levp[2][size] = '\0'; /* <NUL> terminate */ - - /* the "USER" variable */ - -#define TYPE_OFFSET 5 /* sizeof("TYPE="); */ -#define TYPE_NAME "TYPE=" - - size = TYPE_OFFSET+strlen(type); - - levp[3] = (char *) malloc(size+1); - if (levp[3] == NULL) { - _pam_log(LOG_CRIT,"no memory for type"); - if (levp) { - free(levp[2]); - free(levp[1]); - free(levp[0]); - free(levp); - } - return -1; - } - - strncpy(levp[3],TYPE_NAME,TYPE_OFFSET); - strcpy(levp[3]+TYPE_OFFSET, type); - levp[3][size] = '\0'; /* <NUL> terminate */ - - levp[4] = NULL; /* end list */ - - *evp = levp; - } - - if ((ctrl & FILTER_DEBUG) && *filtername) { - char **e; - - _pam_log(LOG_DEBUG,"filter[%s]: %s",type,*filtername); - _pam_log(LOG_DEBUG,"environment:"); - for (e=*evp; e && *e; ++e) { - _pam_log(LOG_DEBUG," %s",*e); - } - } - - return ctrl; -} - -static void free_evp(char *evp[]) -{ - int i; - - if (evp) - for (i=0; i<4; ++i) { - if (evp[i]) - free(evp[i]); - } - free(evp); -} - -static int set_filter(pam_handle_t *pamh, int flags, int ctrl - , const char **evp, const char *filtername) -{ - int status=-1; - char terminal[TERMINAL_LEN]; - struct termio stored_mode; /* initial terminal mode settings */ - int fd[2], child=0, child2=0, aterminal; - - if (filtername == NULL || *filtername != '/') { - _pam_log(LOG_ALERT, "filtername not permitted; require full path"); - return PAM_ABORT; - } - - if (!isatty(STDIN_FILENO) || !isatty(STDOUT_FILENO)) { - aterminal = 0; - } else { - aterminal = 1; - } - - if (aterminal) { - - /* open the master pseudo terminal */ - - fd[0] = master(terminal); - if (fd[0] < 0) { - _pam_log(LOG_CRIT,"no master terminal"); - return PAM_AUTH_ERR; - } - - /* set terminal into raw mode.. remember old mode so that we can - revert to it after the child has quit. */ - - /* this is termio terminal handling... */ - - if (ioctl(STDIN_FILENO, TCGETA, (char *) &stored_mode ) < 0) { - /* in trouble, so close down */ - close(fd[0]); - _pam_log(LOG_CRIT, "couldn't copy terminal mode"); - return PAM_ABORT; - } else { - struct termio t_mode = stored_mode; - - t_mode.c_iflag = 0; /* no input control */ - t_mode.c_oflag &= ~OPOST; /* no ouput post processing */ - - /* no signals, canonical input, echoing, upper/lower output */ - t_mode.c_lflag &= ~(ISIG|ICANON|ECHO|XCASE); - t_mode.c_cflag &= ~(CSIZE|PARENB); /* no parity */ - t_mode.c_cflag |= CS8; /* 8 bit chars */ - - t_mode.c_cc[VMIN] = 1; /* number of chars to satisfy a read */ - t_mode.c_cc[VTIME] = 0; /* 0/10th second for chars */ - - if (ioctl(STDIN_FILENO, TCSETA, (char *) &t_mode) < 0) { - close(fd[0]); - _pam_log(LOG_WARNING, "couldn't put terminal in RAW mode"); - return PAM_ABORT; - } - - /* - * NOTE: Unlike the stream socket case here the child - * opens the slave terminal as fd[1] *after* the fork... - */ - } - } else { - - /* - * not a terminal line so just open a stream socket fd[0-1] - * both set... - */ - - if ( socketpair(AF_UNIX, SOCK_STREAM, 0, fd) < 0 ) { - _pam_log(LOG_CRIT,"couldn't open a stream pipe"); - return PAM_ABORT; - } - } - - /* start child process */ - - if ( (child = fork()) < 0 ) { - - _pam_log(LOG_WARNING,"first fork failed"); - if (aterminal) { - (void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode); - } - - return PAM_AUTH_ERR; - } - - if ( child == 0 ) { /* child process *is* application */ - - if (aterminal) { - - /* close the controlling tty */ - -#if defined(__hpux) && defined(O_NOCTTY) - int t = open("/dev/tty", O_RDWR|O_NOCTTY); -#else - int t = open("/dev/tty",O_RDWR); - if (t > 0) { - (void) ioctl(t, TIOCNOTTY, NULL); - close(t); - } -#endif /* defined(__hpux) && defined(O_NOCTTY) */ - - /* make this process it's own process leader */ - if (setsid() == -1) { - _pam_log(LOG_WARNING,"child cannot become new session"); - return PAM_ABORT; - } - - /* find slave's name */ - terminal[5] = 't'; /* want to open slave terminal */ - fd[1] = open(terminal, O_RDWR); - close(fd[0]); /* process is the child -- uses line fd[1] */ - - if (fd[1] < 0) { - _pam_log(LOG_WARNING,"cannot open slave terminal; %s" - ,terminal); - return PAM_ABORT; - } - - /* initialize the child's terminal to be the way the - parent's was before we set it into RAW mode */ - - if (ioctl(fd[1], TCSETA, (char *) &stored_mode) < 0) { - _pam_log(LOG_WARNING,"cannot set slave terminal mode; %s" - ,terminal); - close(fd[1]); - return PAM_ABORT; - } - - } else { - - /* nothing to do for a simple stream socket */ - - } - - /* re-assign the stdin/out to fd[1] <- (talks to filter). */ - - if ( dup2(fd[1],STDIN_FILENO) != STDIN_FILENO || - dup2(fd[1],STDOUT_FILENO) != STDOUT_FILENO || - dup2(fd[1],STDERR_FILENO) != STDERR_FILENO ) { - _pam_log(LOG_WARNING - ,"unable to re-assign STDIN/OUT/ERR...'s"); - close(fd[1]); - return PAM_ABORT; - } - - /* make sure that file descriptors survive 'exec's */ - - if ( fcntl(STDIN_FILENO, F_SETFD, 0) || - fcntl(STDOUT_FILENO,F_SETFD, 0) || - fcntl(STDERR_FILENO,F_SETFD, 0) ) { - _pam_log(LOG_WARNING - ,"unable to re-assign STDIN/OUT/ERR...'s"); - return PAM_ABORT; - } - - /* now the user input is read from the parent/filter: forget fd */ - - close(fd[1]); - - /* the current process is now aparently working with filtered - stdio/stdout/stderr --- success! */ - - return PAM_SUCCESS; - } - - /* - * process is the parent here. So we can close the application's - * input/output - */ - - close(fd[1]); - - /* Clear out passwords... there is a security problem here in - * that this process never executes pam_end. Consequently, any - * other sensitive data in this process is *not* explicitly - * overwritten, before the process terminates */ - - (void) pam_set_item(pamh, PAM_AUTHTOK, NULL); - (void) pam_set_item(pamh, PAM_OLDAUTHTOK, NULL); - - /* fork a copy of process to run the actual filter executable */ - - if ( (child2 = fork()) < 0 ) { - - _pam_log(LOG_WARNING,"filter fork failed"); - child2 = 0; - - } else if ( child2 == 0 ) { /* exec the child filter */ - - if ( dup2(fd[0],APPIN_FILENO) != APPIN_FILENO || - dup2(fd[0],APPOUT_FILENO) != APPOUT_FILENO || - dup2(fd[0],APPERR_FILENO) != APPERR_FILENO ) { - _pam_log(LOG_WARNING - ,"unable to re-assign APPIN/OUT/ERR...'s"); - close(fd[0]); - exit(1); - } - - /* make sure that file descriptors survive 'exec's */ - - if ( fcntl(APPIN_FILENO, F_SETFD, 0) == -1 || - fcntl(APPOUT_FILENO,F_SETFD, 0) == -1 || - fcntl(APPERR_FILENO,F_SETFD, 0) == -1 ) { - _pam_log(LOG_WARNING - ,"unable to retain APPIN/OUT/ERR...'s"); - close(APPIN_FILENO); - close(APPOUT_FILENO); - close(APPERR_FILENO); - exit(1); - } - - /* now the user input is read from the parent through filter */ - - execle(filtername, "<pam_filter>", NULL, evp); - - /* getting to here is an error */ - - _pam_log(LOG_ALERT, "filter: %s, not executable", filtername); - - } else { /* wait for either of the two children to exit */ - - while (child && child2) { /* loop if there are two children */ - int lstatus=0; - int chid; - - chid = wait(&lstatus); - if (chid == child) { - - if (WIFEXITED(lstatus)) { /* exited ? */ - status = WEXITSTATUS(lstatus); - } else if (WIFSIGNALED(lstatus)) { /* killed ? */ - status = -1; - } else - continue; /* just stopped etc.. */ - child = 0; /* the child has exited */ - - } else if (chid == child2) { - /* - * if the filter has exited. Let the child die - * naturally below - */ - if (WIFEXITED(lstatus) || WIFSIGNALED(lstatus)) - child2 = 0; - } else { - - _pam_log(LOG_ALERT - ,"programming error <chid=%d,lstatus=%x>: " - __FILE__ " line %d" - , lstatus, __LINE__ ); - child = child2 = 0; - status = -1; - - } - } - } - - close(fd[0]); - - /* if there is something running, wait for it to exit */ - - while (child || child2) { - int lstatus=0; - int chid; - - chid = wait(&lstatus); - - if (child && chid == child) { - - if (WIFEXITED(lstatus)) { /* exited ? */ - status = WEXITSTATUS(lstatus); - } else if (WIFSIGNALED(lstatus)) { /* killed ? */ - status = -1; - } else - continue; /* just stopped etc.. */ - child = 0; /* the child has exited */ - - } else if (child2 && chid == child2) { - - if (WIFEXITED(lstatus) || WIFSIGNALED(lstatus)) - child2 = 0; - - } else { - - _pam_log(LOG_ALERT - ,"programming error <chid=%d,lstatus=%x>: " - __FILE__ " line %d" - , lstatus, __LINE__ ); - child = child2 = 0; - status = -1; - - } - } - - if (aterminal) { - /* reset to initial terminal mode */ - (void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode); - } - - if (ctrl & FILTER_DEBUG) { - _pam_log(LOG_DEBUG,"parent process exited"); /* clock off */ - } - - /* quit the parent process, returning the child's exit status */ - - exit(status); -} - -static int set_the_terminal(pam_handle_t *pamh) -{ - const char *tty; - - if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS - || tty == NULL) { - tty = ttyname(STDIN_FILENO); - if (tty == NULL) { - _pam_log(LOG_ERR, "couldn't get the tty name"); - return PAM_ABORT; - } - if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { - _pam_log(LOG_ERR, "couldn't set tty name"); - return PAM_ABORT; - } - } - return PAM_SUCCESS; -} - -static int need_a_filter(pam_handle_t *pamh - , int flags, int argc, const char **argv - , const char *name, int which_run) -{ - int ctrl; - char **evp; - const char *filterfile; - int retval; - - ctrl = process_args(pamh, argc, argv, name, &evp, &filterfile); - if (ctrl == -1) { - return PAM_AUTHINFO_UNAVAIL; - } - - /* set the tty to the old or the new one? */ - - if (!(ctrl & NON_TERM) && !(ctrl & NEW_TERM)) { - retval = set_the_terminal(pamh); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "tried and failed to set PAM_TTY"); - } - } else { - retval = PAM_SUCCESS; /* nothing to do which is always a success */ - } - - if (retval == PAM_SUCCESS && (ctrl & which_run)) { - retval = set_filter(pamh, flags, ctrl - , (const char **)evp, filterfile); - } - - if (retval == PAM_SUCCESS - && !(ctrl & NON_TERM) && (ctrl & NEW_TERM)) { - retval = set_the_terminal(pamh); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR - , "tried and failed to set new terminal as PAM_TTY"); - } - } - - free_evp(evp); - - if (ctrl & FILTER_DEBUG) { - _pam_log(LOG_DEBUG, "filter/%s, returning %d", name, retval); - _pam_log(LOG_DEBUG, "[%s]", pam_strerror(pamh, retval)); - } - - return retval; -} - -/* ----------------- public functions ---------------- */ - -/* - * here are the advertised access points ... - */ - -/* ------------------ authentication ----------------- */ - -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh - , int flags, int argc, const char **argv) -{ - return need_a_filter(pamh, flags, argc, argv - , "authenticate", FILTER_RUN1); -} - -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - return need_a_filter(pamh, flags, argc, argv, "setcred", FILTER_RUN2); -} - -/* --------------- account management ---------------- */ - -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - return need_a_filter(pamh, flags, argc, argv - , "setcred", FILTER_RUN1|FILTER_RUN2 ); -} - -/* --------------- session management ---------------- */ - -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - return need_a_filter(pamh, flags, argc, argv - , "open_session", FILTER_RUN1); -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - return need_a_filter(pamh, flags, argc, argv - , "close_session", FILTER_RUN2); -} - -/* --------- updating authentication tokens --------- */ - - -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - int runN; - - if (flags & PAM_PRELIM_CHECK) - runN = FILTER_RUN1; - else if (flags & PAM_UPDATE_AUTHTOK) - runN = FILTER_RUN2; - else { - _pam_log(LOG_ERR, "unknown flags for chauthtok (0x%X)", flags); - return PAM_TRY_AGAIN; - } - - return need_a_filter(pamh, flags, argc, argv, "chauthtok", runN); -} - -#ifdef PAM_STATIC - -/* ------------ stuff for static modules ------------ */ - -struct pam_module _pam_filter_modstruct = { - "pam_filter", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok, -}; - -#endif diff --git a/contrib/libpam/modules/pam_filter/upperLOWER/Makefile b/contrib/libpam/modules/pam_filter/upperLOWER/Makefile deleted file mode 100644 index 09b693b..0000000 --- a/contrib/libpam/modules/pam_filter/upperLOWER/Makefile +++ /dev/null @@ -1,58 +0,0 @@ -# -# $Id: Makefile,v 1.5 1997/04/05 06:41:35 morgan Exp $ -# -# $Log: Makefile,v $ -# Revision 1.5 1997/04/05 06:41:35 morgan -# fakeroot -# -# Revision 1.4 1997/01/04 20:25:04 morgan -# removed need for make -# -# Revision 1.3 1996/11/10 20:13:08 morgan -# email address -# -# Revision 1.2 1996/11/10 20:12:24 morgan -# cross platform support -# -# Revision 1.1 1996/06/02 08:17:02 morgan -# Initial revision -# -# -# This directory contains a pam_filter filter executable -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11 -# - -TITLE=upperLOWER - -# - -OBJS = $(TITLE).o - -####################### don't edit below ####################### - -dummy: - @echo "**** This is not a top-level Makefile " - -all: $(TITLE) - -$(TITLE): $(OBJS) - $(CC) -o $(TITLE) $(OBJS) - strip $(TITLE) - -install: - $(MKDIR) $(FAKEROOT)$(FILTERSDIR) - $(INSTALL) -m 511 $(TITLE) $(FAKEROOT)$(FILTERSDIR) - -remove: - cd $(FAKEROOT)$(FILTERSDIR) && rm -f $(TITLE) - -clean: - rm -f $(TITLE) $(OBJS) core *~ - -extraclean: clean - rm -f *.bak - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c b/contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c deleted file mode 100644 index b375c07..0000000 --- a/contrib/libpam/modules/pam_filter/upperLOWER/upperLOWER.c +++ /dev/null @@ -1,160 +0,0 @@ -/* - * $Id: upperLOWER.c,v 1.1 1996/06/02 08:17:02 morgan Exp $ - * - * This is a sample filter program, for use with pam_filter (a module - * provided with Linux-PAM). This filter simply transposes upper and - * lower case letters, it is intended for demonstration purposes and - * it serves no purpose other than to annoy the user... - * - * $Log: upperLOWER.c,v $ - * Revision 1.1 1996/06/02 08:17:02 morgan - * Initial revision - * - */ - -#include <stdio.h> -#include <syslog.h> -#include <sys/time.h> -#include <sys/types.h> -#include <unistd.h> - -#include <security/pam_filter.h> - -/* ---------------------------------------------------------------- */ - -#include <stdarg.h> -#ifdef hpux -# define log_this syslog -#else -static void log_this(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("upperLOWER", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} -#endif - -#include <ctype.h> - -static void do_transpose(char *buffer,int len) -{ - int i; - for (i=0; i<len; ++i) { - if (islower(buffer[i])) { - buffer[i] = toupper(buffer[i]); - } else { - buffer[i] = tolower(buffer[i]); - } - } -} - -int main(int argc, char **argv, char **envp) -{ - char buffer[BUFSIZ]; - fd_set readers; - void (*before_user)(char *,int); - void (*before_app)(char *,int); - -#ifdef DEBUG - { - int i; - - fprintf(stderr,"environment :[\r\n"); - for (i=0; envp[i]; ++i) { - fprintf(stderr,"-> %s\r\n",envp[i]); - } - fprintf(stderr,"]: end\r\n"); - } -#endif - - if (argc != 1) { -#ifdef DEBUG - fprintf(stderr,"filter invoked as conventional executable\n"); -#else - log_this(LOG_ERR, "filter invoked as conventional executable"); -#endif - exit(1); - } - - before_user = before_app = do_transpose; /* assign filter functions */ - - /* enter a loop that deals with the input and output of the - user.. passing it to and from the application */ - - FD_ZERO(&readers); /* initialize reading mask */ - - for (;;) { - - FD_SET(APPOUT_FILENO, &readers); /* wake for output */ - FD_SET(APPERR_FILENO, &readers); /* wake for error */ - FD_SET(STDIN_FILENO, &readers); /* wake for input */ - - if ( select(APPTOP_FILE,&readers,NULL,NULL,NULL) < 0 ) { -#ifdef DEBUG - fprintf(stderr,"select failed\n"); -#else - log_this(LOG_WARNING,"select failed"); -#endif - break; - } - - /* application errors */ - - if ( FD_ISSET(APPERR_FILENO,&readers) ) { - int got = read(APPERR_FILENO, buffer, BUFSIZ); - if (got <= 0) { - break; - } else { - /* translate to give to real terminal */ - if (before_user != NULL) - before_user(buffer, got); - if ( write(STDERR_FILENO, buffer, got) != got ) { - log_this(LOG_WARNING,"couldn't write %d bytes?!",got); - break; - } - } - } else if ( FD_ISSET(APPOUT_FILENO,&readers) ) { /* app output */ - int got = read(APPOUT_FILENO, buffer, BUFSIZ); - if (got <= 0) { - break; - } else { - /* translate to give to real terminal */ - if (before_user != NULL) - before_user(buffer, got); - if ( write(STDOUT_FILENO, buffer, got) != got ) { - log_this(LOG_WARNING,"couldn't write %d bytes!?",got); - break; - } - } - } - - if ( FD_ISSET(STDIN_FILENO, &readers) ) { /* user input */ - int got = read(STDIN_FILENO, buffer, BUFSIZ); - if (got < 0) { - log_this(LOG_WARNING,"user input junked"); - break; - } else if (got) { - /* translate to give to application */ - if (before_app != NULL) - before_app(buffer, got); - if ( write(APPIN_FILENO, buffer, got) != got ) { - log_this(LOG_WARNING,"couldn't pass %d bytes!?",got); - break; - } - } else { - /* nothing received -- an error? */ - log_this(LOG_WARNING,"user input null?"); - break; - } - } - } - - exit(0); -} - - - diff --git a/contrib/libpam/modules/pam_ftp/Makefile b/contrib/libpam/modules/pam_ftp/Makefile deleted file mode 100644 index b5355c6..0000000 --- a/contrib/libpam/modules/pam_ftp/Makefile +++ /dev/null @@ -1,96 +0,0 @@ -# -# $Id: Makefile,v 1.2 1997/04/05 06:40:33 morgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.2 1997/04/05 06:40:33 morgan -# fakeroot -# -# Revision 1.1 1996/12/01 03:17:57 morgan -# Initial revision -# -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/11/14 -# - -TITLE=pam_ftp - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_ftp/README b/contrib/libpam/modules/pam_ftp/README deleted file mode 100644 index 597f912..0000000 --- a/contrib/libpam/modules/pam_ftp/README +++ /dev/null @@ -1,20 +0,0 @@ -# $Id: README,v 1.1 1996/12/01 03:17:57 morgan Exp $ -# - -This module is an authentication module that does not authenticate. -Instead it always returns PAM_IGNORE, indicating that it does not want -to affect the authentication process. - -Its purpose is to log a message to the syslog indicating the -pam_item's available at the time it was invoked. It is a diagnostic -tool. - -Recognized arguments: - - none - -module services provided: - - auth _authetication and _setcred (blank) - -Andrew Morgan diff --git a/contrib/libpam/modules/pam_ftp/pam_ftp.c b/contrib/libpam/modules/pam_ftp/pam_ftp.c deleted file mode 100644 index ca2d415..0000000 --- a/contrib/libpam/modules/pam_ftp/pam_ftp.c +++ /dev/null @@ -1,295 +0,0 @@ -/* pam_ftp module */ - -/* - * $Id: pam_ftp.c,v 1.2 1997/02/15 16:23:59 morgan Exp morgan $ - * - * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 - * - * $Log: pam_ftp.c,v $ - * Revision 1.2 1997/02/15 16:23:59 morgan - * fixed logging to avoid a fixed buffer size - * - * Revision 1.1 1996/12/01 03:17:57 morgan - * Initial revision - * - * - */ - -#define PLEASE_ENTER_PASSWORD "Password required for %s." -#define GUEST_LOGIN_PROMPT "Guest login ok, " \ -"send your complete e-mail address as password." - -/* the following is a password that "can't be correct" */ -#define BLOCK_PASSWORD "\177BAD PASSWPRD\177" - -#ifdef linux -# define _GNU_SOURCE -# include <features.h> -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <syslog.h> -#include <stdarg.h> -#include <string.h> - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-ftp", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -static int converse(pam_handle_t *pamh, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse\n")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function\n")); - - if (retval != PAM_SUCCESS) { - _pam_log(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - _pam_log(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - } - - D(("ready to return from module conversation\n")); - - return retval; /* propagate error status */ -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 01 -#define PAM_IGNORE_EMAIL 02 -#define PAM_NO_ANON 04 - -static int _pam_parse(int argc, const char **argv, char **users) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"users=",6)) { - *users = x_strdup(6+*argv); - if (*users == NULL) { - ctrl |= PAM_NO_ANON; - _pam_log(LOG_CRIT, "failed to duplicate user list - anon off"); - } - } else if (!strcmp(*argv,"ignore")) { - ctrl |= PAM_IGNORE_EMAIL; - } else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* - * check if name is in list or default list. place users name in *_user - * return 1 if listed 0 if not. - */ - -static int lookup(const char *name, char *list, const char **_user) -{ - int anon = 0; - - *_user = name; /* this is the default */ - if (list) { - const char *l; - char *x; - - x = list; - while ((l = strtok(x, ","))) { - x = NULL; - if (!strcmp(name, l)) { - *_user = list; - anon = 1; - } - } - } else { -#define MAX_L 2 - static const char *l[MAX_L] = { "ftp", "anonymous" }; - int i; - - for (i=0; i<MAX_L; ++i) { - if (!strcmp(l[i], name)) { - *_user = l[0]; - anon = 1; - break; - } - } - } - - return anon; -} - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int retval, anon=0, ctrl; - const char *user; - char *users=NULL; - - /* - * this module checks if the user name is ftp or annonymous. If - * this is the case, it can set the PAM_RUSER to the entered email - * address and SUCCEEDS, otherwise it FAILS. - */ - - ctrl = _pam_parse(argc, argv, &users); - - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { - _pam_log(LOG_ERR, "no user specified"); - return PAM_USER_UNKNOWN; - } - - if (!(ctrl & PAM_NO_ANON)) { - anon = lookup(user, users, &user); - } - - if (anon) { - retval = pam_set_item(pamh, PAM_USER, (const void *)user); - if (retval != PAM_SUCCESS || user == NULL) { - _pam_log(LOG_ERR, "user resetting failed"); - return PAM_USER_UNKNOWN; - } - } - - /* - * OK. we require an email address for user or the user's password. - * - build conversation and get their input. - */ - - { - struct pam_message msg[1], *mesg[1]; - struct pam_response *resp=NULL; - const char *token; - char *prompt=NULL; - int i=0; - - mesg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - if (anon) { - prompt = malloc(sizeof(PLEASE_ENTER_PASSWORD + strlen(user))); - sprintf(prompt, PLEASE_ENTER_PASSWORD, user); - msg[i].msg = prompt; - } else { - msg[i].msg = GUEST_LOGIN_PROMPT; - } - - retval = converse(pamh, ++i, mesg, &resp); - _pam_overwrite(prompt); - _pam_drop(prompt); - - if (retval != PAM_SUCCESS) { - if (resp != NULL) - _pam_drop_reply(resp,i); - return PAM_AUTHINFO_UNAVAIL; - } - - if (anon) { - /* XXX: Some effort should be made to verify this email address! */ - - if (!(ctrl & PAM_IGNORE_EMAIL)) { - token = strtok(resp->resp, "@"); - retval = pam_set_item(pamh, PAM_RUSER, token); - - if (token && retval != PAM_SUCCESS) { - token = strtok(NULL, "@"); - retval = pam_set_item(pamh, PAM_RHOST, token); - } - } - } else { - /* - * we have a password so set AUTHTOK - */ - - (void) pam_set_item(pamh, PAM_AUTHTOK, resp->resp); - - /* - * this module failed, but the next one might succeed with - * this password. - */ - - retval = PAM_AUTH_ERR; - } - - if (resp) { /* clean up */ - _pam_drop_reply(resp, i); - } - - /* success or failure */ - - return retval; - } -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_IGNORE; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_ftp_modstruct = { - "pam_ftp", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_group/Makefile b/contrib/libpam/modules/pam_group/Makefile deleted file mode 100644 index 5db53cc..0000000 --- a/contrib/libpam/modules/pam_group/Makefile +++ /dev/null @@ -1,114 +0,0 @@ -# -# $Id: Makefile,v 1.6 1997/04/05 06:39:56 morgan Exp morgan $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.6 1997/04/05 06:39:56 morgan -# fakeroot -# -# Revision 1.5 1997/01/04 20:28:47 morgan -# compile with and without libpwdb -# -# Revision 1.4 1996/11/10 20:13:18 morgan -# cross platform support -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/6/11 -# - -TITLE=pam_group -CONFD=$(CONFIGED)/security -export CONFD -CONFILE=$(CONFD)/group.conf -export CONFILE - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -DEFS=-DCONFILE=\"$(CONFILE)\" -ifndef STATIC -ifeq ($(HAVE_PWDBLIB),yes) - DEFS+=-DWANT_PWDB - ELIBS=-lpwdb -endif -endif - -CFLAGS += $(DEFS) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(ELIBS) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) $(ELIBS) -endif - -install: all -ifdef DYNAMIC - $(MKDIR) $(FAKEROOT)$(SECUREDIR) - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(SCONFIGED) - bash -f ./install_conf - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - rm -f $(FAKEROOT)$(CONFILE) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - rm -f ./.ignore_age - -extraclean: clean - rm -f *.a *.o *.so *.bak - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_group/group.conf b/contrib/libpam/modules/pam_group/group.conf deleted file mode 100644 index bdd76adb..0000000 --- a/contrib/libpam/modules/pam_group/group.conf +++ /dev/null @@ -1,60 +0,0 @@ -## -## Note, to get this to work as it is currently typed you need -## -## 1. to run an application as root -## 2. add the following groups to the /etc/group file: -## floppy, games, sound -## -# -# *** Please note that giving group membership on a session basis is -# *** NOT inherently secure. If a user can create an executable that -# *** is setgid a group that they are infrequently given membership -# *** of, they can basically obtain group membership any time they -# *** like. Example: games are alowed between the hours of 6pm and 6am -# *** user joe logs in at 7pm writes a small C-program toplay.c that -# *** invokes their favorite shell, compiles it and does -# *** "chgrp games toplay; chmod g+s toplay". They are basically able -# *** to play games any time... You have been warned. AGM -# -# this is an example configuration file for the pam_group module. Its -# syntax is based on that of the pam_time module and (at some point in -# the distant past was inspired by the 'shadow' package) -# -# the syntax of the lines is as follows: -# -# services;ttys;users;times;groups -# -# white space is ignored and lines maybe extended with '\\n' (escaped -# newlines). From reading these comments, it is clear that -# text following a '#' is ignored to the end of the line. -# -# the first four fields are described in the pam_time directory. -# The only difference for these is how the time field is interpretted: -# it is used to indicate "when" these groups are to be given to the user. -# -# groups -# The (comma or space separated) list of groups that the user -# inherits membership of. These groups are added if the previous -# fields are satisfied by the user's request -# - -# -# Here is a simple example: running 'xsh' on tty* (any ttyXXX device), -# the user 'us' is given access to the floppy (through membership of -# the floppy group) -# - -#xsh;tty*&!ttyp*;us;Al0000-2400;floppy - -# -# another example: running 'xsh' on tty* (any ttyXXX device), -# the user 'sword' is given access to games (through membership of -# the floppy group) after work hours -# - -#xsh; tty* ;sword;!Wk0900-1800;games, sound -#xsh; tty* ;*;Al0900-1800;floppy - -# -# End of group.conf file -# diff --git a/contrib/libpam/modules/pam_group/install_conf b/contrib/libpam/modules/pam_group/install_conf deleted file mode 100755 index 03bb7ed..0000000 --- a/contrib/libpam/modules/pam_group/install_conf +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -CONFILE=$FAKEROOT"$CONFILE" -IGNORE_AGE=./.ignore_age -QUIET_INSTALL=../../.quiet_install -CONF=./group.conf -MODULE=pam_group - -echo - -if [ -f "$QUIET_INSTALL" ]; then - if [ ! -f "$CONFILE" ]; then - yes="y" - else - yes="skip" - fi -elif [ -f "$IGNORE_AGE" ]; then - echo "you don't want to be bothered with the age of your $CONFILE file" - yes="n" -elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then - if [ -f "$CONFILE" ]; then - echo "An older $MODULE configuration file already exists ($CONFILE)" - echo "Do you wish to copy the $CONF file in this distribution" - echo "to $CONFILE ? (y/n) [skip] " - read yes - else - yes="y" - fi -else - yes="skip" -fi - -if [ "$yes" = "y" ]; then - mkdir -p $FAKEROOT$CONFD - echo " copying $CONF to $CONFILE" - cp $CONF $CONFILE -else - echo " Skipping $CONF installation" - if [ "$yes" = "n" ]; then - touch "$IGNORE_AGE" - fi -fi - -echo - -exit 0 diff --git a/contrib/libpam/modules/pam_group/pam_group.c b/contrib/libpam/modules/pam_group/pam_group.c deleted file mode 100644 index 9e2cf88..0000000 --- a/contrib/libpam/modules/pam_group/pam_group.c +++ /dev/null @@ -1,862 +0,0 @@ -/* pam_group module */ - -/* - * $Id: pam_group.c,v 1.7 1997/02/15 17:31:48 morgan Exp morgan $ - * - * Written by Andrew Morgan <morgan@parc.power.net> 1996/7/6 - * - * $Log: pam_group.c,v $ - * Revision 1.7 1997/02/15 17:31:48 morgan - * time parsing more robust - * - * Revision 1.6 1997/01/04 21:57:49 morgan - * fixed warning about setgroups not being defined - * - * Revision 1.5 1997/01/04 20:26:49 morgan - * can be compiled with and without libpwdb. fixed buffer underwriting - * pays attention to PAM_CRED flags(!) - * - * Revision 1.4 1996/12/01 02:54:37 morgan - * mostly debugging now uses D(()) - * - * Revision 1.3 1996/11/10 21:01:22 morgan - * compatability and pam_get_user changes - */ - -const static char rcsid[] = -"$Id: pam_group.c,v 1.7 1997/02/15 17:31:48 morgan Exp morgan $;\n" -"Version 0.5 for Linux-PAM\n" -"Copyright (c) Andrew G. Morgan 1996 <morgan@parc.power.net>\n"; - -#include <sys/file.h> -#include <stdio.h> -#include <stdlib.h> -#include <ctype.h> -#include <unistd.h> -#include <stdarg.h> -#include <time.h> -#include <syslog.h> -#include <string.h> - -#define __USE_BSD -#include <grp.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> - -#ifdef WANT_PWDB -#include <pwdb/pwdb_public.h> -#endif - -#define PAM_GROUP_CONF CONFILE /* from external define */ -#define PAM_GROUP_BUFLEN 1000 -#define FIELD_SEPARATOR ';' /* this is new as of .02 */ - -typedef enum { FALSE, TRUE } boolean; -typedef enum { AND, OR } operator; - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -/* --- static functions for checking whether the user should be let in --- */ - -static void _log_err(const char *format, ... ) -{ - va_list args; - - va_start(args, format); - openlog("pam_group", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_CRIT, format, args); - va_end(args); - closelog(); -} - -static void shift_bytes(char *mem, int from, int by) -{ - while (by-- > 0) { - *mem = mem[from]; - ++mem; - } -} - -static int read_field(int fd, char **buf, int *from, int *to) -{ - /* is buf set ? */ - - if (! *buf) { - *buf = (char *) malloc(PAM_GROUP_BUFLEN); - if (! *buf) { - _log_err("out of memory"); - return -1; - } - *from = *to = 0; - fd = open(PAM_GROUP_CONF, O_RDONLY); - } - - /* do we have a file open ? return error */ - - if (fd < 0 && *to <= 0) { - _log_err( PAM_GROUP_CONF " not opened"); - memset(*buf, 0, PAM_GROUP_BUFLEN); - _pam_drop(*buf); - return -1; - } - - /* check if there was a newline last time */ - - if ((*to > *from) && (*to > 0) - && ((*buf)[*from] == '\0')) { /* previous line ended */ - (*from)++; - (*buf)[0] = '\0'; - return fd; - } - - /* ready for more data: first shift the buffer's remaining data */ - - *to -= *from; - shift_bytes(*buf, *from, *to); - *from = 0; - (*buf)[*to] = '\0'; - - while (fd >= 0 && *to < PAM_GROUP_BUFLEN) { - int i; - - /* now try to fill the remainder of the buffer */ - - i = read(fd, *to + *buf, PAM_GROUP_BUFLEN - *to); - if (i < 0) { - _log_err("error reading " PAM_GROUP_CONF); - return -1; - } else if (!i) { - fd = -1; /* end of file reached */ - } else - *to += i; - - /* - * contract the buffer. Delete any comments, and replace all - * multiple spaces with single commas - */ - - i = 0; -#ifdef DEBUG_DUMP - D(("buffer=<%s>",*buf)); -#endif - while (i < *to) { - if ((*buf)[i] == ',') { - int j; - - for (j=++i; j<*to && (*buf)[j] == ','; ++j); - if (j!=i) { - shift_bytes(i + (*buf), j-i, (*to) - j); - *to -= j-i; - } - } - switch ((*buf)[i]) { - int j,c; - case '#': - for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j); - if (j >= *to) { - (*buf)[*to = ++i] = '\0'; - } else if (c == '\n') { - shift_bytes(i + (*buf), j-i, (*to) - j); - *to -= j-i; - ++i; - } else { - _log_err("internal error in " __FILE__ - " at line %d", __LINE__ ); - return -1; - } - break; - case '\\': - if ((*buf)[i+1] == '\n') { - shift_bytes(i + *buf, 2, *to - (i+2)); - *to -= 2; - } - break; - case '!': - case ' ': - case '\t': - if ((*buf)[i] != '!') - (*buf)[i] = ','; - /* delete any trailing spaces */ - for (j=++i; j < *to && ( (c = (*buf)[j]) == ' ' - || c == '\t' ); ++j); - shift_bytes(i + *buf, j-i, (*to)-j ); - *to -= j-i; - break; - default: - ++i; - } - } - } - - (*buf)[*to] = '\0'; - - /* now return the next field (set the from/to markers) */ - { - int i; - - for (i=0; i<*to; ++i) { - switch ((*buf)[i]) { - case '#': - case '\n': /* end of the line/file */ - (*buf)[i] = '\0'; - *from = i; - return fd; - case FIELD_SEPARATOR: /* end of the field */ - (*buf)[i] = '\0'; - *from = ++i; - return fd; - } - } - *from = i; - (*buf)[*from] = '\0'; - } - - if (*to <= 0) { - D(("[end of text]")); - *buf = NULL; - } - return fd; -} - -/* read a member from a field */ - -static int logic_member(const char *string, int *at) -{ - int len,c,to; - int done=0; - int token=0; - - len=0; - to=*at; - do { - c = string[to++]; - - switch (c) { - - case '\0': - --to; - done = 1; - break; - - case '&': - case '|': - case '!': - if (token) { - --to; - } - done = 1; - break; - - default: - if (isalpha(c) || c == '*' || isdigit(c) || c == '_' - || c == '-' || c == '.') { - token = 1; - } else if (token) { - --to; - done = 1; - } else { - ++*at; - } - } - } while (!done); - - return to - *at; -} - -typedef enum { VAL, OP } expect; - -static boolean logic_field(const void *me, const char *x, int rule, - boolean (*agrees)(const void *, const char * - , int, int)) -{ - boolean left=FALSE, right, not=FALSE; - operator oper=OR; - int at=0, l; - expect next=VAL; - - while ((l = logic_member(x,&at))) { - int c = x[at]; - - if (next == VAL) { - if (c == '!') - not = !not; - else if (isalpha(c) || c == '*') { - right = not ^ agrees(me, x+at, l, rule); - if (oper == AND) - left &= right; - else - left |= right; - next = OP; - } else { - _log_err("garbled syntax; expected name (rule #%d)", rule); - return FALSE; - } - } else { /* OP */ - switch (c) { - case '&': - oper = AND; - break; - case '|': - oper = OR; - break; - default: - _log_err("garbled syntax; expected & or | (rule #%d)" - , rule); - D(("%c at %d",c,at)); - return FALSE; - } - next = VAL; - } - at += l; - } - - return left; -} - -static boolean is_same(const void *A, const char *b, int len, int rule) -{ - int i; - const char *a; - - a = A; - for (i=0; len > 0; ++i, --len) { - if (b[i] != a[i]) { - if (b[i++] == '*') { - return (!--len || !strncmp(b+i,a+strlen(a)-len,len)); - } else - return FALSE; - } - } - return ( !len ); -} - -typedef struct { - int day; /* array of 7 bits, one set for today */ - int minute; /* integer, hour*100+minute for now */ -} TIME; - -struct day { - const char *d; - int bit; -} static const days[11] = { - { "su", 01 }, - { "mo", 02 }, - { "tu", 04 }, - { "we", 010 }, - { "th", 020 }, - { "fr", 040 }, - { "sa", 0100 }, - { "wk", 076 }, - { "wd", 0101 }, - { "al", 0177 }, - { NULL, 0 } -}; - -static TIME time_now(void) -{ - struct tm *local; - time_t the_time; - TIME this; - - the_time = time((time_t *)0); /* get the current time */ - local = localtime(&the_time); - this.day = days[local->tm_wday].bit; - this.minute = local->tm_hour*100 + local->tm_min; - - D(("day: 0%o, time: %.4d", this.day, this.minute)); - return this; -} - -/* take the current date and see if the range "date" passes it */ -static boolean check_time(const void *AT, const char *times, int len, int rule) -{ - boolean not,pass; - int marked_day, time_start, time_end; - const TIME *at; - int i,j=0; - - at = AT; - D(("checking: 0%o/%.4d vs. %s", at->day, at->minute, times)); - - if (times == NULL) { - /* this should not happen */ - _log_err("internal error: " __FILE__ " line %d", __LINE__); - return FALSE; - } - - if (times[j] == '!') { - ++j; - not = TRUE; - } else { - not = FALSE; - } - - for (marked_day = 0; len > 0 && isalpha(times[j]); --len) { - int this_day=-1; - - D(("%c%c ?", times[j], times[j+1])); - for (i=0; days[i].d != NULL; ++i) { - if (tolower(times[j]) == days[i].d[0] - && tolower(times[j+1]) == days[i].d[1] ) { - this_day = days[i].bit; - break; - } - } - j += 2; - if (this_day == -1) { - _log_err("bad day specified (rule #%d)", rule); - return FALSE; - } - marked_day ^= this_day; - } - if (marked_day == 0) { - _log_err("no day specified"); - return FALSE; - } - D(("day range = 0%o", marked_day)); - - time_start = 0; - for (i=0; len > 0 && i < 4 && isdigit(times[i+j]); ++i, --len) { - time_start *= 10; - time_start += times[i+j]-'0'; /* is this portable? */ - } - j += i; - - if (times[j] == '-') { - time_end = 0; - for (i=1; len > 0 && i < 5 && isdigit(times[i+j]); ++i, --len) { - time_end *= 10; - time_end += times[i+j]-'0'; /* is this portable? */ - } - j += i; - } else - time_end = -1; - - D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j])); - if (i != 5 || time_end == -1) { - _log_err("no/bad times specified (rule #%d)", rule); - return TRUE; - } - D(("times(%d to %d)", time_start,time_end)); - D(("marked_day = 0%o", marked_day)); - - /* compare with the actual time now */ - - pass = FALSE; - if (time_start < time_end) { /* start < end ? --> same day */ - if ((at->day & marked_day) && (at->minute >= time_start) - && (at->minute < time_end)) { - D(("time is listed")); - pass = TRUE; - } - } else { /* spans two days */ - if ((at->day & marked_day) && (at->minute >= time_start)) { - D(("caught on first day")); - pass = TRUE; - } else { - marked_day <<= 1; - marked_day |= (marked_day & 0200) ? 1:0; - D(("next day = 0%o", marked_day)); - if ((at->day & marked_day) && (at->minute <= time_end)) { - D(("caught on second day")); - pass = TRUE; - } - } - } - - return (not ^ pass); -} - -static int find_member(const char *string, int *at) -{ - int len,c,to; - int done=0; - int token=0; - - len=0; - to=*at; - do { - c = string[to++]; - - switch (c) { - - case '\0': - --to; - done = 1; - break; - - case '&': - case '|': - case '!': - if (token) { - --to; - } - done = 1; - break; - - default: - if (isalpha(c) || isdigit(c) || c == '_' || c == '*' - || c == '-') { - token = 1; - } else if (token) { - --to; - done = 1; - } else { - ++*at; - } - } - } while (!done); - - return to - *at; -} - -#define GROUP_BLK 10 -#define blk_size(len) (((len-1 + GROUP_BLK)/GROUP_BLK)*GROUP_BLK) - -static int mkgrplist(char *buf, gid_t **list, int len) -{ - int l,at=0; - int blks; - - blks = blk_size(len); - D(("cf. blks=%d and len=%d", blks,len)); - - while ((l = find_member(buf,&at))) { - int edge; - - if (len >= blks) { - gid_t *tmp; - - D(("allocating new block")); - tmp = (gid_t *) realloc((*list) - , sizeof(gid_t) * (blks += GROUP_BLK)); - if (tmp != NULL) { - (*list) = tmp; - } else { - _log_err("out of memory for group list"); - free(*list); - (*list) = NULL; - return -1; - } - } - - /* '\0' terminate the entry */ - - edge = (buf[at+l]) ? 1:0; - buf[at+l] = '\0'; - D(("found group: %s",buf+at)); - - /* this is where we convert a group name to a gid_t */ -#ifdef WANT_PWDB - { - int retval; - const struct pwdb *pw=NULL; - - retval = pwdb_locate("group", PWDB_DEFAULT, buf+at - , PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS) { - _log_err("bad group: %s; %s", buf+at, pwdb_strerror(retval)); - } else { - const struct pwdb_entry *pwe=NULL; - - D(("group %s exists", buf+at)); - retval = pwdb_get_entry(pw, "gid", &pwe); - if (retval == PWDB_SUCCESS) { - D(("gid = %d [%p]",* (const gid_t *) pwe->value,list)); - (*list)[len++] = * (const gid_t *) pwe->value; - pwdb_entry_delete(&pwe); /* tidy up */ - } else { - _log_err("%s group entry is bad; %s" - , pwdb_strerror(retval)); - } - pw = NULL; /* break link - cached for later use */ - } - } -#else - { - const struct group *grp; - - grp = getgrnam(buf+at); - if (grp == NULL) { - _log_err("bad group: %s", buf+at); - } else { - D(("group %s exists", buf+at)); - (*list)[len++] = grp->gr_gid; - } - } -#endif - - /* next entry along */ - - at += l + edge; - } - D(("returning with [%p/len=%d]->%p",list,len,*list)); - return len; -} - - -static int check_account(const char *service, const char *tty - , const char *user) -{ - int from=0,to=0,fd=-1; - char *buffer=NULL; - int count=0; - TIME here_and_now; - int retval=PAM_SUCCESS; - gid_t *grps; - int no_grps; - - /* - * first we get the current list of groups - the application - * will have previously done an initgroups(), or equivalent. - */ - - D(("counting supplementary groups")); - no_grps = getgroups(0, NULL); /* find the current number of groups */ - if (no_grps > 0) { - grps = calloc( blk_size(no_grps) , sizeof(gid_t) ); - D(("copying current list into grps [%d big]",blk_size(no_grps))); - (void) getgroups(no_grps, grps); -#ifdef DEBUG - { - int z; - for (z=0; z<no_grps; ++z) { - D(("gid[%d]=%d", z, grps[z])); - } - } -#endif - } else { - D(("no supplementary groups known")); - no_grps = 0; - grps = NULL; - } - - here_and_now = time_now(); /* find current time */ - - /* parse the rules in the configuration file */ - do { - int good=TRUE; - - /* here we get the service name field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - /* empty line .. ? */ - continue; - } - ++count; - D(("working on rule #%d",count)); - - good = logic_field(service, buffer, count, is_same); - D(("with service: %s", good ? "passes":"fails" )); - - /* here we get the terminal name field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no tty entry #%d", count); - continue; - } - good &= logic_field(tty, buffer, count, is_same); - D(("with tty: %s", good ? "passes":"fails" )); - - /* here we get the username field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no user entry #%d", count); - continue; - } - good &= logic_field(user, buffer, count, is_same); - D(("with user: %s", good ? "passes":"fails" )); - - /* here we get the time field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no time entry #%d", count); - continue; - } - - good &= logic_field(&here_and_now, buffer, count, check_time); - D(("with time: %s", good ? "passes":"fails" )); - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_GROUP_CONF "; no listed groups for rule #%d" - , count); - continue; - } - - /* - * so we have a list of groups, we need to turn it into - * something to send to setgroups(2) - */ - - if (good) { - D(("adding %s to gid list", buffer)); - good = mkgrplist(buffer, &grps, no_grps); - if (good < 0) { - no_grps = 0; - } else { - no_grps = good; - } - } - - /* check the line is terminated correctly */ - - fd = read_field(fd,&buffer,&from,&to); - if (buffer && buffer[0]) { - _log_err(PAM_GROUP_CONF "; poorly terminated rule #%d", count); - } - - if (good > 0) { - D(("rule #%d passed, added %d groups", count, good)); - } else if (good < 0) { - retval = PAM_BUF_ERR; - } else { - D(("rule #%d failed", count)); - } - - } while (buffer); - - /* now set the groups for the user */ - - if (no_grps > 0) { - int err; - D(("trying to set %d groups", no_grps)); -#ifdef DEBUG - for (err=0; err<no_grps; ++err) { - D(("gid[%d]=%d", err, grps[err])); - } -#endif - if ((err = setgroups(no_grps, grps))) { - D(("but couldn't set groups %d", err)); - _log_err("unable to set the group membership for user (err=%d)" - , err); - retval = PAM_CRED_ERR; - } - } - - if (grps) { /* tidy up */ - memset(grps, 0, sizeof(gid_t) * blk_size(no_grps)); - _pam_drop(grps); - no_grps = 0; - } - - return retval; -} - -/* --- public authentication management functions --- */ - -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - return PAM_IGNORE; -} - -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - const char *service=NULL, *tty=NULL; - const char *user=NULL; - int retval; - unsigned setting; - - /* only interested in establishing credentials */ - - setting = flags; - if (!