2 * Copyright information at end of file.
21 #include <sys/resource.h>
22 #include <rpcsvc/ypclnt.h>
24 #include <security/_pam_macros.h>
25 #include <security/pam_modules.h>
26 #include <security/pam_ext.h>
27 #include <security/pam_modutil.h>
30 #include "passverify.h"
32 #include <selinux/selinux.h>
33 #define SELINUX_ENABLED is_selinux_enabled()>0
35 #define SELINUX_ENABLED 0
38 /* this is a front-end for module-application conversations */
40 int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
41 int type, const char *text)
43 int retval = PAM_SUCCESS;
45 if (off(UNIX__QUIET, ctrl)) {
46 retval = pam_prompt(pamh, type, NULL, "%s", text);
52 * set the control flags for the UNIX module.
55 int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc,
62 ctrl = UNIX_DEFAULTS; /* the default selection of options */
64 /* set some flags manually */
66 if (getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
68 set(UNIX__IAMROOT, ctrl);
70 if (flags & PAM_UPDATE_AUTHTOK) {
71 D(("UPDATE_AUTHTOK"));
72 set(UNIX__UPDATE, ctrl);
74 if (flags & PAM_PRELIM_CHECK) {
76 set(UNIX__PRELIM, ctrl);
78 if (flags & PAM_SILENT) {
80 set(UNIX__QUIET, ctrl);
82 /* now parse the arguments to this module */
87 D(("pam_unix arg: %s", *argv));
89 for (j = 0; j < UNIX_CTRLS_; ++j) {
90 if (unix_args[j].token
91 && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
96 if (j >= UNIX_CTRLS_) {
97 pam_syslog(pamh, LOG_ERR,
98 "unrecognized option [%s]", *argv);
100 ctrl &= unix_args[j].mask; /* for turning things off */
101 ctrl |= unix_args[j].flag; /* for turning things on */
103 if (remember != NULL) {
104 if (j == UNIX_REMEMBER_PASSWD) {
105 *remember = strtol(*argv + 9, NULL, 10);
106 if ((*remember == INT_MIN) || (*remember == INT_MAX))
114 ++argv; /* step to next argument */
117 if (flags & PAM_DISALLOW_NULL_AUTHTOK) {
118 D(("DISALLOW_NULL_AUTHTOK"));
119 set(UNIX__NONULL, ctrl);
122 /* auditing is a more sensitive version of debug */
124 if (on(UNIX_AUDIT, ctrl)) {
125 set(UNIX_DEBUG, ctrl);
127 /* return the set of flags */
133 static void _cleanup(pam_handle_t * pamh UNUSED, void *x, int error_status UNUSED)
138 /* ************************************************************** *
139 * Useful non-trivial functions *
140 * ************************************************************** */
143 * the following is used to keep track of the number of times a user fails
144 * to authenticate themself.
147 #define FAIL_PREFIX "-UN*X-FAIL-"
148 #define UNIX_MAX_RETRIES 3
150 struct _pam_failed_auth {
151 char *user; /* user that's failed to be authenticated */
152 char *name; /* attempt from user with name */
153 int uid; /* uid of calling user */
154 int euid; /* euid of calling process */
155 int count; /* number of failures so far */
158 #ifndef PAM_DATA_REPLACE
159 #error "Need to get an updated libpam 0.52 or better"
162 static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err)
165 const void *service = NULL;
166 const void *ruser = NULL;
167 const void *rhost = NULL;
168 const void *tty = NULL;
169 struct _pam_failed_auth *failure;
173 quiet = err & PAM_DATA_SILENT; /* should we log something? */
174 err &= PAM_DATA_REPLACE; /* are we just replacing data? */
175 failure = (struct _pam_failed_auth *) fl;
177 if (failure != NULL) {
179 if (!quiet && !err) { /* under advisement from Sun,may go away */
181 /* log the number of authentication failures */
182 if (failure->count > 1) {
183 (void) pam_get_item(pamh, PAM_SERVICE,
185 (void) pam_get_item(pamh, PAM_RUSER,
187 (void) pam_get_item(pamh, PAM_RHOST,
189 (void) pam_get_item(pamh, PAM_TTY,
191 pam_syslog(pamh, LOG_NOTICE,
192 "%d more authentication failure%s; "
