1 /*
2 * pam_private.h
3 *
4 * This is the Linux-PAM Library Private Header. It contains things
5 * internal to the Linux-PAM library. Things not needed by either an
6 * application or module.
7 *
8 * Please see end of file for copyright.
9 *
10 * Creator: Marc Ewing.
11 * Maintained: CVS
12 */
13
14 #ifndef _PAM_PRIVATE_H
15 #define _PAM_PRIVATE_H
16
17 #include "config.h"
18
19 #include <syslog.h>
20
21 #include <security/pam_appl.h>
22 #include <security/pam_modules.h>
23 #include <security/pam_ext.h>
24
/* the Linux-PAM configuration file */

/* Single-file configuration. */
#define PAM_CONFIG "/etc/pam.conf"
/* Per-service configuration directory and the printf-style template used
 * to build a path from it (%s receives the service name). */
#define PAM_CONFIG_D "/etc/pam.d"
#define PAM_CONFIG_DF "/etc/pam.d/%s"
/* "DIST" variants: presumably distribution-supplied defaults; which of
 * these directories wins is decided by the config loader, not here. */
#define PAM_CONFIG_DIST_D "/usr/lib/pam.d"
#define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s"
#ifdef VENDORDIR
/* Optional second vendor location, rooted at the build-time VENDORDIR. */
#define PAM_CONFIG_DIST2_D VENDORDIR"/pam.d"
#define PAM_CONFIG_DIST2_DF VENDORDIR"/pam.d/%s"
#endif
/* NOTE(review): the *_DF templates substitute the caller-supplied service
 * name; the code that formats them presumably rejects names containing
 * '/' or ".." before touching the filesystem -- confirm in the loader. */


/* Service looked up when no service-specific entry applies -- presumably;
 * the fallback logic lives in the loader. */
#define PAM_DEFAULT_SERVICE "other" /* lower case */

#ifdef PAM_LOCKING
/*
 * the Linux-PAM lock file. If it exists Linux-PAM will abort. Use it
 * to block access to libpam
 */
#define PAM_LOCK_FILE "/var/lock/subsys/PAM"
#endif
47
/* components of the pam_handle structure */

/* Sentinel held in struct handler.cached_retval while nothing has been
 * cached yet.  Negative so it cannot be mistaken for a real return code
 * (presumably no PAM_* status is negative). */
#define _PAM_INVALID_RETVAL -1 /* default value for cached_retval */
51
/*
 * One entry in a handler stack (see struct handlers).  Entries are singly
 * linked through `next`, presumably in configuration-file order.
 */
struct handler {
    int handler_type;   /* one of the PAM_HT_* values below */
    int (*func)(pam_handle_t *pamh, int flags, int argc, char **argv);
                        /* the module's service function for this stack */
    int actions[_PAM_RETURN_VALUES];
                        /* control value per possible module return code:
                           an _PAM_ACTION_* value, or > 0 meaning a jump
                           (see _PAM_ACTION_IS_JUMP) */
    /* set by authenticate, open_session, chauthtok(1st)
       consumed by setcred, close_session, chauthtok(2nd) */
    int cached_retval; int *cached_retval_p;
    int argc;           /* module arguments as given in the config file */
    char **argv;
    struct handler *next;   /* next entry in this stack, NULL at the end */
    char *mod_name;     /* module name, presumably for logging/audit */
    int stack_level;    /* substack nesting depth; see PAM_SUBSTACK_MAX_LEVEL */
    int grantor;        /* looks like an "this entry granted access" flag -- confirm in _pam_dispatch */
};
66
/* Values for struct handler.handler_type. */
#define PAM_HT_MODULE 0         /* an ordinary module entry */
#define PAM_HT_MUST_FAIL 1      /* placeholder entry that fails unconditionally -- presumably
                                   used for modules that could not be loaded (PAM_MT_FAULTY_MOD) */
#define PAM_HT_SUBSTACK 2       /* marks the start of a nested substack */
#define PAM_HT_SILENT_MODULE 3  /* a module entry; what "silent" suppresses is not visible here */
71
/* One entry of the module array kept in struct service. */
struct loaded_module {
    char *name;        /* module name as configured -- whether a bare name or a path is not visible here */
    int type;          /* PAM_MT_DYNAMIC_MOD, PAM_MT_STATIC_MOD or PAM_MT_FAULTY_MOD
                          (the older spelling PAM_STATIC_MOD/PAM_DYNAMIC_MOD has no define in this header) */
    void *dl_handle;   /* handle returned by _pam_dlopen(); presumably NULL for static or faulty modules */
};
77
/* Values for struct loaded_module.type. */
#define PAM_MT_DYNAMIC_MOD 0  /* loaded at run time through _pam_dlopen() */
#define PAM_MT_STATIC_MOD 1   /* presumably built into libpam itself */
#define PAM_MT_FAULTY_MOD 2   /* could not be loaded; its stack entries presumably become PAM_HT_MUST_FAIL */
81
/*
 * Head of one handler stack per management function.  The `choice`
 * argument of _pam_dispatch() (PAM_AUTHENTICATE .. PAM_CHAUTHTOK) presumably
 * selects which of these is walked.
 */
struct handlers {
    struct handler *authenticate;
    struct handler *setcred;
    struct handler *acct_mgmt;
    struct handler *open_session;
    struct handler *close_session;
    struct handler *chauthtok;
};
90
/*
 * Everything loaded for the handle's service: the module table and the two
 * sets of handler stacks built from the configuration.
 */
struct service {
    struct loaded_module *module; /* Array of modules */
    int modules_allocated;        /* capacity of `module` */
    int modules_used;             /* entries in use: modules_used <= modules_allocated */
    int handlers_loaded;          /* nonzero once _pam_init_handlers() has filled conf/other -- presumably */

    struct handlers conf;  /* the configured handlers */
    struct handlers other; /* the default handlers */
};
100
/*
 * Environment helper functions
 */

/* Growth step for struct pam_environ.list: the pointer array is enlarged
 * this many slots at a time. */
#define PAM_ENV_CHUNK 10 /* chunks of memory calloc()'d *
                          * at once */
107
/*
 * Per-handle environment list (the PAM environment, distinct from the
 * process environment).  Created by _pam_make_env(), released by
 * _pam_drop_env().
 */
struct pam_environ {
    int entries;    /* the number of pointers available */
    int requested;  /* the number of pointers used: *
                     * 1 <= requested <= entries */
    char **list;    /* the environment storage (a list *
                     * of pointers to malloc() memory) */
};
115
116 #include <sys/time.h>
117
/* Library-internal boolean; PAM_FALSE == 0, PAM_TRUE == 1. */
typedef enum { PAM_FALSE, PAM_TRUE } _pam_boolean;
119
/*
 * State for the failure-delay mechanism driven by _pam_reset_timer(),
 * _pam_start_timer() and _pam_await_timer().
 */
struct _pam_fail_delay {
    _pam_boolean set;         /* has a delay been requested for this transaction? */
    unsigned int delay;       /* requested delay; unit not visible here (presumably microseconds, as for pam_fail_delay(3)) */
    time_t begin;             /* when the timer was started, presumably by _pam_start_timer() */
    const void *delay_fn_ptr; /* application-supplied delay callback, stored untyped */
};
126
/* initial state in substack: the impression/status a substack started
 * with, saved so a resumed dispatch can restore it (see
 * struct _pam_former_state.substates). */
struct _pam_substack_state {
    int impression;
    int status;
};
132
/*
 * Dispatch state saved when a module returns "incomplete", so that an
 * event-driven application can call back in and resume where the stack
 * left off.
 */
struct _pam_former_state {
    /* this is known and set by _pam_dispatch() */
    int choice;     /* which flavor of module function did we call? */

    /* state info for the _pam_dispatch_aux() function */
    int depth;      /* how deep in the stack were we? */
    int impression; /* the impression at that time */
    int status;     /* the status before returning incomplete */
    struct _pam_substack_state *substates; /* array of initial substack states */

    /* state info used by pam_get_user() function */
    int fail_user;
    int want_user;
    char *prompt;   /* saved prompt information */

    /* state info for the pam_chauthtok() function */
    _pam_boolean update;
};
151
/*
 * The library's per-transaction state.  Applications and modules only ever
 * see it as an opaque pam_handle_t *; the layout is private to libpam.
 * Handler state is initialised from pam_start() (see _pam_start_handlers).
 */
struct pam_handle {
    char *authtok;                     /* authentication token (presumably the PAM_AUTHTOK
                                          item) -- holds the cleartext secret.
                                          NOTE(review): whatever releases it should
                                          zeroize before freeing; confirm in _pam_sanitize() */
    unsigned caller_is;                /* _PAM_CALLED_FROM_MODULE or _PAM_CALLED_FROM_APP;
                                          maintained via the __PAM_TO_* macros below */
    struct pam_conv *pam_conversation; /* application-supplied conversation function */
    char *oldauthtok;                  /* previous token; same secrecy caveat as authtok */
    char *prompt;                      /* for use by pam_get_user() */
    char *service_name;                /* presumably the %s fed into PAM_CONFIG_DF & co. */
    char *user;
    char *rhost;
    char *ruser;
    char *tty;
    char *xdisplay;
    char *authtok_type;                /* PAM_AUTHTOK_TYPE */
    struct pam_data *data;             /* module-private data list, see struct pam_data */
    struct pam_environ *env;           /* structure to maintain environment list */
    struct _pam_fail_delay fail_delay; /* helper function for easy delays */
    struct pam_xauth_data xauth;       /* auth info for X display */
    struct service handlers;           /* loaded modules and their handler stacks */
    struct _pam_former_state former;   /* library state - support for
                                          event driven applications */
    const char *mod_name;              /* Name of the module currently executed */
    int mod_argc;                      /* Number of module arguments */
    char **mod_argv;                   /* module arguments */
    int choice;                        /* Which function we call from the module */

#ifdef HAVE_LIBAUDIT
    int audit_state;                   /* keep track of reported audit messages */
#endif
    int authtok_verified;              /* flag; name suggests "authtok has been checked" -- confirm */
    char *confdir;                     /* alternative configuration directory; presumably NULL
                                          means the compiled-in PAM_CONFIG* locations */
};
183
/* Values for select arg to _pam_dispatch() */
#define PAM_NOT_STACKED 0
#define PAM_AUTHENTICATE 1
#define PAM_SETCRED 2
#define PAM_ACCOUNT 3
#define PAM_OPEN_SESSION 4
#define PAM_CLOSE_SESSION 5
#define PAM_CHAUTHTOK 6

/* Control values stored in struct handler.actions[].  Named actions are
 * zero or negative; any positive value is a jump (presumably the number of
 * stack entries to skip). */
#define _PAM_ACTION_IS_JUMP(x) ((x) > 0)
#define _PAM_ACTION_IGNORE 0
#define _PAM_ACTION_OK -1
#define _PAM_ACTION_DONE -2
#define _PAM_ACTION_BAD -3
#define _PAM_ACTION_DIE -4
#define _PAM_ACTION_RESET -5
/* Add any new entries here. Will need to change ..._UNDEF and then
 * need to change pam_tokens.h */
#define _PAM_ACTION_UNDEF -6 /* this is treated as an error
                                ( = _PAM_ACTION_BAD) */

#define PAM_SUBSTACK_MAX_LEVEL 16 /* maximum level of substacks */

/* character tables for parsing config files */
/* sized by -_PAM_ACTION_UNDEF, i.e. one name per negative action value;
 * presumably indexed by the negated action */
extern const char * const _pam_token_actions[-_PAM_ACTION_UNDEF];
/* one name per PAM return value plus one extra slot */
extern const char * const _pam_token_returns[_PAM_RETURN_VALUES+1];
210
/*
 * internally defined functions --- these should not be directly
 * called by applications or modules
 */

/* Walk the handler stack selected by `choice` (PAM_AUTHENTICATE ..
 * PAM_CHAUTHTOK) with `flags`; returns a PAM status. */
int _pam_dispatch(pam_handle_t *pamh, int flags, int choice);

/* Free various allocated structures and dlclose() the libs */
int _pam_free_handlers(pam_handle_t *pamh);

/* Parse config file, allocate handler structures, dlopen() */
int _pam_init_handlers(pam_handle_t *pamh);

/* Set all handler stuff to 0/NULL - called once from pam_start() */
void _pam_start_handlers(pam_handle_t *pamh);
225
/* environment helper functions */

/* create the environment structure (pamh->env); returns a PAM status */
int _pam_make_env(pam_handle_t *pamh);

/* delete the environment structure and everything it owns */
void _pam_drop_env(pam_handle_t *pamh);
233
/* these functions deal with failure delays as required by the
   authentication modules and application. Their *interface* is likely
   to remain the same although their function is hopefully going to
   improve */

/* reset the timer to no-delay (clears pamh->fail_delay) */
void _pam_reset_timer(pam_handle_t *pamh);

/* this sets the clock ticking */
void _pam_start_timer(pam_handle_t *pamh);

/* this waits for the clock to stop ticking if status != PAM_SUCCESS;
   a successful status presumably skips the delay */
void _pam_await_timer(pam_handle_t *pamh, int status);
247
/* voidfunc: a function type taking no arguments and returning a
 * void (*)(void) -- note it is a function type, not a pointer type. */
typedef void (*voidfunc(void))(void);
/* servicefn: pointer to a module service function (same shape as
 * struct handler.func). */
typedef int (*servicefn)(pam_handle_t *, int, int, char **);

/* Thin wrappers over the dynamic loader; the handle is opaque and is the
 * value stored in struct loaded_module.dl_handle. */
void *_pam_dlopen (const char *mod_path);
servicefn _pam_dlsym (void *handle, const char *symbol);
void _pam_dlclose (void *handle);
const char *_pam_dlerror (void);
255
/* For now we just use a stack and linear search for module data. */
/* If it becomes apparent that there is a lot of data, it should be */
/* changed to either a sorted list or a hash table. */
259
/*
 * One item of module-private data attached to the handle (the list hangs
 * off pam_handle.data).  Looked up linearly by `name`.
 */
struct pam_data {
    char *name;   /* lookup key */
    void *data;   /* module-owned payload */
    void (*cleanup)(pam_handle_t *pamh, void *data, int error_status);
                  /* optional destructor for `data`; presumably invoked
                     with the status passed to _pam_free_data() */
    struct pam_data *next;
};
266
/* Release every struct pam_data on the handle, running each cleanup
 * callback with `status`. */
void _pam_free_data(pam_handle_t *pamh, int status);

/* Tokenizer over a mutable buffer; `next` receives the resume point.
 * Which characters of `format` act as separators is defined elsewhere. */
char *_pam_StrTok(char *from, const char *format, char **next);

/* strdup() replacement; caller frees the result. */
char *_pam_strdup(const char *s);

/* Copy `len` bytes of `s` into fresh memory; caller frees.  `len` is an
 * int -- NOTE(review): negative values are presumably rejected, confirm. */
char *_pam_memdup(const char *s, int len);

/* Split `s` into an argv-style vector; *argv/*argc are outputs.  Ownership
 * of the vector passes to the caller -- presumably, confirm against callers. */
int _pam_mkargv(const char *s, char ***argv, int *argc);

/* Clear sensitive fields of the handle (name suggests the authtoks) --
 * confirm that it zeroizes rather than merely free()s. */
void _pam_sanitize(pam_handle_t *pamh);

/* Fill an actions[] table (see struct handler) with `default_action`. */
void _pam_set_default_control(int *control_array, int default_action);

/* Parse one control token from the config file into `control_array`;
 * `tok` is modified in place -- presumably, it is not const. */
void _pam_parse_control(int *control_array, char *tok);
282
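/* Prefix on every syslog(3) line libpam emits on its own behalf. */
#define _PAM_SYSTEM_LOG_PREFIX "PAM"

/*
 * Leave the calling function with ERR when it was handed a NULL pam
 * handle, after logging which caller it was.  X must be a string literal
 * naming the caller: it is pasted into the format string at compile time,
 * so no caller-controlled text ever becomes part of the format.
 *
 * The expansion is wrapped in do { ... } while (0) so that it is a single
 * statement: a trailing `else` written after IF_NO_PAMH(...); in the caller
 * binds to the caller's own `if`, not to the hidden `if ((pamh) == NULL)`.
 * Callers terminate the macro with a semicolon, as before.
 */

#define IF_NO_PAMH(X,pamh,ERR) \
do { \
    if ((pamh) == NULL) { \
        syslog(LOG_ERR, _PAM_SYSTEM_LOG_PREFIX " " X ": NULL pam handle passed"); \
        return ERR; \
    } \
} while (0)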
295
296 /*
297 * include some helpful macros
298 */
299
300 #include <security/_pam_macros.h>
301
/* used to work out where control currently resides (in an application
   or in a module) */

/* Values of pam_handle.caller_is. */
#define _PAM_CALLED_FROM_MODULE 1
#define _PAM_CALLED_FROM_APP 2

/* Query / set the caller_is field.  (Names beginning with a double
 * underscore are reserved for the implementation by the C standard;
 * kept here because external code already uses them.) */
#define __PAM_FROM_MODULE(pamh) ((pamh)->caller_is == _PAM_CALLED_FROM_MODULE)
#define __PAM_FROM_APP(pamh) ((pamh)->caller_is == _PAM_CALLED_FROM_APP)
#define __PAM_TO_MODULE(pamh) \
do { (pamh)->caller_is = _PAM_CALLED_FROM_MODULE; } while (0)
#define __PAM_TO_APP(pamh) \
do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
314
#ifdef HAVE_LIBAUDIT
/* Report the outcome of one handler (`h`, `retval`) for `action` to the
 * audit subsystem; returns a PAM status.  Only compiled when libaudit is
 * available; pam_handle.audit_state tracks what has already been reported. */
extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h);
/* Final audit record for the transaction with its overall `pam_status`. */
extern int _pam_audit_end(pam_handle_t *pamh, int pam_status);
#endif
319
320 /*
321 * Copyright (C) 1995 by Red Hat Software, Marc Ewing
322 * Copyright (c) 1996-8,2001 by Andrew G. Morgan <morgan@kernel.org>
323 *
324 * All rights reserved
325 *
326 * Redistribution and use in source and binary forms, with or without
327 * modification, are permitted provided that the following conditions
328 * are met:
329 * 1. Redistributions of source code must retain the above copyright
330 * notice, and the entire permission notice in its entirety,
331 * including the disclaimer of warranties.
332 * 2. Redistributions in binary form must reproduce the above copyright
333 * notice, this list of conditions and the following disclaimer in the
334 * documentation and/or other materials provided with the distribution.
335 * 3. The name of the author may not be used to endorse or promote
336 * products derived from this software without specific prior
337 * written permission.
338 *
339 * ALTERNATIVELY, this product may be distributed under the terms of
340 * the GNU Public License, in which case the provisions of the GPL are
341 * required INSTEAD OF the above restrictions. (This clause is
342 * necessary due to a potential bad interaction between the GPL and
343 * the restrictions contained in a BSD-style copyright.)
344 *
345 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
346 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
347 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
348 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
349 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
350 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
351 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
352 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
353 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
354 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
355 * OF THE POSSIBILITY OF SUCH DAMAGE.
356 */
357
#endif /* _PAM_PRIVATE_H */