(setting & PAM_ESTABLISH_CRED)) { - D(("ignoring call - not for establishing credentials")); - return PAM_SUCCESS; /* don't fail because of this */ - } - - /* set service name */ - - if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) - != PAM_SUCCESS || service == NULL) { - _log_err("cannot find the current service name"); - return PAM_ABORT; - } - - /* set username */ - - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - _log_err("cannot determine the user's name"); - return PAM_USER_UNKNOWN; - } - - /* set tty name */ - - if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS - || tty == NULL) { - D(("PAM_TTY not set, probing stdin")); - tty = ttyname(STDIN_FILENO); - if (tty == NULL) { - _log_err("couldn't get the tty name"); - return PAM_ABORT; - } - if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { - _log_err("couldn't set tty name"); - return PAM_ABORT; - } - } - - if (strncmp("/dev/",tty,5) == 0) { /* strip leading /dev/ */ - tty += 5; - } - - /* good, now we have the service name, the user and the terminal name */ - - D(("service=%s", service)); - D(("user=%s", user)); - D(("tty=%s", tty)); - -#ifdef WANT_PWDB - - /* We initialize the pwdb library and check the account */ - retval = pwdb_start(); /* initialize */ - if (retval == PWDB_SUCCESS) { - retval = check_account(service,tty,user); /* get groups */ - (void) pwdb_end(); /* tidy up */ - } else { - D(("failed to initialize pwdb; %s", pwdb_strerror(retval))); - _log_err("unable to initialize libpwdb"); - retval = PAM_ABORT; - } - -#else /* WANT_PWDB */ - retval = check_account(service,tty,user); /* get groups */ -#endif /* WANT_PWDB */ - - return retval; -} - -/* end of module definition */ - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_group_modstruct = { - "pam_group", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL -}; -#endif diff --git a/contrib/libpam/modules/pam_lastlog/Makefile b/contrib/libpam/modules/pam_lastlog/Makefile deleted file mode 100644 index e51a72d..0000000 --- a/contrib/libpam/modules/pam_lastlog/Makefile +++ /dev/null @@ -1,106 +0,0 @@ -# -# $Id: Makefile,v 1.2 1997/04/05 06:17:14 morgan Exp morgan $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.2 1997/04/05 06:17:14 morgan -# fakeroot fixed -# -# Revision 1.1 1997/01/04 20:29:28 morgan -# Initial revision -# -# -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/12/8 -# - -# Convenient defaults for compiling independently of the full source -# tree. -ifndef FULL_LINUX_PAM_SOURCE_TREE -export DYNAMIC=-DPAM_DYNAMIC -export CC=gcc -export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ - -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ - -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ - -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ - -Wshadow -pedantic -fPIC -export MKDIR=mkdir -p -export LD_D=gcc -shared -Xlinker -x -endif - -TITLE=pam_lastlog - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - - -####################### don't edit below ####################### - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_lastlog/pam_lastlog.c b/contrib/libpam/modules/pam_lastlog/pam_lastlog.c deleted file mode 100644 index 96714f6..0000000 --- a/contrib/libpam/modules/pam_lastlog/pam_lastlog.c +++ /dev/null @@ -1,469 +0,0 @@ -/* pam_lastlog module */ - -/* - * $Id: pam_lastlog.c,v 1.3 1997/04/05 06:18:21 morgan Exp morgan $ - * - * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 - * - * This module does the necessary work to display the last login - * time+date for this user, it then updates this entry for the - * present (login) service. - * - * $Log: pam_lastlog.c,v $ - * Revision 1.3 1997/04/05 06:18:21 morgan - * removed xstrdup - unused - * - * Revision 1.2 1997/02/15 17:18:21 morgan - * removed fixed buffer in logging - * - * Revision 1.1 1997/01/04 20:29:28 morgan - * Initial revision - * - */ - -#include <fcntl.h> -#include <time.h> -#ifdef HAVE_UTMP_H -# include <utmp.h> -#else -# include <lastlog.h> -#endif -#include <pwd.h> -#include <stdlib.h> -#include <stdarg.h> -#include <stdio.h> -#include <string.h> -#include <sys/types.h> -#include <syslog.h> -#include <unistd.h> - -#ifdef WANT_PWDB -#include <pwdb/pwdb_public.h> /* use POSIX front end */ -#endif - -#if defined(hpux) || defined(sunos) || defined(solaris) -# ifndef _PATH_LASTLOG -# define _PATH_LASTLOG "/usr/adm/lastlog" -# endif /* _PATH_LASTLOG */ -# ifndef UT_HOSTSIZE -# define UT_HOSTSIZE 16 -# endif /* UT_HOSTSIZE */ -# ifndef UT_LINESIZE -# define UT_LINESIZE 12 -# endif /* UT_LINESIZE */ -#endif -#if defined(hpux) -struct lastlog { - time_t ll_time; - char ll_line[UT_LINESIZE]; - char ll_host[UT_HOSTSIZE]; /* same as in utmp */ -}; -#endif /* hpux */ - -/* XXX - time before ignoring lock. Is 1 sec enough? */ -#define LASTLOG_IGNORE_LOCK_TIME 1 - -#define DEFAULT_HOST "" /* "[no.where]" */ -#define DEFAULT_TERM "" /* "tt???" */ -#define LASTLOG_NEVER_WELCOME "Welcome to your new account!" -#define LASTLOG_INTRO "Last login:" -#define LASTLOG_TIME " %s" -#define _LASTLOG_HOST_FORMAT " from %%.%ds" -#define _LASTLOG_LINE_FORMAT " on %%.%ds" -#define LASTLOG_TAIL "" -#define LASTLOG_MAXSIZE (sizeof(LASTLOG_INTRO)+0 \ - +sizeof(LASTLOG_TIME)+strlen(the_time) \ - +sizeof(_LASTLOG_HOST_FORMAT)+UT_HOSTSIZE \ - +sizeof(_LASTLOG_LINE_FORMAT)+UT_LINESIZE \ - +sizeof(LASTLOG_TAIL)) - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_SESSION - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -/* some syslogging */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-lastlog", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define LASTLOG_DATE 01 /* display the date of the last login */ -#define LASTLOG_HOST 02 /* display the last host used (if set) */ -#define LASTLOG_LINE 04 /* display the last terminal used */ -#define LASTLOG_NEVER 010 /* display a welcome message for first login */ -#define LASTLOG_DEBUG 020 /* send info to syslog(3) */ -#define LASTLOG_QUIET 040 /* keep quiet about things */ - -static int _pam_parse(int flags, int argc, const char **argv) -{ - int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE); - - /* does the appliction require quiet? */ - if (flags & PAM_SILENT) { - ctrl |= LASTLOG_QUIET; - } - - /* step through arguments */ - for (; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) { - ctrl |= LASTLOG_DEBUG; - } else if (!strcmp(*argv,"nodate")) { - ctrl |= ~LASTLOG_DATE; - } else if (!strcmp(*argv,"noterm")) { - ctrl |= ~LASTLOG_LINE; - } else if (!strcmp(*argv,"nohost")) { - ctrl |= ~LASTLOG_HOST; - } else if (!strcmp(*argv,"silent")) { - ctrl |= LASTLOG_QUIET; - } else if (!strcmp(*argv,"never")) { - ctrl |= LASTLOG_NEVER; - } else { - _log_err(LOG_ERR,"unknown option; %s",*argv); - } - } - - D(("ctrl = %o", ctrl)); - return ctrl; -} - -/* a front end for conversations */ - -static int converse(pam_handle_t *pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && (ctrl & LASTLOG_DEBUG) ) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - } - - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -static int make_remark(pam_handle_t *pamh, int ctrl, const char *remark) -{ - int retval; - - if (!(ctrl & LASTLOG_QUIET)) { - struct pam_message msg[1], *mesg[1]; - struct pam_response *resp=NULL; - - mesg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = remark; - - retval = converse(pamh, ctrl, 1, mesg, &resp); - - msg[0].msg = NULL; - if (resp) { - _pam_drop_reply(resp, 1); - } - } else { - D(("keeping quiet")); - retval = PAM_SUCCESS; - } - - D(("returning %s", pam_strerror(pamh, retval))); - return retval; -} - -/* - * Values for the announce flags.. - */ - -static int last_login_date(pam_handle_t *pamh, int announce, uid_t uid) -{ - struct flock last_lock; - struct lastlog last_login; - int retval = PAM_SESSION_ERR; - int last_fd; - - /* obtain the last login date and all the relevant info */ - last_fd = open(_PATH_LASTLOG, O_RDWR); - if (last_fd < 0) { - D(("unable to open the %s file", _PATH_LASTLOG)); - if (announce & LASTLOG_DEBUG) { - _log_err(LOG_DEBUG, "unable to open %s file", _PATH_LASTLOG); - } - retval = PAM_PERM_DENIED; - } else { - int win; - - /* read the lastlogin file - for this uid */ - (void) lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET); - - memset(&last_lock, 0, sizeof(last_lock)); - last_lock.l_type = F_RDLCK; - last_lock.l_whence = SEEK_SET; - last_lock.l_start = sizeof(last_login) * (off_t) uid; - last_lock.l_len = sizeof(last_login); - - if ( fcntl(last_fd, F_SETLK, &last_lock) < 0 ) { - D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - _log_err(LOG_ALERT, "%s file is locked/read", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); - } - - win = ( read(last_fd, &last_login, sizeof(last_login)) - == sizeof(last_login) ); - - last_lock.l_type = F_UNLCK; - (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ - - if (!win) { - D(("First login for user uid=%d", _PATH_LASTLOG, uid)); - if (announce & LASTLOG_DEBUG) { - _log_err(LOG_DEBUG, "creating lastlog for uid %d", uid); - } - memset(&last_login, 0, sizeof(last_login)); - } - - /* rewind */ - (void) lseek(last_fd, sizeof(last_login) * (off_t) uid, SEEK_SET); - - if (!(announce & LASTLOG_QUIET)) { - if (last_login.ll_time) { - char *the_time; - char *remark; - - the_time = ctime(&last_login.ll_time); - the_time[-1+strlen(the_time)] = '\0'; /* delete '\n' */ - - remark = malloc(LASTLOG_MAXSIZE); - if (remark == NULL) { - D(("no memory for last login remark")); - retval = PAM_BUF_ERR; - } else { - int at; - - /* printing prefix */ - at = sprintf(remark, "%s", LASTLOG_INTRO); - - /* we want the date? */ - if (announce & LASTLOG_DATE) { - at += sprintf(remark+at, LASTLOG_TIME, the_time); - } - - /* we want & have the host? */ - if ((announce & LASTLOG_HOST) - && (last_login.ll_host[0] != '\0')) { - char format[2*sizeof(_LASTLOG_HOST_FORMAT)]; - - (void) sprintf(format, _LASTLOG_HOST_FORMAT - , UT_HOSTSIZE); - D(("format: %s", format)); - at += sprintf(remark+at, format, last_login.ll_host); - _pam_overwrite(format); - } - - /* we want and have the terminal? */ - if ((announce & LASTLOG_LINE) - && (last_login.ll_line[0] != '\0')) { - char format[2*sizeof(_LASTLOG_LINE_FORMAT)]; - - (void) sprintf(format, _LASTLOG_LINE_FORMAT - , UT_LINESIZE); - D(("format: %s", format)); - at += sprintf(remark+at, format, last_login.ll_line); - _pam_overwrite(format); - } - - /* display requested combo */ - sprintf(remark+at, "%s", LASTLOG_TAIL); - - retval = make_remark(pamh, announce, remark); - - /* free all the stuff malloced */ - _pam_overwrite(remark); - _pam_drop(remark); - } - } else if ((!last_login.ll_time) && (announce & LASTLOG_NEVER)) { - D(("this is the first time this user has logged in")); - retval = make_remark(pamh, announce, LASTLOG_NEVER_WELCOME); - } - } else { - D(("no text was requested")); - retval = PAM_SUCCESS; - } - - /* write latest value */ - { - const char *remote_host=NULL - , *terminal_line=DEFAULT_TERM; - - /* set this login date */ - D(("set the most recent login time")); - - (void) time(&last_login.ll_time); /* set the time */ - - /* set the remote host */ - (void) pam_get_item(pamh, PAM_RHOST, (const void **)&remote_host); - if (remote_host == NULL) { - remote_host = DEFAULT_HOST; - } - - /* copy to last_login */ - strncpy(last_login.ll_host, remote_host - , sizeof(last_login.ll_host)); - remote_host = NULL; - - /* set the terminal line */ - (void) pam_get_item(pamh, PAM_TTY, (const void **)&terminal_line); - D(("terminal = %s", terminal_line)); - if (terminal_line == NULL) { - terminal_line = DEFAULT_TERM; - } else if ( !strncmp("/dev/", terminal_line, 5) ) { - /* strip leading "/dev/" from tty.. */ - terminal_line += 5; - } - D(("terminal = %s", terminal_line)); - - /* copy to last_login */ - strncpy(last_login.ll_line, terminal_line - , sizeof(last_login.ll_line)); - terminal_line = NULL; - - D(("locking last_log file")); - - /* now we try to lock this file-record exclusively; non-blocking */ - memset(&last_lock, 0, sizeof(last_lock)); - last_lock.l_type = F_WRLCK; - last_lock.l_whence = SEEK_SET; - last_lock.l_start = sizeof(last_login) * (off_t) uid; - last_lock.l_len = sizeof(last_login); - - if ( fcntl(last_fd, F_SETLK, &last_lock) < 0 ) { - D(("locking %s failed..(waiting a little)", _PATH_LASTLOG)); - _log_err(LOG_ALERT, "%s file is locked/write", _PATH_LASTLOG); - sleep(LASTLOG_IGNORE_LOCK_TIME); - } - - D(("writing to the last_log file")); - (void) write(last_fd, &last_login, sizeof(last_login)); - - last_lock.l_type = F_UNLCK; - (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ - D(("unlocked")); - - close(last_fd); /* all done */ - } - D(("all done with last login")); - } - - /* reset the last login structure */ - memset(&last_login, 0, sizeof(last_login)); - - return retval; -} - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc - , const char **argv) -{ - int retval, ctrl; - const char *user; - const struct passwd *pwd; - uid_t uid; - - /* - * this module gets the uid of the PAM_USER. Uses it to display - * last login info and then updates the lastlog for that user. - */ - - ctrl = _pam_parse(flags, argc, argv); - - /* which user? */ - - retval = pam_get_item(pamh, PAM_USER, (const void **)&user); - if (retval != PAM_SUCCESS || user == NULL || *user == '\0') { - _log_err(LOG_NOTICE, "user unknown"); - return PAM_USER_UNKNOWN; - } - - /* what uid? */ - - pwd = getpwnam(user); - if (pwd == NULL) { - D(("couldn't identify user %s", user)); - return PAM_CRED_INSUFFICIENT; - } - uid = pwd->pw_uid; - pwd = NULL; /* tidy up */ - - /* process the current login attempt (indicate last) */ - - retval = last_login_date(pamh, ctrl, uid); - - /* indicate success or failure */ - - uid = -1; /* forget this */ - - return retval; -} - -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_lastlog_modstruct = { - "pam_lastlog", - NULL, - NULL, - NULL, - pam_sm_open_session, - pam_sm_close_session, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_limits/Makefile b/contrib/libpam/modules/pam_limits/Makefile deleted file mode 100644 index f6a0e07..0000000 --- a/contrib/libpam/modules/pam_limits/Makefile +++ /dev/null @@ -1,102 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Cristian Gafton <gafton@redhat.com> 1996/09/10 -# - -ifeq ($(OS),linux) -ifeq ($(HAVE_PWDBLIB),yes) -TITLE=pam_limits -CONFD=$(CONFIGED)/security -export CONFD -CONFILE=$(CONFD)/limits.conf -export CONFILE - -CFLAGS+=-DLIMITS_FILE=\"$(CONFILE)\" - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -lpwdb -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all -ifdef DYNAMIC - $(MKDIR) $(FAKEROOT)$(SECUREDIR) - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(SCONFIGED) - bash -f ./install_conf - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ *.so - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - -else -include ../dont_makefile -endif -else -include ../dont_makefile -endif diff --git a/contrib/libpam/modules/pam_limits/README b/contrib/libpam/modules/pam_limits/README deleted file mode 100644 index 06a6857..0000000 --- a/contrib/libpam/modules/pam_limits/README +++ /dev/null @@ -1,87 +0,0 @@ - -pam_limits module: - Imposing user limits on login. - -THEORY OF OPERATION: - -First, make a root-only-readable file (/etc/limits by default or LIMITS_FILE -defined Makefile) that describes the resource limits you wish to impose. No -limits are imposed on UID 0 accounts. - -Each line describes a limit for a user in the form: - -<domain> <type> <item> <value> - -Where: -<domain> can be: - - an user name - - a group name, with @group syntax - - the wildcard *, for default entry - -<type> can have the two values: - - "soft" for enforcinf the soft limits - - "hard" for enforcing hard limits - -<item> can be one of the following: - - core - limits the core file size (KB) - - data - max data size (KB) - - fsize - maximum filesize (KB) - - memlock - max locked-in-memory address space (KB) - - nofile - max number of open files - - rss - max resident set size (KB) - - stack - max stack size (KB) - - cpu - max CPU time (MIN) - - nproc - max number of processes - - as - address space limit - - maxlogins - max number of logins for this user - - maxsyslogins - max number of logins on the system - -To completely disable limits for a user (or a group), a single dash (-) -will do (Example: 'bin -', '@admin -'). Please remember that individual -limits have priority over group limits, so if you impose no limits for admin -group, but one of the members in this group have a limits line, the user -will have its limits set according to this line. - -Also, please note that all limit settings are set PER LOGIN. They are -not global, nor are they permanent (the session only) - -In the LIMITS_FILE, the # character introduces a comment - the rest of the -line is ignored. - -The pam_limits module does its best to report configuration problems found -in LIMITS_FILE via syslog. - -EXAMPLE configuration file: -=========================== -* soft core 0 -* hard rss 10000 -@student hard nproc 20 -@faculty soft nproc 20 -@faculty hard nproc 50 -ftp hard nproc 0 -@student - maxlogins 4 - - -ARGUMENTS RECOGNIZED: - debug verbose logging - - conf=/path/to/file the limits configuration file if different from the - one set at compile time. - -MODULE SERVICES PROVIDED: - session _open_session and _close_session (blank) - -USAGE: - For the services you need resources limits (login for example) put a - the following line in /etc/pam.conf as the last line for that - service (usually after the pam_unix session line: - - login session required /lib/security/pam_limits.so - - Replace "login" for each service you are using this module, replace - "/lib/security" path with your real modules path. - -AUTHOR: - Cristian Gafton <gafton@redhat.com> - Thanks to Elliot Lee <sopwith@redhat.com> for his comments on - improving this module. diff --git a/contrib/libpam/modules/pam_limits/install_conf b/contrib/libpam/modules/pam_limits/install_conf deleted file mode 100755 index d92c1f9..0000000 --- a/contrib/libpam/modules/pam_limits/install_conf +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -CONFILE=$FAKEROOT"$CONFILE" -IGNORE_AGE=./.ignore_age -QUIET_INSTALL=../../.quiet_install -CONF=./limits.skel -MODULE=pam_limits - -echo - -if [ -f "$QUIET_INSTALL" ]; then - if [ ! -f "$CONFILE" ]; then - yes="y" - else - yes="skip" - fi -elif [ -f "$IGNORE_AGE" ]; then - echo "you don't want to be bothered with the age of your $CONFILE file" - yes="n" -elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then - if [ -f "$CONFILE" ]; then - echo "An older $MODULE configuration file already exists ($CONFILE)" - echo "Do you wish to copy the $CONF file in this distribution" - echo "to $CONFILE ? (y/n) [skip] " - read yes - else - yes="y" - fi -else - yes="skip" -fi - -if [ "$yes" = "y" ]; then - mkdir -p $FAKEROOT$CONFD - echo " copying $CONF to $CONFILE" - cp $CONF $CONFILE -else - echo " Skipping $CONF installation" - if [ "$yes" = "n" ]; then - touch "$IGNORE_AGE" - fi -fi - -echo - -exit 0 diff --git a/contrib/libpam/modules/pam_limits/limits.skel b/contrib/libpam/modules/pam_limits/limits.skel deleted file mode 100644 index ea57e42..0000000 --- a/contrib/libpam/modules/pam_limits/limits.skel +++ /dev/null @@ -1,41 +0,0 @@ -# /etc/security/limits.conf -# -#Each line describes a limit for a user in the form: -# -#<domain> <type> <item> <value> -# -#Where: -#<domain> can be: -# - an user name -# - a group name, with @group syntax -# - the wildcard *, for default entry -# -#<type> can have the two values: -# - "soft" for enforcing the soft limits -# - "hard" for enforcing hard limits -# -#<item> can be one of the following: -# - core - limits the core file size (KB) -# - data - max data size (KB) -# - fsize - maximum filesize (KB) -# - memlock - max locked-in-memory address space (KB) -# - nofile - max number of open files -# - rss - max resident set size (KB) -# - stack - max stack size (KB) -# - cpu - max CPU time (MIN) -# - nproc - max number of processes -# - as - address space limit -# - maxlogins - max number of logins for this user -# -#<domain> <type> <item> <value> -# - -#* soft core 0 -#* hard rss 10000 -#@student hard nproc 20 -#@faculty soft nproc 20 -#@faculty hard nproc 50 -#ftp hard nproc 0 -#@student - maxlogins 4 - -# End of file diff --git a/contrib/libpam/modules/pam_limits/pam_limits.c b/contrib/libpam/modules/pam_limits/pam_limits.c deleted file mode 100644 index 179c430..0000000 --- a/contrib/libpam/modules/pam_limits/pam_limits.c +++ /dev/null @@ -1,592 +0,0 @@ -/* - * pam_limits - impose resource limits when opening a user session - * - * 1.5 - Elliot Lee's "max system logins patch" - * 1.4 - addressed bug in configuration file parser - * 1.3 - modified the configuration file format - * 1.2 - added 'debug' and 'conf=' arguments - * 1.1 - added @group support - * 1.0 - initial release - Linux ONLY - * - * See end for Copyright information - */ - -#if !(defined(linux)) -#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! -#endif - -#include <stdio.h> -#include <unistd.h> -#define __USE_POSIX2 -#include <string.h> -#include <ctype.h> -#include <stdlib.h> -#include <syslog.h> -#include <stdarg.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/resource.h> -#include <utmp.h> -#ifndef UT_USER /* some systems have ut_name instead of ut_user */ -#define UT_USER ut_user -#endif - -/* Module defines */ -#define LINE_LENGTH 1024 - -#define LIMITS_DEF_USER 0 /* limit was set by an user entry */ -#define LIMITS_DEF_GROUP 1 /* limit was set by a group entry */ -#define LIMITS_DEF_DEFAULT 2 /* limit was set by an default entry */ -#define LIMITS_DEF_NONE 3 /* this limit was not set yet */ - -/* internal data */ -static char conf_file[BUFSIZ]; - -struct user_limits_struct { - int src_soft; - int src_hard; - struct rlimit limit; -}; - -static struct user_limits_struct limits[RLIM_NLIMITS]; -static int login_limit; /* the max logins limit */ -static int login_limit_def; /* which entry set the login limit */ -static int flag_numsyslogins; /* whether to limit logins only for a - specific user or to count all logins */ - -#define LIMIT_LOGIN RLIM_NLIMITS+1 -#define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2 -#define LIMIT_SOFT 1 -#define LIMIT_HARD 2 - -#define PAM_SM_SESSION - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> -#include <pwdb/pwdb_map.h> - -/* logging */ -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pam_limits", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 0x0001 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"conf=",5)) - strcpy(conf_file,*argv+5); - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - - -/* limits stuff */ -#ifndef LIMITS_FILE -#define LIMITS_FILE "/etc/security/limits.conf" -#endif - -#define LIMIT_ERR 1 /* error setting a limit */ -#define LOGIN_ERR 2 /* too many logins err */ - -/* Counts the number of user logins and check against the limit*/ -static int check_logins(const char *name, int limit, int ctrl) -{ - struct utmp *ut; - unsigned int count; - - if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "checking logins for '%s' / %d\n", name,limit); - } - - if (limit < 0) - return 0; /* no limits imposed */ - if (limit == 0) /* maximum 0 logins ? */ { - _pam_log(LOG_WARNING, "No logins allowed for '%s'\n", name); - return LOGIN_ERR; - } - - setutent(); - count = 0; - while((ut = getutent())) { -#ifdef USER_PROCESS - if (ut->ut_type != USER_PROCESS) - continue; -#endif - if (ut->UT_USER[0] == '\0') - continue; - if (!flag_numsyslogins - && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) - continue; - if (++count >= limit) - break; - } - endutent(); - if (count >= limit) { - if (name) { - _pam_log(LOG_WARNING, "Too many logins (max %d) for %s", - limit, name); - } else { - _pam_log(LOG_WARNING, "Too many system logins (max %d)", limit); - } - return LOGIN_ERR; - } - return 0; -} - -/* checks if a user is on a list of members of the GID 0 group */ -static int is_on_list(char * const *list, const char *member) -{ - while (*list) { - if (strcmp(*list, member) == 0) - return 1; - list++; - } - return 0; -} - -/* Checks if a user is a member of a group */ -static int is_on_group(const char *user_name, const char *group_name) -{ - struct passwd *pwd; - struct group *grp, *pgrp; - char uname[LINE_LENGTH], gname[LINE_LENGTH]; - - if (!strlen(user_name)) - return 0; - if (!strlen(group_name)) - return 0; - memset(uname, 0, sizeof(uname)); - strncpy(uname, user_name, LINE_LENGTH); - memset(gname, 0, sizeof(gname)); - strncpy(gname, group_name, LINE_LENGTH); - - setpwent(); - pwd = getpwnam(uname); - endpwent(); - if (!pwd) - return 0; - - /* the info about this group */ - setgrent(); - grp = getgrnam(gname); - endgrent(); - if (!grp) - return 0; - - /* first check: is a member of the group_name group ? */ - if (is_on_list(grp->gr_mem, uname)) - return 1; - - /* next check: user primary group is group_name ? */ - setgrent(); - pgrp = getgrgid(pwd->pw_gid); - endgrent(); - if (!pgrp) - return 0; - if (!strcmp(pgrp->gr_name, gname)) - return 1; - - return 0; -} - -static int init_limits(void) -{ - int retval = PAM_SUCCESS; - - D(("called.")); - - retval |= getrlimit(RLIMIT_CPU, &limits[RLIMIT_CPU].limit); - limits[RLIMIT_CPU].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_CPU].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_FSIZE, &limits[RLIMIT_FSIZE].limit); - limits[RLIMIT_FSIZE].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_FSIZE].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_DATA, &limits[RLIMIT_DATA].limit); - limits[RLIMIT_DATA].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_DATA].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_STACK, &limits[RLIMIT_STACK].limit); - limits[RLIMIT_STACK].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_STACK].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_CORE, &limits[RLIMIT_CORE].limit); - limits[RLIMIT_CORE].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_CORE].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_RSS, &limits[RLIMIT_RSS].limit); - limits[RLIMIT_RSS].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_RSS].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_NPROC, &limits[RLIMIT_NPROC].limit); - limits[RLIMIT_NPROC].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_NPROC].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_NOFILE, &limits[RLIMIT_NOFILE].limit); - limits[RLIMIT_NOFILE].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_NOFILE].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_MEMLOCK, &limits[RLIMIT_MEMLOCK].limit); - limits[RLIMIT_MEMLOCK].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_MEMLOCK].src_hard = LIMITS_DEF_NONE; - - retval |= getrlimit(RLIMIT_AS, &limits[RLIMIT_AS].limit); - limits[RLIMIT_AS].src_soft = LIMITS_DEF_NONE; - limits[RLIMIT_AS].src_hard = LIMITS_DEF_NONE; - - login_limit = -2; - login_limit_def = LIMITS_DEF_NONE; - return retval; -} - -static void process_limit(int source, const char *lim_type, - const char *lim_item, const char *lim_value, - int ctrl) -{ - int limit_item; - int limit_type = 0; - long limit_value; - char **endptr = (char **) &lim_value; - const char *value_orig = lim_value; - - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "%s: processing(%d) %s %s %s\n", - __FUNCTION__,source,lim_type,lim_item,lim_value); - - if (strcmp(lim_item, "cpu") == 0) - limit_item = RLIMIT_CPU; - else if (strcmp(lim_item, "fsize") == 0) - limit_item = RLIMIT_FSIZE; - else if (strcmp(lim_item, "data") == 0) - limit_item = RLIMIT_DATA; - else if (strcmp(lim_item, "stack") == 0) - limit_item = RLIMIT_STACK; - else if (strcmp(lim_item, "core") == 0) - limit_item = RLIMIT_CORE; - else if (strcmp(lim_item, "rss") == 0) - limit_item = RLIMIT_RSS; - else if (strcmp(lim_item, "nproc") == 0) - limit_item = RLIMIT_NPROC; - else if (strcmp(lim_item, "nofile") == 0) - limit_item = RLIMIT_NOFILE; - else if (strcmp(lim_item, "memlock") == 0) - limit_item = RLIMIT_MEMLOCK; - else if (strcmp(lim_item, "as") == 0) - limit_item = RLIMIT_AS; - else if (strcmp(lim_item, "maxlogins") == 0) { - limit_item = LIMIT_LOGIN; - flag_numsyslogins = 0; - } else if (strcmp(lim_item, "maxsyslogins") == 0) { - limit_item = LIMIT_NUMSYSLOGINS; - flag_numsyslogins = 1; - } else { - _pam_log(LOG_DEBUG,"unknown limit item '%s'", lim_item); - return; - } - - if (strcmp(lim_type,"soft")==0) - limit_type=LIMIT_SOFT; - else if (strcmp(lim_type, "hard")==0) - limit_type=LIMIT_HARD; - else if (strcmp(lim_type,"-")==0) - limit_type=LIMIT_SOFT | LIMIT_HARD; - else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) { - _pam_log(LOG_DEBUG,"unknown limit type '%s'", lim_type); - return; - } - - limit_value = strtol(lim_value, endptr, 10); - if (limit_value == 0 && value_orig == *endptr) { /* no chars read */ - if (strcmp(lim_value,"-") != 0) { - _pam_log(LOG_DEBUG,"wrong limit value '%s'", lim_value); - return; - } else - if (limit_item != LIMIT_LOGIN) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, - "'-' limit value valid for maxlogins type only"); - return; - } else - limit_value = -1; - } - - switch(limit_item) { - case RLIMIT_CPU: - limit_value *= 60; - break; - case RLIMIT_FSIZE: - case RLIMIT_DATA: - case RLIMIT_STACK: - case RLIMIT_CORE: - case RLIMIT_RSS: - case RLIMIT_MEMLOCK: - case RLIMIT_AS: - limit_value *= 1024; - break; - } - - if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS) { - if (limit_type & LIMIT_SOFT) - if (limits[limit_item].src_soft < source) - return; - else { - limits[limit_item].limit.rlim_cur = limit_value; - limits[limit_item].src_soft = source; - } - if (limit_type & LIMIT_HARD) - if (limits[limit_item].src_hard < source) - return; - else { - limits[limit_item].limit.rlim_max = limit_value; - limits[limit_item].src_hard = source; - } - } else - if (login_limit_def < source) - return; - else { - login_limit = limit_value; - login_limit_def = source; - } - - return; -} - -static int parse_config_file(const char *uname, int ctrl) -{ - FILE *fil; - char buf[LINE_LENGTH]; - -#define CONF_FILE (conf_file[0])?conf_file:LIMITS_FILE - /* check for the LIMITS_FILE */ - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"reading settings from '%s'", CONF_FILE); - fil = fopen(CONF_FILE, "r"); - if (fil == NULL) { - _pam_log (LOG_WARNING, "can not read settings from %s", CONF_FILE); - return PAM_SERVICE_ERR; - } -#undef CONF_FILE - - /* init things */ - memset(buf, 0, sizeof(buf)); - /* start the show */ - while (fgets(buf, LINE_LENGTH, fil) != NULL) { - char domain[LINE_LENGTH]; - char ltype[LINE_LENGTH]; - char item[LINE_LENGTH]; - char value[LINE_LENGTH]; - int i,j; - char *tptr; - - tptr = buf; - /* skip the leading white space */ - while (*tptr && isspace(*tptr)) - tptr++; - strcpy(buf, (const char *)tptr); - - /* Rip off the comments */ - tptr = strchr(buf,'#'); - if (tptr) - *tptr = '\0'; - /* Rip off the newline char */ - tptr = strchr(buf,'\n'); - if (tptr) - *tptr = '\0'; - /* Anything left ? */ - if (!strlen(buf)) { - memset(buf, 0, sizeof(buf)); - continue; - } - - memset(domain, 0, sizeof(domain)); - memset(ltype, 0, sizeof(ltype)); - memset(item, 0, sizeof(item)); - memset(value, 0, sizeof(value)); - - i = sscanf(buf,"%s%s%s%s", domain, ltype, item, value); - for(j=0; j < strlen(domain); j++) - domain[j]=tolower(domain[j]); - for(j=0; j < strlen(ltype); j++) - ltype[j]=tolower(ltype[j]); - for(j=0; j < strlen(item); j++) - item[j]=tolower(item[j]); - for(j=0; j < strlen(value); j++) - value[j]=tolower(value[j]); - - if (i == 4) { /* a complete line */ - if (strcmp(uname, domain) == 0) /* this user have a limit */ - process_limit(LIMITS_DEF_USER, ltype, item, value, ctrl); - else if (domain[0]=='@') { - if (is_on_group(uname, domain+1)) - process_limit(LIMITS_DEF_GROUP, ltype, item, value, ctrl); - } else if (strcmp(domain, "*") == 0) - process_limit(LIMITS_DEF_DEFAULT, ltype, item, value, ctrl); - } else - _pam_log(LOG_DEBUG,"invalid line '%s'", buf); - } - fclose(fil); - return PAM_SUCCESS; -} - -static int setup_limits(const char * uname, int ctrl) -{ - int i; - int retval = PAM_SUCCESS; - - for (i=0; i<RLIM_NLIMITS; i++) { - if (limits[i].limit.rlim_cur > limits[i].limit.rlim_max) - limits[i].limit.rlim_cur = limits[i].limit.rlim_max; - retval |= setrlimit(i, &limits[i].limit); - } - - if (retval != PAM_SUCCESS) - retval = LIMIT_ERR; - if (login_limit > 0) { - if (check_logins(uname, login_limit, ctrl) == LOGIN_ERR) - retval |= LOGIN_ERR; - } else if (login_limit == 0) - retval |= LOGIN_ERR; - return retval; -} - -/* now the session stuff */ -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int retval; - char *user_name; - struct passwd *pwd; - int ctrl; - - D(("called.")); - - memset(conf_file, 0, sizeof(conf_file)); - - ctrl = _pam_parse(argc, argv); - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _pam_log(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - setpwent(); - pwd = getpwnam(user_name); - endpwent(); - if (!pwd) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_WARNING, "open_session username '%s' does not exist", - user_name); - return PAM_SESSION_ERR; - } - - /* do not impose limits on UID 0 accounts */ - if (!pwd->pw_uid) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "user '%s' have UID 0 - no limits imposed", - user_name); - return PAM_SUCCESS; - } - - retval = init_limits(); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "can not initialize"); - return PAM_IGNORE; - } - - retval = parse_config_file(pwd->pw_name,ctrl); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "error parsing the configuration file"); - return PAM_IGNORE; - } - - retval = setup_limits(pwd->pw_name, ctrl); - if (retval & LOGIN_ERR) { - printf("\nToo many logins for '%s'\n",pwd->pw_name); - sleep(2); - return PAM_PERM_DENIED; - } - - return PAM_SUCCESS; -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - /* nothing to do */ - return PAM_SUCCESS; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_limits_modstruct = { - "pam_limits", - NULL, - NULL, - NULL, - pam_sm_open_session, - pam_sm_close_session, - NULL -}; -#endif - -/* - * Copyright (c) Cristian Gafton, 1996-1997, <gafton@redhat.com> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_listfile/Makefile b/contrib/libpam/modules/pam_listfile/Makefile deleted file mode 100644 index 0294039..0000000 --- a/contrib/libpam/modules/pam_listfile/Makefile +++ /dev/null @@ -1,84 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -TITLE=pam_listfile - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_listfile/README b/contrib/libpam/modules/pam_listfile/README deleted file mode 100644 index b65e7db..0000000 --- a/contrib/libpam/modules/pam_listfile/README +++ /dev/null @@ -1,25 +0,0 @@ -SUMMARY: - pam_listfile: - Checks a specified item against a list in a file. - Options: - * item=[tty|user|rhost|ruser|group|shell] - * sense=[allow|deny] (action to take if found in file, - if the item is NOT found in the file, then - the opposite action is requested) - * file=/the/file/to/get/the/list/from - * onerr=[succeed|fail] (if something weird happens - such as unable to open the file, what to do?) - * apply=[user|@group] - restrict the user class for which the restriction - apply. Note that with item=[user|ruser|group] this - does not make sense, but for item=[tty|rhost|shell] - it have a meaning. (Cristian Gafton) - - Also checks to make sure that the list file is a plain - file and not world writable. - - - Elliot Lee <sopwith@redhat.com>, Red Hat Software. - v0.9 August 16, 1996. - -BUGS: - Bugs? diff --git a/contrib/libpam/modules/pam_listfile/pam_listfile.c b/contrib/libpam/modules/pam_listfile/pam_listfile.c deleted file mode 100644 index e54b12a..0000000 --- a/contrib/libpam/modules/pam_listfile/pam_listfile.c +++ /dev/null @@ -1,436 +0,0 @@ -/* - * $Id: pam_listfile.c,v 1.6 1997/04/05 06:38:35 morgan Exp $ - * - * $Log: pam_listfile.c,v $ - * Revision 1.6 1997/04/05 06:38:35 morgan - * reformat mostly - * - * Revision 1.5 1997/02/15 17:29:41 morgan - * removed fixed length buffer in logging - * - * Revision 1.4 1997/01/04 20:32:10 morgan - * ammendments for pam_listfile handling - * - * Revision 1.3 1996/11/10 21:02:08 morgan - * compiles with .53 - * - * Revision 1.2 1996/09/05 06:22:58 morgan - * Michael's patches - * - */ - -/* - * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. - * July 25, 1996. - * This code shamelessly ripped from the pam_rootok module. - */ - -#ifdef linux -# define _SVID_SOURCE -# define _BSD_SOURCE -# define __USE_BSD -# define __USE_SVID -# define __USE_MISC -# define _GNU_SOURCE -# include <features.h> -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <unistd.h> -#include <syslog.h> -#include <stdarg.h> -#include <string.h> -#include <pwd.h> -#include <grp.h> - -#ifdef DEBUG -#include <assert.h> -#endif - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-listfile", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* checks if a user is on a list of members */ -static int is_on_list(char * const *list, const char *member) -{ - while (*list) { - if (strcmp(*list, member) == 0) - return 1; - list++; - } - return 0; -} - -/* Checks if a user is a member of a group */ -static int is_on_group(const char *user_name, const char *group_name) -{ - struct passwd *pwd; - struct group *grp, *pgrp; - char uname[BUFSIZ], gname[BUFSIZ]; - - if (!strlen(user_name)) - return 0; - if (!strlen(group_name)) - return 0; - bzero(uname, sizeof(uname)); - strncpy(uname, user_name, BUFSIZ-1); - bzero(gname, sizeof(gname)); - strncpy(gname, group_name, BUFSIZ-1); - - setpwent(); - pwd = getpwnam(uname); - endpwent(); - if (!pwd) - return 0; - - /* the info about this group */ - setgrent(); - grp = getgrnam(gname); - endgrent(); - if (!grp) - return 0; - - /* first check: is a member of the group_name group ? */ - if (is_on_list(grp->gr_mem, uname)) - return 1; - - /* next check: user primary group is group_name ? */ - setgrent(); - pgrp = getgrgid(pwd->pw_gid); - endgrent(); - if (!pgrp) - return 0; - if (!strcmp(pgrp->gr_name, gname)) - return 1; - - return 0; -} - -/* --- authentication management functions (only) --- */ - -/* Extended Items that are not directly available via pam_get_item() */ -#define EI_GROUP (1 << 0) -#define EI_SHELL (1 << 1) - -/* Constants for apply= parameter */ -#define APPLY_TYPE_NULL 0 -#define APPLY_TYPE_NONE 1 -#define APPLY_TYPE_USER 2 -#define APPLY_TYPE_GROUP 3 - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - int retval, i, citem=0, extitem=0, onerr=PAM_SERVICE_ERR, sense=2; - const char *citemp; - char *ifname=NULL; - char aline[256]; - char mybuf[256],myval[256]; - struct stat fileinfo; - FILE *inf; - char apply_val[256]; - int apply_type; - - /* Stuff for "extended" items */ - struct passwd *userinfo; - struct group *grpinfo; - char *itemlist[256]; /* Maximum of 256 items */ - - D(("called.")); - - apply_type=APPLY_TYPE_NULL; - memset(apply_val,0,sizeof(apply_val)); - - for(i=0; i < argc; i++) { - { - char *junk; - junk = (char *) malloc(strlen(argv[i])+1); - if (junk == NULL) { - return PAM_BUF_ERR; - } - strcpy(junk,argv[i]); - strncpy(mybuf,strtok(junk,"="),255); - strncpy(myval,strtok(NULL,"="),255); - free(junk); - } - if(!strcmp(mybuf,"onerr")) - if(!strcmp(myval,"succeed")) - onerr = PAM_SUCCESS; - else if(!strcmp(myval,"fail")) - onerr = PAM_SERVICE_ERR; - else - return PAM_SERVICE_ERR; - else if(!strcmp(mybuf,"sense")) - if(!strcmp(myval,"allow")) - sense=0; - else if(!strcmp(myval,"deny")) - sense=1; - else - return onerr; - else if(!strcmp(mybuf,"file")) { - ifname = (char *)malloc(strlen(myval)+1); - strcpy(ifname,myval); - } else if(!strcmp(mybuf,"item")) - if(!strcmp(myval,"user")) - citem = PAM_USER; - else if(!strcmp(myval,"tty")) - citem = PAM_TTY; - else if(!strcmp(myval,"rhost")) - citem = PAM_RHOST; - else if(!strcmp(myval,"ruser")) - citem = PAM_RUSER; - else { /* These items are related to the user, but are not - directly gettable with pam_get_item */ - citem = PAM_USER; - if(!strcmp(myval,"group")) - extitem = EI_GROUP; - else if(!strcmp(myval,"shell")) - extitem = EI_SHELL; - else - citem = 0; - } else if(!strcmp(mybuf,"apply")) { - apply_type=APPLY_TYPE_NONE; - if (myval[0]=='@') { - apply_type=APPLY_TYPE_GROUP; - strncpy(apply_val,myval+1,sizeof(apply_val)-1); - } else { - apply_type=APPLY_TYPE_USER; - strncpy(apply_val,myval,sizeof(apply_val)-1); - } - } else { - _pam_log(LOG_ERR,"Unknown option: %s",mybuf); - return onerr; - } - } - - if(!citem) { - _pam_log(LOG_ERR,"Unknown item or item not specified"); - return onerr; - } else if(!ifname) { - _pam_log(LOG_ERR,"List filename not specified"); - return onerr; - } else if(sense == 2) { - _pam_log(LOG_ERR,"Unknown sense or sense not specified"); - return onerr; - } else if( - (apply_type==APPLY_TYPE_NONE) || - ((apply_type!