193 "logname=%s uid=%d euid=%d "
194 "tty=%s ruser=%s rhost=%s "
196 failure->count - 1, failure->count == 2 ? "" : "s",
197 failure->name, failure->uid, failure->euid,
198 tty ? (const char *)tty : "", ruser ? (const char *)ruser : "",
199 rhost ? (const char *)rhost : "",
200 (failure->user && failure->user[0] != '\0')
201 ? " user=" : "", failure->user
204 if (failure->count > UNIX_MAX_RETRIES) {
205 pam_syslog(pamh, LOG_ALERT,
206 "service(%s) ignoring max retries; %d > %d",
207 service == NULL ? "**unknown**" : (const char *)service,
213 _pam_delete(failure->user); /* tidy up */
214 _pam_delete(failure->name); /* tidy up */
220 * _unix_getpwnam() searches only /etc/passwd and NIS to find user information
222 static void _unix_cleanup(pam_handle_t *pamh UNUSED, void *data, int error_status UNUSED)
227 int _unix_getpwnam(pam_handle_t *pamh, const char *name,
228 int files, int nis, struct passwd **ret)
232 int matched = 0, buflen;
233 char *slogin, *spasswd, *suid, *sgid, *sgecos, *shome, *sshell, *p;
235 memset(buf, 0, sizeof(buf));
237 if (!matched && files) {
238 int userlen = strlen(name);
239 passwd = fopen("/etc/passwd", "r");
240 if (passwd != NULL) {
241 while (fgets(buf, sizeof(buf), passwd) != NULL) {
242 if ((buf[userlen] == ':') &&
243 (strncmp(name, buf, userlen) == 0)) {
244 p = buf + strlen(buf) - 1;
245 while (isspace(*p) && (p >= buf)) {
256 if (!matched && nis) {
257 char *userinfo = NULL, *domain = NULL;
259 len = yp_get_default_domain(&domain);
260 if (len == YPERR_SUCCESS) {
261 len = yp_bind(domain);
263 if (len == YPERR_SUCCESS) {
264 i = yp_match(domain, "passwd.byname", name,
265 strlen(name), &userinfo, &len);
267 if ((i == YPERR_SUCCESS) && ((size_t)len < sizeof(buf))) {
268 strncpy(buf, userinfo, sizeof(buf) - 1);
269 buf[sizeof(buf) - 1] = '\0';
275 if (matched && (ret != NULL)) {
280 spasswd = strchr(slogin, ':');
281 if (spasswd == NULL) {
286 suid = strchr(spasswd, ':');
292 sgid = strchr(suid, ':');
298 sgecos = strchr(sgid, ':');
299 if (sgecos == NULL) {
304 shome = strchr(sgecos, ':');
310 sshell = strchr(shome, ':');
311 if (sshell == NULL) {
316 buflen = sizeof(struct passwd) +
318 strlen(spasswd) + 1 +
324 *ret = malloc(buflen);
328 memset(*ret, '\0', buflen);
330 (*ret)->pw_uid = strtol(suid, &p, 10);
331 if ((strlen(suid) == 0) || (*p != '\0')) {
337 (*ret)->pw_gid = strtol(sgid, &p, 10);
338 if ((strlen(sgid) == 0) || (*p != '\0')) {
344 p = ((char*)(*ret)) + sizeof(struct passwd);
345 (*ret)->pw_name = strcpy(p, slogin);
347 (*ret)->pw_passwd = strcpy(p, spasswd);
349 (*ret)->pw_gecos = strcpy(p, sgecos);
351 (*ret)->pw_dir = strcpy(p, shome);
353 (*ret)->pw_shell = strcpy(p, sshell);
355 snprintf(buf, sizeof(buf), "_pam_unix_getpwnam_%s", name);
357 if (pam_set_data(pamh, buf,
358 *ret, _unix_cleanup) != PAM_SUCCESS) {
368 * _unix_comsefromsource() is a quick check to see if information about a given
369 * user comes from a particular source (just files and nis for now)
372 int _unix_comesfromsource(pam_handle_t *pamh,
373 const char *name, int files, int nis)
375 return _unix_getpwnam(pamh, name, files, nis, NULL);
379 * _unix_blankpasswd() is a quick check for a blank password
381 * returns TRUE if user does not have a password
382 * - to avoid prompting for one in such cases (CG)
386 _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
388 struct passwd *pwd = NULL;
389 struct spwd *spwdent = NULL;
396 * This function does not have to be too smart if something goes
397 * wrong, return FALSE and let this case to be treated somewhere
401 if (on(UNIX__NONULL, ctrl))
402 return 0; /* will fail but don't let on yet */
404 /* UNIX passwords area */
406 /* Get password file entry... */
