granicus.if.org Git - linux-pam/blob - examples/xsh.c

   1 /*
   2  * $Id$
   3  */
   4
   5 /* Andrew Morgan (morgan@kernel.org) -- an example application
   6  * that invokes a shell, based on blank.c */
   7
   8 #include <stdio.h>
   9 #include <stdlib.h>
  10
  11 #include <security/pam_appl.h>
  12 #include <security/pam_misc.h>
  13
  14 #include <security/_pam_aconf.h>
  15
  16 #include <pwd.h>
  17 #include <sys/types.h>
  18 #include <unistd.h>
  19
  20 /* ------ some local (static) functions ------- */
  21
  22 static void bail_out(pam_handle_t *pamh,int really, int code, const char *fn)
  23 {
  24      fprintf(stderr,"==> called %s()\n  got: `%s'\n", fn,
  25              pam_strerror(pamh,code));
  26      if (really && code)
  27           exit (1);
  28 }
  29
  30 /* ------ some static data objects ------- */
  31
  32 static struct pam_conv conv = {
  33      misc_conv,
  34      NULL
  35 };
  36
  37 /* ------- the application itself -------- */
  38
  39 int main(int argc, char **argv)
  40 {
  41      pam_handle_t *pamh=NULL;
  42      const char *username=NULL;
  43      const char *service="xsh";
  44      int retcode;
  45
  46      /* did the user call with a username as an argument ?
  47       * did they also */
  48
  49      if (argc > 3) {
  50           fprintf(stderr,"usage: %s [username [service-name]]\n",argv[0]);
  51      }
  52      if (argc >= 2) {
  53           username = argv[1];
  54      }
  55      if (argc == 3) {
  56          service = argv[2];
  57      }
  58
  59      /* initialize the Linux-PAM library */
  60      retcode = pam_start(service, username, &conv, &pamh);
  61      bail_out(pamh,1,retcode,"pam_start");
  62
  63      /* fill in the RUSER and RHOST fields */
  64      {
  65          char buffer[100];
  66          struct passwd *pw;
  67
  68          pw = getpwuid(getuid());
  69          if (pw != NULL) {
  70              retcode = pam_set_item(pamh, PAM_RUSER, pw->pw_name);
  71              bail_out(pamh,1,retcode,"pam_set_item(PAM_RUSER)");
  72          }
  73          retcode = gethostname(buffer, sizeof(buffer)-1);
  74          if (retcode) {
  75              perror("failed to look up hostname");
  76              retcode = pam_end(pamh, PAM_ABORT);
  77              bail_out(pamh,1,retcode,"pam_end");
  78          }
  79          retcode = pam_set_item(pamh, PAM_RHOST, buffer);
  80          bail_out(pamh,1,retcode,"pam_set_item(PAM_RHOST)");
  81      }
  82
  83      /* to avoid using goto we abuse a loop here */
  84      for (;;) {
  85           /* authenticate the user --- `0' here, could have been PAM_SILENT
  86            *    | PAM_DISALLOW_NULL_AUTHTOK */
  87
  88           retcode = pam_authenticate(pamh, 0);
  89           bail_out(pamh,0,retcode,"pam_authenticate");
  90
  91           /* has the user proved themself valid? */
  92           if (retcode != PAM_SUCCESS) {
  93                fprintf(stderr,"%s: invalid request\n",argv[0]);
  94                break;
  95           }
  96
  97           /* the user is valid, but should they have access at this
  98              time? */
  99
 100           retcode = pam_acct_mgmt(pamh, 0); /* `0' could be as above */
 101           bail_out(pamh,0,retcode,"pam_acct_mgmt");
 102
 103           if (retcode == PAM_NEW_AUTHTOK_REQD) {
 104                fprintf(stderr,"Application must request new password...\n");
 105                retcode = pam_chauthtok(pamh,PAM_CHANGE_EXPIRED_AUTHTOK);
 106                bail_out(pamh,0,retcode,"pam_chauthtok");
 107           }
 108
 109           if (retcode != PAM_SUCCESS) {
 110                fprintf(stderr,"%s: invalid request\n",argv[0]);
 111                break;
 112           }
 113
 114           /* `0' could be as above */
 115           retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
 116           bail_out(pamh,0,retcode,"pam_setcred");
 117
 118           if (retcode != PAM_SUCCESS) {
 119                fprintf(stderr,"%s: problem setting user credentials\n"
 120                        ,argv[0]);
 121                break;
 122           }
 123
 124           /* open a session for the user --- `0' could be PAM_SILENT */
 125           retcode = pam_open_session(pamh,0);
 126           bail_out(pamh,0,retcode,"pam_open_session");
 127           if (retcode != PAM_SUCCESS) {
 128                fprintf(stderr,"%s: problem opening a session\n",argv[0]);
 129                break;
 130           }
 131
 132           pam_get_item(pamh, PAM_USER, (const void **) &username);
 133           fprintf(stderr,
 134                   "The user [%s] has been authenticated and `logged in'\n",
 135                   username);
 136
 137           /* this is always a really bad thing for security! */
 138           system("/bin/sh");
 139
 140           /* close a session for the user --- `0' could be PAM_SILENT
 141            * it is possible that this pam_close_call is in another program..
 142            */
 143
 144           retcode = pam_close_session(pamh,0);
 145           bail_out(pamh,0,retcode,"pam_close_session");
 146           if (retcode != PAM_SUCCESS) {
 147                fprintf(stderr,"%s: problem closing a session\n",argv[0]);
 148                break;
 149           }
 150
 151           /* `0' could be as above */
 152           retcode = pam_setcred(pamh, PAM_DELETE_CRED);
 153           bail_out(pamh,0,retcode,"pam_setcred");
 154           if (retcode != PAM_SUCCESS) {
 155                fprintf(stderr,"%s: problem deleting user credentials\n"
 156                        ,argv[0]);
 157                break;
 158           }
 159
 160           break;                      /* don't go on for ever! */
 161      }
 162
 163      /* close the Linux-PAM library */
 164      retcode = pam_end(pamh, PAM_SUCCESS);
 165      pamh = NULL;
 166      bail_out(pamh,1,retcode,"pam_end");
 167
 168      exit(0);
 169 }