=APPLY_TYPE_NULL) && (*apply_val=='\0')) - ) { - _pam_log(LOG_ERR,"Invalid usage for apply= parameter"); - return onerr; - } - - /* Check if it makes sense to use the apply= parameter */ - if (apply_type != APPLY_TYPE_NULL) { - if((citem==PAM_USER) || (citem==PAM_RUSER)) { - _pam_log(LOG_WARNING,"Non-sense use for apply= parameter"); - apply_type=APPLY_TYPE_NULL; - } - if(extitem && (extitem==EI_GROUP)) { - _pam_log(LOG_WARNING,"Non-sense use for apply= parameter"); - apply_type=APPLY_TYPE_NULL; - } - } - - /* Short-circuit - test if this session apply for this user */ - { - const char *user_name; - int rval; - - rval=pam_get_user(pamh,&user_name,NULL); - if((rval==PAM_SUCCESS) && user_name[0]) { - /* Got it ? Valid ? */ - if(apply_type==APPLY_TYPE_USER) { - if(strcmp(user_name, apply_val)) { - /* Does not apply to this user */ -#ifdef DEBUG - _pam_log(LOG_DEBUG,"don't apply: apply=%s, user=%s", - apply_val,user_name); -#endif /* DEBUG */ - return PAM_IGNORE; - } - } else if(apply_type==APPLY_TYPE_GROUP) { - if(!is_on_group(user_name,apply_val)) { - /* Not a member of apply= group */ -#ifdef DEBUG - _pam_log(LOG_DEBUG,"don't apply: %s not a member of group %s", - user_name,apply_val); -#endif /* DEBUG */ - return PAM_IGNORE; - } - } - } - } - - retval = pam_get_item(pamh,citem,(const void **)&citemp); - if(retval != PAM_SUCCESS) { - return onerr; - } - if((citem == PAM_USER) && !citemp) { - pam_get_user(pamh,&citemp,NULL); - if (retval != PAM_SUCCESS) - return PAM_SERVICE_ERR; - } - - if(!citemp || (strlen(citemp) <= 0)) { - /* The item was NULL - we are sure not to match */ - return sense?PAM_SUCCESS:PAM_AUTH_ERR; - } - - if(extitem) { - switch(extitem) { - case EI_GROUP: - setpwent(); - userinfo = getpwnam(citemp); - setgrent(); - grpinfo = getgrgid(userinfo->pw_gid); - itemlist[0] = x_strdup(grpinfo->gr_name); - setgrent(); - for (i=1; (i < sizeof(itemlist)/sizeof(itemlist[0])-1) && - (grpinfo = getgrent()); ) { - if (is_on_list(grpinfo->gr_mem,citemp)) { - itemlist[i++] = x_strdup(grpinfo->gr_name); - } - } - itemlist[i] = NULL; - endgrent(); - endpwent(); - break; - case EI_SHELL: - setpwent(); - userinfo = getpwnam(citemp); /* Assume that we have already gotten - PAM_USER in pam_get_item() - a valid - assumption since citem gets set to - PAM_USER in the extitem switch */ - citemp = userinfo->pw_shell; - endpwent(); - break; - default: - _pam_log(LOG_ERR,"Internal weirdness, unknown extended item %d", - extitem); - return onerr; - } - } -#ifdef DEBUG - _pam_log(LOG_INFO,"Got file = %s, item = %d, value = %s, sense = %d", - ifname, citem, citemp, sense); -#endif - if(lstat(ifname,&fileinfo)) { - _pam_log(LOG_ERR, - "Couldn't open %s",ifname); - return onerr; - } - - if((fileinfo.st_mode & S_IWOTH) - || !S_ISREG(fileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - _pam_log(LOG_ERR, - "%s is either world writable or not a normal file", - ifname); - return PAM_AUTH_ERR; - } - - inf = fopen(ifname,"r"); - if(inf == NULL) { /* Check that we opened it successfully */ - if (onerr == PAM_SERVICE_ERR) { - /* Only report if it's an error... */ - _pam_log(LOG_ERR, "Error opening %s", ifname); - } - return onerr; - } - /* There should be no more errors from here on */ - retval=PAM_AUTH_ERR; - /* This loop assumes that PAM_SUCCESS == 0 - and PAM_AUTH_ERR != 0 */ -#ifdef DEBUG - assert(PAM_SUCCESS == 0); - assert(PAM_AUTH_ERR != 0); -#endif - if(extitem == EI_GROUP) { - while((fgets(aline,255,inf) != NULL) - && retval) { - if(aline[strlen(aline) - 1] == '\n') - aline[strlen(aline) - 1] = '\0'; - for(i=0;itemlist[i];) - /* If any of the items match, strcmp() == 0, and we get out - of this loop */ - retval = (strcmp(aline,itemlist[i++]) && retval); - } - for(i=0;itemlist[i];) - free(itemlist[i++]); - } else { - while((fgets(aline,255,inf) != NULL) - && retval) { - if(aline[strlen(aline) - 1] == '\n') - aline[strlen(aline) - 1] = '\0'; - retval = strcmp(aline,citemp); - } - } - fclose(inf); - free(ifname); - if(retval) { -#ifdef DEBUG - syslog(LOG_INFO,"Returning %d, retval = %d", - sense?PAM_AUTH_ERR:PAM_SUCCESS, retval); -#endif - return sense?PAM_SUCCESS:PAM_AUTH_ERR; - } - else { -#ifdef DEBUG - syslog(LOG_INFO,"Returning %d, retval = %d", - sense?PAM_SUCCESS:PAM_AUTH_ERR, retval); -#endif - return sense?PAM_AUTH_ERR:PAM_SUCCESS; - } -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - return PAM_SUCCESS; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_listfile_modstruct = { - "pam_listfile", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ - diff --git a/contrib/libpam/modules/pam_mail/Makefile b/contrib/libpam/modules/pam_mail/Makefile deleted file mode 100644 index 5a402ea..0000000 --- a/contrib/libpam/modules/pam_mail/Makefile +++ /dev/null @@ -1,107 +0,0 @@ -# -# $Id: Makefile,v 1.3 1997/04/05 06:37:45 morgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.3 1997/04/05 06:37:45 morgan -# fakeroot -# -# Revision 1.2 1997/02/15 16:07:22 morgan -# optional libpwdb compilation -# -# Revision 1.1 1997/01/04 20:32:52 morgan -# Initial revision -# -# -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/12/8 -# - -TITLE=pam_mail - -ifndef STATIC -ifeq ($(HAVE_PWDBLIB),yes) -CFLAGS += -DWANT_PWDB -EXTRALIB = -lpwdb -endif -endif - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(EXTRALIB) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) $(EXTRALIB) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_mail/pam_mail.c b/contrib/libpam/modules/pam_mail/pam_mail.c deleted file mode 100644 index 15160f3..0000000 --- a/contrib/libpam/modules/pam_mail/pam_mail.c +++ /dev/null @@ -1,401 +0,0 @@ -/* pam_mail module */ - -/* - * $Id: pam_mail.c,v 1.2 1997/02/15 16:06:14 morgan Exp morgan $ - * - * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 - * $HOME additions by David Kinchlea <kinch@kinch.ark.com> 1997/1/7 - * - * $Log: pam_mail.c,v $ - * Revision 1.2 1997/02/15 16:06:14 morgan - * session -> setcred, also added "~"=$HOME - * - * Revision 1.1 1997/01/04 20:33:02 morgan - * Initial revision - */ - -#define DEFAULT_MAIL_DIRECTORY "/var/spool/mail" -#define MAIL_FILE_FORMAT "%s/%s" -#define MAIL_ENV_NAME "MAIL" -#define MAIL_ENV_FORMAT MAIL_ENV_NAME "=%s" -#define YOUR_MAIL_FORMAT "You have %s mail in %s" - -#ifdef linux -# define _GNU_SOURCE -# include <features.h> -#endif - -#include <ctype.h> -#include <pwd.h> -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <sys/stat.h> -#include <sys/types.h> -#include <unistd.h> - -#ifdef WANT_PWDB -#include <pwdb/pwdb_public.h> -#endif - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -/* some syslogging */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-mail", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 01 -#define PAM_NO_LOGIN 02 -#define PAM_LOGOUT_TOO 04 -#define PAM_NEW_MAIL_DIR 010 -#define PAM_MAIL_SILENT 020 -#define PAM_NO_ENV 040 -#define PAM_HOME_MAIL 0100 -#define PAM_EMPTY_TOO 0200 - -static int _pam_parse(int flags, int argc, const char **argv, char **maildir) -{ - int ctrl=0; - - if (flags & PAM_SILENT) { - ctrl |= PAM_MAIL_SILENT; - } - - /* step through arguments */ - for (; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"dir=",4)) { - *maildir = x_strdup(4+*argv); - if (*maildir != NULL) { - D(("new mail directory: %s", *maildir)); - ctrl |= PAM_NEW_MAIL_DIR; - } else { - _log_err(LOG_CRIT, - "failed to duplicate mail directory - ignored"); - } - } else if (!strcmp(*argv,"close")) { - ctrl |= PAM_LOGOUT_TOO; - } else if (!strcmp(*argv,"nopen")) { - ctrl |= PAM_NO_LOGIN; - } else if (!strcmp(*argv,"noenv")) { - ctrl |= PAM_NO_ENV; - } else if (!strcmp(*argv,"empty")) { - ctrl |= PAM_EMPTY_TOO; - } else { - _log_err(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* a front end for conversations */ - -static int converse(pam_handle_t *pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && (PAM_DEBUG_ARG & ctrl) ) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - } - - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -static int get_folder(pam_handle_t *pamh, int ctrl - , char **path_mail, char **folder_p) -{ - int retval; - const char *user, *path; - char *folder; - const struct passwd *pwd=NULL; - - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS || user == NULL) { - _log_err(LOG_ERR, "no user specified"); - return PAM_USER_UNKNOWN; - } - - if (ctrl & PAM_NEW_MAIL_DIR) { - path = *path_mail; - if (*path == '~') { /* support for $HOME delivery */ - pwd = getpwnam(user); - if (pwd == NULL) { - _log_err(LOG_ERR, "user [%s] unknown", user); - _pam_overwrite(*path_mail); - _pam_drop(*path_mail); - return PAM_USER_UNKNOWN; - } - /* - * "~/xxx" and "~xxx" are treated as same - */ - if (!*++path || (*path == '/' && !*++path)) { - _log_err(LOG_ALERT, "badly formed mail path [%s]", *path_mail); - _pam_overwrite(*path_mail); - _pam_drop(*path_mail); - return PAM_ABORT; - } - ctrl |= PAM_HOME_MAIL; - } - } else { - path = DEFAULT_MAIL_DIRECTORY; - } - - /* put folder together */ - - if (ctrl & PAM_HOME_MAIL) { - folder = malloc(sizeof(MAIL_FILE_FORMAT) - +strlen(pwd->pw_dir)+strlen(path)); - } else { - folder = malloc(sizeof(MAIL_FILE_FORMAT)+strlen(path)+strlen(user)); - } - - if (folder != NULL) { - if (ctrl & PAM_HOME_MAIL) { - sprintf(folder, MAIL_FILE_FORMAT, pwd->pw_dir, path); - } else { - sprintf(folder, MAIL_FILE_FORMAT, path, user); - } - D(("folder =[%s]", folder)); - } - - /* tidy up */ - - _pam_overwrite(*path_mail); - _pam_drop(*path_mail); - user = NULL; - - if (folder == NULL) { - _log_err(LOG_CRIT, "out of memory for mail folder"); - return PAM_BUF_ERR; - } - - *folder_p = folder; - folder = NULL; - - return PAM_SUCCESS; -} - -static const char *get_mail_status(int ctrl, const char *folder) -{ - const char *type; - struct stat mail_st; - - if (stat(folder, &mail_st) == 0 && mail_st.st_size > 0) { - type = (mail_st.st_atime < mail_st.st_mtime) ? "new":"old" ; - } else if (ctrl & PAM_EMPTY_TOO) { - type = "no"; - } else { - type = NULL; - } - - memset(&mail_st, 0, sizeof(mail_st)); - D(("user has %s mail in %s folder", type, folder)); - return type; -} - -static int report_mail(pam_handle_t *pamh, int ctrl - , const char *type, const char *folder) -{ - int retval; - - if (!(ctrl & PAM_MAIL_SILENT)) { - char *remark; - - remark = malloc(sizeof(YOUR_MAIL_FORMAT)+strlen(type)+strlen(folder)); - if (remark == NULL) { - retval = PAM_BUF_ERR; - } else { - struct pam_message msg[1], *mesg[1]; - struct pam_response *resp=NULL; - - sprintf(remark, YOUR_MAIL_FORMAT, type, folder); - - mesg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = remark; - - retval = converse(pamh, ctrl, 1, mesg, &resp); - - _pam_overwrite(remark); - _pam_drop(remark); - if (resp) - _pam_drop_reply(resp, 1); - } - } else { - D(("keeping quiet")); - retval = PAM_SUCCESS; - } - - D(("returning %s", pam_strerror(pamh, retval))); - return retval; -} - -/* --- authentication management functions (only) --- */ - -/* - * Cannot use mail to authenticate yourself - */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_IGNORE; -} - -/* - * MAIL is a "credential" - */ - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc - , const char **argv) -{ - int retval, ctrl; - char *path_mail=NULL, *folder; - const char *type; - - /* - * this module (un)sets the MAIL environment variable, and checks if - * the user has any new mail. - */ - - ctrl = _pam_parse(flags, argc, argv, &path_mail); - - /* Do we have anything to do? */ - - if (!(flags & (PAM_ESTABLISH_CRED|PAM_DELETE_CRED))) { - return PAM_SUCCESS; - } - - /* which folder? */ - - retval = get_folder(pamh, ctrl, &path_mail, &folder); - if (retval != PAM_SUCCESS) { - D(("failed to find folder")); - return retval; - } - - /* set the MAIL variable? */ - - if (!(ctrl & PAM_NO_ENV) && (flags & PAM_ESTABLISH_CRED)) { - char *tmp; - - tmp = malloc(strlen(folder)+sizeof(MAIL_ENV_FORMAT)); - if (tmp != NULL) { - sprintf(tmp, MAIL_ENV_FORMAT, folder); - D(("setting env: %s", tmp)); - retval = pam_putenv(pamh, tmp); - _pam_overwrite(tmp); - _pam_drop(tmp); - if (retval != PAM_SUCCESS) { - _pam_overwrite(folder); - _pam_drop(folder); - _log_err(LOG_CRIT, "unable to set " MAIL_ENV_NAME " variable"); - return retval; - } - } else { - _log_err(LOG_CRIT, "no memory for " MAIL_ENV_NAME " variable"); - _pam_overwrite(folder); - _pam_drop(folder); - return retval; - } - } else { - D(("not setting " MAIL_ENV_NAME " variable")); - } - - /* - * OK. we've got the mail folder... what about its status? - */ - - if (((flags & PAM_ESTABLISH_CRED) && !(ctrl & PAM_NO_LOGIN)) - || ((flags & PAM_DELETE_CRED) && (ctrl & PAM_LOGOUT_TOO))) { - type = get_mail_status(ctrl, folder); - if (type != NULL) { - retval = report_mail(pamh, ctrl, type, folder); - type = NULL; - } - } - - /* - * Delete environment variable? - */ - - if (flags & PAM_DELETE_CRED) { - (void) pam_putenv(pamh, MAIL_ENV_NAME); - } - - _pam_overwrite(folder); /* clean up */ - _pam_drop(folder); - - /* indicate success or failure */ - - return retval; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_mail_modstruct = { - "pam_mail", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_nologin/README b/contrib/libpam/modules/pam_nologin/README deleted file mode 100644 index ab7ccd7..0000000 --- a/contrib/libpam/modules/pam_nologin/README +++ /dev/null @@ -1,12 +0,0 @@ -# $Id: README,v 1.1 1996/10/25 03:19:36 morgan Exp $ -# - -This module always lets root in; it lets other users in only if the file -/etc/nologin doesn't exist. In any case, if /etc/nologin exists, it's -contents are displayed to the user. - -module services provided: - - auth _authentication and _setcred (blank) - -Michael K. Johnson diff --git a/contrib/libpam/modules/pam_nologin/pam_nologin.c b/contrib/libpam/modules/pam_nologin/pam_nologin.c deleted file mode 100644 index 2788dcf..0000000 --- a/contrib/libpam/modules/pam_nologin/pam_nologin.c +++ /dev/null @@ -1,124 +0,0 @@ -/* pam_nologin module */ - -/* - * $Id: pam_nologin.c,v 1.4 1997/04/05 06:36:47 morgan Exp morgan $ - * - * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24 - * - * $Log: pam_nologin.c,v $ - * Revision 1.4 1997/04/05 06:36:47 morgan - * display message when the user is unknown - * - * Revision 1.3 1996/12/01 03:00:54 morgan - * added prototype to conversation, gave static structure name of module - * - * Revision 1.2 1996/11/10 21:02:31 morgan - * compile against .53 - * - * Revision 1.1 1996/10/25 03:19:36 morgan - * Initial revision - * - * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <fcntl.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <pwd.h> - -#include <security/_pam_macros.h> -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include <security/pam_modules.h> - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - int retval = PAM_SUCCESS; - int fd; - const char *username; - char *mtmp=NULL; - struct passwd *user_pwd; - struct pam_conv *conversation; - struct pam_message message; - struct pam_message *pmessage = &message; - struct pam_response *resp = NULL; - struct stat st; - - if ((fd = open("/etc/nologin", O_RDONLY, 0)) >= 0) { - /* root can still log in; lusers cannot */ - if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) - || !username) { - return PAM_SERVICE_ERR; - } - user_pwd = getpwnam(username); - if (user_pwd && user_pwd->pw_uid == 0) { - message.msg_style = PAM_TEXT_INFO; - } else { - if (!user_pwd) { - retval = PAM_USER_UNKNOWN; - } else { - retval = PAM_AUTH_ERR; - } - message.msg_style = PAM_ERROR_MSG; - } - - /* fill in message buffer with contents of /etc/nologin */ - if (fstat(fd, &st) < 0) /* give up trying to display message */ - return retval; - message.msg = mtmp = malloc(st.st_size+1); - /* if malloc failed... */ - if (!message.msg) return retval; - read(fd, mtmp, st.st_size); - mtmp[st.st_size] = '\000'; - - /* Use conversation function to give user contents of /etc/nologin */ - pam_get_item(pamh, PAM_CONV, (const void **)&conversation); - conversation->conv(1, (const struct pam_message **)&pmessage, - &resp, conversation->appdata_ptr); - free(mtmp); - if (resp) - _pam_drop_reply(resp, 1); - } - - return retval; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - return PAM_SUCCESS; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_nologin_modstruct = { - "pam_nologin", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_permit/Makefile b/contrib/libpam/modules/pam_permit/Makefile deleted file mode 100644 index 823b624..0000000 --- a/contrib/libpam/modules/pam_permit/Makefile +++ /dev/null @@ -1,126 +0,0 @@ -# -# $Id: Makefile,v 1.8 1997/04/05 06:33:25 morgan Exp morgan $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.8 1997/04/05 06:33:25 morgan -# fakeroot -# -# Revision 1.7 1997/02/15 19:02:27 morgan -# updated email address -# -# Revision 1.6 1996/11/10 20:14:34 morgan -# cross platform support -# -# Revision 1.5 1996/09/05 06:32:45 morgan -# ld --> gcc -# -# Revision 1.4 1996/05/26 15:49:25 morgan -# make dynamic and static dirs -# -# Revision 1.3 1996/05/26 04:04:26 morgan -# automated static support -# -# Revision 1.2 1996/03/16 17:56:38 morgan -# tidied up -# -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11 -# - -# Convenient defaults for compiling independently of the full source -# tree. -ifndef FULL_LINUX_PAM_SOURCE_TREE -export DYNAMIC=-DPAM_DYNAMIC -export CC=gcc -export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ - -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ - -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ - -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ - -Wshadow -pedantic -fPIC -export MKDIR=mkdir -p -export LD_D=gcc -shared -Xlinker -x -endif - -# -# - -TITLE=pam_permit - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(TARGET_ARCH) -c $< -o $@ - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) -endif - -ifdef DYNAMIC -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) -endif - -ifdef STATIC -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_permit/README b/contrib/libpam/modules/pam_permit/README deleted file mode 100644 index da179a3..0000000 --- a/contrib/libpam/modules/pam_permit/README +++ /dev/null @@ -1,4 +0,0 @@ -# $Id: README,v 1.1 1996/03/16 18:12:51 morgan Exp $ -# - -this module always returns PAM_SUCCESS, it ignores all options. diff --git a/contrib/libpam/modules/pam_permit/pam_permit.c b/contrib/libpam/modules/pam_permit/pam_permit.c deleted file mode 100644 index 1bdd564..0000000 --- a/contrib/libpam/modules/pam_permit/pam_permit.c +++ /dev/null @@ -1,122 +0,0 @@ -/* pam_permit module */ - -/* - * $Id: pam_permit.c,v 1.5 1997/02/15 19:03:15 morgan Exp $ - * - * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 - * - * $Log: pam_permit.c,v $ - * Revision 1.5 1997/02/15 19:03:15 morgan - * fixed email address - * - * Revision 1.4 1997/02/15 16:03:10 morgan - * force a name for user - * - * Revision 1.3 1996/06/02 08:10:14 morgan - * updated for new static protocol - * - */ - -#define DEFAULT_USER "nobody" - -#include <stdio.h> - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -/* --- authentication management functions --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int retval; - const char *user=NULL; - - /* - * authentication requires we know who the user wants to be - */ - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS) { - D(("get user returned error: %s", pam_strerror(pamh,retval))); - return retval; - } - if (user == NULL || *user == '\0') { - D(("username not known")); - pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); - } - user = NULL; /* clean up */ - - return PAM_SUCCESS; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - -/* --- account management functions --- */ - -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - -/* --- password management --- */ - -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - -/* --- session management --- */ - -PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - -/* end of module definition */ - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_permit_modstruct = { - "pam_permit", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok -}; - -#endif diff --git a/contrib/libpam/modules/pam_pwdb/BUGS b/contrib/libpam/modules/pam_pwdb/BUGS deleted file mode 100644 index 397f367..0000000 --- a/contrib/libpam/modules/pam_pwdb/BUGS +++ /dev/null @@ -1,8 +0,0 @@ -$Id: BUGS,v 1.2 1996/09/05 06:36:16 morgan Exp $ - -$Log: BUGS,v $ -Revision 1.2 1996/09/05 06:36:16 morgan -revised for .52 to be released - - -As of Linux-PAM-0.52 this is new. No known bugs yet. diff --git a/contrib/libpam/modules/pam_pwdb/CHANGELOG b/contrib/libpam/modules/pam_pwdb/CHANGELOG deleted file mode 100644 index 0cb2187..0000000 --- a/contrib/libpam/modules/pam_pwdb/CHANGELOG +++ /dev/null @@ -1,10 +0,0 @@ -$Header: /home/morgan/pam/Linux-PAM-0.52/modules/pam_unix/RCS/CHANGELOG,v 1.1 1996/08/29 13:23:29 morgan Exp $ - -Tue Apr 23 12:28:09 EDT 1996 (Alexander O. Yuriev alex@bach.cis.temple.edu) - - * PAM_DISALLOW_NULL_AUTHTOK implemented in the authentication module - * pam_sm_open_session() and pam_sm_close_session() implemented - A new "trace" flag added to flags of /etc/pam.conf. Using this - flag system administrator is able to make pam_unix module provide - very extensive audit trail sent so syslog with LOG_AUTHPRIV level. - * pam_sm_set_cred() is done diff --git a/contrib/libpam/modules/pam_pwdb/Makefile b/contrib/libpam/modules/pam_pwdb/Makefile deleted file mode 100644 index 7428bb4..0000000 --- a/contrib/libpam/modules/pam_pwdb/Makefile +++ /dev/null @@ -1,155 +0,0 @@ -# $Id: Makefile,v 1.7 1997/04/05 06:28:50 morgan Exp morgan $ -# -# This Makefile controls a build process of the pam_unix module -# for Linux-PAM. You should not modify this Makefile. -# -# rewritten to compile new module Andrew Morgan -# <morgan@parc.power.net> 1996/11/6 -# - -# -# Note, the STATIC module is commented out because it doesn't work. -# please fix! -# - -ifndef FULL_LINUX_PAM_SOURCE_TREE -export DYNAMIC=-DPAM_DYNAMIC -export CC=gcc -export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ - -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ - -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ - -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ - -Wshadow -pedantic -fPIC -export MKDIR=mkdir -p -export LD_D=gcc -shared -Xlinker -x -export HAVE_PWDBLIB=yes -endif - -ifeq ($(HAVE_PWDBLIB),yes) - -TITLE=pam_pwdb -CHKPWD=pwdb_chkpwd - -# compilation flags -EXTRAS= -# extra object files -PLUS= -# extra files that may be needed to be created -CREATE= - -# NOTE: this module links dynamically to the libpwdb library. -EXTRALS += -lpwdb -EXTRAS += -DCHKPWD_HELPER=\"$(SUPLEMENTED)/$(CHKPWD)\" - -########################### don't edit below ########################## - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -#LIBOBJS = $(addprefix static/,$(LIBOBJ)) -LIBDEPS = pam_unix_acct.-c pam_unix_auth.-c pam_unix_passwd.-c \ - pam_unix_sess.-c pam_unix_pwupd.-c support.-c bigcrypt.-c - -PLUS += md5.o md5_crypt.o -CFLAGS += $(EXTRAS) - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif -#ifdef STATIC -#LIBSTATIC = lib$(TITLE).o -#endif - -all: info dirs $(PLUS) $(LIBSHARED) $(LIBSTATIC) register $(CHKPWD) - -dynamic/$(LIBOBJ) : $(LIBSRC) $(LIBDEPS) - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -#static/$(LIBOBJ) : $(LIBSRC) $(LIBDEPS) -# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -info: - @echo - @echo "*** Building PAM_pwdb module..." - @echo - -$(CHKPWD): pwdb_chkpwd.o md5.o md5_crypt.o - $(CC) -o $(CHKPWD) $^ -lpwdb - -pwdb_chkpwd.o: pwdb_chkpwd.c pam_unix_md.-c bigcrypt.-c - -dirs: -ifdef DYNAMIC - @$(MKDIR) ./dynamic -endif -#ifdef STATIC -# @$(MKDIR) ./static -#endif - -register: -#ifdef STATIC -# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -#endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(PLUS) $(EXTRALS) -endif - -#ifdef STATIC -#$(LIBOBJS): $(LIBSRC) -# -#$(LIBSTATIC): $(LIBOBJS) -# $(LD) -r -o $@ $(LIBOBJS) $(PLUS) $(EXTRALS) -#endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(SUPLEMENTED) - $(INSTALL) -m 4555 -o root -g root $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED) - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - rm -f $(FAKEROOT)$(SUPLEMENTED)/$(CHKPWD) - -clean: - rm -f $(CHKPWD) $(LIBOBJD) $(LIBOBJS) $(MOREDELS) core *~ *.o *.so - -extraclean: clean - rm -f *.a *.o *.so *.bak - -else - -include ../dont_makefile - -endif - -##################################################################### -# $Log: Makefile,v $ -# Revision 1.7 1997/04/05 06:28:50 morgan -# fakeroot -# -# Revision 1.6 1997/02/15 17:25:32 morgan -# update for .56 . extra commands for new helper binary -# -# Revision 1.5 1997/01/04 20:39:08 morgan -# conditional on having libpwdb -# -# Revision 1.4 1996/12/01 03:02:03 morgan -# changed banner, removed linking libraries -# -# Revision 1.3 1996/11/10 20:14:42 morgan -# cross platform support -# -# Revision 1.2 1996/09/05 06:36:49 morgan -# options added and use of LD altered -# -# Revision 1.1 1996/08/29 13:23:29 morgan -# Initial revision -# -# diff --git a/contrib/libpam/modules/pam_pwdb/README b/contrib/libpam/modules/pam_pwdb/README deleted file mode 100644 index 351a706..0000000 --- a/contrib/libpam/modules/pam_pwdb/README +++ /dev/null @@ -1,41 +0,0 @@ -This is the pam_unix module. It has been significantly rewritten since -.51 was released (due mostly to the efforts of Cristian Gafton), and -now takes more options and correctly updates vanilla UNIX/shadow/md5 -passwords. - -[Please read the source and make a note of all the warnings there, as -the license suggests -- use at your own risk.] - -So far as I am concerned this module is now pretty stable. If you find -any bugs, PLEASE tell me! <morgan@parc.power.net> - -Options recognized by this module are as follows: - - debug - log more debugging info - audit - a little more extreme than debug - use_first_pass - don't prompt the user for passwords - take them from PAM_ items instead - try_first_pass - don't prompt the user for the passwords - unless PAM_(OLD)AUTHTOK is unset - use_authtok - like try_first_pass, but *fail* if the new - PAM_AUTHTOK has not been previously set. - (intended for stacking password modules only) - not_set_pass - don't set the PAM_ items with the passwords - used by this module. - shadow - try to maintian a shadow based system. - unix - when changing passwords, they are placed - in the /etc/passwd file - md5 - when a user changes their password next, - encrypt it with the md5 algorithm. - bigcrypt - when a user changes their password next, - excrypt it with the DEC C2-algorithm(0). - nodelay - used to prevent failed authentication - resulting in a delay of about 1 second. - -There is some support for building a shadow file on-the-fly from an -/etc/passwd file. This is VERY alpha. If you want to play with it you -should read the source to find the appropriate #define that you will -need. - ---------------------- -Andrew Morgan <morgan@parc.power.net> diff --git a/contrib/libpam/modules/pam_pwdb/TODO b/contrib/libpam/modules/pam_pwdb/TODO deleted file mode 100644 index 23eb4c1..0000000 --- a/contrib/libpam/modules/pam_pwdb/TODO +++ /dev/null @@ -1,34 +0,0 @@ -$Id: TODO,v 1.3 1996/11/10 21:03:21 morgan Exp $ - - * get NIS working - * .. including "nonis" argument - * add helper binary - -Wed Sep 4 23:40:09 PDT 1996 Andrew G. Morgan - - * verify that it works for everyone - * look more seriously at the issue of generating a shadow - system on the fly - * add some more password flavors - -Thu Aug 29 06:26:42 PDT 1996 Andrew G. Morgan - - * check that complete rewrite works! ;^) - * complete shadow support to the password changing code. - Also some code needed here for session managment? - (both pam.conf argument to turn it on/off, and some - conditional compilation.) - * md5 passwords... - * make the exclusive nature of the arguments work. That is, - only recognize the flags when appropriate. - -Wed May 8 19:08:49 EDT 1996 Alexander O. Yuriev - - * support.c should go. - -Tue Apr 23 21:43:55 EDT 1996 Alexander O. Yuriev - - * pam_sm_chauth_tok() should be written - * QUICK FIX: pam_sm_setcred() probably returns incorrect error code - - diff --git a/contrib/libpam/modules/pam_pwdb/bigcrypt.-c b/contrib/libpam/modules/pam_pwdb/bigcrypt.-c deleted file mode 100644 index 321f249..0000000 --- a/contrib/libpam/modules/pam_pwdb/bigcrypt.-c +++ /dev/null @@ -1,114 +0,0 @@ -/* - * This function implements the "bigcrypt" algorithm specifically for - * Linux-PAM. - * - * This algorithm is algorithm 0 (default) shipped with the C2 secure - * implementation of Digital UNIX. - * - * Disclaimer: This work is not based on the source code to Digital - * UNIX, nor am I connected to Digital Equipment Corp, in any way - * other than as a customer. This code is based on published - * interfaces and reasonable guesswork. - * - * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8 - * characters or less. Each block is encrypted using the standard UNIX - * libc crypt function. The result of the encryption for one block - * provides the salt for the suceeding block. - * - * Restrictions: The buffer used to hold the encrypted result is - * statically allocated. (see MAX_PASS_LEN below). This is necessary, - * as the returned pointer points to "static data that are overwritten - * by each call", (XPG3: XSI System Interface + Headers pg 109), and - * this is a drop in replacement for crypt(); - * - * Andy Phillips <atp@mssl.ucl.ac.uk> - */ - -/* - * Max cleartext password length in segments of 8 characters this - * function can deal with (16 segments of 8 chars= max 128 character - * password). - */ - -#define MAX_PASS_LEN 16 -#define SEGMENT_SIZE 8 -#define SALT_SIZE 2 -#define KEYBUF_SIZE ((MAX_PASS_LEN*SEGMENT_SIZE)+SALT_SIZE) -#define ESEGMENT_SIZE 11 -#define CBUF_SIZE ((MAX_PASS_LEN*ESEGMENT_SIZE)+SALT_SIZE+1) - -static char *bigcrypt(const char *key, const char *salt) -{ - static char dec_c2_cryptbuf[CBUF_SIZE]; /* static storage area */ - - unsigned long int keylen,n_seg,j; - char *cipher_ptr,*plaintext_ptr,*tmp_ptr,*salt_ptr; - char keybuf[KEYBUF_SIZE+1]; - - D(("called with key='%s', salt='%s'.", key, salt)); - - /* reset arrays */ - memset(keybuf, 0, KEYBUF_SIZE+1); - memset(dec_c2_cryptbuf, 0, CBUF_SIZE); - - /* fill KEYBUF_SIZE with key */ - strncpy(keybuf, key, KEYBUF_SIZE); - - /* deal with case that we are doing a password check for a - conventially encrypted password: the salt will be - SALT_SIZE+ESEGMENT_SIZE long. */ - if (strlen(salt) == (SALT_SIZE+ESEGMENT_SIZE)) - keybuf[SEGMENT_SIZE] = '\0'; /* terminate password early(?) */ - - keylen = strlen(keybuf); - - if (!keylen) { - n_seg = 1; - } else { - /* work out how many segments */ - n_seg = 1 + ((keylen-1)/SEGMENT_SIZE); - } - - if (n_seg > MAX_PASS_LEN) - n_seg = MAX_PASS_LEN; /* truncate at max length */ - - /* set up some pointers */ - cipher_ptr = dec_c2_cryptbuf; - plaintext_ptr = keybuf; - - /* do the first block with supplied salt */ - tmp_ptr = crypt(plaintext_ptr,salt); /* libc crypt() */ - - /* and place in the static area */ - strncpy(cipher_ptr, tmp_ptr, 13); - cipher_ptr += ESEGMENT_SIZE + SALT_SIZE; - plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */ - - /* change the salt (1st 2 chars of previous block) - this was found - by dowsing */ - - salt_ptr = cipher_ptr - ESEGMENT_SIZE; - - /* so far this is identical to "return crypt(key, salt);", if - there is more than one block encrypt them... */ - - if (n_seg > 1) { - for (j=2; j <= n_seg; j++) { - - tmp_ptr = crypt(plaintext_ptr, salt_ptr); - - /* skip the salt for seg!=0 */ - strncpy(cipher_ptr, (tmp_ptr+SALT_SIZE), ESEGMENT_SIZE); - - cipher_ptr += ESEGMENT_SIZE; - plaintext_ptr += SEGMENT_SIZE; - salt_ptr = cipher_ptr - ESEGMENT_SIZE; - } - } - - D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf)); - - /* this is the <NUL> terminated encrypted password */ - - return dec_c2_cryptbuf; -} diff --git a/contrib/libpam/modules/pam_pwdb/md5.c b/contrib/libpam/modules/pam_pwdb/md5.c deleted file mode 100644 index fdfbdd8..0000000 --- a/contrib/libpam/modules/pam_pwdb/md5.c +++ /dev/null @@ -1,259 +0,0 @@ -/* $Id: md5.c,v 1.1 1996/09/05 06:43:31 morgan Exp $ - * - * This code implements the MD5 message-digest algorithm. - * The algorithm is due to Ron Rivest. This code was - * written by Colin Plumb in 1993, no copyright is claimed. - * This code is in the public domain; do with it what you wish. - * - * Equivalent code is available from RSA Data Security, Inc. - * This code has been tested against that, and is equivalent, - * except that you don't need to include two pages of legalese - * with every copy. - * - * To compute the message digest of a chunk of bytes, declare an - * MD5Context structure, pass it to MD5Init, call MD5Update as - * needed on buffers full of bytes, and then call MD5Final, which - * will fill a supplied 16-byte array with the digest. - * - * $Log: md5.c,v $ - * Revision 1.1 1996/09/05 06:43:31 morgan - * Initial revision - * - */ - -#include <string.h> -#include "md5.h" - -#ifndef HIGHFIRST -#define byteReverse(buf, len) /* Nothing */ -#else -void byteReverse(unsigned char *buf, unsigned longs); - -#ifndef ASM_MD5 -/* - * Note: this code is harmless on little-endian machines. - */ -void byteReverse(unsigned char *buf, unsigned longs) -{ - uint32 t; - do { - t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | - ((unsigned) buf[1] << 8 | buf[0]); - *(uint32 *) buf = t; - buf += 4; - } while (--longs); -} -#endif -#endif - -/* - * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious - * initialization constants. - */ -void MD5Init(struct MD5Context *ctx) -{ - ctx->buf[0] = 0x67452301U; - ctx->buf[1] = 0xefcdab89U; - ctx->buf[2] = 0x98badcfeU; - ctx->buf[3] = 0x10325476U; - - ctx->bits[0] = 0; - ctx->bits[1] = 0; -} - -/* - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void MD5Update(struct MD5Context *ctx, unsigned const char *buf, unsigned len) -{ - uint32 t; - - /* Update bitcount */ - - t = ctx->bits[0]; - if ((ctx->bits[0] = t + ((uint32) len << 3)) < t) - ctx->bits[1]++; /* Carry from low to high */ - ctx->bits[1] += len >> 29; - - t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */ - - /* Handle any leading odd-sized chunks */ - - if (t) { - unsigned char *p = (unsigned char *) ctx->in + t; - - t = 64 - t; - if (len < t) { - memcpy(p, buf, len); - return; - } - memcpy(p, buf, t); - byteReverse(ctx->in, 16); - MD5Transform(ctx->buf, (uint32 *) ctx->in); - buf += t; - len -= t; - } - /* Process data in 64-byte chunks */ - - while (len >= 64) { - memcpy(ctx->in, buf, 64); - byteReverse(ctx->in, 16); - MD5Transform(ctx->buf, (uint32 *) ctx->in); - buf += 64; - len -= 64; - } - - /* Handle any remaining bytes of data. */ - - memcpy(ctx->in, buf, len); -} - -/* - * Final wrapup - pad to 64-byte boundary with the bit pattern - * 1 0* (64-bit count of bits processed, MSB-first) - */ -void MD5Final(unsigned char digest[16], struct MD5Context *ctx) -{ - unsigned count; - unsigned char *p; - - /* Compute number of bytes mod 64 */ - count = (ctx->bits[0] >> 3) & 0x3F; - - /* Set the first char of padding to 0x80. This is safe since there is - always at least one byte free */ - p = ctx->in + count; - *p++ = 0x80; - - /* Bytes of padding needed to make 64 bytes */ - count = 64 - 1 - count; - - /* Pad out to 56 mod 64 */ - if (count < 8) { - /* Two lots of padding: Pad the first block to 64 bytes */ - memset(p, 0, count); - byteReverse(ctx->in, 16); - MD5Transform(ctx->buf, (uint32 *) ctx->in); - - /* Now fill the next block with 56 bytes */ - memset(ctx->in, 0, 56); - } else { - /* Pad block to 56 bytes */ - memset(p, 0, count - 8); - } - byteReverse(ctx->in, 14); - - /* Append length in bits and transform */ - ((uint32 *) ctx->in)[14] = ctx->bits[0]; - ((uint32 *) ctx->in)[15] = ctx->bits[1]; - - MD5Transform(ctx->buf, (uint32 *) ctx->in); - byteReverse((unsigned char *) ctx->buf, 4); - memcpy(digest, ctx->buf, 16); - memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */ -} - -#ifndef ASM_MD5 - -/* The four core functions - F1 is optimized somewhat */ - -/* #define F1(x, y, z) (x & y | ~x & z) */ -#define F1(x, y, z) (z ^ (x & (y ^ z))) -#define F2(x, y, z) F1(z, x, y) -#define F3(x, y, z) (x ^ y ^ z) -#define F4(x, y, z) (y ^ (x | ~z)) - -/* This is the central step in the MD5 algorithm. */ -#define MD5STEP(f, w, x, y, z, data, s) \ - ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x ) - -/* - * The core of the MD5 algorithm, this alters an existing MD5 hash to - * reflect the addition of 16 longwords of new data. MD5Update blocks - * the data and converts bytes into longwords for this routine. - */ -void MD5Transform(uint32 buf[4], uint32 const in[16]) -{ - register uint32 a, b, c, d; - - a = buf[0]; - b = buf[1]; - c = buf[2]; - d = buf[3]; - - MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7); - MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12); - MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17); - MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22); - MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7); - MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12); - MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17); - MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22); - MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7); - MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12); - MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17); - MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22); - MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7); - MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12); - MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17); - MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22); - - MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5); - MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9); - MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14); - MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20); - MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5); - MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9); - MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14); - MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20); - MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5); - MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9); - MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14); - MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20); - MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5); - MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9); - MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14); - MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20); - - MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4); - MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11); - MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16); - MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23); - MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4); - MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11); - MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16); - MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23); - MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4); - MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11); - MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16); - MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23); - MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4); - MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11); - MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16); - MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23); - - MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6); - MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10); - MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15); - MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21); - MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6); - MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10); - MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15); - MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21); - MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6); - MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10); - MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15); - MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21); - MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6); - MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10); - MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15); - MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21); - - buf[0] += a; - buf[1] += b; - buf[2] += c; - buf[3] += d; -} - -#endif diff --git a/contrib/libpam/modules/pam_pwdb/md5.h b/contrib/libpam/modules/pam_pwdb/md5.h deleted file mode 100644 index 4949ade..0000000 --- a/contrib/libpam/modules/pam_pwdb/md5.