407 pwd = pam_modutil_getpwnam (pamh, name);
410 if (strcmp( pwd->pw_passwd, "*NP*" ) == 0)
412 uid_t save_euid, save_uid;
414 save_euid = geteuid();
416 if (save_uid == pwd->pw_uid)
417 setreuid( save_euid, save_uid );
420 if (setreuid( -1, pwd->pw_uid ) == -1) {
423 if(setreuid( -1, pwd->pw_uid ) == -1)
424 /* Will fail elsewhere. */
429 spwdent = pam_modutil_getspnam (pamh, name);
430 if (save_uid == pwd->pw_uid)
431 setreuid( save_uid, save_euid );
433 if (setreuid( -1, 0 ) == -1)
434 setreuid( save_uid, -1 );
435 setreuid( -1, save_euid );
437 } else if (_unix_shadowed(pwd)) {
439 * ...and shadow password file entry for this user,
440 * if shadowing is enabled
442 spwdent = pam_modutil_getspnam(pamh, name);
445 salt = x_strdup(spwdent->sp_pwdp);
447 salt = x_strdup(pwd->pw_passwd);
449 /* Does this user have a password? */
453 if (strlen(salt) == 0)
468 * verify the password of a user
471 #include <sys/types.h>
472 #include <sys/wait.h>
474 static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
475 unsigned int ctrl, const char *user)
477 int retval, child, fds[2];
478 void (*sighandler)(int) = NULL;
481 /* create a pipe for the password */
482 if (pipe(fds) != 0) {
483 D(("could not make pipe"));
487 if (off(UNIX_NOREAP, ctrl)) {
489 * This code arranges that the demise of the child does not cause
490 * the application to receive a signal it is not expecting - which
491 * may kill the application or worse.
493 * The "noreap" module argument is provided so that the admin can
494 * override this behavior.
496 sighandler = signal(SIGCHLD, SIG_DFL);
504 static char *envp[] = { NULL };
505 char *args[] = { NULL, NULL, NULL, NULL };
507 /* XXX - should really tidy up PAM here too */
510 /* reopen stdin as pipe */
512 dup2(fds[0], STDIN_FILENO);
514 if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
515 for (i=2; i < (int)rlim.rlim_max; i++) {
521 if (SELINUX_ENABLED && geteuid() == 0) {
522 /* must set the real uid to 0 so the helper will not error
523 out if pam is called from setuid binary (su, sudo...) */
527 /* exec binary helper */
528 args[0] = strdup(CHKPWD_HELPER);
529 args[1] = x_strdup(user);
530 if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
531 args[2]=strdup("nullok");
533 args[2]=strdup("nonull");
536 execve(CHKPWD_HELPER, args, envp);
538 /* should not get here: exit with error */
539 D(("helper binary is not available"));
540 exit(PAM_AUTHINFO_UNAVAIL);
541 } else if (child > 0) {
543 /* if the stored password is NULL */
545 if (passwd != NULL) { /* send the password to the child */
546 write(fds[1], passwd, strlen(passwd)+1);
549 write(fds[1], "", 1); /* blank password */
551 close(fds[0]); /* close here to avoid possible SIGPIPE above */
553 rc=waitpid(child, &retval, 0); /* wait for helper to complete */
555 pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc);
556 retval = PAM_AUTH_ERR;
558 retval = WEXITSTATUS(retval);
564 retval = PAM_AUTH_ERR;
567 if (sighandler != SIG_ERR) {
568 (void) signal(SIGCHLD, sighandler); /* restore old signal handler */
571 D(("returning %d", retval));
575 int _unix_verify_password(pam_handle_t * pamh, const char *name
576 ,const char *p, unsigned int ctrl)
578 struct passwd *pwd = NULL;
579 struct spwd *spwdent = NULL;
587 #ifdef HAVE_PAM_FAIL_DELAY
588 if (off(UNIX_NODELAY, ctrl)) {
589 D(("setting delay"));
590 (void) pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */
594 /* locate the entry for this user */
596 D(("locating user's record"));
598 /* UNIX passwords area */
599 pwd = pam_modutil_getpwnam (pamh, name); /* Get password file entry... */
602 if (strcmp( pwd->pw_passwd, "*NP*" ) == 0)
604 uid_t save_euid, save_uid;
606 save_euid = geteuid();
