1 /*
2 * pam_unix authentication management
3 *
4 * Copyright Alexander O. Yuriev, 1996. All rights reserved.
5 * NIS+ support by Thorsten Kukuk <kukuk@weber.uni-paderborn.de>
6 * Copyright Jan Rękorajski, 1999. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, and the entire permission notice in its entirety,
13 * including the disclaimer of warranties.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. The name of the author may not be used to endorse or promote
18 * products derived from this software without specific prior
19 * written permission.
20 *
21 * ALTERNATIVELY, this product may be distributed under the terms of
22 * the GNU Public License, in which case the provisions of the GPL are
23 * required INSTEAD OF the above restrictions. (This clause is
24 * necessary due to a potential bad interaction between the GPL and
25 * the restrictions contained in a BSD-style copyright.)
26 *
27 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
28 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
30 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
31 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
32 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
33 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
35 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
36 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
37 * OF THE POSSIBILITY OF SUCH DAMAGE.
38 */
39
40 #include "config.h"
41
42 #include <stdio.h>
43 #include <stdlib.h>
44 #include <stdarg.h>
45 #include <string.h>
46 #include <unistd.h>
47 #include <fcntl.h>
48 #include <ctype.h>
49 #include <sys/types.h>
50 #include <sys/stat.h>
51 #include <syslog.h>
52
53 #include <security/_pam_macros.h>
54 #include <security/pam_modules.h>
55 #include <security/pam_ext.h>
56
57 #include "support.h"
58
59 /*
60 * PAM framework looks for these entry-points to pass control to the
61 * authentication module.
62 */
63
64 /* Fun starts here :)
65
66 * pam_sm_authenticate() performs UNIX/shadow authentication
67 *
68 * First, if shadow support is available, attempt to perform
69 * authentication using shadow passwords. If shadow is not
70 * available, or user does not have a shadow password, fallback
71 * onto a normal UNIX authentication
72 */
73
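/*
 * AUTH_RETURN - common exit path for pam_sm_authenticate().
 *
 * Must be expanded in a scope that provides pamh, retval and a
 * heap-allocated int *ret_data.  It copies retval into *ret_data,
 * registers the buffer with libpam under the key "unix_setcred_return"
 * (the key pam_sm_setcred() reads back) with setcred_free as the
 * cleanup callback, and returns retval from the enclosing function.
 *
 * If pam_set_data() fails, the buffer was not registered and no cleanup
 * callback will run for it, so it is released here rather than leaked.
 * The authentication result itself is left unchanged in that case.
 */
#define AUTH_RETURN						\
do {								\
	D(("recording return code for next time [%d]",		\
	   retval));						\
	*ret_data = retval;					\
	if (pam_set_data(pamh, "unix_setcred_return",		\
			 (void *) ret_data, setcred_free)	\
	    != PAM_SUCCESS) {					\
		free(ret_data);					\
		ret_data = NULL;				\
	}							\
	D(("done. [%s]", pam_strerror(pamh, retval)));		\
	return retval;						\
} while (0)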
84
85
/*
 * Cleanup callback registered with pam_set_data() for the
 * "unix_setcred_return" item: releases the heap buffer that holds the
 * saved authentication return code.  The handle and error-status
 * arguments are not used.
 */
static void
setcred_free (pam_handle_t *pamh UNUSED, void *ptr, int err UNUSED)
{
	/* free(NULL) is defined as a no-op, so no guard is required. */
	free (ptr);
}
92
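/*
 * pam_sm_authenticate - PAM entry point for UNIX password authentication.
 *
 * Steps, in order:
 *   1. parse the module options into ctrl via _set_ctrl();
 *   2. allocate the small buffer that AUTH_RETURN stores under
 *      "unix_setcred_return" so pam_sm_setcred() can replay the result;
 *   3. obtain the user name and reject names starting with '-' or '+';
 *   4. if _unix_blankpasswd() reports a blank password, succeed without
 *      asking for a token;
 *   5. otherwise obtain the authentication token and check it with
 *      _unix_verify_password().
 *
 * Returns PAM_BUF_ERR when the buffer cannot be allocated,
 * PAM_USER_UNKNOWN for a rejected name, PAM_INCOMPLETE when the
 * conversation is not ready yet (PAM_CONV_AGAIN), PAM_SUCCESS for a
 * blank-password account, and otherwise whatever pam_get_user(),
 * pam_get_authtok() or _unix_verify_password() returned.
 *
 * Every exit after the allocation goes through AUTH_RETURN, so the
 * result is always recorded before returning.
 */
int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	unsigned long long ctrl;
	int retval, *ret_data = NULL;
	const char *name;
	const char *p;

	D(("called."));

	ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);

	/* Get a few bytes so we can pass our return value to
	   pam_sm_setcred() and pam_sm_acct_mgmt(). */
	ret_data = malloc(sizeof *ret_data);
	if (!ret_data) {
		D(("cannot malloc ret_data"));
		pam_syslog(pamh, LOG_CRIT,
			   "pam_unix_auth: cannot allocate ret_data");
		return PAM_BUF_ERR;
	}

	/* get the user's name */

	retval = pam_get_user(pamh, &name, NULL);
	if (retval == PAM_SUCCESS) {
		/*
		 * Various libraries at various times have had bugs related to
		 * '+' or '-' as the first character of a user name.  Don't
		 * allow these characters here.
		 */
		if (name[0] == '-' || name[0] == '+') {
			pam_syslog(pamh, LOG_NOTICE, "bad username [%s]", name);
			retval = PAM_USER_UNKNOWN;
			AUTH_RETURN;
		}
		if (on(UNIX_DEBUG, ctrl))
			pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);
	} else {
		if (retval == PAM_CONV_AGAIN) {
			D(("pam_get_user/conv() function is not ready yet"));
			/* it is safe to resume this function so we translate this
			 * retval to the value that indicates we're happy to resume.
			 */
			retval = PAM_INCOMPLETE;
		} else if (on(UNIX_DEBUG, ctrl)) {
			pam_syslog(pamh, LOG_DEBUG, "could not obtain username");
		}
		AUTH_RETURN;
	}

	/*
	 * If this user does not have a password, authenticate without
	 * prompting.  Whether a blank password is acceptable is decided
	 * entirely inside _unix_blankpasswd() (defined elsewhere) from ctrl.
	 */

	if (_unix_blankpasswd(pamh, ctrl, name)) {
		pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);
		name = NULL;
		retval = PAM_SUCCESS;
		AUTH_RETURN;
	}
	/* get this user's authentication token */

	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &p , NULL);
	if (retval != PAM_SUCCESS) {
		if (retval != PAM_CONV_AGAIN) {
			pam_syslog(pamh, LOG_CRIT,
				   "auth could not identify password for [%s]", name);
		} else {
			D(("conversation function is not ready yet"));
			/*
			 * it is safe to resume this function so we translate this
			 * retval to the value that indicates we're happy to resume.
			 */
			retval = PAM_INCOMPLETE;
		}
		name = NULL;
		AUTH_RETURN;
	}
	/*
	 * Trace only that a token was obtained.  The cleartext password
	 * must never be written to the debug trace, even in debug builds.
	 */
	D(("user=%s, password obtained", name));

	/* verify the password of this user */
	retval = _unix_verify_password(pamh, name, p, ctrl);
	/*
	 * This only drops the local references; it does not wipe the
	 * strings, which this function never allocated.
	 */
	name = p = NULL;

	AUTH_RETURN;
}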
178
179
180 /*
181 * The only thing _pam_set_credentials_unix() does is initialization of
182 * UNIX group IDs.
183 *
184 * Well, everybody but me on linux-pam is convinced that it should not
185 * initialize group IDs, so I am not doing it but don't say that I haven't
186 * warned you. -- AOY
187 */
188
/*
 * pam_sm_setcred - PAM credential entry point.
 *
 * Sets no credentials.  When UNIX_LIKE_AUTH is enabled in ctrl and a
 * "unix_setcred_return" item is present, it returns the code saved
 * there and then clears the item; in every other case it returns
 * PAM_SUCCESS.
 */
int
pam_sm_setcred (pam_handle_t *pamh, int flags,
		int argc, const char **argv)
{
	const void *stored = NULL;
	unsigned long long ctrl;
	int retval;

	D(("called."));

	ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);

	D(("recovering return code from auth call"));

	/* We will only find something here if UNIX_LIKE_AUTH is set --
	   don't worry about an explicit check of argv. */
	if (!on(UNIX_LIKE_AUTH, ctrl))
		return PAM_SUCCESS;

	if (pam_get_data(pamh, "unix_setcred_return", &stored) != PAM_SUCCESS
	    || stored == NULL)
		return PAM_SUCCESS;

	/*
	 * Copy the saved code out BEFORE clearing the item: replacing the
	 * data is expected to run its cleanup callback, after which
	 * `stored` must not be dereferenced.
	 */
	retval = *(const int *) stored;
	pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
	D(("recovered data indicates that old retval was %d", retval));

	return retval;
}