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef MD5_H -#define MD5_H - -#ifdef __alpha -typedef unsigned int uint32; -#else -typedef unsigned long uint32; -#endif - -struct MD5Context { - uint32 buf[4]; - uint32 bits[2]; - unsigned char in[64]; -}; - -void MD5Init(struct MD5Context *); -void MD5Update(struct MD5Context *, unsigned const char *, unsigned); -void MD5Final(unsigned char digest[16], struct MD5Context *); -void MD5Transform(uint32 buf[4], uint32 const in[16]); -int i64c(int i); - -char *crypt_md5(const char *pw, const char *salt); - -/* -* This is needed to make RSAREF happy on some MS-DOS compilers. -*/ - -typedef struct MD5Context MD5_CTX; - -#endif /* MD5_H */ diff --git a/contrib/libpam/modules/pam_pwdb/md5_crypt.c b/contrib/libpam/modules/pam_pwdb/md5_crypt.c deleted file mode 100644 index 88be13b..0000000 --- a/contrib/libpam/modules/pam_pwdb/md5_crypt.c +++ /dev/null @@ -1,164 +0,0 @@ -/* $Id: md5_crypt.c,v 1.1 1996/09/05 06:43:31 morgan Exp $ - * - * ---------------------------------------------------------------------------- - * "THE BEER-WARE LICENSE" (Revision 42): - * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you - * can do whatever you want with this stuff. If we meet some day, and you think - * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp - * ---------------------------------------------------------------------------- - * - * Origin: Id: crypt.c,v 1.3 1995/05/30 05:42:22 rgrimes Exp - * - * $Log: md5_crypt.c,v $ - * Revision 1.1 1996/09/05 06:43:31 morgan - * Initial revision - * - */ - -#include <string.h> -#include "md5.h" - -static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ - "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; - -static void -to64(char *s, unsigned long v, int n) -{ - while (--n >= 0) { - *s++ = itoa64[v&0x3f]; - v >>= 6; - } -} - -/* - * i64c - convert an integer to a radix 64 character - */ -int i64c(int i) -{ - if (i < 0) - return ('.'); - else if (i > 63) - return ('z'); - if (i == 0) - return ('.'); - if (i == 1) - return ('/'); - if (i >= 2 && i <= 11) - return ('0' - 2 + i); - if (i >= 12 && i <= 37) - return ('A' - 12 + i); - if (i >= 38 && i <= 63) - return ('a' - 38 + i); - return ('\0'); -} - -/* - * UNIX password - * - * Use MD5 for what it is best at... - */ - -char * crypt_md5(const char *pw, const char *salt) -{ - const char *magic = "$1$"; - /* This string is magic for this algorithm. Having - * it this way, we can get get better later on */ - static char passwd[120], *p; - static const char *sp,*ep; - unsigned char final[16]; - int sl,pl,i,j; - MD5_CTX ctx,ctx1; - unsigned long l; - - /* Refine the Salt first */ - sp = salt; - - /* If it starts with the magic string, then skip that */ - if(!strncmp(sp,magic,strlen(magic))) - sp += strlen(magic); - - /* It stops at the first '$', max 8 chars */ - for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++) - continue; - - /* get the length of the true salt */ - sl = ep - sp; - - MD5Init(&ctx); - - /* The password first, since that is what is most unknown */ - MD5Update(&ctx,(unsigned const char *)pw,strlen(pw)); - - /* Then our magic string */ - MD5Update(&ctx,(unsigned const char *)magic,strlen(magic)); - - /* Then the raw salt */ - MD5Update(&ctx,(unsigned const char *)sp,sl); - - /* Then just as many characters of the MD5(pw,salt,pw) */ - MD5Init(&ctx1); - MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw)); - MD5Update(&ctx1,(unsigned const char *)sp,sl); - MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw)); - MD5Final(final,&ctx1); - for(pl = strlen(pw); pl > 0; pl -= 16) - MD5Update(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl); - - /* Don't leave anything around in vm they could use. */ - memset(final,0,sizeof final); - - /* Then something really weird... */ - for (j=0,i = strlen(pw); i ; i >>= 1) - if(i&1) - MD5Update(&ctx, (unsigned const char *)final+j, 1); - else - MD5Update(&ctx, (unsigned const char *)pw+j, 1); - - /* Now make the output string */ - strcpy(passwd,magic); - strncat(passwd,sp,sl); - strcat(passwd,"$"); - - MD5Final(final,&ctx); - - /* - * and now, just to make sure things don't run too fast - * On a 60 Mhz Pentium this takes 34 msec, so you would - * need 30 seconds to build a 1000 entry dictionary... - */ - for(i=0;i<1000;i++) { - MD5Init(&ctx1); - if(i & 1) - MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw)); - else - MD5Update(&ctx1,(unsigned const char *)final,16); - - if(i % 3) - MD5Update(&ctx1,(unsigned const char *)sp,sl); - - if(i % 7) - MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw)); - - if(i & 1) - MD5Update(&ctx1,(unsigned const char *)final,16); - else - MD5Update(&ctx1,(unsigned const char *)pw,strlen(pw)); - MD5Final(final,&ctx1); - } - - p = passwd + strlen(passwd); - - l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4; - l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4; - l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4; - l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4; - l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4; - l = final[11] ; to64(p,l,2); p += 2; - *p = '\0'; - - /* Don't leave anything around in vm they could use. */ - memset(final,0,sizeof final); - - return passwd; -} - diff --git a/contrib/libpam/modules/pam_pwdb/pam_pwdb.c b/contrib/libpam/modules/pam_pwdb/pam_pwdb.c deleted file mode 100644 index a612f74..0000000 --- a/contrib/libpam/modules/pam_pwdb/pam_pwdb.c +++ /dev/null @@ -1,257 +0,0 @@ -/* - * $Id: pam_pwdb.c,v 1.3 1997/01/04 20:38:33 morgan Exp morgan $ - * - * This is the single file that will be compiled for pam_unix. - * it includes each of the modules that have beed defined in the .-c - * files in this directory. - * - * It is a little ugly to do it this way, but it is a simple way of - * defining static functions only once, and yet keeping the separate - * files modular. If you can think of something better, please email - * Andrew Morgan <morgan@linux.kernel.org> - * - * See the end of this file for Copyright information. - */ - -/* - * $Log: pam_pwdb.c,v $ - * Revision 1.3 1997/01/04 20:38:33 morgan - * this is not the unix module! - * - * Revision 1.2 1996/12/01 03:03:43 morgan - * debugging code uses _pam_malloc - * - * Revision 1.1 1996/11/10 21:21:24 morgan - * Initial revision - * - * Revision 1.3 1996/09/05 06:44:33 morgan - * more debugging, fixed static structure name - * - * Revision 1.2 1996/09/01 01:05:12 morgan - * Cristian Gafton's patches. - * - * Revision 1.1 1996/08/29 13:22:19 morgan - * Initial revision - * - */ - -static const char rcsid[] = -"$Id: pam_pwdb.c,v 1.3 1997/01/04 20:38:33 morgan Exp morgan $\n" -" - PWDB Pluggable Authentication module. <morgan@linux.kernel.org>" -; - -#ifdef linux -# define _GNU_SOURCE -# include <features.h> -#endif - -#include <sys/types.h> -#include <stdarg.h> -#include <stdlib.h> -#include <stdio.h> -#include <errno.h> -#include <string.h> -#include <syslog.h> -#include <time.h> /* for time() */ -#include <fcntl.h> -#include <ctype.h> - -#define _SVID_SOURCE -#define __USE_BSD -#define _BSD_COMPAT -#include <sys/time.h> -#include <unistd.h> - -#include <pwdb/pwdb_public.h> - -/* indicate the following groups are defined */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - -#include <security/_pam_macros.h> -#include <security/pam_modules.h> - -#ifndef LINUX_PAM -#include <security/pam_appl.h> -#endif /* LINUX_PAM */ - -#include "./support.-c" - -/* - * PAM framework looks for these entry-points to pass control to the - * authentication module. - */ - -#include "./pam_unix_auth.-c" - -PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_auth( pamh, ctrl ); - pwdb_end(); - - return retval; -} - -PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags - , int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_set_credentials(pamh, ctrl) ; - pwdb_end(); - - return retval; -} - -/* - * PAM framework looks for these entry-points to pass control to the - * account management module. - */ - -#include "./pam_unix_acct.-c" - -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_acct_mgmt(pamh, ctrl); - pwdb_end(); - - D(("done.")); - - return retval; -} - -/* - * PAM framework looks for these entry-points to pass control to the - * session module. - */ - -#include "./pam_unix_sess.-c" - -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_open_session(pamh, ctrl); - pwdb_end(); - - return retval; -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_close_session(pamh, ctrl); - pwdb_end(); - - return retval; -} - -/* - * PAM framework looks for these entry-points to pass control to the - * password changing module. - */ - -#include "./pam_unix_passwd.-c" - -PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - D(("called.")); - - pwdb_start(); - ctrl = set_ctrl(flags, argc, argv); - retval = _unix_chauthtok(pamh, ctrl); - pwdb_end(); - - return retval; -} - -/* static module data */ - -#ifdef PAM_STATIC -struct pam_module _pam_pwdb_modstruct = { - "pam_pwdb", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok -}; - -#endif - -/* - * Copyright (c) Andrew G. Morgan, 1996. All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c deleted file mode 100644 index dbd1385..0000000 --- a/contrib/libpam/modules/pam_pwdb/pam_unix_acct.-c +++ /dev/null @@ -1,292 +0,0 @@ -/* - * $Id: pam_unix_acct.-c,v 1.6 1997/01/04 20:37:15 morgan Exp morgan $ - * - * $Log: pam_unix_acct.-c,v $ - * Revision 1.6 1997/01/04 20:37:15 morgan - * extra debugging - * - * Revision 1.5 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.4 1996/11/10 21:03:57 morgan - * pwdb conversion - * - * Revision 1.3 1996/09/05 06:45:45 morgan - * tidied shadow acct management - * - * Revision 1.2 1996/09/01 01:13:14 morgan - * Cristian Gafton's patches - * - * Revision 1.1 1996/08/29 13:27:51 morgan - * Initial revision - * - * - * See end of file for copyright information - */ - -static const char rcsid_acct[] = -"$Id: pam_unix_acct.-c,v 1.6 1997/01/04 20:37:15 morgan Exp morgan $\n" -" - PAM_PWDB account management <gafton@redhat.com>"; - -/* the shadow suite has accout managment.. */ - -static int _shadow_acct_mgmt_exp(pam_handle_t *pamh, unsigned int ctrl, - const struct pwdb *pw, const char *uname) -{ - const struct pwdb_entry *pwe = NULL; - time_t curdays; - int last_change, max_change; - int retval; - - D(("called.")); - - /* Now start the checks */ - - curdays = time(NULL)/(60*60*24); /* today */ - - /* First: has account expired ? (CG) - * - expire < curdays - * - or (last_change + max_change + defer_change) < curdays - * - in both cases, deny access - */ - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "expire", &pwe); - if (retval == PWDB_SUCCESS) { - int expire; - - expire = *( (const int *) pwe->value ); - (void) pwdb_entry_delete(&pwe); /* no longer needed */ - - if ((curdays > expire) && (expire > 0)) { - - _log_err(LOG_NOTICE - , "acct: account %s has expired (account expired)" - , uname); - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "Your account has expired; " - "please contact your system administrator"); - - D(("account expired")); - return PAM_ACCT_EXPIRED; - } - } - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "last_change", &pwe); - if ( retval == PWDB_SUCCESS ) { - last_change = *( (const int *) pwe->value ); - } else { - last_change = curdays; - } - (void) pwdb_entry_delete(&pwe); - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "max_change", &pwe); - if ( retval == PWDB_SUCCESS ) { - max_change = *( (const int *) pwe->value ); - } else { - max_change = -1; - } - (void) pwdb_entry_delete(&pwe); - - D(("pwdb_get_entry")); - retval = pwdb_get_entry(pw, "defer_change", &pwe); - if (retval == PWDB_SUCCESS) { - int defer_change; - - defer_change = *( (const int *) pwe->value ); - (void) pwdb_entry_delete(&pwe); - - if ((curdays > (last_change + max_change + defer_change)) - && (max_change != -1) && (defer_change != -1) - && (last_change > 0)) { - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_NOTICE, "acct: account %s has expired " - "(failed to change password)", uname); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "Your password has expired; " - "please see your system administrator"); - - D(("account expired2")); - return PAM_ACCT_EXPIRED; - } - } - - /* Now test if the password is expired, but the user still can - * change their password. (CG) - * - last_change = 0 - * - last_change + max_change < curdays - */ - - D(("when was the last change")); - if (last_change == 0) { - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_NOTICE - , "acct: expired password for user %s (root enforced)" - , uname); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "You are required to change your password immediately" - ); - - D(("need a new password")); - return PAM_NEW_AUTHTOK_REQD; - } - - if (((last_change + max_change) < curdays) && - (max_change < 99999) && (max_change > 0)) { - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_DEBUG - , "acct: expired password for user %s (password aged)" - , uname); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG - , "Your password has expired; please change it!"); - - D(("need a new password 2")); - return PAM_NEW_AUTHTOK_REQD; - } - - /* - * Now test if the password is about to expire (CG) - * - last_change + max_change - curdays <= warn_change - */ - - retval = pwdb_get_entry(pw, "warn_change", &pwe); - if ( retval == PWDB_SUCCESS ) { - int warn_days, daysleft; - - daysleft = last_change + max_change - curdays; - warn_days = *((const int *) pwe->value); - (void) pwdb_entry_delete(&pwe); - - if ((daysleft <= warn_days) && (warn_days > 0)) { - char *s; - - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_DEBUG - , "acct: password for user %s will expire in %d days" - , uname, daysleft); - } - -#define LocalComment "Warning: your password will expire in %d day%s" - if ((s = (char *) malloc(30+sizeof(LocalComment))) == NULL) { - _log_err(LOG_CRIT, "malloc failure in " __FILE__); - retval = PAM_BUF_ERR; - } else { - - sprintf(s, LocalComment, daysleft, daysleft == 1 ? "":"s"); - - make_remark(pamh, ctrl, PAM_TEXT_INFO, s); - free(s); - } -#undef LocalComment - } - } else { - retval = PAM_SUCCESS; - } - - D(("all done")); - return retval; -} - - -/* - * this function checks for the account details. The user may not be - * permitted to log in at this time etc.. Within the context of - * vanilla Unix, this function simply does nothing. The shadow suite - * added password/account expiry, but PWDB takes care of this - * transparently. - */ - -static int _unix_acct_mgmt(pam_handle_t *pamh, unsigned int ctrl) -{ - const struct pwdb *pw = NULL; - - char *uname=NULL; - int retval; - - D(("called.")); - - /* identify user */ - - retval = pam_get_item(pamh,PAM_USER,(const void **)&uname); - D(("user = `%s'", uname)); - if (retval != PAM_SUCCESS || uname == NULL) { - _log_err(LOG_ALERT - , "acct; could not identify user (from uid=%d)" - , getuid()); - return PAM_USER_UNKNOWN; - } - - /* get database information for user */ - - retval = pwdb_locate("user", PWDB_DEFAULT, uname, PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS || pw == NULL) { - - _log_err(LOG_ALERT, "acct; %s (%s from uid=%d)" - , pwdb_strerror(retval), uname, getuid()); - if ( pw ) { - (void) pwdb_delete(&pw); - } - return PAM_USER_UNKNOWN; - } - - /* now check the user's times etc.. */ - - retval = _shadow_acct_mgmt_exp(pamh, ctrl, pw, uname); - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "expiry check failed for '%s'", uname); - } - - /* Done with pw */ - - (void) pwdb_delete(&pw); - - /* all done */ - - D(("done.")); - return retval; -} - -/* - * Copyright (c) Elliot Lee, 1996. - * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996. - * Copyright (c) Cristian Gafton <gafton@redhat.com> 1996. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c deleted file mode 100644 index 4a1eed0..0000000 --- a/contrib/libpam/modules/pam_pwdb/pam_unix_auth.-c +++ /dev/null @@ -1,129 +0,0 @@ -/* - * $Id: pam_unix_auth.-c,v 1.4 1996/12/01 03:05:54 morgan Exp $ - * - * $Log: pam_unix_auth.-c,v $ - * Revision 1.4 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.3 1996/11/10 21:04:29 morgan - * pwdb conversion - * - * Revision 1.2 1996/09/05 06:46:53 morgan - * fixed comments. Added check for null passwd. - * changed data item name - * - * Revision 1.1 1996/08/29 13:27:51 morgan - * Initial revision - * - * See end of file for Copyright information. - */ - -static const char rcsid_auth[] = -"$Id: pam_unix_auth.-c,v 1.4 1996/12/01 03:05:54 morgan Exp $: pam_unix_auth.-c,v 1.2 1996/09/05 06:46:53 morgan Exp morgan $\n" -" - PAM_PWDB authentication functions. <morgan@parc.power.net>"; - -/* - * _unix_auth() is a front-end for UNIX/shadow authentication - * - * First, obtain the password from the user. Then use a - * routine in 'support.-c' to authenticate the user. - */ - -#define _UNIX_AUTHTOK "-UN*X-PASS" - -static int _unix_auth(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - const char *name, *p; - - D(("called.")); - - /* get the user'name' */ - - retval = _unix_get_user(pamh, ctrl, NULL, &name); - if (retval != PAM_SUCCESS ) { - if ( on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_DEBUG, "auth could not identify user"); - } - return retval; - } - - /* if this user does not have a password... */ - - if ( _unix_blankpasswd(ctrl, name) ) { - D(("user '%s' has blank passwd", name)); - name = NULL; - return PAM_SUCCESS; - } - - /* get this user's authentication token */ - - retval = _unix_read_password(pamh, ctrl, NULL, "Password: ", NULL - , _UNIX_AUTHTOK, &p); - if (retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "auth could not identify password for [%s]" - , name); - name = NULL; - return retval; - } - - /* verify the password of this user */ - - retval = _unix_verify_password(pamh, name, p, ctrl); - name = p = NULL; - - return retval; -} - -/* - * This function is for setting unix credentials. Sun has indicated - * that there are *NO* authentication credentials for unix. The - * obvious credentials would be the group membership of the user as - * listed in the /etc/group file. However, Sun indicates that it is - * the responsibility of the application to set these. - */ - -static int _unix_set_credentials(pam_handle_t *pamh, unsigned int ctrl) -{ - D(("called <empty function> returning.")); - - return PAM_SUCCESS; -} - -/******************************************************************** - * Copyright (c) Alexander O. Yuriev, 1996. - * Copyright (c) Andrew G. Morgan <morgan@parc.power.net> 1996 - * Copyright (c) Cristian Gafton <gafton@redhat.com> 1996, 1997 - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_md.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_md.-c deleted file mode 100644 index cd90b0f..0000000 --- a/contrib/libpam/modules/pam_pwdb/pam_unix_md.-c +++ /dev/null @@ -1,55 +0,0 @@ -/* - * This function is a front-end for the message digest algorithms used - * to compute the user's encrypted passwords. No reversible encryption - * is used here and I intend to keep it that way. - * - * While there are many sources of encryption outside the United - * States, it *may* be illegal to re-export reversible encryption - * computer code. Until such time as it is legal to export encryption - * software freely from the US, please do not send me any. (AGM) - */ - -/* this should have been defined in a header file.. Why wasn't it? AGM */ -extern char *crypt(const char *key, const char *salt); - -#include "md5.h" -#include "bigcrypt.-c" - -struct cfns { - const char *salt; - int len; - char * (* mdfn)(const char *key, const char *salt); -}; - -/* array of non-standard digest algorithms available */ - -#define N_MDS 1 -const static struct cfns cfn_list[N_MDS] = { - { "$1$", 3, crypt_md5 }, -}; - -static char *_pam_md(const char *key, const char *salt) -{ - char *x,*e=NULL; - int i; - - D(("called with key='%s', salt='%s'", key, salt)); - - /* check for non-standard salts */ - - for (i=0; i<N_MDS; ++i) { - if ( !strncmp(cfn_list[i].salt, salt, cfn_list[i].len) ) { - e = cfn_list[i].mdfn(key, salt); - break; - } - } - - if ( i >= N_MDS ) { - e = bigcrypt(key, salt); /* (defaults to standard algorithm) */ - } - - x = x_strdup(e); /* put e in malloc()ed memory */ - _pam_overwrite(e); /* clean up */ - return x; /* this must be deleted elsewhere */ -} - diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c deleted file mode 100644 index 402f7f3..0000000 --- a/contrib/libpam/modules/pam_pwdb/pam_unix_passwd.-c +++ /dev/null @@ -1,371 +0,0 @@ -/* $Id: pam_unix_passwd.-c,v 1.6 1997/04/05 06:31:06 morgan Exp morgan $ */ - -/* - * $Log: pam_unix_passwd.-c,v $ - * Revision 1.6 1997/04/05 06:31:06 morgan - * mostly a reformat. - * - * Revision 1.5 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.4 1996/11/10 21:04:51 morgan - * pwdb conversion - * - * Revision 1.3 1996/09/05 06:48:15 morgan - * A lot has changed. I'd recommend you study the diff. - * - * Revision 1.2 1996/09/01 16:33:27 morgan - * Cristian Gafton's changes - * - * Revision 1.1 1996/08/29 13:21:27 morgan - * Initial revision - * - */ - -static const char rcsid_pass[] = -"$Id: pam_unix_passwd.-c,v 1.6 1997/04/05 06:31:06 morgan Exp morgan $\n" -" - PAM_PWDB password module <morgan@parc.power.net>" -; - -#include "pam_unix_pwupd.-c" - -/* passwd/salt conversion macros */ - -#define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.') -#define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.') - -/* data tokens */ - -#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS" -#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS" - -/* Implementation */ - -/* - * FUNCTION: _pam_unix_chauthtok() - * - * this function works in two passes. The first, when UNIX__PRELIM is - * set, obtains the previous password. It sets the PAM_OLDAUTHTOK item - * or stores it as a data item. The second function obtains a new - * password (verifying if necessary, that the user types it the same a - * second time.) depending on the 'ctrl' flags this new password may - * be stored in the PAM_AUTHTOK item or a private data item. - * - * Having obtained a new password. The function updates the - * /etc/passwd (and optionally the /etc/shadow) file(s). - * - * Provision is made for the creation of a blank shadow file if none - * is available, but one is required to update the shadow file -- the - * intention being for shadow passwords to be seamlessly implemented - * from the generic UNIX scheme. -- THIS BIT IS PRE-ALPHA.. and included - * in this release (.52) mostly for the purpose of discussion. - */ - -static int _unix_chauthtok(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - unsigned int lctrl; - - /* <DO NOT free() THESE> */ - const char *user; - const char *pass_old, *pass_new; - /* </DO NOT free() THESE> */ - - D(("called")); - - /* - * First get the name of a user - */ - - retval = _unix_get_user( pamh, ctrl, "Username: ", &user ); - if ( retval != PAM_SUCCESS ) { - if ( on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_DEBUG, "password - could not identify user"); - } - return retval; - } - - if ( on(UNIX__PRELIM, ctrl) ) { - /* - * obtain and verify the current password (OLDAUTHTOK) for - * the user. - */ - - char *Announce; - - D(("prelim check")); - - if ( _unix_blankpasswd(ctrl, user) ) { - - return PAM_SUCCESS; - - } else if ( off(UNIX__IAMROOT, ctrl) ) { - - /* instruct user what is happening */ -#define greeting "Changing password for " - Announce = (char *) malloc(sizeof(greeting)+strlen(user)); - if (Announce == NULL) { - _log_err(LOG_CRIT, "password - out of memory"); - return PAM_BUF_ERR; - } - (void) strcpy(Announce, greeting); - (void) strcpy(Announce+sizeof(greeting)-1, user); -#undef greeting - - lctrl = ctrl; - set(UNIX__OLD_PASSWD, lctrl); - retval = _unix_read_password( pamh, lctrl - , Announce - , "(current) UNIX password: " - , NULL - , _UNIX_OLD_AUTHTOK - , &pass_old ); - free(Announce); - - if ( retval != PAM_SUCCESS ) { - _log_err(LOG_NOTICE - , "password - (old) token not obtained"); - return retval; - } - - /* verify that this is the password for this user */ - - retval = _unix_verify_password(pamh, user, pass_old, ctrl); - } else { - D(("process run by root so do nothing this time around")); - pass_old = NULL; - retval = PAM_SUCCESS; /* root doesn't have too */ - } - - if ( retval != PAM_SUCCESS ) { - D(("Authentication failed")); - pass_old = NULL; - return retval; - } - - retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old); - pass_old = NULL; - if ( retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "failed to set PAM_OLDAUTHTOK"); - } - - } else if ( on( UNIX__UPDATE, ctrl ) ) { - /* tpass is used below to store the _pam_md() return; it - * should be _pam_delete()'d. */ - - char *tpass=NULL; - - /* - * obtain the proposed password - */ - - D(("do update")); - - /* - * get the old token back. NULL was ok only if root [at this - * point we assume that this has already been enforced on a - * previous call to this function]. - */ - - if ( off(UNIX_NOT_SET_PASS, ctrl) ) { - retval = pam_get_item(pamh, PAM_OLDAUTHTOK - , (const void **)&pass_old); - } else { - retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK - , (const void **)&pass_old); - if (retval == PAM_NO_MODULE_DATA) { - retval = PAM_SUCCESS; - pass_old = NULL; - } - } - - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "user not authenticated"); - return retval; - } - - D(("get new password now")); - - lctrl = ctrl; - - /* - * use_authtok is to force the use of a previously entered - * password -- needed for pluggable password strength checking - */ - - if ( on(UNIX_USE_AUTHTOK, lctrl) ) { - set(UNIX_USE_FIRST_PASS, lctrl); - } - - retval = _unix_read_password( pamh, lctrl - , NULL - , "Enter new UNIX password: " - , "Retype new UNIX password: " - , _UNIX_NEW_AUTHTOK - , &pass_new ); - - if ( retval != PAM_SUCCESS ) { - if ( on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_ALERT - , "password - new password not obtained"); - } - pass_old = NULL; /* tidy up */ - return retval; - } - - D(("returned to _unix_chauthtok")); - - /* - * At this point we know who the user is and what they - * propose as their new password. Verify that the new - * password is acceptable. - */ - - if (pass_new[0] == '\0') { /* "\0" password = NULL */ - pass_new = NULL; - } - - retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new); - - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "new password not acceptable"); - pass_new = pass_old = NULL; /* tidy up */ - return retval; - } - - /* - * By reaching here we have approved the passwords and must now - * rebuild the password database file. - */ - - /* - * First we encrypt the new password. - * - * XXX - this is where we might need some code for RADIUS types - * of password handling... no encryption needed.. - */ - - if ( on(UNIX_MD5_PASS, ctrl) ) { - - /* - * Code lifted from Marek Michalkiewicz's shadow suite. (CG) - * removed use of static variables (AGM) - */ - - struct timeval tv; - MD5_CTX ctx; - unsigned char result[16]; - char *cp = (char *)result; - unsigned char tmp[16]; - int i; - - MD5Init(&ctx); - gettimeofday(&tv, (struct timezone *) 0); - MD5Update(&ctx, (void *) &tv, sizeof tv); - i = getpid(); - MD5Update(&ctx, (void *) &i, sizeof i); - i = clock(); - MD5Update(&ctx, (void *) &i, sizeof i); - MD5Update(&ctx, result, sizeof result); - MD5Final(tmp, &ctx); - strcpy(cp, "$1$"); /* magic for the MD5 */ - cp += strlen(cp); - for (i = 0; i < 8; i++) - *cp++ = i64c(tmp[i] & 077); - *cp = '\0'; - - /* no longer need cleartext */ - pass_new = tpass = _pam_md(pass_new, (const char *)result); - - } else { - /* - * Salt manipulation is stolen from Rick Faith's passwd - * program. Sorry Rick :) -- alex - */ - - time_t tm; - char salt[3]; - - time(&tm); - salt[0] = bin_to_ascii(tm & 0x3f); - salt[1] = bin_to_ascii((tm >> 6) & 0x3f); - salt[2] = '\0'; - - if ( off(UNIX_BIGCRYPT, ctrl) && strlen(pass_new) > 8 ) { - /* to avoid using the _extensions_ of the bigcrypt() - function we truncate the newly entered password */ - char *temp = malloc(9); - - if (temp == NULL) { - _log_err(LOG_CRIT, "out of memory for password"); - pass_new = pass_old = NULL; /* tidy up */ - return PAM_BUF_ERR; - } - - /* copy first 8 bytes of password */ - strncpy(temp, pass_new, 8); - temp[8] = '\0'; - - /* no longer need cleartext */ - pass_new = tpass = _pam_md( temp, salt ); - - _pam_delete(temp); /* tidy up */ - } else { - /* no longer need cleartext */ - pass_new = tpass = _pam_md( pass_new, salt ); - } - } - - D(("password processed")); - - /* update the password database(s) -- race conditions..? */ - - retval = unix_update_db(pamh, ctrl, user, pass_old, pass_new); - pass_old = pass_new = NULL; - - } else { /* something has broken with the module */ - - _log_err(LOG_ALERT, "password received unknown request"); - retval = PAM_ABORT; - - } - - return retval; -} - -/* ****************************************************************** - * Copyright (c) Alexander O. Yuriev (alex@bach.cis.temple.edu), 1996. - * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996, 1997. - * Copyright (c) Cristian Gafton, <gafton@redhat.com> 1996, 1997. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c deleted file mode 100644 index d50031d..0000000 --- a/contrib/libpam/modules/pam_pwdb/pam_unix_pwupd.-c +++ /dev/null @@ -1,272 +0,0 @@ -/* - * $Id: pam_unix_pwupd.-c,v 1.4 1997/01/04 20:35:32 morgan Exp morgan $ - * - * This file contains the routines to update the passwd databases. - * - * $Log: pam_unix_pwupd.-c,v $ - * Revision 1.4 1997/01/04 20:35:32 morgan - * minor comment change - * - * Revision 1.3 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.2 1996/11/10 21:05:09 morgan - * pwdb conversion - * - * - */ - -/* Implementation */ - -static int unix_update_db(pam_handle_t *pamh, int ctrl, const char *user, - const char *pass_old, const char *pass_new) -{ - const struct pwdb *pw=NULL; - const struct pwdb_entry *pwe=NULL; - pwdb_flag flag; - int retval, i; - - D(("called.")); - - /* obtain default user record */ - - retval = pwdb_locate("user", PWDB_DEFAULT, user, PWDB_ID_UNKNOWN, &pw); - if (retval == PWDB_PASS_PHRASE_REQD) { - retval = pwdb_set_entry(pw, "pass_phrase" - , pass_old, 1+strlen(pass_old) - , NULL, NULL, 0); - if (retval == PWDB_SUCCESS) - retval = pwdb_locate("user", pw->source, user - , PWDB_ID_UNKNOWN, &pw); - } - pass_old = NULL; - - if ( retval != PWDB_SUCCESS ) { - _log_err(LOG_ALERT, "cannot identify user %s (uid=%d)" - , user, getuid() ); - pass_new = NULL; - if (pw) - (void) pwdb_delete(&pw); - return PAM_USER_UNKNOWN; - } - - /* check that we can update all of the default databases */ - - retval = pwdb_flags("user", pw->source, &flag); - - if ( retval != PWDB_SUCCESS || ( pwdb_on(flag,PWDB_F_NOUPDATE) ) ) { - _log_err(LOG_ERR, "cannot update default database for user %s" - , user ); - pass_new = NULL; - if (pw) - (void) pwdb_delete(&pw); - return PAM_PERM_DENIED; - } - - /* If there was one, we delete the "last_change" entry */ - retval = pwdb_get_entry(pw, "last_change", &pwe); - if (retval == PWDB_SUCCESS) { - (void) pwdb_entry_delete(&pwe); - pwdb_set_entry(pw, "last_change", NULL, -1, NULL, NULL, 0); - } - - /* - * next check for pam.conf specified databases: shadow etc... [In - * other words, pam.conf indicates which database the password is - * to be subsequently placed in: this is password migration]. - */ - - if ( on(UNIX__SET_DB, ctrl) ) { - const char *db_token; - pwdb_type pt = _PWDB_MAX_TYPES; - - if ( on(UNIX_UNIX, ctrl) ) { - db_token = "U"; /* XXX - should be macro */ - pt = PWDB_UNIX; - } else if ( on(UNIX_SHADOW, ctrl) ) { - db_token = "x"; /* XXX - should be macro */ - pt = PWDB_SHADOW; - } else if ( on(UNIX_RADIUS, ctrl) ) { - db_token = "R"; /* XXX - is this ok? */ - pt = PWDB_RADIUS; - } else { - _log_err(LOG_ALERT - , "cannot determine database to use for authtok"); - pass_new = NULL; - if (pw) - (void) pwdb_delete(&pw); - return PAM_ABORT; /* we're in trouble */ - } - - /* - * Attempt to update the indicated database (only) - */ - - { - pwdb_type tpt[2]; - tpt[0] = pt; - tpt[1] = _PWDB_MAX_TYPES; - - /* Can we set entry in database? */ - retval = pwdb_flags("user", tpt, &flag); - if (retval == PWDB_SUCCESS && !pwdb_on(flag,PWDB_F_NOUPDATE)) { - /* YES. This database is available.. */ - - /* Only update if it is not already in the default list */ - for (i=0; pw->source[i] != _PWDB_MAX_TYPES - && pw->source[i] != pt ; ++i); - if (pw->source[i] == _PWDB_MAX_TYPES) { - const struct pwdb *tpw=NULL; - - /* copy database entry */ - if ((retval = pwdb_new(&tpw, 10)) != PWDB_SUCCESS - || (retval = pwdb_merge(tpw, pw, PWDB_TRUE)) - != PWDB_SUCCESS) { - _log_err(LOG_CRIT, "failed to obtain new pwdb: %s" - , pwdb_strerror(retval)); - retval = PAM_ABORT; - } else - retval = PAM_SUCCESS; - - /* set db_token */ - if (retval == PAM_SUCCESS) { - retval = pwdb_set_entry(tpw, "defer_pass", db_token - , 1+strlen(db_token) - , NULL, NULL, 0); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "set defer_pass -> %s" - , pwdb_strerror(retval)); - retval = PAM_PERM_DENIED; - } else - retval = PAM_SUCCESS; - } - - /* update specific database */ - if (retval == PAM_SUCCESS) { - retval = pwdb_replace("user", tpt - , user, PWDB_ID_UNKNOWN, &tpw); - if (retval != PWDB_SUCCESS) { - const char *service=NULL; - (void) pam_get_item(pamh, PAM_SERVICE - , (const void **)&service); - _log_err(LOG_ALERT - , "(%s) specified database failed: %s" - , service - , pwdb_strerror(retval)); - retval = PAM_PERM_DENIED; - } else { - retval = PAM_SUCCESS; - } - } - - /* clean up temporary pwdb */ - if (tpw) - (void) pwdb_delete(&tpw); - } - - /* we can properly adopt new defer_pass */ - if (retval == PAM_SUCCESS) { - /* failing here will mean we go back to former - password location */ - (void) pwdb_set_entry(pw, "defer_pass", db_token - , 1+strlen(db_token), NULL, NULL, 0); - } - } - } - } - - /* - * the password will now be placed in appropriate (perhaps original) db - */ - - retval = pwdb_get_entry(pw, "uid", &pwe); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "no uid!? (%s); %s", user, pwdb_strerror(retval)); - pass_new = NULL; - if (pw) - (void) pwdb_delete(&pw); - return PAM_USER_UNKNOWN; - } - - /* insert the passwd into the 'pw' structure */ - - retval = pwdb_set_entry(pw, "passwd", pass_new, 1+strlen(pass_new) - , NULL, NULL, 0); - pass_new = NULL; - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "set2 failed; %s", pwdb_strerror(retval)); - if (pw) - (void) pwdb_delete(&pw); - return PAM_AUTHTOK_LOCK_BUSY; - } - - retval = pwdb_replace("user", pw->source, user - , *((uid_t *)pwe->value), &pw); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "user (%s/%d) update failed; %s" - , user, *((uid_t *)pwe->value), pwdb_strerror(retval)); - if (pw) - (void) pwdb_delete(&pw); - (void) pwdb_entry_delete(&pwe); - return PAM_ABORT; - } - - if (retval != PWDB_SUCCESS) { - - _log_err(LOG_ALERT, "user (%s/%d) update failed; %s" - , user, *((uid_t *)pwe->value), pwdb_strerror(retval)); - retval = PAM_ABORT; - - } else { - /* password updated */ - - _log_err(LOG_INFO, "password for (%s/%d) changed by (%s/%d)" - , user, *((uid_t *)pwe->value), getlogin(), getuid()); - retval = PAM_SUCCESS; - } - - /* tidy up */ - - (void) pwdb_entry_delete(&pwe); - if (pw) - (void) pwdb_delete(&pw); - - return retval; -} - -/* ****************************************************************** - * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996,1997. - * Copyright (c) Cristian Gafton, <gafton@redhat.com> 1996, 1997. - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c b/contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c deleted file mode 100644 index 49ce96c..0000000 --- a/contrib/libpam/modules/pam_pwdb/pam_unix_sess.-c +++ /dev/null @@ -1,112 +0,0 @@ -/* - * $Id: pam_unix_sess.-c,v 1.4 1996/12/01 03:05:54 morgan Exp morgan $ - * - * $Log: pam_unix_sess.-c,v $ - * Revision 1.4 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.3 1996/11/10 21:05:33 morgan - * pwdb conversion - * - * Revision 1.2 1996/09/05 06:49:02 morgan - * more informative logging - * - * Revision 1.1 1996/08/29 13:27:51 morgan - * Initial revision - * - * - * See end for Copyright information - */ - -static const char rcsid_sess[] = -"$Id: pam_unix_sess.-c,v 1.4 1996/12/01 03:05:54 morgan Exp morgan $\n" -" - PAM_PWDB session management. morgan@parc.power.net"; - -/* Define internal functions */ - -static int _unix_open_session(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - char *user_name, *service; - - D(("called.")); - - retval = pam_get_item( pamh, PAM_USER, (void *) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service ); - if ( service == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "open_session - error recovering service"); - return PAM_SESSION_ERR; - } - - _log_err(LOG_INFO, "(%s) session opened for user %s by %s(uid=%d)" - , service, user_name - , getlogin() == NULL ? "":getlogin(), getuid() ); - - return PAM_SUCCESS; -} - -static int _unix_close_session(pam_handle_t *pamh, unsigned int ctrl) -{ - int retval; - char *user_name, *service; - - D(("called.")); - - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "close_session - error recovering username"); - return PAM_SESSION_ERR; - } - - retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service ); - if ( service == NULL || retval != PAM_SUCCESS ) { - _log_err(LOG_CRIT, "close_session - error recovering service"); - return PAM_SESSION_ERR; - } - - _log_err(LOG_INFO, "(%s) session closed for user %s" - , service, user_name ); - - return PAM_SUCCESS; -} - -/* - * Copyright (c) Alexander O. Yuriev, 1996. All rights reserved. - * Copyright (c) Andrew G. Morgan, 1996, <morgan@parc.power.net> - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c b/contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c deleted file mode 100644 index 6332eaa..0000000 --- a/contrib/libpam/modules/pam_pwdb/pwdb_chkpwd.c +++ /dev/null @@ -1,208 +0,0 @@ -/* - * $Id: pwdb_chkpwd.c,v 1.1 1997/02/15 17:26:18 morgan Exp $ - * - * This program is designed to run setuid(root) or with sufficient - * privilege to read all of the unix password databases. It is designed - * to provide a mechanism for the current user (defined by this - * process' real uid) to verify their own password. - * - * The password is read from the standard input. The exit status of - * this program indicates whether the user is authenticated or not. - * - * Copyright information is located at the end of the file. - * - * $Log: pwdb_chkpwd.c,v $ - * Revision 1.1 1997/02/15 17:26:18 morgan - * Initial revision - * - * Revision 1.1 1996/11/10 21:20:51 morgan - * Initial revision - * - */ - -#ifdef linux -# define _GNU_SOURCE -# include <features.h> -#endif - -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <unistd.h> - -#include <security/_pam_macros.h> - -#define MAXPASS 200 /* the maximum length of a password */ - -#define UNIX_PASSED (PWDB_SUCCESS) -#define UNIX_FAILED (PWDB_SUCCESS+1) - -#include <pwdb/pwdb_public.h> - -/* syslogging function for errors and other information */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pwdb_chkpwd", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -#include "pam_unix_md.-c" - -static int _unix_verify_passwd(const char *salt, const char *p) -{ - char *pp=NULL; - int retval; - - if (p == NULL) { - if (*salt == '\0') { - retval = UNIX_PASSED; - } else { - retval = UNIX_FAILED; - } - } else { - pp = _pam_md(p, salt); - p = NULL; /* no longer needed here */ - - if ( strcmp( pp, salt ) == 0 ) { - retval = UNIX_PASSED; - } else { - retval = UNIX_FAILED; - } - } - - /* clean up */ - { - char *tp = pp; - if (pp != NULL) { - while(tp && *tp) - *tp++ = '\0'; - free(pp); - pp = tp = NULL; - } - } - - return retval; -} - -void main(void) -{ - const struct pwdb *pw=NULL; - const struct pwdb_entry *pwe=NULL; - char pass[MAXPASS+1]; - int npass; - int retval=UNIX_FAILED; - - /* - * we establish that this program is running with non-tty stdin. - * this is to discourage casual use. It does *NOT* prevent an - * intruder from repeatadly running this program to determine the - * password of the current user (brute force attack, but one for - * which the attacker must already have gained access to the user's - * account). - */ - - if ( isatty(STDIN_FILENO) ) { - _log_err(LOG_NOTICE - , "inappropriate use of PWDB helper binary [UID=%d]" - , getuid() ); - fprintf(stderr, - "This program is not designed for running in this way\n" - "-- the system administrator has been informed\n"); - exit(UNIX_FAILED); - } - - /* - * determine the current user's name: - */ - - retval = pwdb_start(); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "failed to open pwdb"); - retval = UNIX_FAILED; - } - if (retval != UNIX_FAILED) { - retval = pwdb_locate("user", PWDB_DEFAULT, PWDB_NAME_UNKNOWN - , getuid(), &pw); - } - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "could not identify user"); - while (pwdb_end() != PWDB_SUCCESS); - exit(UNIX_FAILED); - } - - /* read the password from stdin (a pipe from the pam_pwdb module) */ - - npass = read(STDIN_FILENO, pass, MAXPASS); - - if (npass < 0) { /* is it a valid password? */ - _log_err(LOG_DEBUG, "no password supplied"); - retval = UNIX_FAILED; - } else if (npass >= MAXPASS-1) { - _log_err(LOG_DEBUG, "password too long"); - retval = UNIX_FAILED; - } else if (pwdb_get_entry(pw, "passwd", &pwe) != PWDB_SUCCESS) { - _log_err(LOG_WARNING, "password not found"); - retval = UNIX_FAILED; - } else { - if (npass <= 0) { - /* the password is NULL */ - - retval = _unix_verify_passwd((const char *)(pwe->value), NULL); - } else { - /* does pass agree with the official one? */ - - pass[npass] = '\0'; /* NUL terminate */ - retval = _unix_verify_passwd((const char *)(pwe->value), pass); - } - } - - memset(pass, '\0', MAXPASS); /* clear memory of the password */ - while (pwdb_end() != PWDB_SUCCESS); - - /* return pass or fail */ - - exit(retval); -} - -/* - * Copyright (c) Andrew G. Morgan, 1997. All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_pwdb/support.-c b/contrib/libpam/modules/pam_pwdb/support.-c deleted file mode 100644 index 71e212d..0000000 --- a/contrib/libpam/modules/pam_pwdb/support.-c +++ /dev/null @@ -1,910 +0,0 @@ -/* - * $Id: support.-c,v 1.7 1997/04/05 06:32:06 morgan Exp morgan $ - * - * $Log: support.