608 if (save_uid == pwd->pw_uid)
609 setreuid( save_euid, save_uid );
612 if (setreuid( -1, pwd->pw_uid ) == -1) {
615 if(setreuid( -1, pwd->pw_uid ) == -1)
616 return PAM_CRED_INSUFFICIENT;
620 spwdent = pam_modutil_getspnam (pamh, name);
621 if (save_uid == pwd->pw_uid)
622 setreuid( save_uid, save_euid );
624 if (setreuid( -1, 0 ) == -1)
625 setreuid( save_uid, -1 );
626 setreuid( -1, save_euid );
628 } else if (_unix_shadowed(pwd)) {
630 * ...and shadow password file entry for this user,
631 * if shadowing is enabled
633 spwdent = pam_modutil_getspnam (pamh, name);
636 salt = x_strdup(spwdent->sp_pwdp);
638 salt = x_strdup(pwd->pw_passwd);
641 data_name = (char *) malloc(sizeof(FAIL_PREFIX) + strlen(name));
642 if (data_name == NULL) {
643 pam_syslog(pamh, LOG_CRIT, "no memory for data-name");
645 strcpy(data_name, FAIL_PREFIX);
646 strcpy(data_name + sizeof(FAIL_PREFIX) - 1, name);
649 retval = PAM_SUCCESS;
650 if (pwd == NULL || salt == NULL || !strcmp(salt, "x") || ((salt[0] == '#') && (salt[1] == '#') && !strcmp(salt + 2, name))) {
652 if (pwd != NULL && (geteuid() || SELINUX_ENABLED)) {
653 /* we are not root perhaps this is the reason? Run helper */
654 D(("running helper binary"));
655 retval = _unix_run_helper_binary(pamh, p, ctrl, name);
657 D(("user's record unavailable"));
660 retval = PAM_USER_UNKNOWN;
662 retval = PAM_AUTHINFO_UNAVAIL;
663 if (on(UNIX_AUDIT, ctrl)) {
664 /* this might be a typo and the user has given a password
665 instead of a username. Careful with this. */
666 pam_syslog(pamh, LOG_WARNING,
667 "check pass; user (%s) unknown", name);
670 if (on(UNIX_DEBUG, ctrl) || pwd == NULL) {
671 pam_syslog(pamh, LOG_WARNING,
672 "check pass; user unknown");
674 /* don't log failure as another pam module can succeed */
680 retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
683 if (retval == PAM_SUCCESS) {
684 if (data_name) /* reset failures */
685 pam_set_data(pamh, data_name, NULL, _cleanup_failures);
687 if (data_name != NULL) {
688 struct _pam_failed_auth *new = NULL;
689 const struct _pam_failed_auth *old = NULL;
691 /* get a failure recorder */
693 new = (struct _pam_failed_auth *)
694 malloc(sizeof(struct _pam_failed_auth));
698 const char *login_name;
699 const void *void_old;
702 login_name = pam_modutil_getlogin(pamh);
703 if (login_name == NULL) {
707 new->user = x_strdup(name ? name : "");
709 new->euid = geteuid();
710 new->name = x_strdup(login_name);
712 /* any previous failures for this user ? */
713 if (pam_get_data(pamh, data_name, &void_old)
720 new->count = old->count + 1;
721 if (new->count >= UNIX_MAX_RETRIES) {
722 retval = PAM_MAXTRIES;
725 const void *service=NULL;
726 const void *ruser=NULL;
727 const void *rhost=NULL;
728 const void *tty=NULL;
730 (void) pam_get_item(pamh, PAM_SERVICE,
732 (void) pam_get_item(pamh, PAM_RUSER,
734 (void) pam_get_item(pamh, PAM_RHOST,
736 (void) pam_get_item(pamh, PAM_TTY,
739 pam_syslog(pamh, LOG_NOTICE,
740 "authentication failure; "
741 "logname=%s uid=%d euid=%d "
742 "tty=%s ruser=%s rhost=%s "
744 new->name, new->uid, new->euid,
745 tty ? (const char *)tty : "",
746 ruser ? (const char *)ruser : "",
747 rhost ? (const char *)rhost : "",
748 (new->user && new->user[0] != '\0')
755 pam_set_data(pamh, data_name, new, _cleanup_failures);
758 pam_syslog(pamh, LOG_CRIT,
759 "no memory for failure recorder");
766 _pam_delete(data_name);
770 D(("done [%d].", retval));
776 * obtain a password from the user
779 int _unix_read_password(pam_handle_t * pamh
784 ,const char *data_name
788 int retval = PAM_SUCCESS;
794 * make sure nothing inappropriate gets returned
797 *pass = token = NULL;
800 * which authentication token are we getting?
