1 /*
2 * Check pam_faillock return values.
3 */
4
5 #include "test_assert.h"
6
7 #include <limits.h>
8 #include <stdio.h>
9 #include <string.h>
10 #include <unistd.h>
11 #include <security/pam_appl.h>
12
13 #define MODULE_NAME "pam_faillock"
14 #define TEST_NAME "tst-" MODULE_NAME "-retval"
15
16 static const char service_file[] = TEST_NAME ".service";
17 static const char config_filename[] = TEST_NAME ".conf";
18 static const char user_name[] = "root";
19 static struct pam_conv conv;
20
21 int
22 main(void)
23 {
24 pam_handle_t *pamh = NULL;
25 FILE *fp;
26 char cwd[PATH_MAX];
27
28 ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd)));
29
30 ASSERT_NE(NULL, fp = fopen(config_filename, "w"));
31 ASSERT_LT(0, fprintf(fp,
32 "deny = 2\n"
33 "unlock_time = 5\n"
34 "root_unlock_time = 5\n"));
35 ASSERT_EQ(0, fclose(fp));
36
37 /* root has access */
38 ASSERT_NE(NULL, fp = fopen(service_file, "w"));
39 ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n"
40 "auth required %s/../pam_permit/.libs/pam_permit.so\n"
41 "auth required %s/.libs/%s.so authsucc even_deny_root dir=%s conf=%s\n"
42 "account required %s/.libs/%s.so dir=%s\n"
43 "password required %s/.libs/%s.so dir=%s\n"
44 "session required %s/.libs/%s.so dir=%s\n",
45 cwd,
46 cwd, MODULE_NAME, cwd, config_filename,
47 cwd, MODULE_NAME, cwd,
48 cwd, MODULE_NAME, cwd,
49 cwd, MODULE_NAME, cwd));
50
51 ASSERT_EQ(0, fclose(fp));
52
53 ASSERT_EQ(PAM_SUCCESS,
54 pam_start_confdir(service_file, user_name, &conv, ".", &pamh));
55 ASSERT_NE(NULL, pamh);
56 ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0));
57 ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0));
58 ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0));
59 ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0));
60 ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0));
61 ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0));
62 ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0));
63 ASSERT_EQ(0, unlink(service_file));
64 pamh = NULL;
65
66 /* root tries to login 2 times without success*/
67 ASSERT_NE(NULL, fp = fopen(service_file, "w"));
68 ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n"
69 "auth requisite %s/.libs/%s.so dir=%s preauth even_deny_root conf=%s\n"
70 "auth [success=1 default=bad] %s/../pam_debug/.libs/pam_debug.so auth=perm_denied cred=success\n"
71 "auth [default=die] %s/.libs/%s.so dir=%s authfail even_deny_root conf=%s\n"
72 "auth sufficient %s/.libs/%s.so dir=%s authsucc even_deny_root conf=%s\n",
73 cwd, MODULE_NAME, cwd, config_filename,
74 cwd,
75 cwd, MODULE_NAME, cwd, config_filename,
76 cwd, MODULE_NAME, cwd, config_filename));
77
78 ASSERT_EQ(0, fclose(fp));
79
80 ASSERT_EQ(PAM_SUCCESS,
81 pam_start_confdir(service_file, user_name, &conv, ".", &pamh));
82 ASSERT_NE(NULL, pamh);
83 ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0));
84 ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0));
85 pamh = NULL;
86 ASSERT_EQ(0, unlink(service_file));
87
88 /* root is locked for 5 sec*/
89 ASSERT_NE(NULL, fp = fopen(service_file, "w"));
90 ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n"
91 "auth requisite %s/.libs/%s.so dir=%s preauth even_deny_root conf=%s\n"
92 "auth [success=1 default=bad] %s/../pam_debug/.libs/pam_debug.so auth=success cred=success\n"
93 "auth [default=die] %s/.libs/%s.so dir=%s authfail even_deny_root conf=%s\n"
94 "auth sufficient %s/.libs/%s.so dir=%s authsucc even_deny_root conf=%s\n",
95 cwd, MODULE_NAME, cwd, config_filename,
96 cwd,
97 cwd, MODULE_NAME, cwd, config_filename,
98 cwd, MODULE_NAME, cwd, config_filename));
99
100 ASSERT_EQ(0, fclose(fp));
101
102 ASSERT_EQ(PAM_SUCCESS,
103 pam_start_confdir(service_file, user_name, &conv, ".", &pamh));
104 ASSERT_NE(NULL, pamh);
105 ASSERT_EQ(PAM_AUTH_ERR, pam_authenticate(pamh, 0));
106
107 /* waiting at least 5 sec --> login is working again*/
108 sleep(6);
109 ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0));
110
111 ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0));
112 ASSERT_EQ(0, unlink(service_file));
113 pamh = NULL;
114
115 ASSERT_EQ(0,unlink(user_name));
116 ASSERT_EQ(0,unlink(config_filename));
117
118 return 0;
119 }