-c,v $ - * Revision 1.7 1997/04/05 06:32:06 morgan - * new option and also deleted _readto - * - * Revision 1.6 1997/02/15 17:27:20 morgan - * added helper binary to password checking - * - * Revision 1.5 1996/12/01 03:05:54 morgan - * debugging with _pam_macros.h - * - * Revision 1.4 1996/11/10 21:06:07 morgan - * pwdb conversion - * - * Copyright information at end of file. - */ - -/* - * here is the string to inform the user that the new passwords they - * typed were not the same. - */ - -#define MISTYPED_PASS "Sorry, passwords do not match" - -/* type definition for the control options */ - -typedef struct { - const char *token; - unsigned int mask; /* shall assume 32 bits of flags */ - unsigned int flag; -} UNIX_Ctrls; - -/* - * macro to determine if a given flag is on - */ - -#define on(x,ctrl) (unix_args[x].flag & ctrl) - -/* - * macro to determine that a given flag is NOT on - */ - -#define off(x,ctrl) (!on(x,ctrl)) - -/* - * macro to turn on/off a ctrl flag manually - */ - -#define set(x,ctrl) (ctrl = ((ctrl)&unix_args[x].mask)|unix_args[x].flag) -#define unset(x,ctrl) (ctrl &= ~(unix_args[x].flag)) - -/* the generic mask */ - -#define _ALL_ON_ (~0U) - -/* end of macro definitions definitions for the control flags */ - -/* ****************************************************************** * - * ctrl flags proper.. - */ - -/* - * here are the various options recognized by the unix module. They - * are enumerated here and then defined below. Internal arguments are - * given NULL tokens. - */ - -#define UNIX__OLD_PASSWD 0 /* internal */ -#define UNIX__VERIFY_PASSWD 1 /* internal */ -#define UNIX__IAMROOT 2 /* internal */ - -#define UNIX_AUDIT 3 /* print more things than debug.. - some information may be sensitive */ -#define UNIX_USE_FIRST_PASS 4 -#define UNIX_TRY_FIRST_PASS 5 -#define UNIX_NOT_SET_PASS 6 /* don't set the AUTHTOK items */ - -#define UNIX__PRELIM 7 /* internal */ -#define UNIX__UPDATE 8 /* internal */ -#define UNIX__NONULL 9 /* internal */ -#define UNIX__QUIET 10 /* internal */ -#define UNIX_USE_AUTHTOK 11 /* insist on reading PAM_AUTHTOK */ -#define UNIX_SHADOW 12 /* signal shadow on */ -#define UNIX_MD5_PASS 13 /* force the use of MD5 passwords */ -#define UNIX__NULLOK 14 /* Null token ok */ -#define UNIX_RADIUS 15 /* wish to use RADIUS for password */ -#define UNIX__SET_DB 16 /* internal - signals redirect to db */ -#define UNIX_DEBUG 17 /* send more info to syslog(3) */ -#define UNIX_NODELAY 18 /* admin does not want a fail-delay */ -#define UNIX_UNIX 19 /* wish to use /etc/passwd for pwd */ -#define UNIX_BIGCRYPT 20 /* use DEC-C2 crypt()^x function */ -/* -------------- */ -#define UNIX_CTRLS_ 21 /* number of ctrl arguments defined */ - - -static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = { -/* symbol token name ctrl mask ctrl * - * ------------------ ------------------ -------------- ---------- */ - -/* UNIX__OLD_PASSWD */ { NULL, _ALL_ON_, 01 }, -/* UNIX__VERIFY_PASSWD */ { NULL, _ALL_ON_, 02 }, -/* UNIX__IAMROOT */ { NULL, _ALL_ON_, 04 }, -/* UNIX_AUDIT */ { "audit", _ALL_ON_, 010 }, -/* UNIX_USE_FIRST_PASS */ { "use_first_pass", _ALL_ON_^(060), 020 }, -/* UNIX_TRY_FIRST_PASS */ { "try_first_pass", _ALL_ON_^(060), 040 }, -/* UNIX_NOT_SET_PASS */ { "not_set_pass", _ALL_ON_, 0100 }, -/* UNIX__PRELIM */ { NULL, _ALL_ON_^(0600), 0200 }, -/* UNIX__UPDATE */ { NULL, _ALL_ON_^(0600), 0400 }, -/* UNIX__NONULL */ { NULL, _ALL_ON_, 01000 }, -/* UNIX__QUIET */ { NULL, _ALL_ON_, 02000 }, -/* UNIX_USE_AUTHTOK */ { "use_authtok", _ALL_ON_, 04000 }, -/* UNIX_SHADOW */ { "shadow", _ALL_ON_^(0140000), 010000 }, -/* UNIX_MD5_PASS */ { "md5", _ALL_ON_^(02000000), 020000 }, -/* UNIX__NULLOK */ { "nullok", _ALL_ON_^(01000), 0 }, -/* UNIX_RADIUS */ { "radius", _ALL_ON_^(0110000), 040000 }, -/* UNIX__SET_DB */ { NULL, _ALL_ON_, 0100000 }, -/* UNIX_DEBUG */ { "debug", _ALL_ON_, 0200000 }, -/* UNIX_NODELAY */ { "nodelay", _ALL_ON_, 0400000 }, -/* UNIX_UNIX */ { "unix", _ALL_ON_^(050000), 01000000 }, -/* UNIX_BIGCRYPT */ { "bigcrypt", _ALL_ON_^(020000), 02000000 }, -}; - -#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) - -/* syslogging function for errors and other information */ - -static void _log_err(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM_pwdb", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* this is a front-end for module-application conversations */ - -static int converse(pam_handle_t *pamh, int ctrl, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - D(("begin to converse")); - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) { - - retval = conv->conv(nargs, ( const struct pam_message ** ) message - , response, conv->appdata_ptr); - - D(("returned from application's conversation function")); - - if (retval != PAM_SUCCESS && on(UNIX_DEBUG,ctrl) ) { - _log_err(LOG_DEBUG, "conversation failure [%s]" - , pam_strerror(pamh, retval)); - } - - } else { - _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" - , pam_strerror(pamh, retval)); - } - - D(("ready to return from module conversation")); - - return retval; /* propagate error status */ -} - -static int make_remark(pam_handle_t *pamh, unsigned int ctrl - , int type, const char *text) -{ - int retval=PAM_SUCCESS; - - if ( off(UNIX__QUIET, ctrl) ) { - struct pam_message *pmsg[1], msg[1]; - struct pam_response *resp; - - pmsg[0] = &msg[0]; - msg[0].msg = text; - msg[0].msg_style = type; - - resp = NULL; - retval = converse(pamh, ctrl, 1, pmsg, &resp); - - if (resp) { - _pam_drop_reply(resp, 1); - } - } - return retval; -} - -/* - * set the control flags for the UNIX module. - */ - -static int set_ctrl(int flags, int argc, const char **argv) -{ - unsigned int ctrl; - - D(("called.")); - - ctrl = UNIX_DEFAULTS; /* the default selection of options */ - - /* set some flags manually */ - - if ( getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK) ) { - set(UNIX__IAMROOT, ctrl); - } - if ( flags & PAM_UPDATE_AUTHTOK ) { - set(UNIX__UPDATE, ctrl); - } - if ( flags & PAM_PRELIM_CHECK ) { - set(UNIX__PRELIM, ctrl); - } - if ( flags & PAM_DISALLOW_NULL_AUTHTOK ) { - set(UNIX__NONULL, ctrl); - } - if ( flags & PAM_SILENT ) { - set(UNIX__QUIET, ctrl); - } - - /* now parse the arguments to this module */ - - while (argc-- > 0) { - int j; - - D(("pam_pwdb arg: %s",*argv)); - - for (j=0; j<UNIX_CTRLS_; ++j) { - if (unix_args[j].token - && ! strcmp(*argv, unix_args[j].token) ) { - break; - } - } - - if ( j >= UNIX_CTRLS_ ) { - _log_err(LOG_ERR, "unrecognized option [%s]",*argv); - } else { - ctrl &= unix_args[j].mask; /* for turning things off */ - ctrl |= unix_args[j].flag; /* for turning things on */ - } - - ++argv; /* step to next argument */ - } - - /* these are used for updating passwords in specific places */ - - if (on(UNIX_SHADOW,ctrl) || on(UNIX_RADIUS,ctrl) || on(UNIX_UNIX,ctrl)) { - set(UNIX__SET_DB, ctrl); - } - - /* auditing is a more sensitive version of debug */ - - if ( on(UNIX_AUDIT,ctrl) ) { - set(UNIX_DEBUG, ctrl); - } - - /* return the set of flags */ - - D(("done.")); - return ctrl; -} - -/* use this to free strings. ESPECIALLY password strings */ - -static char *_pam_delete(register char *xx) -{ - _pam_overwrite(xx); - _pam_drop(xx); - return NULL; -} - -static void _cleanup(pam_handle_t *pamh, void *x, int error_status) -{ - x = _pam_delete( (char *) x ); -} - -/* ************************************************************** * - * Useful non-trivial functions * - * ************************************************************** */ - -#include "pam_unix_md.-c" - -/* - * the following is used to keep track of the number of times a user fails - * to authenticate themself. - */ - -#define FAIL_PREFIX "-UN*X-FAIL-" -#define UNIX_MAX_RETRIES 3 - -struct _pam_failed_auth { - char *user; /* user that's failed to be authenticated */ - char *name; /* attempt from user with name */ - int id; /* uid of name'd user */ - int count; /* number of failures so far */ -}; - -#ifndef PAM_DATA_REPLACE -#error "Need to get an updated libpam 0.52 or better" -#endif - -static void _cleanup_failures(pam_handle_t *pamh, void *fl, int err) -{ - int quiet; - const char *service=NULL; - struct _pam_failed_auth *failure; - - D(("called")); - - quiet = err & PAM_DATA_SILENT; /* should we log something? */ - err &= PAM_DATA_REPLACE; /* are we just replacing data? */ - failure = (struct _pam_failed_auth *) fl; - - if ( failure != NULL ) { - - if ( !quiet && !err ) { /* under advisement from Sun,may go away */ - - /* log the number of authentication failures */ - if ( failure->count != 0 ) { - (void) pam_get_item(pamh, PAM_SERVICE - , (const void **)&service); - _log_err(LOG_NOTICE - , "%d authentication failure%s; %s(uid=%d) -> " - "%s for %s service" - , failure->count, failure->count==1 ? "":"s" - , failure->name - , failure->id - , failure->user - , service == NULL ? "**unknown**":service - ); - if ( failure->count > UNIX_MAX_RETRIES ) { - _log_err(LOG_ALERT - , "service(%s) ignoring max retries; %d > %d" - , service == NULL ? "**unknown**":service - , failure->count - , UNIX_MAX_RETRIES ); - } - } - } - failure->user = _pam_delete(failure->user); /* tidy up */ - failure->name = _pam_delete(failure->name); /* tidy up */ - free(failure); - } -} - -/* - * verify the password of a user - */ - -#include <sys/types.h> -#include <sys/wait.h> - -static int pwdb_run_helper_binary(pam_handle_t *pamh, const char *passwd) -{ - int retval, child, fds[2]; - - D(("called.")); - /* create a pipe for the password */ - if (pipe(fds) != 0) { - D(("could not make pipe")); - return PAM_AUTH_ERR; - } - - /* fork */ - child = fork(); - if (child == 0) { - static char *args[] = { NULL, NULL }; - static char *envp[] = { NULL }; - - /* XXX - should really tidy up PAM here too */ - while (pwdb_end() == PWDB_SUCCESS); - - /* reopen stdin as pipe */ - close(fds[1]); - dup2(fds[0], STDIN_FILENO); - - /* exec binary helper */ - args[0] = x_strdup(CHKPWD_HELPER); - execve(CHKPWD_HELPER, args, envp); - - /* should not get here: exit with error */ - D(("helper binary is not available")); - exit(PWDB_SUCCESS+1); - } else if (child > 0) { - /* wait for child */ - close(fds[0]); - if (passwd != NULL) { /* send the password to the child */ - write(fds[1], passwd, strlen(passwd)+1); - passwd = NULL; - } else { - write(fds[1], "", 1); /* blank password */ - } - close(fds[1]); - (void) waitpid(child, &retval, 0); /* wait for helper to complete */ - retval = (retval == PWDB_SUCCESS) ? PAM_SUCCESS:PAM_AUTH_ERR; - } else { - D(("fork failed")); - retval = PAM_AUTH_ERR; - } - - D(("returning %d", retval)); - return retval; -} - -static int _unix_verify_password(pam_handle_t *pamh, const char *name - , const char *p, unsigned int ctrl) -{ - const struct pwdb *pw=NULL; - const struct pwdb_entry *pwe=NULL; - - const char *salt; - char *pp; - char *data_name; - int retval; - - D(("called")); - -#ifdef HAVE_PAM_FAIL_DELAY - if ( off(UNIX_NODELAY, ctrl) ) { - D(("setting delay")); - (void) pam_fail_delay(pamh, 1000000); /* 1 sec delay for on failure */ - } -#endif - - /* locate the entry for this user */ - - D(("locating user's record")); - retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw); - if (retval == PWDB_PASS_PHRASE_REQD) { - /* - * give the password to the pwdb library. It may be needed to - * access the database - */ - - retval = pwdb_set_entry( pw, "pass_phrase", p, 1+strlen(p) - , NULL, NULL, 0); - if (retval != PWDB_SUCCESS) { - _log_err(LOG_ALERT, "find pass; %s", pwdb_strerror(retval)); - (void) pwdb_delete(&pw); - p = NULL; - return PAM_CRED_INSUFFICIENT; - } - - retval = pwdb_locate("user", pw->source, name, PWDB_ID_UNKNOWN, &pw); - } - - if (retval != PWDB_SUCCESS) { - D(("user's record unavailable")); - if ( on(UNIX_AUDIT, ctrl) ) { - /* this might be a typo and the user has given a password - instead of a username. Careful with this. */ - _log_err(LOG_ALERT, "check pass; user (%s) unknown", name); - } else { - _log_err(LOG_ALERT, "check pass; user unknown"); - } - (void) pwdb_delete(&pw); - p = NULL; - return PAM_USER_UNKNOWN; - } - - /* - * courtesy of PWDB the password for the user is stored in - * encrypted form in the "passwd" entry of pw. - */ - - retval = pwdb_get_entry(pw, "passwd", &pwe); - if (retval != PWDB_SUCCESS) { - if (geteuid()) { - /* we are not root perhaps this is the reason? Run helper */ - D(("running helper binary")); - retval = pwdb_run_helper_binary(pamh, p); - } else { - retval = PAM_AUTHINFO_UNAVAIL; - _log_err(LOG_ALERT, "get passwd; %s", pwdb_strerror(retval)); - } - (void) pwdb_delete(&pw); - p = NULL; - return retval; - } - salt = (const char *) pwe->value; - - /* - * XXX: Cristian, the above is not the case for RADIUS(?) Some - * lines should be added for RADIUS to verify the password in - * clear text... - */ - - if ( ( !salt ) && ( !p ) ) { - - /* the stored password is NULL */ - - (void) pwdb_entry_delete(&pwe); - (void) pwdb_delete(&pw); - - if ( off(UNIX__NONULL, ctrl ) ) { /* this means we've succeeded */ - return PAM_SUCCESS; - } else { - return PAM_AUTH_ERR; - } - } - - pp = _pam_md(p, salt); - p = NULL; /* no longer needed here */ - - data_name = (char *) malloc(sizeof(FAIL_PREFIX)+strlen(name)); - if ( data_name == NULL ) { - _log_err(LOG_CRIT, "no memory for data-name"); - } - strcpy(data_name, FAIL_PREFIX); - strcpy(data_name + sizeof(FAIL_PREFIX)-1, name); - - /* the moment of truth -- do we agree with the password? */ - - if ( strcmp( pp, salt ) == 0 ) { - - retval = PAM_SUCCESS; - if (data_name) { /* reset failures */ - pam_set_data(pamh, data_name, NULL, _cleanup_failures); - } - - } else { - - retval = PAM_AUTH_ERR; - if (data_name != NULL) { - struct _pam_failed_auth *new=NULL; - const struct _pam_failed_auth *old=NULL; - - /* get a failure recorder */ - - new = (struct _pam_failed_auth *) - malloc(sizeof(struct _pam_failed_auth)); - - if (new != NULL) { - - /* any previous failures for this user ? */ - pam_get_data(pamh, data_name, (const void **)&old ); - - if (old != NULL) { - new->count = old->count +1; - if (new->count >= UNIX_MAX_RETRIES) { - retval = PAM_MAXTRIES; - } - } else { - new->count = 1; - } - new->user = x_strdup(name); - new->id = getuid(); - new->name = x_strdup(getlogin() ? getlogin():"" ); - - pam_set_data(pamh, data_name, new, _cleanup_failures); - - } else { - _log_err(LOG_CRIT, "no memory for failure recorder"); - } - } - - } - - (void) pwdb_entry_delete(&pwe); - (void) pwdb_delete(&pw); - salt = NULL; - _pam_delete(data_name); - _pam_delete(pp); - - return retval; -} - -/* - * this function obtains the name of the current user and ensures - * that the PAM_USER item is set to this value - */ - -static int _unix_get_user(pam_handle_t *pamh, unsigned int ctrl - , const char *prompt, const char **user) -{ - int retval; - - D(("called")); - - retval = pam_get_user(pamh, user, prompt); - if (retval != PAM_SUCCESS) { - D(("trouble reading username")); - return retval; - } - - /* - * Various libraries at various times have had bugs related to - * '+' or '-' as the first character of a user name. Don't take - * any chances here. Require that the username starts with an - * alphanumeric character. - */ - - if (!isalnum(**user)) { - if (on(UNIX_DEBUG,ctrl) || **user) { - _log_err(LOG_ERR, "bad username [%s]", *user); - } - return PAM_USER_UNKNOWN; - } - - if (retval == PAM_SUCCESS && on(UNIX_DEBUG,ctrl)) { - _log_err(LOG_DEBUG, "username [%s] obtained", *user); - } - - return retval; -} - -/* - * _unix_blankpasswd() is a quick check for a blank password - * - * returns TRUE if user does not have a password - * - to avoid prompting for one in such cases (CG) - */ - -static int _unix_blankpasswd(unsigned int ctrl, const char *name) -{ - const struct pwdb *pw=NULL; - const struct pwdb_entry *pwe=NULL; - int retval; - - D(("called")); - - /* - * This function does not have to be too smart if something goes - * wrong, return FALSE and let this case to be treated somewhere - * else (CG) - */ - - if ( on(UNIX__NONULL, ctrl) ) - return 0; /* will fail but don't let on yet */ - - /* find the user's database entry */ - - retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw); - if (retval != PWDB_SUCCESS || pw == NULL ) { - - retval = 0; - - } else { - - /* Does this user have a password? */ - - retval = pwdb_get_entry(pw, "passwd", &pwe); - if ( retval != PWDB_SUCCESS || pwe == NULL ) - retval = 0; - else if ( pwe->value == NULL || ((char *)pwe->value)[0] == '\0' ) - retval = 1; - else - retval = 0; - - } - - /* tidy up */ - - if ( pw ) { - (void) pwdb_delete(&pw); - if ( pwe ) - (void) pwdb_entry_delete(&pwe); - } - - return retval; -} - -/* - * obtain a password from the user - */ - -static int _unix_read_password( pam_handle_t *pamh - , unsigned int ctrl - , const char *comment - , const char *prompt1 - , const char *prompt2 - , const char *data_name - , const char **pass ) -{ - int authtok_flag; - int retval; - const char *item; - char *token; - - D(("called")); - - /* - * make sure nothing inappropriate gets returned - */ - - *pass = token = NULL; - - /* - * which authentication token are we getting? - */ - - authtok_flag = on(UNIX__OLD_PASSWD,ctrl) ? PAM_OLDAUTHTOK:PAM_AUTHTOK ; - - /* - * should we obtain the password from a PAM item ? - */ - - if ( on(UNIX_TRY_FIRST_PASS,ctrl) || on(UNIX_USE_FIRST_PASS,ctrl) ) { - retval = pam_get_item(pamh, authtok_flag, (const void **) &item); - if (retval != PAM_SUCCESS ) { - /* very strange. */ - _log_err(LOG_ALERT - , "pam_get_item returned error to unix-read-password" - ); - return retval; - } else if (item != NULL) { /* we have a password! */ - *pass = item; - item = NULL; - return PAM_SUCCESS; - } else if (on(UNIX_USE_FIRST_PASS,ctrl)) { - return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */ - } else if (on(UNIX_USE_AUTHTOK, ctrl) - && off(UNIX__OLD_PASSWD, ctrl)) { - return PAM_AUTHTOK_RECOVER_ERR; - } - } - - /* - * getting here implies we will have to get the password from the - * user directly. - */ - - { - struct pam_message msg[3],*pmsg[3]; - struct pam_response *resp; - int i, replies; - - /* prepare to converse */ - - if ( comment != NULL && off(UNIX__QUIET, ctrl) ) { - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; - msg[0].msg = comment; - i = 1; - } else { - i = 0; - } - - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt1; - replies = 1; - - if ( prompt2 != NULL ) { - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = prompt2; - ++replies; - } - - /* so call the conversation expecting i responses */ - resp = NULL; - retval = converse(pamh, ctrl, i, pmsg, &resp); - - if (resp != NULL) { - - /* interpret the response */ - - if (retval == PAM_SUCCESS) { /* a good conversation */ - - token = x_strdup(resp[i-replies].resp); - if (token != NULL) { - if (replies == 2) { - - /* verify that password entered correctly */ - if (!resp[i-1].resp - || strcmp(token,resp[i-1].resp)) { - token = _pam_delete(token); /* mistyped */ - retval = PAM_AUTHTOK_RECOVER_ERR; - make_remark(pamh, ctrl - , PAM_ERROR_MSG, MISTYPED_PASS); - } - } - - } else { - _log_err(LOG_NOTICE - , "could not recover authentication token"); - } - - } - - /* - * tidy up the conversation (resp_retcode) is ignored - * -- what is it for anyway? AGM - */ - - _pam_drop_reply(resp, i); - - } else { - retval = (retval == PAM_SUCCESS) - ? PAM_AUTHTOK_RECOVER_ERR:retval ; - } - } - - if (retval != PAM_SUCCESS) { - if ( on(UNIX_DEBUG,ctrl) ) - _log_err(LOG_DEBUG,"unable to obtain a password"); - return retval; - } - - /* 'token' is the entered password */ - - if ( off(UNIX_NOT_SET_PASS, ctrl) ) { - - /* we store this password as an item */ - - retval = pam_set_item(pamh, authtok_flag, token); - token = _pam_delete(token); /* clean it up */ - if ( retval != PAM_SUCCESS - || (retval = pam_get_item(pamh, authtok_flag - , (const void **)&item)) - != PAM_SUCCESS ) { - - _log_err(LOG_CRIT, "error manipulating password"); - return retval; - - } - - } else { - /* - * then store it as data specific to this module. pam_end() - * will arrange to clean it up. - */ - - retval = pam_set_data(pamh, data_name, (void *) token, _cleanup); - if (retval != PAM_SUCCESS) { - _log_err(LOG_CRIT, "error manipulating password data [%s]" - , pam_strerror(pamh, retval) ); - token = _pam_delete(token); - return retval; - } - item = token; - token = NULL; /* break link to password */ - } - - *pass = item; - item = NULL; /* break link to password */ - - return PAM_SUCCESS; -} - -static int _pam_unix_approve_pass(pam_handle_t *pamh - , unsigned int ctrl - , const char *pass_old - , const char *pass_new) -{ - D(("&new=%p, &old=%p",pass_old,pass_new)); - D(("new=[%s]",pass_new)); - D(("old=[%s]",pass_old)); - - if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) { - if ( on(UNIX_DEBUG, ctrl) ) { - _log_err(LOG_DEBUG, "bad authentication token"); - } - make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? - "No password supplied":"Password unchanged" ); - return PAM_AUTHTOK_ERR; - } - - /* - * if one wanted to hardwire authentication token strength - * checking this would be the place - AGM - */ - - return PAM_SUCCESS; -} - -/* ****************************************************************** * - * Copyright (c) Andrew G. Morgan, <morgan@parc.power.net> 1996. - * Copyright (c) Alex O. Yuriev, 1996. - * Copyright (c) Cristian Gafton 1996. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - diff --git a/contrib/libpam/modules/pam_radius/Makefile b/contrib/libpam/modules/pam_radius/Makefile deleted file mode 100644 index a74b911..0000000 --- a/contrib/libpam/modules/pam_radius/Makefile +++ /dev/null @@ -1,99 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Cristian Gafton <gafton@redhat.com> 1996/09/10 -# -# STATIC modules are not supported -# - -TITLE=pam_radius -CONFD=$(CONFIGED)/security -export CONFD -CONFILE=$(CONFD)/radius.conf -export CONFILE - -ifeq ($(HAVE_PWDBLIB),yes) - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o - -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -#LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -#static/%.o : %.c -# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -#ifdef STATIC -#LIBSTATIC = lib$(TITLE).o -#endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -#ifdef STATIC -# $(MKDIR) ./static -#endif - -register: -#ifdef STATIC -# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -#endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -lpwdb -endif - -#ifdef STATIC -#$(LIBOBJS): $(LIBSRC) -# -#$(LIBSTATIC): $(LIBOBJS) -# $(LD) -r -o $@ $(LIBOBJS) -lpwdb -#endif - -install: all -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - -else - -include ../dont_makefile - -endif diff --git a/contrib/libpam/modules/pam_radius/README b/contrib/libpam/modules/pam_radius/README deleted file mode 100644 index 253308f..0000000 --- a/contrib/libpam/modules/pam_radius/README +++ /dev/null @@ -1,58 +0,0 @@ - -pam_radius module: - RADIUS session module. - -WHAT IT DOES: - This module is intended to provide the session service for users -autheticated with a RADIUS server. At the present stage, the only option -supported is the use of the RADIUS server as an accounting server. There are -few things which needs to be cleared out first in the PAM project until one -will be able to use this module and expect it to magically start pppd in -response to a RADIUS server command to use PPP for this user, or to initiate -a telnet connection to another host, or to hang and call back the user using -parameters provided in the RADIUS server response. Most of these things are -better suited for the radius login application. I hope to make available -Real Soon (tm) patches for the login apps to make it work this way. - - -ARGUMENTS RECOGNIZED: - debug verbose logging - -MODULE SERVICES PROVIDED: - session _open_session and _close_session - - When opening a session, this module sends an Accounting-Start -message to the RADIUS server, which will log/update/whatever a database for -this user. On close, an Accounting-Stop message is sent to the RADIUS -server. - -This module have no other pre-requisites for making it work. One can install -a RADIUS server just for fun and use it as a centralized accounting server and -forget about wtmp/last/sac&comp :-) - -USAGE: - For the services you need this module (login for example) put - the following line in /etc/pam.conf as the last line for that - service (usually after the pam_unix session line): - - login session required /lib/security/pam_radius.so - - Replace "login" for each service you are using this module. - - This module make extensive use of the API provided in libpwdb - 0.54preB or later. By default, it will read the radius server - configuration (hostname and secret) from /etc/raddb/server. This is - a default compiled into libpwdb, and curently there is no way to - modify this default without recompiling libpwdb. I am working on - extending the radius support from libpwdb to provide a possibility - to make this runtime-configurable. - - Also please note that libpwdb will require also the RADIUS - dictionary to be present (/etc/raddb/dictionary). - -TODO: - The work is far from complete. Deal with "real" session things. - -AUTHOR: - Cristian Gafton <gafton@redhat.com> - diff --git a/contrib/libpam/modules/pam_radius/pam_radius.c b/contrib/libpam/modules/pam_radius/pam_radius.c deleted file mode 100644 index b412edf..0000000 --- a/contrib/libpam/modules/pam_radius/pam_radius.c +++ /dev/null @@ -1,193 +0,0 @@ -/* - * pam_radius - * Process an user session according to a RADIUS server response - * - * 1.0 - initial release - Linux ONLY - * 1.1 - revised and reorganized for libpwdb 0.54preB or higher - * - removed the conf= parameter, since we use libpwdb exclusively now - * - * See end for Copyright information - */ - -#if !(defined(linux)) -#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!! -#endif - -/* Module defines */ -#define BUFFER_SIZE 1024 -#define LONG_VAL_PTR(ptr) ((*(ptr)<<24)+(*((ptr)+1)<<16)+(*((ptr)+2)<<8)+(*((ptr)+3))) - -#define PAM_SM_SESSION - -#include "pam_radius.h" - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -static time_t session_time; - -/* we need to save these from open_session to close_session, since - * when close_session will be called we won't be root anymore and - * won't be able to access again the radius server configuration file - * -- cristiang */ - -static RADIUS_SERVER rad_server; -static char hostname[BUFFER_SIZE]; -static char secret[BUFFER_SIZE]; - -/* logging */ -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pam_radius", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 0x0001 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* now the session stuff */ -PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int retval; - char *user_name; - int ctrl; - - ctrl = _pam_parse(argc, argv); - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _pam_log(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "starting RADIUS user session for '%s'", - user_name); - - retval = get_server_entries(hostname, secret); - if ((retval != PWDB_RADIUS_SUCCESS) || - !strlen(hostname) || !strlen(secret)) { - _pam_log(LOG_CRIT, "Could not determine the radius server to talk to"); - return PAM_IGNORE; - } - session_time = time(NULL); - rad_server.hostname = hostname; - rad_server.secret = secret; - retval = radius_acct_start(rad_server, user_name); - if (retval != PWDB_RADIUS_SUCCESS) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "ERROR communicating with the RADIUS server"); - return PAM_IGNORE; - } - - return PAM_SUCCESS; -} - -PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int ctrl; - char *user_name; - int retval; - - ctrl = _pam_parse(argc, argv); - retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( user_name == NULL || retval != PAM_SUCCESS ) { - _pam_log(LOG_CRIT, "open_session - error recovering username"); - return PAM_SESSION_ERR; - } - - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "closing RADIUS user session for '%s'", - user_name); - - if (!strlen(hostname) || !strlen(secret)) { - _pam_log(LOG_CRIT, "Could not determine the radius server to talk to"); - return PAM_IGNORE; - } - retval = radius_acct_stop(rad_server, user_name, - time(NULL) - session_time); - if (retval != PWDB_RADIUS_SUCCESS) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG, "ERROR communicating with the RADIUS server"); - return PAM_IGNORE; - } - - return PAM_SUCCESS; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_radius_modstruct = { - "pam_radius", - NULL, - NULL, - NULL, - pam_sm_open_session, - pam_sm_close_session, - NULL -}; -#endif - -/* - * Copyright (c) Cristian Gafton, 1996, <gafton@redhat.com> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/contrib/libpam/modules/pam_radius/pam_radius.h b/contrib/libpam/modules/pam_radius/pam_radius.h deleted file mode 100644 index 72b1da8..0000000 --- a/contrib/libpam/modules/pam_radius/pam_radius.h +++ /dev/null @@ -1,35 +0,0 @@ - -#ifndef PAM_RADIUS_H -#define PAM_RADIUS_H - -#define _GNU_SOURCE -#include <features.h> - -#include <stdio.h> -#define __USE_POSIX2 - -#include <stdlib.h> - -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/resource.h> - -#include <unistd.h> -#include <string.h> -#include <ctype.h> -#include <syslog.h> -#include <stdarg.h> -#include <utmp.h> -#include <time.h> -#include <netdb.h> - -#include <netinet/in.h> -#include <rpcsvc/ypclnt.h> -#include <rpc/rpc.h> - -#include <pwdb/radius.h> -#include <pwdb/pwdb_radius.h> - -/******************************************************************/ - -#endif /* PAM_RADIUS_H */ diff --git a/contrib/libpam/modules/pam_rhosts/Makefile b/contrib/libpam/modules/pam_rhosts/Makefile deleted file mode 100644 index 93addbb..0000000 --- a/contrib/libpam/modules/pam_rhosts/Makefile +++ /dev/null @@ -1,94 +0,0 @@ -# This Makefile controls a build process of the pam_rhosts modules -# for Linux-PAM. You should not modify this Makefile. - -LIBAUTHOBJ = pam_rhosts_auth.o -LIBAUTHSRC = pam_rhosts_auth.c -LIBSESSOBJ = -LIBSESSSRC = -LIBPASSWDSRC = -LIBPASSWDOBJ = -LIBOBJ = $(LIBAUTHOBJ) $(LIBSESSOBJ) $(LIBPASSWDOBJ) -LIBSRC = $(LIBAUTHSRC) $(LIBSESSSRC) $(LIBPASSWDSRC) - -ifdef STATIC -LIBSTATIC = libpam_rhosts.o -LIBOBJS = $(addprefix static/,$(LIBOBJ)) -endif - -ifdef DYNAMIC -LIBSESSSH = -LIBAUTHSH = pam_rhosts_auth.so -LIBPASSWDSH = -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBSHARED = $(LIBSESSSH) $(LIBAUTHSH) $(LIBPASSWDSH) -endif - -####################### don't edit below ####################### - -dummy: - @echo "**** This is not a top-level Makefile " - exit - - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; \ - ./register_static pam_rhosts_auth pam_rhosts/libpam_rhosts.o ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -endif - -ifdef DYNAMIC -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -endif - -ifdef STATIC -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) - -endif - -#.c.o: -# $(CC) -c $(CFLAGS) $< - -install: all -ifdef DYNAMIC - $(MKDIR) $(FAKEROOT)$(SECUREDIR) - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -# tidy up - -remove: - cd $(FAKEROOT)$(SECUREDIR) && rm -f $(LIBSHARED) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) a.out core *~ - -extraclean: - rm -f *.a *.out *.o *.so *.bak dynamic/* static/* - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ diff --git a/contrib/libpam/modules/pam_rhosts/README b/contrib/libpam/modules/pam_rhosts/README deleted file mode 100644 index 527dfd3..0000000 --- a/contrib/libpam/modules/pam_rhosts/README +++ /dev/null @@ -1,57 +0,0 @@ -arguments recognized: - -"no_hosts_equiv" -"no_rhosts" -"debug" -"nowarn" -"suppress" -"promiscuous" - -.rhosts/hosts.equiv format: - -There are positive entries, when one is matched authentication -succeeds and terminates. There are negative entries, when one is -matched authentication fails and terminates. Thus order is -significant. - -Entry hosts.equiv .rhosts -<host> All users on <host> are ok Same username from <host> is ok -<host> <user> <user> from <host> is ok ditto --<host> No users from <host> are ok ditto -<host> -<user> <user> from <host> is not ok ditto - -<host> can be ip (IPv4) numbers. - -Netgroups may be used in either host or user fields, and then applies -to all hosts, or users, in the netgroup. The syntax is - - +@<ng> - -The entries - - <host> +@<ng> - +@<ng> +@<ng> - +@<ng> <user> - -means exactly what you think it does. Negative entries are of the -form - - -@<ng> - -When the "promiscuous" option is given the special character + may be -used as a wildcard in any field. - - + Allow anyone from any host to connect. DANGEROUS. - + + Ditto. - + <user> Allow the user to connect from anywhere. DANGEROUS. - <host> + Allow any user from the host. Dangerous. - -These, perhaps more usefull, forms of the + form is also disallowed -unless "promiscuous" is specified: - - + -<user> Disallow the user from any host - + -@<ng> Disallow all members of the netgroup from any host - -When "promiscuous" is not specified a '+' is handled as a negative -match. - diff --git a/contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c b/contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c deleted file mode 100644 index 10dfcf7..0000000 --- a/contrib/libpam/modules/pam_rhosts/pam_rhosts_auth.c +++ /dev/null @@ -1,788 +0,0 @@ -/*---------------------------------------------------------------------- - * Modified for Linux-PAM by Al Longyear <longyear@netcom.com> 96/5/5 - * Modifications, Cristian Gafton 97/2/8 - * Modifications, Peter Allgeyer 97/3 - * Modifications (netgroups and fixes), Nicolai Langfeldt 97/3/21 - * Security fix: 97/10/2 - gethostbyname called repeatedly without care - * Modification (added privategroup option) Andrew <morgan@transmeta.com> - *---------------------------------------------------------------------- - * Copyright (c) 1983, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#define _BSD_SOURCE - -#define USER_RHOSTS_FILE "/.rhosts" /* prefixed by user's home dir */ - -#ifdef linux -#include <endian.h> -#endif - -#include <sys/types.h> -#include <sys/uio.h> -#include <string.h> -#include <unistd.h> -#include <stdlib.h> -#include <sys/param.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <netdb.h> /* This is supposed(?) to contain the following */ -int innetgr(const char *, const char *, const char *,const char *); - -#include <stdio.h> -#include <errno.h> -#include <sys/time.h> -#include <arpa/inet.h> - -#ifndef MAXDNAME -#define MAXDNAME 256 -#endif - -#include <stdarg.h> -#include <ctype.h> - -#include <net/if.h> -#ifdef linux -# include <linux/sockios.h> -# ifndef __USE_MISC -# define __USE_MISC -# include <sys/fsuid.h> -# endif /* __USE_MISC */ -#endif - -#include <pwd.h> -#include <grp.h> -#include <sys/file.h> -#include <sys/signal.h> -#include <sys/stat.h> -#include <syslog.h> -#ifndef _PATH_HEQUIV -#define _PATH_HEQUIV "/etc/hosts.equiv" -#endif /* _PATH_HEQUIV */ - -#define PAM_SM_AUTH /* only defines this management group */ - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -/* to the best of my knowledge, all modern UNIX boxes have 32 bit integers */ -#define U32 unsigned int - - -/* - * Options for this module - */ - -struct _options { - int opt_no_hosts_equiv; - int opt_no_rhosts; - int opt_debug; - int opt_nowarn; - int opt_disallow_null_authtok; - int opt_silent; - int opt_promiscuous; - int opt_suppress; - int opt_private_group; - const char *last_error; -}; - -/* logging */ -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("pam_rhosts_auth", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -static void set_option (struct _options *opts, const char *arg) -{ - if (strcmp(arg, "no_hosts_equiv") == 0) { - opts->opt_no_hosts_equiv = 1; - return; - } - - if (strcmp(arg, "no_rhosts") == 0) { - opts->opt_no_rhosts = 1; - return; - } - - if (strcmp(arg, "debug") == 0) { - D(("debugging enabled")); - opts->opt_debug = 1; - return; - } - - if (strcmp(arg, "no_warn") == 0) { - opts->opt_nowarn = 1; - return; - } - - if (strcmp(arg, "promiscuous") == 0) { - opts->opt_promiscuous = 1; /* used to permit '+' in ...hosts file */ - return; - } - - if (strcmp(arg, "suppress") == 0) { - opts->opt_suppress = 1; /* used to suppress failure warning message */ - return; - } - - if (strcmp(arg, "privategroup") == 0) { - opts->opt_private_group = 1; /* used to permit group write on .rhosts - file if group has same name as owner */ - return; - } - - /* - * All other options are ignored at the present time. - */ - _pam_log(LOG_WARNING, "unrecognized option '%s'", arg); -} - -static void set_parameters (struct _options *opts, int flags, - int argc, const char **argv) -{ - opts->opt_silent = flags & PAM_SILENT; - opts->opt_disallow_null_authtok = flags & PAM_DISALLOW_NULL_AUTHTOK; - - while (argc-- > 0) { - set_option (opts, *argv); - ++argv; - } -} - -/* - * Obtain the name of the remote host. Currently, this is simply by - * requesting the contents of the PAM_RHOST item. - */ - -static int pam_get_rhost(pam_handle_t *pamh, const char **rhost - , const char *prompt) -{ - int retval; - const char *current; - - retval = pam_get_item (pamh, PAM_RHOST, (const void **)¤t); - if (retval != PAM_SUCCESS) - return retval; - - if (current == NULL) { - return PAM_AUTH_ERR; - } - *rhost = current; - - return retval; /* pass on any error from conversation */ -} - -/* - * Obtain the name of the remote user. Currently, this is simply by - * requesting the contents of the PAM_RUSER item. - */ - -static int pam_get_ruser(pam_handle_t *pamh, const char **ruser - , const char *prompt) -{ - int retval; - const char *current; - - retval = pam_get_item (pamh, PAM_RUSER, (const void **)¤t); - if (retval != PAM_SUCCESS) - return retval; - - if (current == NULL) { - return PAM_AUTH_ERR; - } - *ruser = current; - - return retval; /* pass on any error from conversation */ -} - -/* - * Returns 1 if positive match, 0 if no match, -1 if negative match. - */ - -static int -__icheckhost (pam_handle_t *pamh, struct _options *opts, U32 raddr - , register char *lhost, const char *rhost) -{ - struct hostent *hp; - U32 laddr; - int negate=1; /* Multiply return with this to get -1 instead of 1 */ - char **pp, *user; - - /* Check nis netgroup. We assume that pam has done all needed - paranoia checking before we are handed the rhost */ - if (strncmp("+@",lhost,2) == 0) - return(innetgr(&lhost[2],rhost,NULL,NULL)); - - if (strncmp("-@",lhost,2) == 0) - return(-innetgr(&lhost[2],rhost,NULL,NULL)); - - /* -host */ - if (strncmp("-",lhost,1) == 0) { - negate=-1; - lhost++; - } else if (strcmp("+",lhost) == 0) { - (void) pam_get_item(pamh, PAM_USER, (const void **)&user); - D(("user %s has a `+' host entry", user)); - if (opts->opt_promiscuous) - return (1); /* asking for trouble, but ok.. */ - /* If not promiscuous: handle as negative */ - return (-1); - } - - /* Try for raw ip address first. */ - if (isdigit(*lhost) && (long)(laddr = inet_addr(lhost)) != -1) - return (negate*(! (raddr ^ laddr))); - - /* Better be a hostname. */ - hp = gethostbyname(lhost); - if (hp == NULL) - return (0); - - /* Spin through ip addresses. */ - for (pp = hp->h_addr_list; *pp; ++pp) - if (!memcmp (&raddr, *pp, sizeof (U32))) - return (negate); - - /* No match. */ - return (0); -} - -/* Returns 1 on positive match, 0 on no match, -1 on negative match */ - -static int __icheckuser(pam_handle_t *pamh, struct _options *opts - , const char *luser, const char *ruser - , const char *rhost) -{ - /* - luser is user entry from .rhosts/hosts.equiv file - ruser is user id on remote host - rhost is the remote host name - */ - char *user; - - /* [-+]@netgroup */ - if (strncmp("+@",luser,2) == 0) - return (innetgr(&luser[2],NULL,ruser,NULL)); - - if (strncmp("-@",luser,2) == 0) - return (-innetgr(&luser[2],NULL,ruser,NULL)); - - /* -user */ - if (strncmp("-",luser,1) == 0) - return(-(strcmp(&luser[1],ruser) == 0)); - - /* + */ - if (strcmp("+",luser) == 0) { - (void) pam_get_item(pamh, PAM_USER, (const void **)&user); - _pam_log(LOG_WARNING, "user %s has a `+' user entry", user); - if (opts->opt_promiscuous) - return(1); - /* If not promiscuous we handle it as a negative match */ - return(-1); - } - - /* simple string match */ - return (strcmp(ruser, luser) == 0); -} - -/* - * Returns 1 for blank lines (or only comment lines) and 0 otherwise - */ - -static int __isempty(char *p) -{ - while (*p && isspace(*p)) { - ++p; - } - - return (*p == '\0' || *p == '#') ? 