803 authtok_flag = on(UNIX__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
806 * should we obtain the password from a PAM item ?
809 if (on(UNIX_TRY_FIRST_PASS, ctrl) || on(UNIX_USE_FIRST_PASS, ctrl)) {
810 retval = pam_get_item(pamh, authtok_flag, pass);
811 if (retval != PAM_SUCCESS) {
813 pam_syslog(pamh, LOG_ALERT,
814 "pam_get_item returned error to unix-read-password"
817 } else if (*pass != NULL) { /* we have a password! */
819 } else if (on(UNIX_USE_FIRST_PASS, ctrl)) {
820 return PAM_AUTHTOK_RECOVERY_ERR; /* didn't work */
821 } else if (on(UNIX_USE_AUTHTOK, ctrl)
822 && off(UNIX__OLD_PASSWD, ctrl)) {
823 return PAM_AUTHTOK_ERR;
827 * getting here implies we will have to get the password from the
833 char *resp[2] = { NULL, NULL };
835 if (comment != NULL && off(UNIX__QUIET, ctrl)) {
836 retval = pam_info(pamh, "%s", comment);
839 if (retval == PAM_SUCCESS) {
840 retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
841 &resp[0], "%s", prompt1);
843 if (retval == PAM_SUCCESS && prompt2 != NULL) {
844 retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
845 &resp[1], "%s", prompt2);
850 if (resp[0] != NULL && resp[replies-1] != NULL) {
851 /* interpret the response */
853 if (retval == PAM_SUCCESS) { /* a good conversation */
858 /* verify that password entered correctly */
859 if (strcmp(token, resp[replies - 1])) {
861 retval = PAM_AUTHTOK_RECOVERY_ERR;
862 _make_remark(pamh, ctrl,
863 PAM_ERROR_MSG, MISTYPED_PASS);
867 pam_syslog(pamh, LOG_NOTICE,
868 "could not recover authentication token");
874 retval = (retval == PAM_SUCCESS)
875 ? PAM_AUTHTOK_RECOVERY_ERR : retval;
880 _pam_delete(resp[1]);
883 if (retval != PAM_SUCCESS) {
886 if (on(UNIX_DEBUG, ctrl))
887 pam_syslog(pamh, LOG_DEBUG,
888 "unable to obtain a password");
891 /* 'token' is the entered password */
893 if (off(UNIX_NOT_SET_PASS, ctrl)) {
895 /* we store this password as an item */
897 retval = pam_set_item(pamh, authtok_flag, token);
898 _pam_delete(token); /* clean it up */
899 if (retval != PAM_SUCCESS
900 || (retval = pam_get_item(pamh, authtok_flag, pass))
904 pam_syslog(pamh, LOG_CRIT, "error manipulating password");
910 * then store it as data specific to this module. pam_end()
911 * will arrange to clean it up.
914 retval = pam_set_data(pamh, data_name, (void *) token, _cleanup);
915 if (retval != PAM_SUCCESS) {
916 pam_syslog(pamh, LOG_CRIT,
917 "error manipulating password data [%s]",
918 pam_strerror(pamh, retval));
923 token = NULL; /* break link to password */
929 /* ****************************************************************** *
930 * Copyright (c) Jan Rêkorajski 1999.
931 * Copyright (c) Andrew G. Morgan 1996-8.
932 * Copyright (c) Alex O. Yuriev, 1996.
933 * Copyright (c) Cristian Gafton 1996.
935 * Redistribution and use in source and binary forms, with or without
936 * modification, are permitted provided that the following conditions
938 * 1. Redistributions of source code must retain the above copyright
939 * notice, and the entire permission notice in its entirety,
940 * including the disclaimer of warranties.
941 * 2. Redistributions in binary form must reproduce the above copyright
942 * notice, this list of conditions and the following disclaimer in the
943 * documentation and/or other materials provided with the distribution.
944 * 3. The name of the author may not be used to endorse or promote
945 * products derived from this software without specific prior
946 * written permission.
948 * ALTERNATIVELY, this product may be distributed under the terms of
949 * the GNU Public License, in which case the provisions of the GPL are
950 * required INSTEAD OF the above restrictions. (This clause is
951 * necessary due to a potential bad interaction between the GPL and
952 * the restrictions contained in a BSD-style copyright.)
954 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
955 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
956 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
957 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
958 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
959 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
960 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
961 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
962 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
963 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
964 * OF THE POSSIBILITY OF SUCH DAMAGE.