1:0 ; -} - -/* - * Returns 0 if positive match, 1 if _not_ ok. - */ - -static int -__ivaliduser (pam_handle_t *pamh, struct _options *opts, - FILE *hostf, U32 raddr, - const char *luser, const char *ruser, const char *rhost) -{ - register const char *user; - register char *p; - int hcheck, ucheck; - char buf[MAXHOSTNAMELEN + 128]; /* host + login */ - - buf[sizeof (buf)-1] = '\0'; /* terminate line */ - - while (fgets(buf, sizeof(buf), hostf) != NULL) { /* hostf file line */ - p = buf; /* from beginning of file.. */ - - /* Skip empty or comment lines */ - if (__isempty(p)) { - continue; - } - - /* Skip lines that are too long. */ - if (strchr(p, '\n') == NULL) { - int ch = getc(hostf); - - while (ch != '\n' && ch != EOF) - ch = getc(hostf); - continue; - } - - /* - * If there is a hostname at the start of the line. Set it to - * lower case. A leading ' ' or '\t' indicates no hostname - */ - - for (;*p && !isspace(*p); ++p) { - *p = tolower(*p); - } - - /* - * next we want to find the permitted name for the remote user - */ - - if (*p == ' ' || *p == '\t') { - - /* <nul> terminate hostname and skip spaces */ - for (*p++='\0'; *p && isspace(*p); ++p); - - user = p; /* this is the user's name */ - while (*p && !isspace(*p)) - ++p; /* find end of user's name */ - } else - user = p; - - *p = '\0'; /* <nul> terminate username (+host?) */ - - /* buf -> host(?) ; user -> username(?) */ - - /* First check host part */ - hcheck=__icheckhost(pamh, opts, raddr, buf, rhost); - - if (hcheck<0) - return(1); - - if (hcheck) { - /* Then check user part */ - if (! (*user)) - user = luser; - - ucheck=__icheckuser(pamh, opts, user, ruser, rhost); - - /* Positive 'host user' match? */ - if (ucheck>0) - return(0); - - /* Negative 'host -user' match? */ - if (ucheck<0) - return(1); - - /* Neither, go on looking for match */ - } - } - - return (1); -} - -/* - * New .rhosts strategy: We are passed an ip address. We spin through - * hosts.equiv and .rhosts looking for a match. When the .rhosts only - * has ip addresses, we don't have to trust a nameserver. When it - * contains hostnames, we spin through the list of addresses the nameserver - * gives us and look for a match. - * - * Returns 0 if ok, -1 if not ok. - */ - -static int -pam_iruserok(pam_handle_t *pamh, - struct _options *opts, U32 raddr, int superuser, - const char *ruser, const char *luser, const char *rhost) -{ - const char *cp; - struct stat sbuf; - struct passwd *pwd; - FILE *hostf; - uid_t uid; - int answer; - char pbuf[MAXPATHLEN]; /* potential buffer overrun */ - - if ( !superuser && !opts->opt_no_hosts_equiv ) { - - /* try to open system hosts.equiv file */ - hostf = fopen (_PATH_HEQUIV, "r"); - if (hostf) { - answer = __ivaliduser(pamh, opts, hostf, raddr, luser - , ruser, rhost); - (void) fclose(hostf); - if (answer == 0) - return 0; /* remote host is equivalent to localhost */ - } /* else { - No hosts.equiv file on system. - } */ - } - - if ( opts->opt_no_rhosts ) - return 1; - - /* - * Identify user's local .rhosts file - */ - - pwd = getpwnam(luser); - if (pwd == NULL) { - /* - * luser is assumed to be valid because of an earlier check for uid = 0 - * we don't log this error twice. However, this shouldn't happen ! - * --cristiang - */ - return(1); - } - - /* check for buffer overrun */ - if (strlen(pwd->pw_dir) + sizeof(USER_RHOSTS_FILE) + 2 >= MAXPATHLEN) { - if (opts->opt_debug) - _pam_log(LOG_DEBUG,"home directory for `%s' is too long", luser); - return 1; /* to dangerous to try */ - } - - (void) strcpy(pbuf, pwd->pw_dir); - (void) strcat(pbuf, USER_RHOSTS_FILE); - - /* - * Change effective uid while _reading_ .rhosts. (not just - * opening). If root and reading an NFS mounted file system, - * can't read files that are 0600 as .rhosts files should be. - */ - - /* We are root, this will not fail */ -#ifdef linux - /* If we are on linux the better way is setfsuid */ - uid = setfsuid(pwd->pw_uid); - hostf = fopen(pbuf, "r"); -#else - uid = geteuid(); - (void) seteuid(pwd->pw_uid); - hostf = fopen(pbuf, "r"); -#endif - - if (hostf == NULL) { - if (opts->opt_debug) - _pam_log(LOG_DEBUG,"Could not open %s file",pbuf); - answer = 1; - goto exit_function; - } - - /* - * If not a regular file, or is owned by someone other than - * user or root or if writeable by anyone but the owner, quit. - */ - - cp = NULL; - if (lstat(pbuf, &sbuf) < 0 || !S_ISREG(sbuf.st_mode)) - cp = ".rhosts not regular file"; - else if (fstat(fileno(hostf), &sbuf) < 0) - cp = ".rhosts fstat failed"; - else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid) - cp = "bad .rhosts owner"; - else if (sbuf.st_mode & S_IWOTH) - cp = ".rhosts writable by other!"; - else if (sbuf.st_mode & S_IWGRP) { - - /* private group caveat */ - if (opts->opt_private_group) { - struct group *grp = getgrgid(sbuf.st_gid); - - if (NULL == grp || NULL == grp->gr_name - || strcmp(luser,grp->gr_name)) { - cp = ".rhosts writable by public group"; - } else if (grp->gr_mem) { - int gcount; - - /* require at most one member (luser) of this group */ - for (gcount=0; grp->gr_mem[gcount]; ++gcount) { - if (strcmp(grp->gr_mem[gcount], luser)) { - gcount = -1; - break; - } - } - if (gcount < 0) { - cp = ".rhosts writable by other members of group"; - } - } - } else { - cp = ".rhosts writable by group"; - } - - } /* It is _NOT_ safe to append an else here... Do so prior to - * S_IWGRP check */ - - /* If there were any problems, quit. */ - if (cp) { - opts->last_error = cp; - answer = 1; - goto exit_function; - } - - answer = __ivaliduser (pamh, opts, hostf, raddr, luser, ruser, rhost); - -exit_function: - /* - * Go here to exit after the fsuid/euid has been adjusted so that - * they are reset before we exit. - */ - -#ifdef linux - setfsuid(uid); -#else - (void)seteuid(uid); -#endif - - if (hostf != NULL) - (void) fclose(hostf); - - return answer; -} - -static int -pam_ruserok (pam_handle_t *pamh, - struct _options *opts, const char *rhost, int superuser, - const char *ruser, const char *luser) -{ - struct hostent *hp; - int answer = 1; /* default to failure */ - U32 *addrs; - int n, i; - - opts->last_error = (char *) 0; - hp = gethostbyname(rhost); /* identify host */ - - if (hp != NULL) { - /* First of all check the address length */ - if (hp->h_length != 4) { - _pam_log(LOG_ALERT, "pam_rhosts module can't work with not IPv4 " - "addresses"); - return 1; /* not allowed */ - } - - /* loop though address list */ - for (n = 0; hp->h_addr_list[n]; n++); - D(("rhosts: %d addresses", n)); - - if (n) { - addrs = calloc (n, hp->h_length); - for (i = 0; i < n; i++) - memcpy (addrs+i, hp->h_addr_list[i], hp->h_length); - - for (i = 0; i < n && answer; i++) { - D(("rhosts: address %d is %04x", i, addrs[i])); - answer = pam_iruserok(pamh, opts, addrs[i], superuser, - ruser, luser, rhost); - /* answer == 0 means success */ - } - - free (addrs); - } - } - - return answer; -} - -/* - * Internal function to do authentication - */ - -static int _pam_auth_rhosts (pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - int retval; - const char *luser; - const char *ruser,*rhost; - struct _options opts; - int as_root = 0; - /* - * Look at the options and set the flags accordingly. - */ - memset (&opts, 0, sizeof (opts)); - set_parameters (&opts, flags, argc, argv); - /* - * Obtain the parameters for the various items - */ - for (;;) { /* abuse loop to avoid goto */ - - /* get the remotehost */ - retval = pam_get_rhost(pamh, &rhost, NULL); - (void) pam_set_item(pamh, PAM_RHOST, rhost); - if (retval != PAM_SUCCESS) { - if (opts.opt_debug) { - _pam_log(LOG_DEBUG, "could not get the remote host name"); - } - break; - } - - /* get the remote user */ - retval = pam_get_ruser(pamh, &ruser, NULL); - (void) pam_set_item(pamh, PAM_RUSER, ruser); - if (retval != PAM_SUCCESS) { - if (opts.opt_debug) - _pam_log(LOG_DEBUG, "could not get the remote username"); - break; - } - - /* get the local user */ - retval = pam_get_user(pamh, &luser, NULL); - - if (retval != PAM_SUCCESS) { - if (opts.opt_debug) - _pam_log(LOG_DEBUG, "could not determine name of local user"); - break; - } - - /* check if the luser uid == 0... --cristiang */ - { - struct passwd *luser_pwd; - - luser_pwd = getpwnam(luser); - if (luser_pwd == NULL) { - if (opts.opt_debug) - _pam_log(LOG_DEBUG, "user '%s' unknown to this system", - luser); - retval = PAM_AUTH_ERR; - break; - } - if (luser_pwd->pw_uid == 0) - as_root = 1; - luser_pwd = NULL; /* forget */ - } -/* - * Validate the account information. - */ - if (pam_ruserok (pamh, &opts, rhost, as_root, ruser, luser) != 0) { - if ( !opts.opt_suppress ) { - _pam_log(LOG_WARNING, "denied to %s@%s as %s: %s", - ruser, rhost, luser, (opts.last_error==NULL) ? - "access not allowed":opts.last_error); - } - retval = PAM_AUTH_ERR; - } else { - _pam_log(LOG_NOTICE, "allowed to %s@%s as %s", - ruser, rhost, luser); - } - break; - } - - return retval; -} - -/* --- authentication management functions --- */ - -PAM_EXTERN -int pam_sm_authenticate (pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - int retval; - - if (sizeof(U32) != 4) { - _pam_log (LOG_ALERT, "pam_rhosts module can\'t work on this hardware " - "(yet)"); - return PAM_AUTH_ERR; - } - sethostent(1); - retval = _pam_auth_rhosts (pamh, flags, argc, argv); - endhostent(); - return retval; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc, - const char **argv) -{ - return PAM_SUCCESS; -} - -/* end of module definition */ - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_rhosts_auth_modstruct = { - "pam_rhosts_auth", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* - * $Log: pam_rhosts_auth.c,v $ - * Revision 1.12 1997/09/27 14:34:01 morgan - * fixed comment and renamed iruserok to pam_iruserok. - * - * Revision 1.11 1997/04/05 06:26:39 morgan - * fairly major fixes and enhancements (see CHANGELOG for 0.57 release) - * - * Revision 1.10 1997/02/09 02:09:30 morgan - * - implementation of 'debug' argument (Cristian Gafton) - * - we check for uid=0 accounts instead of hardcoded 'root' (Cristian Gafton) - * - * Revision 1.9 1996/12/01 03:09:47 morgan - * *** empty log message *** - * - * Revision 1.8 1996/11/12 06:08:59 morgan - * Oliver Crow's "rootok" patch plus a little clean up of set_option - * (AGM) - * - * Revision 1.7 1996/11/10 20:15:56 morgan - * cross platform support - * - * Revision 1.6 1996/08/09 05:46:29 morgan - * removed code for manually setting the remote username etc.. - * - */ diff --git a/contrib/libpam/modules/pam_rootok/Makefile b/contrib/libpam/modules/pam_rootok/Makefile deleted file mode 100644 index b378708..0000000 --- a/contrib/libpam/modules/pam_rootok/Makefile +++ /dev/null @@ -1,111 +0,0 @@ -# -# $Id: Makefile,v 1.7 1997/04/05 06:25:20 morgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.7 1997/04/05 06:25:20 morgan -# fakeroot -# -# Revision 1.6 1997/02/15 19:15:50 morgan -# fixed email -# -# Revision 1.5 1996/11/10 20:16:10 morgan -# cross platform support -# -# Revision 1.4 1996/09/05 06:29:36 morgan -# ld --> gcc -# -# Revision 1.3 1996/05/26 15:47:46 morgan -# make dynamic/static dirs! -# -# Revision 1.2 1996/05/26 04:04:53 morgan -# automated static support -# -# Revision 1.1 1996/05/05 17:14:15 morgan -# Initial revision -# -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/5/5 -# - -TITLE=pam_rootok - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_rootok/README b/contrib/libpam/modules/pam_rootok/README deleted file mode 100644 index d7010dd..0000000 --- a/contrib/libpam/modules/pam_rootok/README +++ /dev/null @@ -1,18 +0,0 @@ -# $Id: README,v 1.1 1996/05/10 04:15:31 morgan Exp $ -# - -this module is an authentication module that performs one task: if the -id of the user is '0' then it returns 'PAM_SUCCESS' with the -'sufficient' /etc/pam.conf control flag it can be used to allow -password free access to some service for 'root' - -Recognized arguments: - - debug write a message to syslog indicating success or - failure. - -module services provided: - - auth _authetication and _setcred (blank) - -Andrew Morgan diff --git a/contrib/libpam/modules/pam_rootok/pam_rootok.c b/contrib/libpam/modules/pam_rootok/pam_rootok.c deleted file mode 100644 index 21327d4..0000000 --- a/contrib/libpam/modules/pam_rootok/pam_rootok.c +++ /dev/null @@ -1,118 +0,0 @@ -/* pam_rootok module */ - -/* - * $Id: pam_rootok.c,v 1.5 1997/02/15 17:32:47 morgan Exp $ - * - * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 - * - * $Log: pam_rootok.c,v $ - * Revision 1.5 1997/02/15 17:32:47 morgan - * removed fixed syslog buffer - * - * Revision 1.4 1996/12/01 03:10:14 morgan - * reformatted - * - * Revision 1.3 1996/06/02 08:11:01 morgan - * updated for new static protocol - * - */ - -#include <stdio.h> -#include <unistd.h> -#include <syslog.h> -#include <stdarg.h> - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include <security/pam_modules.h> - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-rootok", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - - -/* argument parsing */ - -#define PAM_DEBUG_ARG 01 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int ctrl; - int retval = PAM_AUTH_ERR; - - ctrl = _pam_parse(argc, argv); - if (getuid() == 0) - retval = PAM_SUCCESS; - - if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_DEBUG, "authetication %s" - , retval==PAM_SUCCESS ? "succeeded":"failed" ); - } - - return retval; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_rootok_modstruct = { - "pam_rootok", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_securetty/Makefile b/contrib/libpam/modules/pam_securetty/Makefile deleted file mode 100644 index d8a09ea..0000000 --- a/contrib/libpam/modules/pam_securetty/Makefile +++ /dev/null @@ -1,83 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -TITLE=pam_securetty - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< diff --git a/contrib/libpam/modules/pam_securetty/README b/contrib/libpam/modules/pam_securetty/README deleted file mode 100644 index 1df095c..0000000 --- a/contrib/libpam/modules/pam_securetty/README +++ /dev/null @@ -1,9 +0,0 @@ -pam_securetty: - Allows root logins only if the user is logging in on a - "secure" tty, as defined by the listing in /etc/securetty - - Also checks to make sure that /etc/securetty is a plain - file and not world writable. - - - Elliot Lee <sopwith@redhat.com>, Red Hat Software. - July 25, 1996. diff --git a/contrib/libpam/modules/pam_securetty/pam_securetty.c b/contrib/libpam/modules/pam_securetty/pam_securetty.c deleted file mode 100644 index 369fb03..0000000 --- a/contrib/libpam/modules/pam_securetty/pam_securetty.c +++ /dev/null @@ -1,204 +0,0 @@ -/* pam_securetty module */ - -#define SECURETTY_FILE "/etc/securetty" -#define TTY_PREFIX "/dev/" - -/* - * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. - * July 25, 1996. - * This code shamelessly ripped from the pam_rootok module. - * Slight modifications AGM. 1996/12/3 - * $Log: pam_securetty.c,v $ - * Revision 1.7 1997/04/05 06:24:23 morgan - * changed return value on user unknown error - * - * Revision 1.6 1997/02/15 17:30:36 morgan - * removed fixed length syslog buffer - * - * Revision 1.5 1997/02/09 02:22:24 morgan - * added "debug" flag handling (Cristian Gafton) - * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <unistd.h> -#include <syslog.h> -#include <stdarg.h> -#include <pwd.h> -#include <strings.h> - -#define PAM_SM_AUTH - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include <security/pam_modules.h> - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-securetty", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 0x0001 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int retval = PAM_AUTH_ERR; - const char *username; - char *uttyname; - char ttyfileline[256]; - struct stat ttyfileinfo; - struct passwd *user_pwd; - FILE *ttyfile; - int ctrl; - - /* parse the arguments */ - ctrl = _pam_parse(argc, argv); - - retval = pam_get_item(pamh,PAM_USER,(const void **)&username); - if (retval == PAM_SUCCESS) - retval = pam_get_item(pamh,PAM_TTY,(const void **)&uttyname); - if (retval != PAM_SUCCESS || uttyname == NULL) { - /* If we couldn't get the username or the tty return error */ - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_WARNING, "can not determine tty I'm running on !"); - return PAM_SERVICE_ERR; - } - - /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ - if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) - uttyname += sizeof(TTY_PREFIX)-1; - - /* If we didn't get a username, get one */ - if(!username || (strlen(username) <= 0)) { - /* Don't let them use a NULL username... */ - (void) pam_set_item(pamh, PAM_USER, NULL); - pam_get_user(pamh,&username,NULL); - if (retval != PAM_SUCCESS || username == NULL || *username == '\0') { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_WARNING, - "can not determine username for this service!"); - return PAM_SERVICE_ERR; - } - } - - user_pwd = getpwnam(username); - if (user_pwd == NULL) - return PAM_IGNORE; - else if (user_pwd->pw_uid != 0) /* If the user is not root, - securetty's does not apply to them */ - return PAM_SUCCESS; - - if(stat(SECURETTY_FILE,&ttyfileinfo)) { - _pam_log(LOG_NOTICE, - "Couldn't open " SECURETTY_FILE); - return PAM_SUCCESS; /* for compatibility with old securetty handling, - this needs to succeed. But we still log the - error. */ - } - - if((ttyfileinfo.st_mode & S_IWOTH) - || !S_ISREG(ttyfileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - _pam_log(LOG_ERR, SECURETTY_FILE - " is either world writable or not a normal file"); - return PAM_AUTH_ERR; - } - - ttyfile = fopen(SECURETTY_FILE,"r"); - if(ttyfile == NULL) { /* Check that we opened it successfully */ - _pam_log(LOG_ERR, - "Error opening " SECURETTY_FILE); - return PAM_SERVICE_ERR; - } - /* There should be no more errors from here on */ - retval=PAM_AUTH_ERR; - /* This loop assumes that PAM_SUCCESS == 0 - and PAM_AUTH_ERR != 0 */ - while((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) - && retval) { - if(ttyfileline[strlen(ttyfileline) - 1] == '\n') - ttyfileline[strlen(ttyfileline) - 1] = '\0'; - retval = strcmp(ttyfileline,uttyname); - } - fclose(ttyfile); - if(retval) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !", - uttyname); - retval = PAM_AUTH_ERR; - } - if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) - _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'", - username, uttyname); - return retval; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_securetty_modstruct = { - "pam_securetty", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_shells/Makefile b/contrib/libpam/modules/pam_shells/Makefile deleted file mode 100644 index 121b19a..0000000 --- a/contrib/libpam/modules/pam_shells/Makefile +++ /dev/null @@ -1,84 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# - -TITLE=pam_shells - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_shells/README b/contrib/libpam/modules/pam_shells/README deleted file mode 100644 index cbd5bfb..0000000 --- a/contrib/libpam/modules/pam_shells/README +++ /dev/null @@ -1,10 +0,0 @@ -pam_shells: - Authentication is granted if the users shell is listed in - /etc/shells. If no shell is in /etc/passwd (empty), the - /bin/sh is used (following ftpd's convention). - - Also checks to make sure that /etc/shells is a plain - file and not world writable. - - - Erik Troan <ewt@redhat.com>, Red Hat Software. - August 5, 1996. diff --git a/contrib/libpam/modules/pam_shells/pam_shells.c b/contrib/libpam/modules/pam_shells/pam_shells.c deleted file mode 100644 index edc9134..0000000 --- a/contrib/libpam/modules/pam_shells/pam_shells.c +++ /dev/null @@ -1,131 +0,0 @@ -/* pam_securetty module */ - -#define SHELL_FILE "/etc/shells" - -/* - * by Erik Troan <ewt@redhat.com>, Red Hat Software. - * August 5, 1996. - * This code shamelessly ripped from the pam_securetty module. - */ - -#include <pwd.h> -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <sys/stat.h> -#include <syslog.h> -#include <unistd.h> - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include <security/pam_modules.h> - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-shells", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int retval = PAM_AUTH_ERR; - const char *userName; - char *userShell; - char shellFileLine[256]; - struct stat sb; - struct passwd * pw; - FILE * shellFile; - - retval = pam_get_user(pamh,&userName,NULL); - if(retval != PAM_SUCCESS) - return PAM_SERVICE_ERR; - - if(!userName || (strlen(userName) <= 0)) { - /* Don't let them use a NULL username... */ - pam_get_user(pamh,&userName,NULL); - if (retval != PAM_SUCCESS) - return PAM_SERVICE_ERR; - } - - pw = getpwnam(userName); - if (!pw) - return PAM_AUTH_ERR; /* user doesn't exist */ - userShell = pw->pw_shell; - - if(stat(SHELL_FILE,&sb)) { - _pam_log(LOG_ERR, SHELL_FILE, " cannot be stat'd (it probably does " - "not exist)"); - return PAM_AUTH_ERR; /* must have /etc/shells */ - } - - if((sb.st_mode & S_IWOTH) || !S_ISREG(sb.st_mode)) { - _pam_log(LOG_ERR, - SHELL_FILE " is either world writable or not a normal file"); - return PAM_AUTH_ERR; - } - - shellFile = fopen(SHELL_FILE,"r"); - if(shellFile == NULL) { /* Check that we opened it successfully */ - _pam_log(LOG_ERR, - "Error opening " SHELL_FILE); - return PAM_SERVICE_ERR; - } - /* There should be no more errors from here on */ - retval=PAM_AUTH_ERR; - /* This loop assumes that PAM_SUCCESS == 0 - and PAM_AUTH_ERR != 0 */ - while((fgets(shellFileLine,255,shellFile) != NULL) - && retval) { - if (shellFileLine[strlen(shellFileLine) - 1] == '\n') - shellFileLine[strlen(shellFileLine) - 1] = '\0'; - retval = strcmp(shellFileLine, userShell); - } - fclose(shellFile); - if(retval) - retval = PAM_AUTH_ERR; - return retval; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_shells_modstruct = { - "pam_shells", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_stress/Makefile b/contrib/libpam/modules/pam_stress/Makefile deleted file mode 100644 index 52e8e21..0000000 --- a/contrib/libpam/modules/pam_stress/Makefile +++ /dev/null @@ -1,109 +0,0 @@ -# -# $Id: Makefile,v 1.7 1997/04/05 06:23:08 morgan Exp $ -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11 -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.7 1997/04/05 06:23:08 morgan -# fakeroot -# -# Revision 1.6 1997/02/15 19:05:55 morgan -# fixed email -# -# Revision 1.5 1996/11/10 20:17:55 morgan -# cross platform support -# -# Revision 1.4 1996/09/05 06:31:09 morgan -# ld --> gcc -# -# Revision 1.3 1996/05/26 15:50:43 morgan -# make dynamic and static dirs -# -# Revision 1.2 1996/05/26 04:11:56 morgan -# automated static support -# -# -# - -TITLE=pam_stress - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_stress/README b/contrib/libpam/modules/pam_stress/README deleted file mode 100644 index 1cb7c14..0000000 --- a/contrib/libpam/modules/pam_stress/README +++ /dev/null @@ -1,66 +0,0 @@ -# -# $Id: README,v 1.7 1997/02/15 19:07:08 morgan Exp $ -# -# This describes the behavior of this module with respect to the -# /etc/pam.conf file. -# -# writen by Andrew Morgan <morgan@parc.power.net> -# - -This module recognizes the following arguments. - -debug put lots of information in syslog. - *NOTE* this option writes passwords to syslog, so - don't use anything sensitive when testing. - -no_warn don't give warnings about things (otherwise warnings are issued - via the conversation function) - -use_first_pass don't prompt for a password, for pam_sm_authentication - function just use item PAM_AUTHTOK. - -try_first_pass don't prompt for a password unless there has been no - previous authentication token (item PAM_AUTHTOK is NULL) - -rootok This is intended for the pam_sm_chauthtok function and - it instructs this function to permit root to change - the user's password without entering the old password. - -The following arguments are acted on by the module. They are intended -to make the module give the impression of failing as a fully -functioning module might. - -expired an argument intended for the account and chauthtok module - parts. It instructs the module to act as if the user's - password has expired - -fail_1 this instructs the module to make its first function fail. - -fail_2 this instructs the module to make its second function (if there - is one) fail. - - The function break up is indicated in the Module - Developers' Guide. Listed here it is: - - service function 1 function 2 - ------- ---------- ---------- - auth pam_sm_authenticate pam_sm_setcred - password pam_sm_chauthtok - session pam_sm_open_session pam_sm_close_session - account pam_sm_acct_mgmt - -prelim for pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK. - -required for pam_sm_chauthtok, means fail if the user hasn't already - been authenticated by this module. (See stress_new_pwd data - item below.) - -# -# data strings that this module uses are the following: -# - -data name value(s) Comments ---------- -------- -------- -stress_new_pwd yes tells pam_sm_chauthtok that - pam_sm_acct_mgmt says we need a new - password diff --git a/contrib/libpam/modules/pam_stress/pam_stress.c b/contrib/libpam/modules/pam_stress/pam_stress.c deleted file mode 100644 index 5015418..0000000 --- a/contrib/libpam/modules/pam_stress/pam_stress.c +++ /dev/null @@ -1,581 +0,0 @@ -/* pam_stress module */ - -/* $Id: pam_stress.c,v 1.12 1997/02/15 19:06:30 morgan Exp morgan $ - * - * created by Andrew Morgan <morgan@parc.power.net> 1996/3/12 - * - * $Log: pam_stress.c,v $ - * Revision 1.12 1997/02/15 19:06:30 morgan - * fixed email - * - * Revision 1.11 1997/02/15 17:33:24 morgan - * removed fixed syslog buffer - * - * Revision 1.10 1996/12/01 03:11:35 morgan - * using _pam_macros.h now - * - * Revision 1.9 1996/11/10 20:18:10 morgan - * changes for .53 compilation - * - * Revision 1.8 1996/09/05 06:31:59 morgan - * changed return value of wipe_up from int to void - * - * Revision 1.7 1996/06/02 08:12:28 morgan - * updated for new static protocol, added STRESS to various user prompts - * and added rootok flag for pam_sm_chauthtok to look out for - * - */ - -#include <stdlib.h> -#include <stdio.h> -#include <syslog.h> -#include <stdarg.h> -#include <string.h> -#include <unistd.h> - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -static char *_strdup(const char *x) -{ - char *new; - new = malloc(strlen(x)+1); - strcpy(new,x); - return new; -} - -/* log errors */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-stress", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* ---------- */ - -/* an internal function to turn all possible test arguments into bits - of a ctrl number */ - -/* generic options */ - -#define PAM_ST_DEBUG 01 -#define PAM_ST_NO_WARN 02 -#define PAM_ST_USE_PASS1 04 -#define PAM_ST_TRY_PASS1 010 -#define PAM_ST_ROOTOK 020 - -/* simulation options */ - -#define PAM_ST_EXPIRED 040 -#define PAM_ST_FAIL_1 0100 -#define PAM_ST_FAIL_2 0200 -#define PAM_ST_PRELIM 0400 -#define PAM_ST_REQUIRE_PWD 01000 - -/* some syslogging */ - -static void _pam_report(int ctrl, const char *name, int flags, - int argc, const char **argv) -{ - if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG, "CALLED: %s", name); - _pam_log(LOG_DEBUG, "FLAGS : 0%o%s", flags, - (flags & PAM_SILENT) ? " (silent)":""); - _pam_log(LOG_DEBUG, "CTRL = 0%o",ctrl); - _pam_log(LOG_DEBUG, "ARGV :"); - while (argc--) { - _pam_log(LOG_DEBUG, " \"%s\"", *argv++); - } - } -} - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_ST_DEBUG; - else if (!strcmp(*argv,"no_warn")) - ctrl |= PAM_ST_NO_WARN; - else if (!strcmp(*argv,"use_first_pass")) - ctrl |= PAM_ST_USE_PASS1; - else if (!strcmp(*argv,"try_first_pass")) - ctrl |= PAM_ST_TRY_PASS1; - else if (!strcmp(*argv,"rootok")) - ctrl |= PAM_ST_ROOTOK; - - /* simulation options */ - - else if (!strcmp(*argv,"expired")) /* signal password needs - renewal */ - ctrl |= PAM_ST_EXPIRED; - else if (!strcmp(*argv,"fail_1")) /* instruct fn 1 to fail */ - ctrl |= PAM_ST_FAIL_1; - else if (!strcmp(*argv,"fail_2")) /* instruct fn 2 to fail */ - ctrl |= PAM_ST_FAIL_2; - else if (!strcmp(*argv,"prelim")) /* instruct pam_sm_setcred - to fail on first call */ - ctrl |= PAM_ST_PRELIM; - else if (!strcmp(*argv,"required")) /* module is fussy about the - user being authenticated */ - ctrl |= PAM_ST_REQUIRE_PWD; - - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - -static int converse(pam_handle_t *pamh, int nargs - , struct pam_message **message - , struct pam_response **response) -{ - int retval; - struct pam_conv *conv; - - if ((retval = pam_get_item(pamh,PAM_CONV,(const void **)&conv)) - == PAM_SUCCESS) { - retval = conv->conv(nargs, (const struct pam_message **) message - , response, conv->appdata_ptr); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR,"(pam_stress) converse returned %d",retval); - _pam_log(LOG_ERR,"that is: %s",pam_strerror(pamh, retval)); - } - } else { - _pam_log(LOG_ERR,"(pam_stress) converse failed to get pam_conv"); - } - - return retval; -} - -/* authentication management functions */ - -static int stress_get_password(pam_handle_t *pamh, int flags - , int ctrl, char **password) -{ - char *pass; - - if ( (ctrl & (PAM_ST_TRY_PASS1|PAM_ST_USE_PASS1)) - && (pam_get_item(pamh,PAM_AUTHTOK,(const void **)&pass) - == PAM_SUCCESS) - && (pass != NULL) ) { - pass = _strdup(pass); - } else if ((ctrl & PAM_ST_USE_PASS1)) { - _pam_log(LOG_WARNING, "pam_stress: no forwarded password"); - return PAM_PERM_DENIED; - } else { /* we will have to get one */ - struct pam_message msg[1],*pmsg[1]; - struct pam_response *resp; - int retval; - - /* set up conversation call */ - - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = "STRESS Password: "; - resp = NULL; - - if ((retval = converse(pamh,1,pmsg,&resp)) != PAM_SUCCESS) { - return retval; - } - - if (resp) { - if ((resp[0].resp == NULL) && (ctrl & PAM_ST_DEBUG)) { - _pam_log(LOG_DEBUG, - "pam_sm_authenticate: NULL authtok given"); - } - if ((flags & PAM_DISALLOW_NULL_AUTHTOK) - && resp[0].resp == NULL) { - free(resp); - return PAM_AUTH_ERR; - } - - pass = resp[0].resp; /* remember this! */ - - resp[0].resp = NULL; - } else if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG,"pam_sm_authenticate: no error reported"); - _pam_log(LOG_DEBUG,"getting password, but NULL returned!?"); - return PAM_CONV_ERR; - } - free(resp); - } - - *password = pass; /* this *MUST* be free()'d by this module */ - - return PAM_SUCCESS; -} - -/* function to clean up data items */ - -static void wipe_up(pam_handle_t *pamh, void *data, int error) -{ - free(data); -} - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - const char *username; - int retval=PAM_SUCCESS; - char *pass; - int ctrl; - - D(("called.")); - - ctrl = _pam_parse(argc,argv); - _pam_report(ctrl, "pam_sm_authenticate", flags, argc, argv); - - /* try to get the username */ - - retval = pam_get_user(pamh, &username, "username: "); - if ((ctrl & PAM_ST_DEBUG) && (retval == PAM_SUCCESS)) { - _pam_log(LOG_DEBUG, "pam_sm_authenticate: username = %s", username); - } else if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "pam_sm_authenticate: failed to get username"); - return retval; - } - - /* now get the password */ - - retval = stress_get_password(pamh,flags,ctrl,&pass); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "pam_sm_authenticate: " - "failed to get a password"); - return retval; - } - - /* try to set password item */ - - retval = pam_set_item(pamh,PAM_AUTHTOK,pass); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_WARNING, "pam_sm_authenticate: " - "failed to store new password"); - _pam_overwrite(pass); - free(pass); - return retval; - } - - /* clean up local copy of password */ - - _pam_overwrite(pass); - free(pass); - pass = NULL; - - /* if we are debugging then we print the password */ - - if (ctrl & PAM_ST_DEBUG) { - (void) pam_get_item(pamh,PAM_AUTHTOK,(const void **)&pass); - _pam_log(LOG_DEBUG, - "pam_st_authenticate: password entered is: [%s]\n",pass); - pass = NULL; - } - - /* if we signal a fail for this function then fail */ - - if ((ctrl & PAM_ST_FAIL_1) && retval == PAM_SUCCESS) - return PAM_PERM_DENIED; - - return retval; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int ctrl = _pam_parse(argc,argv); - - D(("called. [post parsing]")); - - _pam_report(ctrl, "pam_sm_setcred", flags, argc, argv); - - if (ctrl & PAM_ST_FAIL_2) - return PAM_CRED_ERR; - - return PAM_SUCCESS; -} - -/* account management functions */ - -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int ctrl = _pam_parse(argc,argv); - - D(("called. [post parsing]")); - - _pam_report(ctrl,"pam_sm_acct_mgmt", flags, argc, argv); - - if (ctrl & PAM_ST_FAIL_1) - return PAM_PERM_DENIED; - else if (ctrl & PAM_ST_EXPIRED) { - void *text = malloc(sizeof("yes")+1); - strcpy(text,"yes"); - pam_set_data(pamh,"stress_new_pwd",text,wipe_up); - if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG,"pam_sm_acct_mgmt: need a new password"); - } - return PAM_NEW_AUTHTOK_REQD; - } - - return PAM_SUCCESS; -} - -PAM_EXTERN -int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - char *username,*service; - int ctrl = _pam_parse(argc,argv); - - D(("called. [post parsing]")); - - _pam_report(ctrl,"pam_sm_open_session", flags, argc, argv); - - if ((pam_get_item(pamh, PAM_USER, (const void **) &username) - != PAM_SUCCESS) - || (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) - != PAM_SUCCESS)) { - _pam_log(LOG_WARNING,"pam_sm_open_session: for whom?"); - return PAM_SESSION_ERR; - } - - _pam_log(LOG_NOTICE,"pam_stress: opened [%s] session for user [%s]" - , service, username); - - if (ctrl & PAM_ST_FAIL_1) - return PAM_SESSION_ERR; - - return PAM_SUCCESS; -} - -PAM_EXTERN -int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - const char *username,*service; - int ctrl = _pam_parse(argc,argv); - - D(("called. [post parsing]")); - - _pam_report(ctrl,"pam_sm_close_session", flags, argc, argv); - - if ((pam_get_item(pamh, PAM_USER, (const void **)&username) - != PAM_SUCCESS) - || (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) - != PAM_SUCCESS)) { - _pam_log(LOG_WARNING,"pam_sm_close_session: for whom?"); - return PAM_SESSION_ERR; - } - - _pam_log(LOG_NOTICE,"pam_stress: closed [%s] session for user [%s]" - , service, username); - - if (ctrl & PAM_ST_FAIL_2) - return PAM_SESSION_ERR; - - return PAM_SUCCESS; -} - -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - int retval; - int ctrl = _pam_parse(argc,argv); - - D(("called. [post parsing]")); - - _pam_report(ctrl,"pam_sm_chauthtok", flags, argc, argv); - - /* this function should be called twice by the Linux-PAM library */ - - if (flags & PAM_PRELIM_CHECK) { /* first call */ - if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG,"pam_sm_chauthtok: prelim check"); - } - if (ctrl & PAM_ST_PRELIM) - return PAM_TRY_AGAIN; - - return PAM_SUCCESS; - } else if (flags & PAM_UPDATE_AUTHTOK) { /* second call */ - struct pam_message msg[3],*pmsg[3]; - struct pam_response *resp; - const char *text; - char *txt=NULL; - int i; - - if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG,"pam_sm_chauthtok: alter password"); - } - - if (ctrl & PAM_ST_FAIL_1) - return PAM_AUTHTOK_LOCK_BUSY; - - if ( !(ctrl && PAM_ST_EXPIRED) - && (flags & PAM_CHANGE_EXPIRED_AUTHTOK) - && (pam_get_data(pamh,"stress_new_pwd",(const void **)&text) - != PAM_SUCCESS || strcmp(text,"yes"))) { - return PAM_SUCCESS; /* the token has not expired */ - } - - /* the password should be changed */ - - if ((ctrl & PAM_ST_REQUIRE_PWD) - && !(getuid() == 0 && (ctrl & PAM_ST_ROOTOK)) - ) { /* first get old one? */ - char *pass; - - if (ctrl & PAM_ST_DEBUG) { - _pam_log(LOG_DEBUG - ,"pam_sm_chauthtok: getting old password"); - } - retval = stress_get_password(pamh,flags,ctrl,&pass); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_DEBUG - ,"pam_sm_chauthtok: no password obtained"); - return retval; - } - retval = pam_set_item(pamh, PAM_OLDAUTHTOK, pass); - if (retval != PAM_SUCCESS) { - _pam_log(LOG_DEBUG - ,"pam_sm_chauthtok: could not set OLDAUTHTOK"); - _pam_overwrite(pass); - free(pass); - return retval; - } - _pam_overwrite(pass); - free(pass); - } - - /* set up for conversation */ - - if (!(flags & PAM_SILENT)) { - char *username; - - if ( pam_get_item(pamh, PAM_USER, (const void **)&username) - || username == NULL ) { - _pam_log(LOG_ERR,"no username set"); - return PAM_USER_UNKNOWN; - } - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_TEXT_INFO; -#define _LOCAL_STRESS_COMMENT "Changing STRESS password for " - txt = (char *) malloc(sizeof(_LOCAL_STRESS_COMMENT) - +strlen(username)+1); - strcpy(txt, _LOCAL_STRESS_COMMENT); -#undef _LOCAL_STRESS_COMMENT - strcat(txt, username); - msg[0].msg = txt; - i = 1; - } else { - i = 0; - } - - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = "Enter new STRESS password: "; - pmsg[i] = &msg[i]; - msg[i].msg_style = PAM_PROMPT_ECHO_OFF; - msg[i++].msg = "Retype new STRESS password: "; - resp = NULL; - - retval = converse(pamh,i,pmsg,&resp); - if (txt) { - free(txt); - txt = NULL; /* clean up */ - } - if (retval != PAM_SUCCESS) { - return retval; - } - - if (resp == NULL) { - _pam_log(LOG_ERR, "pam_sm_chauthtok: no response from conv"); - return PAM_CONV_ERR; - } - - /* store the password */ - - if (resp[i-2].resp && resp[i-1].resp) { - if (strcmp(resp[i-2].resp,resp[i-1].resp)) { - /* passwords are not the same; forget and return error */ - - _pam_drop_reply(resp, i); - - if (!(flags & PAM_SILENT) && !(ctrl & PAM_ST_NO_WARN)) { - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_ERROR_MSG; - msg[0].msg = "Verification mis-typed; " - "password unchaged"; - resp = NULL; - (void) converse(pamh,1,pmsg,&resp); - if (resp) { - _pam_drop_reply(resp, 1); - } - } - return PAM_AUTHTOK_ERR; - } - - if (pam_get_item(pamh,PAM_AUTHTOK,(const void **)&text) - == PAM_SUCCESS) { - (void) pam_set_item(pamh,PAM_OLDAUTHTOK,text); - text = NULL; - } - (void) pam_set_item(pamh,PAM_AUTHTOK,resp[0].resp); - } else { - _pam_log(LOG_DEBUG,"pam_sm_chauthtok: problem with resp"); - retval = PAM_SYSTEM_ERR; - } - - _pam_drop_reply(resp, i); /* clean up the passwords */ - } else { - _pam_log(LOG_ERR,"pam_sm_chauthtok: this must be a Linux-PAM error"); - return PAM_SYSTEM_ERR; - } - - return retval; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_stress_modstruct = { - "pam_stress", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok -}; - -#endif diff --git a/contrib/libpam/modules/pam_tally/Makefile b/contrib/libpam/modules/pam_tally/Makefile deleted file mode 100644 index ec17ff3..0000000 --- a/contrib/libpam/modules/pam_tally/Makefile +++ /dev/null @@ -1,93 +0,0 @@ -# -# $Id: Makefile,v 1.1 1997/04/05 06:19:04 morgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.1 1997/04/05 06:19:04 morgan -# Initial revision -# -# - -TITLE=pam_tally - -# -## Should add some more rules to make the application too. -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_tally/README b/contrib/libpam/modules/pam_tally/README deleted file mode 100644 index aaa8512..0000000 --- a/contrib/libpam/modules/pam_tally/README +++ /dev/null @@ -1,51 +0,0 @@ - -SUMMARY: - pam_tally: - - Maintains a count of attempted accesses, can reset count on success, - can deny access if too many attempts fail. - - Options: - - * onerr=[succeed|fail] (if something weird happens - such as unable to open the file, what to do?) - * file=/where/to/keep/counts (default /var/log/faillog) - - (auth) - * no_magic_root (root DOES increment counter. Use for - daemon-based stuff, like telnet/rsh/login) - - (account) - * deny=n (deny access if tally for this user exceeds n; - The presence of deny=n changes the default for - reset/no_reset to reset, unless the user trying to - gain access is root and the no_magic_root option - has NOT been specified.) - - * no_magic_root (access attempts by root DON'T ignore deny. - Use this for daemon-based stuff, like telnet/rsh/login) - * even_deny_root_account (Root can become unavailable. BEWARE. - Note that magic root trying to gain root bypasses this, - but normal users can be locked out.) - - * reset (reset count to 0 on successful entry, even for - magic root) - * no_reset (don't reset count on successful entry) - This is the default unless deny exists and the - user attempting access is NOT magic root. - - Also checks to make sure that the list file is a plain - file and not world writable. - - - Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd. - v0.1 5 March 1997 - -BUGS: - -pam_tally is very dependant on getpw*(): a database of usernames -would be much more flexible. - -The (4.0 Redhat) utilities seem to do funny things with uid, and I'm -not wholly sure I understood what I should have been doing anyway so -the `keep a count of current logins' bit has been #ifdef'd out and you -can only reset the counter on successful authentication, for now. diff --git a/contrib/libpam/modules/pam_tally/pam_tally.c b/contrib/libpam/modules/pam_tally/pam_tally.c deleted file mode 100644 index a1b65c0..0000000 --- a/contrib/libpam/modules/pam_tally/pam_tally.c +++ /dev/null @@ -1,634 +0,0 @@ -/* - * pam_tally.c - * - * Revision history? :) 0.1 - */ - - -/* By Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd. - * 5 March 1997 - * - * Stuff stolen from pam_rootok and pam_listfile - */ - -#ifdef linux -# define _GNU_SOURCE -# include <features.h> -#endif - -#include <stdio.h> -#include <strings.h> -#include <unistd.h> -#include <stdarg.h> -#include <syslog.h> -#include <pwd.h> - -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/param.h> - -#ifndef TRUE -#define TRUE 1L -#define FALSE 0L -#endif - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -/* #define PAM_SM_SESSION */ -/* #define PAM_SM_PASSWORD */ - -#include <security/pam_modules.h> - -/*---------------------------------------------------------------------*/ - -#define DEFAULT_LOGFILE "/var/log/faillog" -#define MODULE_NAME "pam_tally" - -enum TALLY_RESET { - TALLY_RESET_DEFAULT, - TALLY_RESET_RESET, - TALLY_RESET_NO_RESET -}; - -#define tally_t unsigned short int -#define TALLY_FMT "%hu" -#define TALLY_HI ((tally_t)~0L) - -#define UID_FMT "%hu" - -#ifndef FILENAME_MAX -# define FILENAME_MAX MAXPATHLEN -#endif - -/*---------------------------------------------------------------------*/ - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - va_start(args, format); - -#ifdef MAIN - vfprintf(stderr,format,args); -#else - openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - closelog(); -#endif - va_end(args); -} - -/*---------------------------------------------------------------------*/ - -/* --- Support function: get uid (and optionally username) from PAM or - cline_user --- */ - -#ifdef MAIN -static char *cline_user=0; /* cline_user is used in the administration prog */ -#endif - -static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp ) - { - const char *user; - struct passwd *pw; - -#ifdef MAIN - user = cline_user; -#else - pam_get_user( pamh, &user, NULL ); -#endif - - if ( !user || !*user ) { - _pam_log(LOG_ERR, MODULE_NAME ": pam_get_uid; user?"); - return PAM_AUTH_ERR; - } - - if ( ! ( pw = getpwnam( user ) ) ) { - _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user); - return PAM_USER_UNKNOWN; - } - - if ( uid ) *uid = pw->pw_uid; - if ( userp ) *userp = user; - return PAM_SUCCESS; - } - -/*---------------------------------------------------------------------*/ - -/* --- Support function: open/create tallyfile and return tally for uid --- */ - -/* If on entry *tally==TALLY_HI, tallyfile is opened READONLY */ -/* Otherwise, if on entry tallyfile doesn't exist, creation is attempted. */ - -static int get_tally( tally_t *tally, - uid_t uid, - const char *filename, - FILE **TALLY ) - { - struct stat fileinfo; - int lstat_ret = lstat(filename,&fileinfo); - - if ( lstat_ret && *tally!=TALLY_HI ) { - if ( ( *TALLY=fopen(filename, "a") ) ) { - /* Create file, or append-open in pathological case. */ - _pam_log(LOG_ALERT, "Couldn't create %s",filename); - return PAM_AUTH_ERR; - } - fclose(*TALLY); - lstat_ret = lstat(filename,&fileinfo); - } - - if ( lstat_ret ) { - _pam_log(LOG_ALERT, "Couldn't stat %s",filename); - return PAM_AUTH_ERR; - } - - if((fileinfo.st_mode & S_IWOTH) || !S_ISREG(fileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - _pam_log(LOG_ALERT, - "%s is either world writable or not a normal file", - filename); - return PAM_AUTH_ERR; - } - - if ( ! ( *TALLY = fopen(filename,(*tally!=TALLY_HI)?"r+":"r") ) ) { - _pam_log(LOG_ALERT, "Error opening %s for update", filename); - -/* Discovering why account service fails: e/uid are target user. - * - * perror(MODULE_NAME); - * fprintf(stderr,"uid %d euid %d\n",getuid(), geteuid()); - */ - return PAM_AUTH_ERR; - } - - if ( fseek( *TALLY, uid * sizeof (tally_t), SEEK_SET ) ) { - _pam_log(LOG_ALERT, "fseek failed %s", filename); - return PAM_AUTH_ERR; - } - - if ( ( fread(tally, sizeof(tally_t), 1, *TALLY) )==0 ) { - *tally=0; /* Assuming a gappy filesystem */ - } - return PAM_SUCCESS; - } - -/*---------------------------------------------------------------------*/ - -/* --- Support function: update and close tallyfile with tally!=TALLY_HI --- */ - -static int set_tally( tally_t tally, - uid_t uid, - const char *filename, - FILE **TALLY ) - { - if ( tally!=TALLY_HI ) - { - if ( fseek( *TALLY, uid * sizeof(tally_t), SEEK_SET ) ) { - _pam_log(LOG_ALERT, "fseek failed %s", filename); - return PAM_AUTH_ERR; - } - - if ( fwrite(&tally, sizeof(tally_t), 1, *TALLY)==0 ) { - _pam_log(LOG_ALERT, "tally update (fputc) failed.", filename); - return PAM_AUTH_ERR; - } - } - - if ( fclose(*TALLY) ) { - _pam_log(LOG_ALERT, "tally update (fclose) failed.", filename); - return PAM_AUTH_ERR; - } - *TALLY=NULL; - return PAM_SUCCESS; - } - -/*---------------------------------------------------------------------*/ - -/* --- PAM bits --- */ - -#ifndef MAIN - -#define PAM_FUNCTION(name) \ - PAM_EXTERN int name (pam_handle_t *pamh,int flags,int argc,const char **argv) - -#define RETURN_ERROR(i) return ((fail_on_error)?(i):(PAM_SUCCESS)) - -/*---------------------------------------------------------------------*/ - -/* --- tally bump function: bump tally for uid by (signed) inc --- */ - -static int tally_bump (int inc, - pam_handle_t *pamh, - int flags, - int argc, - const char **argv) { - uid_t uid; - - int - fail_on_error = FALSE; - tally_t - tally = 0; /* !TALLY_HI --> Log opened for update */ - - char - no_magic_root = FALSE; - - char - filename[ FILENAME_MAX ] = DEFAULT_LOGFILE; - - /* Should probably decode the parameters before anything else. */ - - { - for ( ; argc-- > 0; ++argv ) { - - /* generic options.. um, ignored. :] */ - - if ( ! strcmp( *argv, "no_magic_root" ) ) { - no_magic_root = TRUE; - } - else if ( ! strncmp( *argv, "file=", 5 ) ) { - char const - *from = (*argv)+5; - char - *to = filename; - if ( *from!='/' || strlen(from)>FILENAME_MAX-1 ) { - _pam_log(LOG_ERR, - MODULE_NAME ": filename not /rooted or too long; ", - *argv); - RETURN_ERROR( PAM_AUTH_ERR ); - } - while ( ( *to++ = *from++ ) ); - } - else if ( ! strcmp( *argv, "onerr=fail" ) ) { - fail_on_error=TRUE; - } - else if ( ! strcmp( *argv, "onerr=succeed" ) ) { - fail_on_error=FALSE; - } - else { - _pam_log(LOG_ERR, MODULE_NAME ": unknown option; %s",*argv); - } - } /* for() */ - } - - { - FILE - *TALLY = NULL; - const char - *user = NULL; - - int i=pam_get_uid(pamh, &uid, &user); - if ( i != PAM_SUCCESS ) RETURN_ERROR( i ); - - i=get_tally( &tally, uid, filename, &TALLY ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - - if ( no_magic_root || getuid() ) { /* no_magic_root kills uid test */ - - tally+=inc; - - if ( tally==TALLY_HI ) { /* Overflow *and* underflow. :) */ - tally-=inc; - _pam_log(LOG_ALERT,"Tally %sflowed for user %s", - (inc<0)?"under":"over",user); - } - } - - i=set_tally( tally, uid, filename, &TALLY ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - } - - return PAM_SUCCESS; -} - -/*---------------------------------------------------------------------*/ - -/* --- authentication management functions (only) --- */ - -#ifdef PAM_SM_AUTH - -PAM_FUNCTION( pam_sm_authenticate ) { - return tally_bump( 1, pamh, flags, argc, argv); -} - -/* --- Seems to need this function. Ho hum. --- */ - -PAM_FUNCTION( pam_sm_setcred ) { return PAM_SUCCESS; } - -#endif - -/*---------------------------------------------------------------------*/ - -/* --- session management functions (only) --- */ - -/* - * Unavailable until .so files can be suid - */ - -#ifdef PAM_SM_SESSION - -/* To maintain a balance-tally of successful login/outs */ - -PAM_FUNCTION( pam_sm_open_session ) { - return tally_bump( 1, pamh, flags, argc, argv); -} - -PAM_FUNCTION( pam_sm_close_session ) { - return tally_bump(-1, pamh, flags, argc, argv); -} - -#endif - -/*---------------------------------------------------------------------*/ - -/* --- authentication management functions (only) --- */ - -#ifdef PAM_SM_AUTH - -/* To lock out a user with an unacceptably high tally */ - -PAM_FUNCTION( pam_sm_acct_mgmt ) { - uid_t - uid; - - int - fail_on_error = FALSE; - tally_t - deny = 0; - tally_t - tally = 0; /* !TALLY_HI --> Log opened for update */ - - char - no_magic_root = FALSE, - even_deny_root_account = FALSE; - - const char - *user = NULL; - - enum TALLY_RESET - reset = TALLY_RESET_DEFAULT; - - char - filename[ FILENAME_MAX ] = DEFAULT_LOGFILE; - - /* Should probably decode the parameters before anything else. */ - - { - for ( ; argc-- > 0; ++argv ) { - - /* generic options.. um, ignored. :] */ - - if ( ! strcmp( *argv, "no_magic_root" ) ) { - no_magic_root = TRUE; - } - else if ( ! strcmp( *argv, "even_deny_root_account" ) ) { - even_deny_root_account = TRUE; - } - else if ( ! strcmp( *argv, "reset" ) ) { - reset = TALLY_RESET_RESET; - } - else if ( ! strcmp( *argv, "no_reset" ) ) { - reset = TALLY_RESET_NO_RESET; - } - else if ( ! strncmp( *argv, "file=", 5 ) ) { - char const - *from = (*argv)+5; - char - *to = filename; - if ( *from != '/' || strlen(from) > FILENAME_MAX-1 ) { - _pam_log(LOG_ERR, - MODULE_NAME ": filename not /rooted or too long; ", - *argv); - RETURN_ERROR( PAM_AUTH_ERR ); - } - while ( ( *to++ = *from++ ) ); - } - else if ( ! strncmp( *argv, "deny=", 5 ) ) { - if ( sscanf((*argv)+5,TALLY_FMT,&deny) != 1 ) { - _pam_log(LOG_ERR,"bad number supplied; %s",*argv); - RETURN_ERROR( PAM_AUTH_ERR ); - } - } - else if ( ! strcmp( *argv, "onerr=fail" ) ) { - fail_on_error=TRUE; - } - else if ( ! strcmp( *argv, "onerr=succeed" ) ) { - fail_on_error=FALSE; - } - else { - _pam_log(LOG_ERR, MODULE_NAME ": unknown option; %s",*argv); - } - } /* for() */ - } - - { - FILE *TALLY=0; - int i=pam_get_uid(pamh, &uid, &user); - if ( i != PAM_SUCCESS ) RETURN_ERROR( i ); - - i=get_tally( &tally, uid, filename, &TALLY ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - - if ( no_magic_root || getuid() ) { /* no_magic_root kills uid test */ - - /* To deny or not to deny; that is the question */ - - if ( - ( deny != 0 ) && /* deny==0 means no deny */ - ( tally > deny ) && /* tally>deny means exceeded */ - ( even_deny_root_account || uid ) /* even_deny stops uid check */ - ) { - _pam_log(LOG_NOTICE,"user %s ("UID_FMT") tally "TALLY_FMT", deny "TALLY_FMT, - user, uid, tally, deny); - return PAM_AUTH_ERR; /* Only unconditional failure */ - } - - /* resets for explicit reset - * or by default if deny exists and not magic-root - */ - - if ( ( reset == TALLY_RESET_RESET ) || - ( reset == TALLY_RESET_DEFAULT && deny ) ) { tally=0; } - } - else /* is magic root */ { - - /* Magic root skips deny test... */ - - /* Magic root only resets on explicit reset, regardless of deny */ - - if ( reset == TALLY_RESET_RESET ) { tally=0; } - } - - i=set_tally( tally, uid, filename, &TALLY ); - if ( i != PAM_SUCCESS ) { if (TALLY) fclose(TALLY); RETURN_ERROR( i ); } - } - - return PAM_SUCCESS; -} - -#endif /* #ifdef PAM_SM_AUTH */ - -/*-----------------------------------------------------------------------*/ - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_tally_modstruct = { - MODULE_NAME, -#ifdef PAM_SM_AUTH - pam_sm_authenticate, - pam_sm_setcred, -#else - NULL, - NULL, -#endif -#ifdef PAM_SM_ACCOUNT - pam_sm_acct_mgmt, -#else - NULL, -#endif -#ifdef PAM_SM_SESSION - pam_sm_open_session, - pam_sm_close_session, -#else - NULL, - NULL, -#endif -#ifdef PAM_SM_PASSWORD - pam_sm_chauthtok, -#else - NULL, -#endif -}; - -#endif /* #ifdef PAM_STATIC */ - -/*-----------------------------------------------------------------------*/ - -#else /* #ifndef MAIN */ - -static const char *cline_filename = DEFAULT_LOGFILE; -static tally_t cline_reset = TALLY_HI; /* Default is `interrogate only' */ -static int cline_quiet = 0; - -/* - * Not going to link with pamlib just for these.. :) - */ - -static const char * pam_errors( int i ) { - switch (i) { - case PAM_AUTH_ERR: return "Authentication error"; - case PAM_SERVICE_ERR: return "Service error"; - case PAM_USER_UNKNOWN: return "Unknown user"; - default: return "Unknown error"; - } -} - -static int getopts( int argc, char **argv ) { - const char *pname = *argv; - for ( ; *argv ; (void)(*argv && ++argv) ) { - if ( !strcmp (*argv,"--file") ) cline_filename=*++argv; - else if ( !strncmp(*argv,"--file=",7) ) cline_filename=*argv+7; - else if ( !strcmp (*argv,"--user") ) cline_user=*++argv; - else if ( !strncmp(*argv,"--user=",7) ) cline_user=*argv+7; - else if ( !strcmp (*argv,"--reset") ) cline_reset=0; - else if ( !strncmp(*argv,"--reset=",8)) { - if ( sscanf(*argv+8,TALLY_FMT,&cline_reset) != 1 ) - fprintf(stderr,"%s: Bad number given to --reset=\n",pname), exit(0); - } - else if ( !strcmp (*argv,"--quiet") ) cline_quiet=1; - else { - fprintf(stderr,"%s: Unrecognised option %s\n",pname,*argv); - return FALSE; - } - } - return TRUE; -} - -int main ( int argc, char **argv ) { - - if ( ! getopts( argc, argv+1 ) ) { - printf("%s: [--file rooted-filename] [--user username] " - "[--reset[=n]] [--quiet]\n", - *argv); - exit(0); - } - - /* - * Major difference between individual user and all users: - * --user just handles one user, just like PAM. - * --user=* handles all users, sniffing cline_filename for nonzeros - */ - - if ( cline_user ) { - uid_t uid; - tally_t tally=cline_reset; - FILE *TALLY=0; - int i=pam_get_uid( NULL, &uid, NULL); - if ( i != PAM_SUCCESS ) { - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(0); - } - - i=get_tally( &tally, uid, cline_filename, &TALLY ); - if ( i != PAM_SUCCESS ) { - if (TALLY) fclose(TALLY); - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(0); - } - - if ( !cline_quiet ) - printf("User %s\t("UID_FMT")\t%s "TALLY_FMT"\n",cline_user,uid, - (cline_reset!=TALLY_HI)?"had":"has",tally); - - i=set_tally( cline_reset, uid, cline_filename, &TALLY ); - if ( i != PAM_SUCCESS ) { - if (TALLY) fclose(TALLY); - fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); - exit(0); - } - } - else /* !cline_user (ie, operate on all users) */ { - FILE *TALLY=fopen(cline_filename, "r"); - uid_t uid=0; - if ( !TALLY ) perror(*argv), exit(0); - - for ( ; !feof(TALLY); uid++ ) { - tally_t tally; - struct passwd *pw; - if ( ! fread(&tally, sizeof(tally_t), 1, TALLY) || ! tally ) continue; - - if ( ( pw=getpwuid(uid) ) ) { - printf("User %s\t("UID_FMT")\t%s "TALLY_FMT"\n",pw->pw_name,uid, - (cline_reset!=TALLY_HI)?"had":"has",tally); - } - else { - printf("User [NONAME]\t("UID_FMT")\t%s "TALLY_FMT"\n",uid, - (cline_reset!=TALLY_HI)?"had":"has",tally); - } - } - fclose(TALLY); - if ( cline_reset!=0 && cline_reset!=TALLY_HI ) { - fprintf(stderr,"%s: Can't reset all users to non-zero\n",*argv); - } - else if ( !cline_reset ) { - TALLY=fopen(cline_filename, "w"); - if ( !TALLY ) perror(*argv), exit(0); - fclose(TALLY); - } - } - return 0; -} - - -#endif diff --git a/contrib/libpam/modules/pam_time/Makefile b/contrib/libpam/modules/pam_time/Makefile deleted file mode 100644 index bc297d4..0000000 --- a/contrib/libpam/modules/pam_time/Makefile +++ /dev/null @@ -1,121 +0,0 @@ -# -# $Id: Makefile,v 1.6 1997/04/05 06:22:32 morgan Exp morgan $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.6 1997/04/05 06:22:32 morgan -# fakeroot -# -# Revision 1.5 1997/02/15 19:16:16 morgan -# fixed email -# -# Revision 1.4 1996/11/10 20:18:21 morgan -# cross platform support -# -# Revision 1.3 1996/09/05 06:27:37 morgan -# ld --> gcc -# -# Revision 1.2 1996/08/09 05:48:19 morgan -# inherit installation files from parent -# -# Revision 1.1 1996/07/07 23:42:48 morgan -# Initial revision -# -# Revision 1.1 1996/06/24 05:48:49 morgan -# Initial revision -# -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/6/11 -# - -TITLE=pam_time -CONFD=$(CONFIGED)/security -export CONFD -CONFILE=$(CONFD)/time.conf -export CONFILE - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -DEFS=-DCONFILE=\"$(CONFILE)\" - -CFLAGS += $(DEFS) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all -ifdef DYNAMIC - $(MKDIR) $(FAKEROOT)$(SECUREDIR) - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - $(MKDIR) $(FAKEROOT)$(SCONFIGED) - bash -f ./install_conf - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - rm -f $(FAKEROOT)$(CONFILE) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - rm -f ./.ignore_age - -extraclean: clean - rm -f *.a *.o *.so *.bak - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_time/README b/contrib/libpam/modules/pam_time/README deleted file mode 100644 index 0c3f976..0000000 --- a/contrib/libpam/modules/pam_time/README +++ /dev/null @@ -1,37 +0,0 @@ -$Id: README,v 1.3 1997/01/04 20:42:43 morgan Exp $ - -This is a help file for the pam_time module. It explains the need for -pam_time and also the syntax of the /etc/security/time.conf file. -[a lot of the syntax is freely adapted from the porttime file of the -shadow suite.] - -1. Introduction -=============== - -It is desirable to restrict access to a system and or specific -applications at various times of the day and on specific days or over -various terminal lines. - -The pam_time module is intended to offer a configurable module that -satisfies this purpose, within the context of Linux-PAM. - -2. the /etc/security/time.conf file -=================================== - -This file is the configuration script for defining time/port access -control to the system/applications. - -Its syntax is described in the sample ./time.conf provided in this -directory. - -unrecognised rules are ignored (but an error is logged to syslog(3)) - --------------------- -Bugs to Andrew <morgan@parc.power.net> or the list <pam-list@redhat.com> - -######################################################################## -# $Log: README,v $ -# Revision 1.3 1997/01/04 20:42:43 morgan -# I want email on parc now -# -#
\ No newline at end of file diff --git a/contrib/libpam/modules/pam_time/install_conf b/contrib/libpam/modules/pam_time/install_conf deleted file mode 100755 index 051d8b7..0000000 --- a/contrib/libpam/modules/pam_time/install_conf +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -CONFILE=$FAKEROOT"$CONFILE" -IGNORE_AGE=./.ignore_age -QUIET_INSTALL=../../.quiet_install -CONF=./time.conf -MODULE=pam_time - -echo - -if [ -f "$QUIET_INSTALL" ]; then - if [ ! -f "$CONFILE" ]; then - yes="y" - else - yes="skip" - fi -elif [ -f "$IGNORE_AGE" ]; then - echo "you don't want to be bothered with the age of your $CONFILE file" - yes="n" -elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then - if [ -f "$CONFILE" ]; then - echo "An older $MODULE configuration file already exists ($CONFILE)" - echo "Do you wish to copy the $CONF file in this distribution" - echo "to $CONFILE ? (y/n) [skip] " - read yes - else - yes="y" - fi -else - yes="skip" -fi - -if [ "$yes" = "y" ]; then - mkdir -p $FAKEROOT$CONFD - echo " copying $CONF to $CONFILE" - cp $CONF $CONFILE -else - echo " Skipping $CONF installation" - if [ "$yes" = "n" ]; then - touch "$IGNORE_AGE" - fi -fi - -echo - -exit 0 diff --git a/contrib/libpam/modules/pam_time/pam_time.c b/contrib/libpam/modules/pam_time/pam_time.c deleted file mode 100644 index 489c1d7..0000000 --- a/contrib/libpam/modules/pam_time/pam_time.c +++ /dev/null @@ -1,614 +0,0 @@ -/* pam_time module */ - -/* - * $Id: pam_time.c,v 1.7 1997/02/15 17:32:21 morgan Exp $ - * - * Written by Andrew Morgan <morgan@parc.power.net> 1996/6/22 - * (File syntax and much other inspiration from the shadow package - * shadow-960129) - * - * $Log: pam_time.c,v $ - * Revision 1.7 1997/02/15 17:32:21 morgan - * time parsing more robust - * - * Revision 1.6 1997/01/04 20:43:15 morgan - * fixed buffer underflow, reformatted to 4 spaces - * - */ - -const static char rcsid[] = -"$Id: pam_time.c,v 1.7 1997/02/15 17:32:21 morgan Exp $;\n" -"\t\tVersion 0.22 for Linux-PAM\n" -"Copyright (C) Andrew G. Morgan 1996 <morgan@parc.power.net>\n"; - -#include <sys/file.h> -#include <stdio.h> -#include <stdlib.h> -#include <ctype.h> -#include <unistd.h> -#include <stdarg.h> -#include <time.h> -#include <syslog.h> -#include <string.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> - -#define PAM_TIME_CONF CONFILE /* from external define */ -#define PAM_TIME_BUFLEN 1000 -#define FIELD_SEPARATOR ';' /* this is new as of .02 */ - -typedef enum { FALSE, TRUE } boolean; -typedef enum { AND, OR } operator; - -/* - * here, we make definitions for the externally accessible functions - * in this file (these definitions are required for static modules - * but strongly encouraged generally) they are used to instruct the - * modules include file to define their prototypes. - */ - -#define PAM_SM_ACCOUNT - -#include <security/_pam_macros.h> -#include <security/pam_modules.h> - -/* --- static functions for checking whether the user should be let in --- */ - -static void _log_err(const char *format, ... ) -{ - va_list args; - - va_start(args, format); - openlog("pam_time", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_CRIT, format, args); - va_end(args); - closelog(); -} - -static void shift_bytes(char *mem, int from, int by) -{ - while (by-- > 0) { - *mem = mem[from]; - ++mem; - } -} - -static int read_field(int fd, char **buf, int *from, int *to) -{ - /* is buf set ? */ - - if (! *buf) { - *buf = (char *) malloc(PAM_TIME_BUFLEN); - if (! *buf) { - _log_err("out of memory"); - D(("no memory")); - return -1; - } - *from = *to = 0; - fd = open(PAM_TIME_CONF, O_RDONLY); - } - - /* do we have a file open ? return error */ - - if (fd < 0 && *to <= 0) { - _log_err( PAM_TIME_CONF " not opened"); - memset(*buf, 0, PAM_TIME_BUFLEN); - _pam_drop(*buf); - return -1; - } - - /* check if there was a newline last time */ - - if ((*to > *from) && (*to > 0) - && ((*buf)[*from] == '\0')) { /* previous line ended */ - (*from)++; - (*buf)[0] = '\0'; - return fd; - } - - /* ready for more data: first shift the buffer's remaining data */ - - *to -= *from; - shift_bytes(*buf, *from, *to); - *from = 0; - (*buf)[*to] = '\0'; - - while (fd >= 0 && *to < PAM_TIME_BUFLEN) { - int i; - - /* now try to fill the remainder of the buffer */ - - i = read(fd, *to + *buf, PAM_TIME_BUFLEN - *to); - if (i < 0) { - _log_err("error reading " PAM_TIME_CONF); - return -1; - } else if (!i) { - fd = -1; /* end of file reached */ - } else - *to += i; - - /* - * contract the buffer. Delete any comments, and replace all - * multiple spaces with single commas - */ - - i = 0; -#ifdef DEBUG_DUMP - D(("buffer=<%s>",*buf)); -#endif - while (i < *to) { - if ((*buf)[i] == ',') { - int j; - - for (j=++i; j<*to && (*buf)[j] == ','; ++j); - if (j!=i) { - shift_bytes(i + (*buf), j-i, (*to) - j); - *to -= j-i; - } - } - switch ((*buf)[i]) { - int j,c; - case '#': - for (j=i; j < *to && (c = (*buf)[j]) != '\n'; ++j); - if (j >= *to) { - (*buf)[*to = ++i] = '\0'; - } else if (c == '\n') { - shift_bytes(i + (*buf), j-i, (*to) - j); - *to -= j-i; - ++i; - } else { - _log_err("internal error in " __FILE__ - " at line %d", __LINE__ ); - return -1; - } - break; - case '\\': - if ((*buf)[i+1] == '\n') { - shift_bytes(i + *buf, 2, *to - (i+2)); - *to -= 2; - } - break; - case '!': - case ' ': - case '\t': - if ((*buf)[i] != '!') - (*buf)[i] = ','; - /* delete any trailing spaces */ - for (j=++i; j < *to && ( (c = (*buf)[j]) == ' ' - || c == '\t' ); ++j); - shift_bytes(i + *buf, j-i, (*to)-j ); - *to -= j-i; - break; - default: - ++i; - } - } - } - - (*buf)[*to] = '\0'; - - /* now return the next field (set the from/to markers) */ - { - int i; - - for (i=0; i<*to; ++i) { - switch ((*buf)[i]) { - case '#': - case '\n': /* end of the line/file */ - (*buf)[i] = '\0'; - *from = i; - return fd; - case FIELD_SEPARATOR: /* end of the field */ - (*buf)[i] = '\0'; - *from = ++i; - return fd; - } - } - *from = i; - (*buf)[*from] = '\0'; - } - - if (*to <= 0) { - D(("[end of text]")); - *buf = NULL; - } - - return fd; -} - -/* read a member from a field */ - -static int logic_member(const char *string, int *at) -{ - int len,c,to; - int done=0; - int token=0; - - len=0; - to=*at; - do { - c = string[to++]; - - switch (c) { - - case '\0': - --to; - done = 1; - break; - - case '&': - case '|': - case '!': - if (token) { - --to; - } - done = 1; - break; - - default: - if (isalpha(c) || c == '*' || isdigit(c) || c == '_' - || c == '-' || c == '.') { - token = 1; - } else if (token) { - --to; - done = 1; - } else { - ++*at; - } - } - } while (!done); - - return to - *at; -} - -typedef enum { VAL, OP } expect; - -static boolean logic_field(const void *me, const char *x, int rule, - boolean (*agrees)(const void *, const char * - , int, int)) -{ - boolean left=FALSE, right, not=FALSE; - operator oper=OR; - int at=0, l; - expect next=VAL; - - while ((l = logic_member(x,&at))) { - int c = x[at]; - - if (next == VAL) { - if (c == '!') - not = !not; - else if (isalpha(c) || c == '*') { - right = not ^ agrees(me, x+at, l, rule); - if (oper == AND) - left &= right; - else - left |= right; - next = OP; - } else { - _log_err("garbled syntax; expected name (rule #%d)", rule); - return FALSE; - } - } else { /* OP */ - switch (c) { - case '&': - oper = AND; - break; - case '|': - oper = OR; - break; - default: - _log_err("garbled syntax; expected & or | (rule #%d)" - , rule); - D(("%c at %d",c,at)); - return FALSE; - } - next = VAL; - } - at += l; - } - - return left; -} - -static boolean is_same(const void *A, const char *b, int len, int rule) -{ - int i; - const char *a; - - a = A; - for (i=0; len > 0; ++i, --len) { - if (b[i] != a[i]) { - if (b[i++] == '*') { - return (!--len || !strncmp(b+i,a+strlen(a)-len,len)); - } else - return FALSE; - } - } - return ( !len ); -} - -typedef struct { - int day; /* array of 7 bits, one set for today */ - int minute; /* integer, hour*100+minute for now */ -} TIME; - -struct day { - const char *d; - int bit; -} static const days[11] = { - { "su", 01 }, - { "mo", 02 }, - { "tu", 04 }, - { "we", 010 }, - { "th", 020 }, - { "fr", 040 }, - { "sa", 0100 }, - { "wk", 076 }, - { "wd", 0101 }, - { "al", 0177 }, - { NULL, 0 } -}; - -static TIME time_now(void) -{ - struct tm *local; - time_t the_time; - TIME this; - - the_time = time((time_t *)0); /* get the current time */ - local = localtime(&the_time); - this.day = days[local->tm_wday].bit; - this.minute = local->tm_hour*100 + local->tm_min; - - D(("day: 0%o, time: %.4d", this.day, this.minute)); - return this; -} - -/* take the current date and see if the range "date" passes it */ -static boolean check_time(const void *AT, const char *times, int len, int rule) -{ - boolean not,pass; - int marked_day, time_start, time_end; - const TIME *at; - int i,j=0; - - at = AT; - D(("chcking: 0%o/%.4d vs. %s", at->day, at->minute, times)); - - if (times == NULL) { - /* this should not happen */ - _log_err("internal error: " __FILE__ " line %d", __LINE__); - return FALSE; - } - - if (times[j] == '!') { - ++j; - not = TRUE; - } else { - not = FALSE; - } - - for (marked_day = 0; len > 0 && isalpha(times[j]); --len) { - int this_day=-1; - - D(("%c%c ?", times[j], times[j+1])); - for (i=0; days[i].d != NULL; ++i) { - if (tolower(times[j]) == days[i].d[0] - && tolower(times[j+1]) == days[i].d[1] ) { - this_day = days[i].bit; - break; - } - } - j += 2; - if (this_day == -1) { - _log_err("bad day specified (rule #%d)", rule); - return FALSE; - } - marked_day ^= this_day; - } - if (marked_day == 0) { - _log_err("no day specified"); - return FALSE; - } - D(("day range = 0%o", marked_day)); - - time_start = 0; - for (i=0; len > 0 && i < 4 && isdigit(times[i+j]); ++i, --len) { - time_start *= 10; - time_start += times[i+j]-'0'; /* is this portable? */ - } - j += i; - - if (times[j] == '-') { - time_end = 0; - for (i=1; len > 0 && i < 5 && isdigit(times[i+j]); ++i, --len) { - time_end *= 10; - time_end += times[i+j]-'0'; /* is this portable */ - } - j += i; - } else - time_end = -1; - - D(("i=%d, time_end=%d, times[j]='%c'", i, time_end, times[j])); - if (i != 5 || time_end == -1) { - _log_err("no/bad times specified (rule #%d)", rule); - return TRUE; - } - D(("times(%d to %d)", time_start,time_end)); - D(("marked_day = 0%o", marked_day)); - - /* compare with the actual time now */ - - pass = FALSE; - if (time_start < time_end) { /* start < end ? --> same day */ - if ((at->day & marked_day) && (at->minute >= time_start) - && (at->minute < time_end)) { - D(("time is listed")); - pass = TRUE; - } - } else { /* spans two days */ - if ((at->day & marked_day) && (at->minute >= time_start)) { - D(("caught on first day")); - pass = TRUE; - } else { - marked_day <<= 1; - marked_day |= (marked_day & 0200) ? 1:0; - D(("next day = 0%o", marked_day)); - if ((at->day & marked_day) && (at->minute <= time_end)) { - D(("caught on second day")); - pass = TRUE; - } - } - } - - return (not ^ pass); -} - -static int check_account(const char *service - , const char *tty, const char *user) -{ - int from=0,to=0,fd=-1; - char *buffer=NULL; - int count=0; - TIME here_and_now; - int retval=PAM_SUCCESS; - - here_and_now = time_now(); /* find current time */ - do { - boolean good=TRUE,intime; - - /* here we get the service name field */ - - fd = read_field(fd,&buffer,&from,&to); - - if (!buffer || !buffer[0]) { - /* empty line .. ? */ - continue; - } - ++count; - - good = logic_field(service, buffer, count, is_same); - D(("with service: %s", good ? "passes":"fails" )); - - /* here we get the terminal name field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_TIME_CONF "; no tty entry #%d", count); - continue; - } - good &= logic_field(tty, buffer, count, is_same); - D(("with tty: %s", good ? "passes":"fails" )); - - /* here we get the username field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_TIME_CONF "; no user entry #%d", count); - continue; - } - good &= logic_field(user, buffer, count, is_same); - D(("with user: %s", good ? "passes":"fails" )); - - /* here we get the time field */ - - fd = read_field(fd,&buffer,&from,&to); - if (!buffer || !buffer[0]) { - _log_err(PAM_TIME_CONF "; no time entry #%d", count); - continue; - } - - intime = logic_field(&here_and_now, buffer, count, check_time); - D(("with time: %s", intime ? "passes":"fails" )); - - fd = read_field(fd,&buffer,&from,&to); - if (buffer && buffer[0]) { - _log_err(PAM_TIME_CONF "; poorly terminated rule #%d", count); - continue; - } - - if (good && !intime) { - /* - * for security parse whole file.. also need to ensure - * that the buffer is free()'d and the file is closed. - */ - retval = PAM_PERM_DENIED; - } else { - D(("rule passed")); - } - } while (buffer); - - return retval; -} - -/* --- public account management functions --- */ - -PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - const char *service=NULL, *tty=NULL; - const char *user=NULL; - - /* set service name */ - - if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) - != PAM_SUCCESS || service == NULL) { - _log_err("cannot find the current service name"); - return PAM_ABORT; - } - - /* set username */ - - if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL - || *user == '\0') { - _log_err("cannot determine the user's name"); - return PAM_USER_UNKNOWN; - } - - /* set tty name */ - - if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS - || tty == NULL) { - D(("PAM_TTY not set, probing stdin")); - tty = ttyname(STDIN_FILENO); - if (tty == NULL) { - _log_err("couldn't get the tty name"); - return PAM_ABORT; - } - if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { - _log_err("couldn't set tty name"); - return PAM_ABORT; - } - } - - if (strncmp("/dev/",tty,5) == 0) { /* strip leading /dev/ */ - tty += 5; - } - - /* good, now we have the service name, the user and the terminal name */ - - D(("service=%s", service)); - D(("user=%s", user)); - D(("tty=%s", tty)); - - return check_account(service,tty,user); -} - -/* end of module definition */ - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_time_modstruct = { - "pam_time", - NULL, - NULL, - pam_sm_acct_mgmt, - NULL, - NULL, - NULL -}; -#endif diff --git a/contrib/libpam/modules/pam_time/time.conf b/contrib/libpam/modules/pam_time/time.conf deleted file mode 100644 index d2062fd..0000000 --- a/contrib/libpam/modules/pam_time/time.conf +++ /dev/null @@ -1,64 +0,0 @@ -# this is an example configuration file for the pam_time module. Its syntax -# was initially based heavily on that of the shadow package (shadow-960129). -# -# the syntax of the lines is as follows: -# -# services;ttys;users;times -# -# white space is ignored and lines maybe extended with '\\n' (escaped -# newlines). As should be clear from reading these comments, -# text following a '#' is ignored to the end of the line. -# -# the combination of individual users/terminals etc is a logic list -# namely individual tokens that are optionally prefixed with '!' (logical -# not) and separated with '&' (logical and) and '|' (logical or). -# -# services -# is a logic list of PAM service names that the rule applies to. -# -# ttys -# is a logic list of terminal names that this rule applies to. -# -# users -# is a logic list of users to whom this rule applies. -# -# NB. For these items the simple wildcard '*' may be used only once. -# -# times -# the format here is a logic list of day/time-range -# entries the days are specified by a sequence of two character -# entries, MoTuSa for example is Monday Tuesday and Saturday. Note -# that repeated days are unset MoMo = no day, and MoWk = all weekdays -# bar Monday. The two character combinations accepted are -# -# Mo Tu We Th Fr Sa Su Wk Wd Al -# -# the last two being week-end days and all 7 days of the week -# respectively. As a final example, AlFr means all days except Friday. -# -# each day/time-range can be prefixed with a '!' to indicate "anything -# but" -# -# The time-range part is two 24-hour times HHMM separated by a hyphen -# indicating the start and finish time (if the finish time is smaller -# than the start time it is deemed to apply on the following day). -# -# for a rule to be active, ALL of service+ttys+users must be satisfied -# by the applying process. -# - -# -# Here is a simple example: running blank on tty* (any ttyXXX device), -# the users 'you' and 'me' are denied service all of the time -# - -#blank;tty* & !ttyp*;you|me;!Al0000-2400 - -# Another silly example, user 'root' is denied xsh access -# from pseudo terminals at the weekend and on mondays. - -#xsh;ttyp*;root;!WdMo0000-2400 - -# -# End of example file. -#
\ No newline at end of file diff --git a/contrib/libpam/modules/pam_unix/CHANGELOG b/contrib/libpam/modules/pam_unix/CHANGELOG deleted file mode 100644 index 37e4c85..0000000 --- a/contrib/libpam/modules/pam_unix/CHANGELOG +++ /dev/null @@ -1,6 +0,0 @@ -$Id: CHANGELOG,v 1.1 1996/11/09 19:42:41 morgan Exp $ - -$Log: CHANGELOG,v $ -Revision 1.1 1996/11/09 19:42:41 morgan -Initial revision - diff --git a/contrib/libpam/modules/pam_unix/Makefile b/contrib/libpam/modules/pam_unix/Makefile deleted file mode 100644 index ad1f47f..0000000 --- a/contrib/libpam/modules/pam_unix/Makefile +++ /dev/null @@ -1,155 +0,0 @@ -# $Header$ -# -# This Makefile controls a build process of the pam_unix modules -# for Linux-PAM. You should not modify this Makefile. -# -# $Log$ -# Revision 1.1.1.2 1998/06/03 03:43:56 adam -# Import from archive -# -# Revision 1.3 1998/05/31 23:48:13 adam -# Link crypt library as necessary. -# -# Revision 1.3 1997/04/05 06:20:58 morgan -# fakeroot and also lockpwdf is in libc now -# -# Revision 1.2 1996/11/10 20:18:59 morgan -# cross platform support -# -# Revision 1.1 1996/11/09 19:44:16 morgan -# Initial revision -# -# - -######################################################################## -# some options... uncomment to take effect -######################################################################## - -# do you want shadow? -USE_SHADOW=-D"HAVE_SHADOW_H" - -# do you want cracklib? -ifeq ($(HAVE_CRACKLIB),yes) -USE_CRACKLIB=-D"USE_CRACKLIB" -endif - -# do you want to use lckpwdf? -USE_LCKPWDF=-D"USE_LCKPWDF" - -# do you need to include the locking functions in the source? -#NEED_LCKPWDF=-D"NEED_LCKPWDF" - -######################################################################## - -CFLAGS += $(USE_SHADOW) $(USE_CRACKLIB) $(USE_LCKPWDF) $(NEED_LCKPWDF) - -ifdef DYNAMIC -LIBSESSSH = pam_unix_session.so -LIBAUTHSH = pam_unix_auth.so -LIBPASSWDSH = pam_unix_passwd.so -LIBACCOUNT = pam_unix_acct.so -endif - -ifdef STATIC -LIBSTATIC = libpam_unix.o -endif - -ifdef USE_CRACKLIB -CRACKLIB = -lcrack -endif - -LIBAUTHOBJ = pam_unix_auth.o support.o -LIBAUTHSRC = pam_unix_auth.c support.c -LIBSESSOBJ = pam_unix_sess.o -LIBSESSSRC = pam_unix_sess.c -LIBPASSWDSRC = pam_unix_passwd.c -LIBPASSWDOBJ = pam_unix_passwd.o -LIBACCOUNTSRC = pam_unix_acct.c -LIBACCOUNTOBJ = pam_unix_acct.o -LIBOBJ = $(LIBAUTHOBJ) $(LIBSESSOBJ) $(LIBPASSWDOBJ) $(LIBACCOUNTOBJ) -LIBSRC = $(LIBAUTHSRC) $(LIBSESSSRC) $(LIBPASSWDSRC) $(LIBACCOUNTSRC) - -LIBSHARED = $(LIBSESSSH) $(LIBAUTHSH) $(LIBPASSWDSH) $(LIBACCOUNT) - -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) -c $< -o $@ - -static/%.o: %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) -c $< -o $@ - - -########################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -info: - @echo - @echo "*** Building pam-unix(alpha) module of the framework..." - @echo - -all: dirs info $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - mkdir -p ./dynamic -endif -ifdef STATIC - mkdir -p ./static -endif - -register: -ifdef STATIC - ( cd .. ; \ - ./register_static pam_unix_auth pam_unix/$(LIBSTATIC) ; \ - ./register_static pam_unix_acct "" ; \ - ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBAUTHSH): $(LIBAUTHSRC) $(LIBOBJD) - $(LD_D) -o $@ $(addprefix dynamic/,$(LIBAUTHOBJ)) -lcrypt - -$(LIBSESSSH): $(LIBSESSSRC) $(LIBOBJD) - $(LD_D) -o $@ $(addprefix dynamic/,$(LIBSESSOBJ)) - -$(LIBPASSWDSH): $(LIBPASSWDSRC) $(LIBOBJD) - $(LD_D) -o $@ $(addprefix dynamic/,$(LIBPASSWDOBJ)) $(CRACKLIB) -lcrypt - -$(LIBACCOUNT): $(LIBACCOUNTSRC) $(LIBOBJD) - $(LD_D) -o $@ $(addprefix dynamic/,$(LIBACCOUNTOBJ)) -endif - - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - mkdir -p $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - install -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - cd $(FAKEROOT)$(SECUREDIR) && rm -f $(LIBSHARED) - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) a.out core *~ - -extraclean: clean - rm -f *.a *.out *.o *.so *.bak - -.c.o: - $(CC) -c $(CFLAGS) $< - diff --git a/contrib/libpam/modules/pam_unix/README b/contrib/libpam/modules/pam_unix/README deleted file mode 100644 index 082e996..0000000 --- a/contrib/libpam/modules/pam_unix/README +++ /dev/null @@ -1,39 +0,0 @@ -This is the README for pam_unix in Linux-PAM-0.53. --------------------------------------------------- - -pam_unix comes as four separate modules: - -pam_unix_auth: authentication module providing - pam_authenticate() and pam_setcred() hooks - - NO options are recognized. Credential facilities are trivial - (function simply returns) - -pam_unix_sess: session module, providing session logging - - "debug" and "trace" arguments are accepted, which indicate the - logging-level for syslog. - - "debug" -> LOG_DEBUG [ also default ] - "trace" -> LOG_AUTHPRIV - -pam_unix_acct: account management, providing shadow account - managment features, password aging etc.. - - NO options are recognized. Account managment trivial without - shadow active. - -pam_unix_passwd: password updating facilities providing - cracklib password strength checking facilities. - - if compiled, the default behavior is to check passwords - strictly using CrackLib. This behavior can be turned off - with the argument - - "strict=false" - - invalid arguments are logged to syslog. - ------------------------------- -- Andrew 1996/11/9 ------------------------------- diff --git a/contrib/libpam/modules/pam_unix/pam_unix_acct.c b/contrib/libpam/modules/pam_unix/pam_unix_acct.c deleted file mode 100644 index 5c0546a..0000000 --- a/contrib/libpam/modules/pam_unix/pam_unix_acct.c +++ /dev/null @@ -1,117 +0,0 @@ -/* - * Copyright Elliot Lee, 1996. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* pam_unix_acct.c module, different track */ - -#ifdef linux -# define _GNU_SOURCE -# include <features.h> -#endif - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#define __USE_MISC -#include <pwd.h> -#include <sys/types.h> -#include <syslog.h> -#include <unistd.h> -#ifdef HAVE_SHADOW_H -#include <shadow.h> -#endif -#include <time.h> - -#define PAM_SM_ACCOUNT - -#ifndef LINUX -# include <security/pam_appl.h> -#endif - -#define _PAM_EXTERN_FUNCTIONS -#include <security/pam_modules.h> - -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ -#ifdef HAVE_SHADOW_H - const char *uname; - int retval; - time_t curdays; - struct spwd *spent; - struct passwd *pwent; - - setpwent(); - setspent(); - retval = pam_get_item(pamh,PAM_USER,(const void **)&uname); - if(retval != PAM_SUCCESS || uname == NULL) { - return PAM_SUCCESS; /* Couldn't get username, just ignore this - (i.e. they don't have any expiry info available */ - } - pwent = getpwnam(uname); - if(!pwent) - return PAM_USER_UNKNOWN; - if(strcmp(pwent->pw_passwd,"x")) - return PAM_SUCCESS; /* They aren't using shadow passwords & expiry - info */ - spent = getspnam(uname); - if(!spent) - return PAM_SUCCESS; /* Couldn't get username from shadow, just ignore this - (i.e. they don't have any expiry info available */ - curdays = time(NULL)/(60*60*24); - if((curdays > (spent->sp_lstchg + spent->sp_max + spent->sp_inact)) - && (spent->sp_max != -1) && (spent->sp_inact != -1)) - return PAM_ACCT_EXPIRED; - if((curdays > spent->sp_expire) && (spent->sp_expire != -1)) - return PAM_ACCT_EXPIRED; - endspent(); - endpwent(); -#endif - return PAM_SUCCESS; -} - - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_unix_acct_modstruct = { - "pam_unix_acct", - NULL, - NULL, - pam_sm_acct_mgmt, - NULL, - NULL, - NULL, -}; -#endif diff --git a/contrib/libpam/modules/pam_unix/pam_unix_auth.c b/contrib/libpam/modules/pam_unix/pam_unix_auth.c deleted file mode 100644 index 65c2229..0000000 --- a/contrib/libpam/modules/pam_unix/pam_unix_auth.c +++ /dev/null @@ -1,309 +0,0 @@ -/* $Header: /home/morgan/pam/Linux-PAM-0.59/modules/pam_unix/RCS/pam_unix_auth.c,v 1.1 1996/11/09 19:44:35 morgan Exp morgan $ */ - -/* - * Copyright Alexander O. Yuriev, 1996. All rights reserved. - * NIS+ support by Thorsten Kukuk <kukuk@weber.uni-paderborn.de> - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * $Log: pam_unix_auth.c,v $ - * - * Revision 1.9 1996/05/26 04:13:04 morgan - * added static support - * - * Revision 1.8 1996/05/21 03:51:58 morgan - * added "const" to rcsid[] definition - * - * Revision 1.7 1996/04/19 03:25:57 alex - * minor corrections. - * - * Revision 1.6 1996/04/17 01:05:05 alex - * _pam_auth_unix() cleaned up - non-authentication code is made into funcs - * and mostly moved out to support.c. - * - * Revision 1.5 1996/04/16 21:12:46 alex - * unix authentication works on Bach again. This is a tranitional stage. - * I really don't like that _pam_unix_auth() grew into a monster that does - * prompts etc etc. They should go into other functions. - * - * Revision 1.4 1996/04/07 08:06:12 morgan - * tidied up a little - * - * Revision 1.3 1996/04/07 07:34:07 morgan - * added conversation support. Now the module is capable of obtaining a - * username and a password all by itself. - * - * Revision 1.2 1996/03/29 02:31:19 morgan - * Marek Michalkiewicz's small patches for shadow support. - * - * Revision 1.1 1996/03/09 09:10:57 morgan - * Initial revision - * - */ - -#ifdef linux -# define _GNU_SOURCE -# include <features.h> -#endif - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#define __USE_BSD -#include <unistd.h> -#include <pwd.h> -#include <sys/types.h> - -#ifndef NDEBUG - -#include <syslog.h> - -#endif /* NDEBUG */ - -#ifdef HAVE_SHADOW_H - -#include <shadow.h> - -#endif /* HAVE_SHADOW_H */ - -#ifndef LINUX - -#include <security/pam_appl.h> - -#endif /* LINUX */ - -#define _PAM_EXTERN_FUNCTIONS -#include <security/pam_modules.h> - -static const char rcsid[] = "$Id: pam_unix_auth.c,v 1.1 1996/11/09 19:44:35 morgan Exp morgan $ pam_unix authentication functions. alex@bach.cis.temple.edu"; - -/* Define function phototypes */ - -extern char *crypt(const char *key, const char *salt); /* This should have - been in unistd.h - but it is not */ -extern int converse( pam_handle_t *pamh, - int nargs, - struct pam_message **message, - struct pam_response **response ); - -extern int _set_auth_tok( pam_handle_t *pamh, - int flags, int argc, - const char **argv ); - -static int _pam_auth_unix( pam_handle_t *pamh, - int flags, int argc, - const char **argv ); - -static int _pam_set_credentials_unix ( pam_handle_t *pamh, - int flags, - int argc, - const char ** argv ) ; - - -/* Fun starts here :) - * - * _pam_auth_unix() actually performs UNIX/shadow authentication - * - * First, if shadow support is available, attempt to perform - * authentication using shadow passwords. If shadow is not - * available, or user does not have a shadow password, fallback - * onto a normal UNIX authentication - */ - -static int _pam_auth_unix( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) -{ - int retval; - struct passwd *pw; - const char *name; - char *p, *pp; - const char *salt; - -#ifdef HAVE_SHADOW_H - - struct spwd *sp; - -#endif - - /* get the user'name' */ - - if ( (retval = pam_get_user( pamh, &name, "login: ") ) != PAM_SUCCESS ) - return retval; - - /* - * at some point we will have to make this module pay - * attention to arguments, like 'pam_first_pass' etc... - */ - - pw = getpwnam ( name ); - -#ifndef __FreeBSD__ - /* For NIS+, root cannot get password for lesser user */ - if (pw) { - uid_t save_euid, save_uid; - - save_uid = getuid (); - save_euid = geteuid(); - if (setreuid (0,pw->pw_uid) >= 0) { - pw = getpwnam ( name ); - setreuid (save_uid,save_euid); - } - } -#endif - - if ( pw && (!pw->pw_passwd || pw->pw_passwd[0] == '\0') && - !(flags & PAM_DISALLOW_NULL_AUTHTOK)) { - return PAM_SUCCESS; - } - pam_get_item( pamh, PAM_AUTHTOK, (void*) &p ); - - if ( !p ) - { - retval = _set_auth_tok( pamh, flags, argc, argv ); - if ( retval != PAM_SUCCESS ) - return retval; - } - - /* - We have to call pam_get_item() again because value of p should - change - */ - - pam_get_item( pamh, PAM_AUTHTOK, (void*) &p ); - - - if (pw) - { - -#ifdef HAVE_SHADOW_H - - /* - * Support for shadow passwords on Linux and SVR4-based - * systems. Shadow passwords are optional on Linux - if - * there is no shadow password, use the non-shadow one. - */ - - sp = getspnam( name ); - if (sp && (!strcmp(pw->pw_passwd,"x"))) - { - /* TODO: check if password has expired etc. */ - salt = sp->sp_pwdp; - } - else -#endif - salt = pw->pw_passwd; - } - else - return PAM_USER_UNKNOWN; - - /* The 'always-encrypt' method does not make sense in PAM - because the framework requires return of a different - error code for non-existant users -- alex */ - - if ( ( !pw->pw_passwd ) && ( !p ) ) - if ( flags && PAM_DISALLOW_NULL_AUTHTOK ) - return PAM_SUCCESS; - else - return PAM_AUTH_ERR; - - pp = crypt(p, salt); - - if ( strcmp( pp, salt ) == 0 ) - return PAM_SUCCESS; - - return PAM_AUTH_ERR; -} - -/* - * The only thing _pam_set_credentials_unix() does is initialization of - * UNIX group IDs. - * - * Well, everybody but me on linux-pam is convinced that it should not - * initialize group IDs, so I am not doing it but don't say that I haven't - * warned you. -- AOY - */ - -static int _pam_set_credentials_unix ( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) - -{ /* FIX ME: incorrect error code */ - - return PAM_SUCCESS; /* This is a wrong result code. From what I - remember from reafing one of the guides - there's an error-level saying 'N/A func' - -- AOY - */ -} - -/* - * PAM framework looks for these entry-points to pass control to the - * authentication module. - */ - -PAM_EXTERN -int pam_sm_authenticate( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) -{ - return _pam_auth_unix( pamh, flags, argc, argv ); -} - -PAM_EXTERN -int pam_sm_setcred( pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - return _pam_set_credentials_unix ( pamh, flags, argc, argv ) ; -} - - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_unix_auth_modstruct = { - "pam_unix_auth", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; -#endif diff --git a/contrib/libpam/modules/pam_unix/pam_unix_passwd.c b/contrib/libpam/modules/pam_unix/pam_unix_passwd.c deleted file mode 100644 index de1345e..0000000 --- a/contrib/libpam/modules/pam_unix/pam_unix_passwd.c +++ /dev/null @@ -1,813 +0,0 @@ - -/* Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software. - Copyright (C) 1996. */ - -/* - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - How it works: - Gets in username (has to be done) from the calling program - Does authentication of user (only if we are not running as root) - Gets new password/checks for sanity - Sets it. - */ - -#define PAM_SM_PASSWORD - -/* #define DEBUG 1 */ - -#include <stdio.h> -#include <sys/time.h> -#define _BSD_SOURCE -#define _SVID_SOURCE -#include <errno.h> -#define __USE_BSD -#define _BSD_SOURCE -#include <pwd.h> -#include <sys/types.h> - -/* why not defined? */ -void setpwent(void); -void endpwent(void); -int chmod(const char *path, mode_t mode); -struct passwd *fgetpwent(FILE *stream); -int putpwent(const struct passwd *p, FILE *stream); - -#include <unistd.h> -char *crypt(const char *key, const char *salt); -#ifdef USE_CRACKLIB -#include <crack.h> -#endif -#include <ctype.h> -#include <stdlib.h> -#include <stdio.h> -#include <syslog.h> -#include <string.h> -#include <stdarg.h> -#include <malloc.h> -#include <security/_pam_macros.h> - -#ifndef LINUX /* AGM added this as of 0.2 */ -#include <security/pam_appl.h> -#endif /* ditto */ -#include <security/pam_modules.h> -#ifdef HAVE_SHADOW_H -#include <shadow.h> -#endif - -#define MAX_PASSWD_TRIES 3 -#define OLD_PASSWORD_PROMPT "Password: " -#define NEW_PASSWORD_PROMPT "New password: " -#define AGAIN_PASSWORD_PROMPT "New password (again): " -#define PW_TMPFILE "/etc/npasswd" -#define SH_TMPFILE "/etc/nshadow" -#define CRACKLIB_DICTS "/usr/lib/cracklib_dict" - -/* Various flags for the getpass routine to send back in... */ -#define PPW_EXPIRED 1 -#define PPW_EXPIRING 2 -#define PPW_WILLEXPIRE 4 -#define PPW_NOSUCHUSER 8 -#define PPW_SHADOW 16 -#define PPW_TOOEARLY 32 -#define PPW_ERROR 64 - -#ifndef DO_TEST -#define STATIC static -#else -#define STATIC -#endif -/* Sets a password for the specified user to the specified password - Returns flags PPW_*, or'd. */ -STATIC int _do_setpass(char *forwho, char *towhat, int flags); -/* Gets a password for the specified user - Returns flags PPW_*, or'd. */ -STATIC int _do_getpass(char *forwho, char **theirpass); -/* Checks whether the password entered is same as listed in the database - 'entered' should not be crypt()'d or anything (it should be as the - user entered it...), 'listed' should be as it is listed in the - password database file */ -STATIC int _do_checkpass(const char *entered, char *listed); - -/* sends a one-way message to the user, either error or info... */ -STATIC int conv_sendmsg(struct pam_conv *aconv, const char *message, int style); -/* sends a message and returns the results of the conversation */ -STATIC int conv_getitem(struct pam_conv *aconv, char *message, int style, - char **result); - -PAM_EXTERN -int pam_sm_chauthtok( pam_handle_t *pamh, - int flags, - int argc, - const char **argv); - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-unix_passwd", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -#ifdef NEED_LCKPWDF -/* This is a hack, but until libc and glibc both include this function - * by default (libc only includes it if nys is not being used, at the - * moment, and glibc doesn't appear to have it at all) we need to have - * it here, too. :-( - * - * This should not become an official part of PAM. - * - * BEGIN_HACK -*/ - -/* - * lckpwdf.c -- prevent simultaneous updates of password files - * - * Before modifying any of the password files, call lckpwdf(). It may block - * for up to 15 seconds trying to get the lock. Return value is 0 on success - * or -1 on failure. When you are done, call ulckpwdf() to release the lock. - * The lock is also released automatically when the process exits. Only one - * process at a time may hold the lock. - * - * These functions are supposed to be conformant with AT&T SVID Issue 3. - * - * Written by Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>, - * public domain. - */ - -#include <fcntl.h> -#include <signal.h> - -#define LOCKFILE "/etc/.pwd.lock" -#define TIMEOUT 15 - -static int lockfd = -1; - -static int -set_close_on_exec(int fd) -{ - int flags = fcntl(fd, F_GETFD, 0); - if (flags == -1) - return -1; - flags |= FD_CLOEXEC; - return fcntl(fd, F_SETFD, flags); -} - -static int -do_lock(int fd) -{ - struct flock fl; - - memset(&fl, 0, sizeof fl); - fl.l_type = F_WRLCK; - fl.l_whence = SEEK_SET; - return fcntl(fd, F_SETLKW, &fl); -} - -static void -alarm_catch(int sig) -{ -/* does nothing, but fcntl F_SETLKW will fail with EINTR */ -} - -static int lckpwdf(void) -{ - struct sigaction act, oldact; - sigset_t set, oldset; - - if (lockfd != -1) - return -1; - - lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600); - if (lockfd == -1) - return -1; - if (set_close_on_exec(lockfd) == -1) - goto cleanup_fd; - - memset(&act, 0, sizeof act); - act.sa_handler = alarm_catch; - act.sa_flags = 0; - sigfillset(&act.sa_mask); - if (sigaction(SIGALRM, &act, &oldact) == -1) - goto cleanup_fd; - - sigemptyset(&set); - sigaddset(&set, SIGALRM); - if (sigprocmask(SIG_UNBLOCK, &set, &oldset) == -1) - goto cleanup_sig; - - alarm(TIMEOUT); - if (do_lock(lockfd) == -1) - goto cleanup_alarm; - alarm(0); - sigprocmask(SIG_SETMASK, &oldset, NULL); - sigaction(SIGALRM, &oldact, NULL); - return 0; - -cleanup_alarm: - alarm(0); - sigprocmask(SIG_SETMASK, &oldset, NULL); -cleanup_sig: - sigaction(SIGALRM, &oldact, NULL); -cleanup_fd: - close(lockfd); - lockfd = -1; - return -1; -} - -static int -ulckpwdf(void) -{ - unlink(LOCKFILE); - if (lockfd == -1) - return -1; - - if (close(lockfd) == -1) { - lockfd = -1; - return -1; - } - lockfd = -1; - return 0; -} -/* END_HACK */ -#endif - -#define PAM_FAIL_CHECK if(retval != PAM_SUCCESS) { return retval; } - -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - char *usrname, *curpass, *newpass; /* pointers to the username, - current password, and new password */ - - struct pam_conv *appconv; /* conversation with the app */ - struct pam_message msg, *pmsg; /* Misc for conversations */ - struct pam_response *resp; - - int retval=0; /* Gets the return values for all our function calls */ - unsigned int pflags=0; /* Holds the flags from our getpass & setpass - functions */ - - const char *cmiscptr; /* Utility variables, used for different purposes at - different times */ - char *miscptr; /* Utility variables, used for different purposes at - different times */ - unsigned int miscint; - int fascist = 1; /* Be fascist by default. If compiled with cracklib, - call cracklib. Otherwise just check length... */ - - char argbuf[256],argval[256]; - int i; - - - retval = pam_get_item(pamh,PAM_CONV,(const void **) &appconv); - PAM_FAIL_CHECK; - - retval = pam_get_item(pamh,PAM_USER,(const void **) &usrname); - PAM_FAIL_CHECK; - if(flags & PAM_PRELIM_CHECK) { - pflags = _do_getpass(usrname,&miscptr); - if(pflags & PPW_NOSUCHUSER) - return PAM_USER_UNKNOWN; - else if(pflags & ~(PPW_SHADOW|PPW_EXPIRING|PPW_WILLEXPIRE)) - return PAM_AUTHTOK_ERR; - else - return PAM_SUCCESS; - } /* else... */ -#ifdef DEBUG - fprintf(stderr,"Got username of %s\n",usrname); -#endif - if((usrname == NULL) || (strlen(usrname) < 1)) { - /* The app is supposed to get us the username! */ - retval = PAM_USER_UNKNOWN; - PAM_FAIL_CHECK; - } - - for(i=0; i < argc; i++) { - { - char *tmp = x_strdup(argv[i]); - strncpy(argbuf,strtok(tmp ,"="),255); - strncpy(argval,strtok(NULL,"="),255); - free(tmp); - } - - /* For PC functionality use "strict" -- historically "fascist" */ - if(!strcmp(argbuf,"strict") || !strcmp(argbuf, "fascist")) - - if(!strcmp(argval,"true")) - fascist = 1; - else if(!strcmp(argval,"false")) - fascist = 0; - else - return PAM_SERVICE_ERR; - else { - _pam_log(LOG_ERR,"Unknown option: %s",argbuf); - return PAM_SERVICE_ERR; - } - } - - - /* Now we have all the initial information we need from the app to - set things up (we assume that getting the username succeeded...) */ - retval = pam_get_item(pamh,PAM_OLDAUTHTOK,(const void **) &curpass); - PAM_FAIL_CHECK; - if(getuid()) { /* If this is being run by root, we don't need to get their - old password. - note */ - /* If we haven't been given a password yet, prompt for one... */ - miscint=0; - while((curpass == NULL) && (miscint++ < MAX_PASSWD_TRIES)) { - pflags = _do_getpass(usrname,&miscptr); - if(pflags & PPW_NOSUCHUSER) - return PAM_USER_UNKNOWN; /* If the user that was passed in doesn't - exist, say so and exit (app passes in - username) */ - - /* Get the password from the user... */ - pmsg = &msg; - - msg.msg_style = PAM_PROMPT_ECHO_OFF; - msg.msg = OLD_PASSWORD_PROMPT; - resp = NULL; - - retval = appconv->conv(1, (const struct pam_message **) &pmsg, - &resp, appconv->appdata_ptr); - - PAM_FAIL_CHECK; - curpass = resp->resp; - free (resp); - if(_do_checkpass(curpass?curpass:"",miscptr)) { - int abortme = 0; - - /* password is incorrect... */ - if (curpass && curpass[0] == '\0') { - /* ...and it was zero-length; user wishes to abort change */ - abortme = 1; - } - if (curpass) { free (curpass); } - curpass = NULL; - if (abortme) { - conv_sendmsg(appconv,"Password change aborted.",PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } - } - } - - if(curpass == NULL) - return PAM_AUTH_ERR; /* They didn't seem to enter the right password - for three tries - error */ - pam_set_item(pamh, PAM_OLDAUTHTOK, (void *)curpass); - } else { -#ifdef DEBUG - fprintf(stderr,"I am ROOT!\n"); -#endif - pflags = _do_getpass(usrname,&curpass); - if(curpass == NULL) - curpass = x_strdup(""); - } - if(pflags & PPW_TOOEARLY) { - conv_sendmsg(appconv,"You must wait longer to change your password", - PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } - if(pflags & PPW_WILLEXPIRE) - conv_sendmsg(appconv,"Your password is about to expire",PAM_TEXT_INFO); - else if(pflags & PPW_EXPIRED) - return PAM_ACCT_EXPIRED; /* If their account has expired, we can't auth - them to change their password */ - if(!(pflags & PPW_EXPIRING) && (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) - return PAM_SUCCESS; - /* If we haven't been given a password yet, prompt for one... */ - miscint=0; - pam_get_item(pamh,PAM_AUTHTOK,(const void **)&newpass); - cmiscptr = NULL; - while((newpass == NULL) && (miscint++ < MAX_PASSWD_TRIES)) { - - /* Get the password from the user... */ - pmsg = &msg; - - msg.msg_style = PAM_PROMPT_ECHO_OFF; - msg.msg = NEW_PASSWORD_PROMPT; - resp = NULL; - - retval = appconv->conv(1, (const struct pam_message **) &pmsg, - &resp, appconv->appdata_ptr); - - PAM_FAIL_CHECK; - newpass = resp->resp; - free (resp); - -#ifdef DEBUG - if(newpass) - fprintf(stderr,"Got password of %s\n",newpass); - else - fprintf(stderr,"No new password...\n"); -#endif - if (newpass[0] == '\0') { free (newpass); newpass = (char *) 0; } - cmiscptr=NULL; - if(newpass) { -#ifdef USE_CRACKLIB - if(fascist && getuid()) - cmiscptr = FascistCheck(newpass,CRACKLIB_DICTS); -#else - if(fascist && getuid() && strlen(newpass) < 6) - cmiscptr = "You must choose a longer password"; -#endif - if(curpass) - if(!strcmp(curpass,newpass)) { - cmiscptr="You must choose a new password."; - newpass=NULL; - } - } else { - /* We want to abort the password change */ - conv_sendmsg(appconv,"Password change aborted",PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } - if(!cmiscptr) { - /* We ask them to enter their password again... */ - /* Get the password from the user... */ - pmsg = &msg; - - msg.msg_style = PAM_PROMPT_ECHO_OFF; - msg.msg = AGAIN_PASSWORD_PROMPT; - resp = NULL; - - retval = appconv->conv(1, (const struct pam_message **) &pmsg, - &resp, appconv->appdata_ptr); - - PAM_FAIL_CHECK; - miscptr = resp->resp; - free (resp); - if (miscptr[0] == '\0') { free (miscptr); miscptr = (char *) 0; } - if(!miscptr) { /* Aborting password change... */ - conv_sendmsg(appconv,"Password change aborted",PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } - if(!strcmp(newpass,miscptr)) { - miscptr=NULL; - break; - } - conv_sendmsg(appconv,"You must enter the same password twice.", - PAM_ERROR_MSG); - miscptr=NULL; - newpass=NULL; - } - else { - conv_sendmsg(appconv,cmiscptr,PAM_ERROR_MSG); - newpass = NULL; - } - } - if(cmiscptr) { - /* conv_sendmsg(appconv,cmiscptr,PAM_ERROR_MSG); */ - return PAM_AUTHTOK_ERR; - } else if(newpass == NULL) - return PAM_AUTHTOK_ERR; /* They didn't seem to enter the right password - for three tries - error */ -#ifdef DEBUG - printf("Changing password for sure!\n"); -#endif - /* From now on, we are bound and determined to get their password - changed :-) */ - pam_set_item(pamh, PAM_AUTHTOK, (void *)newpass); - retval = _do_setpass(usrname,newpass,pflags); -#ifdef DEBUG - fprintf(stderr,"retval was %d\n",retval); -#endif - if(retval & ~PPW_SHADOW) { - conv_sendmsg(appconv,"Error: Password NOT changed",PAM_ERROR_MSG); - return PAM_AUTHTOK_ERR; - } else { - conv_sendmsg(appconv,"Password changed",PAM_TEXT_INFO); - return PAM_SUCCESS; - } -} - -/* _do_checkpass() returns 0 on success, non-0 on failure */ -STATIC int _do_checkpass(const char *entered, char *listed) -{ - char salt[3]; - if ((strlen(listed) == 0) &&(strlen(entered) == 0)) { - /* no password in database; no password entered */ - return (0); - } - salt[0]=listed[0]; salt[1]=listed[1]; salt[2]='\0'; - return strcmp(crypt(entered,salt),listed); -} - -STATIC char mksalt(int seed) { - int num = seed % 64; - - if (num < 26) - return 'a' + num; - else if (num < 52) - return 'A' + (num - 26); - else if (num < 62) - return '0' + (num - 52); - else if (num == 63) - return '.'; - else - return '/'; -} - -STATIC int _do_setpass(char *forwho, char *towhat,int flags) -{ - struct passwd *pwd=NULL, *tmpent=NULL; - FILE *pwfile,*opwfile; - char thesalt[3]; - int retval=0; - struct timeval time1; - int err = 0; -#ifdef HAVE_SHADOW_H - struct spwd *spwdent=NULL, *stmpent=NULL; -#endif - if(flags & PPW_SHADOW) { retval |= PPW_SHADOW; } - gettimeofday(&time1, NULL); - srand(time1.tv_usec); - thesalt[0]=mksalt(rand()); - thesalt[1]=mksalt(rand()); - thesalt[2]='\0'; - - /* lock the entire password subsystem */ -#ifdef USE_LCKPWDF - lckpwdf(); -#endif - setpwent(); - pwd = getpwnam(forwho); -#ifdef DEBUG - printf("Got %p, for %s (salt %s)\n",pwd, - forwho,thesalt); -#endif - if(pwd == NULL) - return PPW_NOSUCHUSER; - endpwent(); - -#ifdef HAVE_SHADOW_H - if(flags & PPW_SHADOW) { - spwdent = getspnam(forwho); - if(spwdent == NULL) - return PPW_NOSUCHUSER; - spwdent->sp_pwdp = towhat; - spwdent->sp_lstchg = time(NULL)/(60*60*24); - pwfile = fopen(SH_TMPFILE,"w"); - opwfile = fopen("/etc/shadow","r"); - if(pwfile == NULL || opwfile == NULL) - return PPW_ERROR; - chown(SH_TMPFILE,0,0); - chmod(SH_TMPFILE,0600); - stmpent=fgetspent(opwfile); - while(stmpent) { - if(!strcmp(stmpent->sp_namp,forwho)) { - stmpent->sp_pwdp = crypt(towhat,thesalt); - stmpent->sp_lstchg = time(NULL)/(60*60*24); -#ifdef DEBUG - fprintf(stderr,"Set password %s for %s\n",stmpent->sp_pwdp, - forwho); -#endif - } - if (putspent(stmpent,pwfile)) { - fprintf(stderr, "error writing entry to shadow file: %s\n", - strerror(errno)); - err = 1; - retval = PPW_ERROR; - break; - } - stmpent=fgetspent(opwfile); - } - fclose(opwfile); - - if (fclose(pwfile)) { - fprintf(stderr, "error writing entries to shadow file: %s\n", - strerror(errno)); - retval = PPW_ERROR; - err = 1; - } - - if (!err) - rename(SH_TMPFILE,"/etc/shadow"); - else - unlink(SH_TMPFILE); - } else { - pwd->pw_passwd = towhat; - pwfile = fopen(PW_TMPFILE,"w"); - opwfile = fopen("/etc/passwd","r"); - if(pwfile == NULL || opwfile == NULL) - return PPW_ERROR; - chown(PW_TMPFILE,0,0); - chmod(PW_TMPFILE,0644); - tmpent=fgetpwent(opwfile); - while(tmpent) { - if(!strcmp(tmpent->pw_name,forwho)) { - tmpent->pw_passwd = crypt(towhat,thesalt); - } - if (putpwent(tmpent,pwfile)) { - fprintf(stderr, "error writing entry to password file: %s\n", - strerror(errno)); - err = 1; - retval = PPW_ERROR; - break; - } - tmpent=fgetpwent(opwfile); - } - fclose(opwfile); - - if (fclose(pwfile)) { - fprintf(stderr, "error writing entries to password file: %s\n", - strerror(errno)); - retval = PPW_ERROR; - err = 1; - } - - if (!err) - rename(PW_TMPFILE,"/etc/passwd"); - else - unlink(PW_TMPFILE); - } -#else - pwd->pw_passwd = towhat; - pwfile = fopen(PW_TMPFILE,"w"); - opwfile = fopen("/etc/passwd","r"); - if(pwfile == NULL || opwfile == NULL) - return PPW_ERROR; - chown(PW_TMPFILE,0,0); - chmod(PW_TMPFILE,0644); - tmpent=fgetpwent(opwfile); - while(tmpent) { - if(!strcmp(tmpent->pw_name,forwho)) { - tmpent->pw_passwd = crypt(towhat,thesalt); - } - if (putpwent(tmpent,pwfile)) { - fprintf(stderr, "error writing entry to shadow file: %s\n", - strerror(errno)); - err = 1; - retval = PPW_ERROR; - break; - } - tmpent=fgetpwent(opwfile); - } - fclose(opwfile); - - if (fclose(pwfile)) { - fprintf(stderr, "error writing entries to password file: %s\n", - strerror(errno)); - retval = PPW_ERROR; - err = 1; - } - - if (!err) - rename(PW_TMPFILE,"/etc/passwd"); - else - unlink(PW_TMPFILE); -#endif - /* unlock the entire password subsystem */ -#ifdef USE_LCKPWDF - ulckpwdf(); -#endif - return retval; -} - -STATIC int _do_getpass(char *forwho, char **theirpass) -{ - struct passwd *pwd=NULL; /* Password and shadow password */ -#ifdef HAVE_SHADOW_H - struct spwd *spwdent=NULL; /* file entries for the user */ - time_t curdays; -#endif - int retval=0; - /* UNIX passwords area */ - setpwent(); - pwd = getpwnam(forwho); /* Get password file entry... */ - endpwent(); - if(pwd == NULL) - return PPW_NOSUCHUSER; /* We don't need to do the rest... */ -#ifdef HAVE_SHADOW_H - if(!strcmp(pwd->pw_passwd,"x")) { - /* ...and shadow password file entry for this user, if shadowing - is enabled */ - retval |= PPW_SHADOW; - setspent(); - spwdent = getspnam(forwho); - endspent(); - if(spwdent == NULL) - return PPW_NOSUCHUSER; - *theirpass = x_strdup(spwdent->sp_pwdp); - - /* We have the user's information, now let's check if their account - has expired (60 * 60 * 24 = number of seconds in a day) */ - - /* Get the current number of days since 1970 */ - curdays = time(NULL)/(60*60*24); - if((curdays < (spwdent->sp_lstchg + spwdent->sp_min)) - && (spwdent->sp_min != -1)) - retval |= PPW_TOOEARLY; - else if((curdays - > (spwdent->sp_lstchg + spwdent->sp_max + spwdent->sp_inact)) - && (spwdent->sp_max != -1) && (spwdent->sp_inact != -1)) - /* Their password change has been put off too long, - OR their account has just plain expired */ - retval |= PPW_EXPIRED; - else if((curdays > (spwdent->sp_lstchg + spwdent->sp_max)) - && (spwdent->sp_max != -1)) - /* Their passwd needs to be changed */ - retval |= PPW_EXPIRING; - else if((curdays > (spwdent->sp_lstchg - + spwdent->sp_max - spwdent->sp_warn)) - && (spwdent->sp_max != -1) && (spwdent->sp_warn != -1)) - retval |= PPW_WILLEXPIRE; -/* if(spwdent->sp_lstchg < 0) - retval &= ~(PPW_WILLEXPIRE | PPW_EXPIRING | PPW_EXPIRED); - if(spwdent->sp_max < 0) - retval &= ~(PPW_EXPIRING | PPW_EXPIRED); */ - } else { - *theirpass = (char *)x_strdup(pwd->pw_passwd); - } - -#else - *theirpass = (char *) x_strdup(pwd->pw_passwd); -#endif - - return retval; -} - -STATIC int conv_sendmsg(struct pam_conv *aconv, const char *message, int style) -{ - struct pam_message msg,*pmsg; - struct pam_response *resp; - int retval; - - /* Get the password from the user... */ - pmsg = &msg; - - msg.msg_style = style; - msg.msg = message; - resp = NULL; - - retval = aconv->conv(1, (const struct pam_message **) &pmsg, - &resp, aconv->appdata_ptr); - if (resp) { - _pam_drop_reply(resp, 1); - } - return retval; -} - - -STATIC int conv_getitem(struct pam_conv *aconv, char *message, int style, - char **result) -{ - struct pam_message msg,*pmsg; - struct pam_response *resp; - int retval; - - D(("called.")); - - /* Get the password from the user... */ - pmsg = &msg; - msg.msg_style = style; - msg.msg = message; - resp = NULL; - - retval = aconv->conv(1, (const struct pam_message **) &pmsg, - &resp, aconv->appdata_ptr); - if(retval != PAM_SUCCESS) - return retval; - if(resp != NULL) { - *result = resp->resp; free(resp); - return PAM_SUCCESS; - } - else - return PAM_SERVICE_ERR; -} diff --git a/contrib/libpam/modules/pam_unix/pam_unix_sess.c b/contrib/libpam/modules/pam_unix/pam_unix_sess.c deleted file mode 100644 index 319b2ed..0000000 --- a/contrib/libpam/modules/pam_unix/pam_unix_sess.c +++ /dev/null @@ -1,181 +0,0 @@ -/* - * $Header: /home/morgan/pam/Linux-PAM-0.53/modules/pam_unix/RCS/pam_unix_sess.c,v 1.1 1996/11/09 19:44:35 morgan Exp $ - */ - -/* - * Copyright Alexander O. Yuriev, 1996. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * $Log: pam_unix_sess.c,v $ - * Revision 1.1 1996/11/09 19:44:35 morgan - * Initial revision - * - * Revision 1.4 1996/05/21 03:55:17 morgan - * added "const" to definition of rcsid[] - * - * Revision 1.3 1996/04/23 16:32:28 alex - * nothing really got changed. - * - * Revision 1.2 1996/04/19 03:23:33 alex - * session code implemented. account management moved into pam_unix_acct.c - * - */ - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <pwd.h> - -#ifndef LINUX /* AGM added this as of 0.2 */ - - #include <security/pam_appl.h> - -#endif /* ditto */ - -#include <security/pam_modules.h> -#include <syslog.h> -#include <unistd.h> -#ifndef LOG_AUTHPRIV -#define LOG_AUTHPRIV LOG_AUTH -#endif - -static const char rcsid[] = "$Id: pam_unix_sess.c,v 1.1 1996/11/09 19:44:35 morgan Exp $ pam_unix session management. alex@bach.cis.temple.edu"; - -/* Define internal functions */ - -static int _get_log_level( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ); - -int _pam_unix_open_session( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ); - -int _pam_unix_close_session( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ); - -/* Implementation */ - -static int _get_log_level( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) -{ - int i = argc; - int log_level = LOG_DEBUG; - - while ( i-- ) - { - if ( strcmp( *argv, "debug" ) == 0 ) - log_level = LOG_DEBUG; - else if ( strcmp ( *argv, "trace" ) == 0 ) - log_level = LOG_AUTHPRIV; - argv++; - } - - return log_level; -} - -int _pam_unix_open_session( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) -{ - int log_level; - char *user_name, *service; - - - log_level = _get_log_level( pamh, flags, argc, argv ); - - pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( !user_name ) - return PAM_CONV_ERR; /* How did we get authenticated with - no username?! */ - - pam_get_item( pamh, PAM_SERVICE, (void*) &service ); - if ( !service ) - return PAM_CONV_ERR; - - syslog ( log_level, - "pam_unix authentication session started, user %s, service %s\n", - user_name, service ); - - return PAM_SUCCESS; -} - -int _pam_unix_close_session( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) -{ - int log_level; - char *user_name, *service; - - log_level = _get_log_level( pamh, flags, argc, argv ); - - pam_get_item( pamh, PAM_USER, (void*) &user_name ); - if ( !user_name ) - return PAM_CONV_ERR; /* How did we get authenticated with - no username?! */ - - pam_get_item( pamh, PAM_SERVICE, (void*) &service ); - if ( !service ) - return PAM_CONV_ERR; - - syslog ( log_level, - "pam_unix authentication session finished, user %s, service %s\n", - user_name, service ); - - return PAM_SUCCESS; -} - -int pam_sm_open_session( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ) -{ - return _pam_unix_open_session( pamh, flags, argc, argv ) ; -} - -int pam_sm_close_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - return _pam_unix_close_session( pamh, flags, argc, argv ) ; -} - diff --git a/contrib/libpam/modules/pam_unix/support.c b/contrib/libpam/modules/pam_unix/support.c deleted file mode 100644 index a2fafcd..0000000 --- a/contrib/libpam/modules/pam_unix/support.c +++ /dev/null @@ -1,152 +0,0 @@ -/* - * $Header: /home/morgan/pam/Linux-PAM-0.53/modules/pam_unix/RCS/support.c,v 1.1 1996/11/09 19:44:35 morgan Exp $ - */ - -/* - * Copyright Andrew Morgan, 1996. All rights reserved. - * Modified by Alexander O. Yuriev - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * $Log: support.c,v $ - * Revision 1.1 1996/11/09 19:44:35 morgan - * Initial revision - * - * Revision 1.1 1996/04/17 01:11:08 alex - * Initial revision - * - */ - -#include <stdlib.h> /* define NULL */ - -#ifndef LINUX - - #include <security/pam_appl.h> - -#endif /* LINUX */ - -#include <security/pam_modules.h> - - -#ifndef NDEBUG - - #include <syslog.h> - -#endif /* NDEBUG */ - - -/* Phototype declarations */ - -int converse( pam_handle_t *pamh, - int nargs, - struct pam_message **message, - struct pam_response **response ); - -int _set_auth_tok( pam_handle_t *pamh, - int flags, - int argc, - const char **argv ); - -/* Implementation */ - -int converse( pam_handle_t *pamh, - int nargs, - struct pam_message **message, - struct pam_response **response ) - -{ - int retval; - struct pam_conv *conv; - - retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ; - if ( retval == PAM_SUCCESS ) - { - retval = conv->conv( nargs, - ( const struct pam_message ** ) message, - response, - conv->appdata_ptr ); - } - return retval; -} - -/***************************************************************************/ -/* prompt user for a using conversation calls */ -/***************************************************************************/ - -int _set_auth_tok( pam_handle_t *pamh, - int flags, int argc, - const char **argv ) -{ - int retval; - char *p; - - struct pam_message msg[1],*pmsg[1]; - struct pam_response *resp; - - /* set up conversation call */ - - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = "Password: "; - resp = NULL; - - if ( ( retval = converse( pamh, 1 , pmsg, &resp ) ) != PAM_SUCCESS ) - return retval; - - if ( resp ) - { - if ( ( flags & PAM_DISALLOW_NULL_AUTHTOK ) && - resp[0].resp == NULL ) - { - free( resp ); - return PAM_AUTH_ERR; - } - - p = resp[ 0 ].resp; - - /* This could be a memory leak. If resp[0].resp - is malloc()ed, then it has to be free()ed! - -- alex - */ - - resp[ 0 ].resp = NULL; - - } - else - return PAM_CONV_ERR; - - free( resp ); - pam_set_item( pamh, PAM_AUTHTOK, p ); - return PAM_SUCCESS; -} diff --git a/contrib/libpam/modules/pam_warn/Makefile b/contrib/libpam/modules/pam_warn/Makefile deleted file mode 100644 index 167af5a..0000000 --- a/contrib/libpam/modules/pam_warn/Makefile +++ /dev/null @@ -1,96 +0,0 @@ -# -# $Id: Makefile,v 1.2 1997/04/05 06:20:16 morgan Exp $ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# $Log: Makefile,v $ -# Revision 1.2 1997/04/05 06:20:16 morgan -# fixed fakeroot -# -# Revision 1.1 1996/12/01 03:12:22 morgan -# Initial revision -# -# -# Created by Andrew Morgan <morgan@parc.power.net> 1996/11/14 -# - -TITLE=pam_warn - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -static/%.o : %.c - $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -ifdef STATIC -LIBSTATIC = lib$(TITLE).o -endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -ifdef STATIC - $(MKDIR) ./static -endif - -register: -ifdef STATIC - ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) -endif - -ifdef STATIC -$(LIBOBJS): $(LIBSRC) - -$(LIBSTATIC): $(LIBOBJS) - $(LD) -r -o $@ $(LIBOBJS) -endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - diff --git a/contrib/libpam/modules/pam_warn/README b/contrib/libpam/modules/pam_warn/README deleted file mode 100644 index f45b271..0000000 --- a/contrib/libpam/modules/pam_warn/README +++ /dev/null @@ -1,23 +0,0 @@ -# $Id: README,v 1.1 1996/12/01 03:12:22 morgan Exp $ -# - -This module is an authentication module that does not authenticate. -Instead it always returns PAM_IGNORE, indicating that it does not want -to affect the authentication process. - -Its purpose is to log a message to the syslog indicating the -pam_item's available at the time it was invoked. It is a diagnostic -tool. - -Recognized arguments: - - <none> - -module services provided: - - auth _autheticate and _setcred (blank) - password _chauthtok [mapped to _authenticate] - - -Andrew Morgan -1996/11/14 diff --git a/contrib/libpam/modules/pam_warn/pam_warn.c b/contrib/libpam/modules/pam_warn/pam_warn.c deleted file mode 100644 index 2a0a23d..0000000 --- a/contrib/libpam/modules/pam_warn/pam_warn.c +++ /dev/null @@ -1,112 +0,0 @@ -/* pam_warn module */ - -/* - * $Id: pam_warn.c,v 1.2 1997/02/15 17:19:08 morgan Exp $ - * - * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 - * - * $Log: pam_warn.c,v $ - * Revision 1.2 1997/02/15 17:19:08 morgan - * corrected many bugs and removed fixed buffer logging - * - * Revision 1.1 1996/12/01 03:12:22 morgan - * Initial revision - * - * - */ - -#include <stdio.h> -#include <unistd.h> -#include <syslog.h> -#include <stdarg.h> - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH -#define PAM_SM_PASSWORD - -#include <security/pam_modules.h> - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-warn", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc - , const char **argv) -{ - const char *service=NULL, *user=NULL, *terminal=NULL - , *rhost=NULL, *ruser=NULL; - - (void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service); - (void) pam_get_item(pamh, PAM_TTY, (const void **)&terminal); - _pam_log(LOG_NOTICE, "service: %s [on terminal: %s]" - , service ? service : "<unknown>" - , terminal ? terminal : "<unknown>" - ); - (void) pam_get_user(pamh, &user, "Who are you? "); - (void) pam_get_item(pamh, PAM_RUSER, (const void **)&ruser); - (void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); - _pam_log(LOG_NOTICE, "user: (uid=%d) -> %s [remote: %s@%s]" - , getuid() - , user ? user : "<unknown>" - , ruser ? ruser : "?nobody" - , rhost ? rhost : "?nowhere" - ); - - /* we are just a fly on the wall */ - - return PAM_IGNORE; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - , const char **argv) -{ - return PAM_IGNORE; -} - -/* password updating functions */ - -PAM_EXTERN -int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc - , const char **argv) -{ - /* map to the authentication function... */ - - return pam_sm_authenticate(pamh, flags, argc, argv); -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_warn_modstruct = { - "pam_warn", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - pam_sm_chauthtok, -}; - -#endif - -/* end of module definition */ diff --git a/contrib/libpam/modules/pam_wheel/Makefile b/contrib/libpam/modules/pam_wheel/Makefile deleted file mode 100644 index 553e321..0000000 --- a/contrib/libpam/modules/pam_wheel/Makefile +++ /dev/null @@ -1,94 +0,0 @@ -# -# This Makefile controls a build process of $(TITLE) module for -# Linux-PAM. You should not modify this Makefile (unless you know -# what you are doing!). -# -# Created by Cristian Gafton <gafton@sorosis.ro> 1996/09/10 -# - -ifeq ($(HAVE_PWDBLIB),yes) - -TITLE=pam_wheel -CFLAGS += -DHAVE_PWDBLIB - -# - -LIBSRC = $(TITLE).c -LIBOBJ = $(TITLE).o -LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) -#LIBOBJS = $(addprefix static/,$(LIBOBJ)) - -EXTRALS = -lpwdb - -dynamic/%.o : %.c - $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - -#static/%.o : %.c -# $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ - - -ifdef DYNAMIC -LIBSHARED = $(TITLE).so -endif - -#ifdef STATIC -#LIBSTATIC = lib$(TITLE).o -#endif - -####################### don't edit below ####################### - -dummy: - - @echo "**** This is not a top-level Makefile " - exit - -all: dirs $(LIBSHARED) $(LIBSTATIC) register - -dirs: -ifdef DYNAMIC - $(MKDIR) ./dynamic -endif -#ifdef STATIC -# $(MKDIR) ./static -#endif - -register: -#ifdef STATIC -# ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) -#endif - -ifdef DYNAMIC -$(LIBOBJD): $(LIBSRC) - -$(LIBSHARED): $(LIBOBJD) - $(LD_D) -o $@ $(LIBOBJD) $(EXTRALS) -endif - -#ifdef STATIC -#$(LIBOBJS): $(LIBSRC) -# -#$(LIBSTATIC): $(LIBOBJS) -# $(LD) -r -o $@ $(LIBOBJS) $(EXTRALS) -#endif - -install: all - $(MKDIR) $(FAKEROOT)$(SECUREDIR) -ifdef DYNAMIC - $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) -endif - -remove: - rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so - -clean: - rm -f $(LIBOBJD) $(LIBOBJS) core *~ *.so - -extraclean: clean - rm -f *.a *.o *.so *.bak dynamic/* static/* - -.c.o: - $(CC) $(CFLAGS) -c $< - -else -include ../dont_makefile -endif diff --git a/contrib/libpam/modules/pam_wheel/README b/contrib/libpam/modules/pam_wheel/README deleted file mode 100644 index 336bb31..0000000 --- a/contrib/libpam/modules/pam_wheel/README +++ /dev/null @@ -1,33 +0,0 @@ - -pam_wheel: - only permit root authentication too members of wheel group - -RECOGNIZED ARGUMENTS: - debug write a message to syslog indicating success or - failure. - - use_uid the check for wheel membership will be done against - the current uid instead of the original one - (useful when jumping with su from one account to - another for example) - - trust the pam_wheel module will return PAM_SUCCESS instead - of PAM_IGNORE if the user is a member of the wheel - group (thus with a little play stacking the modules - the wheel members may be able to su to root without - being prompted for a passwd). - - deny Reverse the sense of the auth operation: if the user - is trying to get UID 0 access and is a member of the - wheel group, deny access (well, kind of nonsense, but - for use in conjunction with 'group' argument... :-) - - group=xxxx Instead of checking the GID 0 group, use the xxxx - group to perform the authentification. - -MODULE SERVICES PROVIDED: - auth _authetication and _setcred (blank) - -AUTHOR: - Cristian Gafton <gafton@sorosis.ro> - diff --git a/contrib/libpam/modules/pam_wheel/pam_wheel.c b/contrib/libpam/modules/pam_wheel/pam_wheel.c deleted file mode 100644 index db262d8..0000000 --- a/contrib/libpam/modules/pam_wheel/pam_wheel.c +++ /dev/null @@ -1,277 +0,0 @@ -/* pam_wheel module */ - -/* - * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10 - * See the end of the file for Copyright Information - * - * - * 1.2 - added 'deny' and 'group=' options - * 1.1 - added 'trust' option - * 1.0 - the code is working for at least another person, so... :-) - * 0.1 - use vsyslog instead of vfprintf/syslog in _pam_log - * - return PAM_IGNORE on success (take care of sloppy sysadmins..) - * - use pam_get_user instead of pam_get_item(...,PAM_USER,...) - * - a new arg use_uid to auth the current uid instead of the - * initial (logged in) one. - * 0.0 - first release - * - * TODO: - * - try to use make_remark from pam_unix/support.c - * - consider returning on failure PAM_FAIL_NOW if the user is not - * a wheel member. - */ - -#include <stdio.h> -#define __USE_BSD -#include <unistd.h> -#include <string.h> -#include <syslog.h> -#include <stdarg.h> -#include <sys/types.h> -#ifdef HAVE_PWDBLIB -# include <pwdb/pwdb_public.h> -#else -# include <pwd.h> -# include <grp.h> -#endif - - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH - -#include <security/pam_modules.h> - -/* variables */ -static char use_group[BUFSIZ]; - -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) -{ - va_list args; - - va_start(args, format); - openlog("PAM-Wheel", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); -} - -/* checks if a user is on a list of members of the GID 0 group */ - -static int is_on_list(char * const *list, const char *member) -{ - while (*list) { - if (strcmp(*list, member) == 0) - return 1; - list++; - } - return 0; -} - -/* argument parsing */ - -#define PAM_DEBUG_ARG 0x0001 -#define PAM_USE_UID_ARG 0x0002 -#define PAM_TRUST_ARG 0x0004 -#define PAM_DENY_ARG 0x0010 - -static int _pam_parse(int argc, const char **argv) -{ - int ctrl=0; - - /* step through arguments */ - for (ctrl=0; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strcmp(*argv,"use_uid")) - ctrl |= PAM_USE_UID_ARG; - else if (!strcmp(*argv,"trust")) - ctrl |= PAM_TRUST_ARG; - else if (!strcmp(*argv,"deny")) - ctrl |= PAM_DENY_ARG; - else if (!strncmp(*argv,"group=",6)) - strcpy(use_group,*argv+6); - else { - _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv); - } - } - - return ctrl; -} - - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - int ctrl; - const char *username; - char *fromsu; - struct passwd *pwd, *tpwd; - struct group *grp; - int retval = PAM_AUTH_ERR; - - /* Init the optional group */ - bzero(use_group,sizeof(use_group)); - - ctrl = _pam_parse(argc, argv); - retval = pam_get_user(pamh,&username,NULL); - if ((retval != PAM_SUCCESS) || (!username)) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"can not get the username"); - return PAM_SERVICE_ERR; - } - - /* su to a uid 0 account ? */ - pwd = getpwnam(username); - if (!pwd) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"unknown user %s",username); - return PAM_USER_UNKNOWN; - } - - /* Now we know that the username exists, pass on to other modules... - * the call to pam_get_user made this obsolete, so is commented out - * - * pam_set_item(pamh,PAM_USER,(const void *)username); - */ - - /* is this user an UID 0 account ? */ - if(pwd->pw_uid) { - /* no need to check for wheel */ - return PAM_IGNORE; - } - - if (ctrl & PAM_USE_UID_ARG) { - tpwd = getpwuid(getuid()); - if (!tpwd) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"who is running me ?!"); - return PAM_SERVICE_ERR; - } - fromsu = tpwd->pw_name; - } else { - fromsu = getlogin(); - if (!fromsu) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"who is running me ?!"); - return PAM_SERVICE_ERR; - } - } - - if (!use_group[0]) - grp = getgrgid(0); - else - grp = getgrnam(use_group); - - if (!grp || !grp->gr_mem) { - if (ctrl & PAM_DEBUG_ARG) { - if (!use_group[0]) - _pam_log(LOG_NOTICE,"no members in a GID 0 group"); - else - _pam_log(LOG_NOTICE,"no members in '%s' group",use_group); - } - if (ctrl & PAM_DENY_ARG) - /* if this was meant to deny access to the members - * of this group and the group does not exist, allow - * access - */ - return PAM_IGNORE; - else - return PAM_AUTH_ERR; - } - - if (is_on_list(grp->gr_mem, fromsu)) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"Access %s to '%s' for '%s'", - (ctrl & PAM_DENY_ARG)?"denied":"granted", - fromsu,username); - if (ctrl & PAM_DENY_ARG) - return PAM_PERM_DENIED; - else - if (ctrl & PAM_TRUST_ARG) - return PAM_SUCCESS; - else - return PAM_IGNORE; - } - - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE,"Access %s for '%s' to '%s'", - (ctrl & PAM_DENY_ARG)?"granted":"denied",fromsu,username); - if (ctrl & PAM_DENY_ARG) - return PAM_SUCCESS; - else - return PAM_PERM_DENIED; -} - -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc - ,const char **argv) -{ - return PAM_SUCCESS; -} - - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_wheel_modstruct = { - "pam_wheel", - pam_sm_authenticate, - pam_sm_setcred, - NULL, - NULL, - NULL, - NULL, -}; - -#endif - -/* - * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1996, 1997 - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ |
