#include <time.h> /* for time() */
#include <errno.h>
#include <sys/wait.h>
-#ifdef WITH_SELINUX
-#include <selinux/selinux.h>
-#define SELINUX_ENABLED is_selinux_enabled()>0
-#endif
#include <security/_pam_macros.h>
#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>
+#include <security/pam_ext.h>
#include <security/pam_modutil.h>
-#ifndef LINUX_PAM
-#include <security/pam_appl.h>
-#endif /* LINUX_PAM */
-
#include "support.h"
+#include "passverify.h"
-#ifdef WITH_SELINUX
-
-struct spwd spwd;
-
-struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user)
+int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
+ const char *user, int *daysleft)
{
int retval=0, child, fds[2];
void (*sighandler)(int) = NULL;
/* create a pipe for the messages */
if (pipe(fds) != 0) {
D(("could not make pipe"));
- _log_err(LOG_ERR, pamh, "Could not make pipe %s",strerror(errno));
- return NULL;
+ pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m");
+ return PAM_AUTH_ERR;
}
D(("called."));
/* fork */
child = fork();
if (child == 0) {
- size_t i=0;
+ int i=0;
struct rlimit rlim;
static char *envp[] = { NULL };
char *args[] = { NULL, NULL, NULL, NULL };
- close(0); close(1);
- /* reopen stdin as pipe */
- close(fds[0]);
+ /* reopen stdout as pipe */
dup2(fds[1], STDOUT_FILENO);
/* XXX - should really tidy up PAM here too */
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- for (i=2; i < rlim.rlim_max; i++) {
- if ((unsigned int)fds[1] != i) {
+ if (rlim.rlim_max >= MAX_FD_NO)
+ rlim.rlim_max = MAX_FD_NO;
+ for (i=0; i < (int)rlim.rlim_max; i++) {
+ if (i != STDOUT_FILENO) {
close(i);
}
}
}
+
+ if (geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
/* exec binary helper */
args[0] = x_strdup(CHKPWD_HELPER);
args[1] = x_strdup(user);
- args[2] = x_strdup("verify");
+ args[2] = x_strdup("chkexpiry");
execve(CHKPWD_HELPER, args, envp);
- _log_err(LOG_ERR, pamh, "helper binary execve failed: %s",strerror(errno));
+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
/* should not get here: exit with error */
- close (fds[1]);
D(("helper binary is not available"));
+ printf("-1\n");
exit(PAM_AUTHINFO_UNAVAIL);
} else {
close(fds[1]);
if (child > 0) {
- char buf[1024];
+ char buf[32];
int rc=0;
rc=waitpid(child, &retval, 0); /* wait for helper to complete */
if (rc<0) {
- _log_err(LOG_ERR, pamh, "unix_chkpwd waitpid returned %d: %s", rc, strerror(errno));
+ pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc);
retval = PAM_AUTH_ERR;
} else {
retval = WEXITSTATUS(retval);
- if (retval != PAM_AUTHINFO_UNAVAIL) {
- rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1);
- if(rc > 0) {
+ rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1);
+ if(rc > 0) {
buf[rc] = '\0';
- if (sscanf(buf,"%ld:%ld:%ld:%ld:%ld:%ld",
- &spwd.sp_lstchg, /* last password change */
- &spwd.sp_min, /* days until change allowed. */
- &spwd.sp_max, /* days before change required */
- &spwd.sp_warn, /* days warning for expiration */
- &spwd.sp_inact, /* days before account inactive */
- &spwd.sp_expire) /* date when account expires */ != 6 ) retval = PAM_AUTH_ERR;
+ if (sscanf(buf,"%d", daysleft) != 1 )
+ retval = PAM_AUTH_ERR;
}
- else {
- _log_err(LOG_ERR, pamh, " ERROR %d:%s \n",rc, strerror(errno)); retval = PAM_AUTH_ERR;
+ else {
+ pam_syslog(pamh, LOG_ERR, "read unix_chkpwd output error %d: %m", rc);
+ retval = PAM_AUTH_ERR;
}
- }
}
} else {
- _log_err(LOG_ERR, pamh, "Fork failed %s \n",strerror(errno));
+ pam_syslog(pamh, LOG_ERR, "Fork failed: %m");
D(("fork failed"));
retval = PAM_AUTH_ERR;
}
close(fds[0]);
}
- if (sighandler != NULL) {
+ if (sighandler != SIG_ERR) {
(void) signal(SIGCHLD, sighandler); /* restore old signal handler */
}
D(("Returning %d",retval));
- if (retval != PAM_SUCCESS) {
- return NULL;
- }
- return &spwd;
+ return retval;
}
-#endif
-
-
/*
* PAM framework looks for this entry-point to pass control to the
* account management module.
int argc, const char **argv)
{
unsigned int ctrl;
- const void *uname;
+ const void *void_uname;
+ const char *uname;
int retval, daysleft;
- time_t curdays;
struct spwd *spent;
struct passwd *pwent;
char buf[256];
D(("called."));
- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
+ ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
- retval = pam_get_item(pamh, PAM_USER, &uname);
+ retval = pam_get_item(pamh, PAM_USER, &void_uname);
+ uname = void_uname;
D(("user = `%s'", uname));
if (retval != PAM_SUCCESS || uname == NULL) {
- _log_err(LOG_ALERT, pamh
- ,"could not identify user (from uid=%d)"
- ,getuid());
+ pam_syslog(pamh, LOG_ALERT,
+ "could not identify user (from uid=%lu)",
+ (unsigned long int)getuid());
return PAM_USER_UNKNOWN;
}
- pwent = pam_modutil_getpwnam(pamh, uname);
- if (!pwent) {
- _log_err(LOG_ALERT, pamh
- ,"could not identify user (from getpwnam(%s))"
- ,uname);
- return PAM_USER_UNKNOWN;
+ retval = get_account_info(pamh, uname, &pwent, &spent);
+ if (retval == PAM_USER_UNKNOWN) {
+ pam_syslog(pamh, LOG_ALERT,
+ "could not identify user (from getpwnam(%s))",
+ uname);
+ return retval;
}
- if (!strcmp( pwent->pw_passwd, "*NP*" )) { /* NIS+ */
- uid_t save_euid, save_uid;
-
- save_euid = geteuid();
- save_uid = getuid();
- if (save_uid == pwent->pw_uid)
- setreuid( save_euid, save_uid );
- else {
- setreuid( 0, -1 );
- if (setreuid( -1, pwent->pw_uid ) == -1) {
- setreuid( -1, 0 );
- setreuid( 0, -1 );
- if(setreuid( -1, pwent->pw_uid ) == -1)
- return PAM_CRED_INSUFFICIENT;
- }
- }
- spent = pam_modutil_getspnam (pamh, uname);
- if (save_uid == pwent->pw_uid)
- setreuid( save_uid, save_euid );
- else {
- if (setreuid( -1, 0 ) == -1)
- setreuid( save_uid, -1 );
- setreuid( -1, save_euid );
- }
-
- } else if (_unix_shadowed (pwent))
- spent = pam_modutil_getspnam (pamh, uname);
- else
+ if (retval == PAM_SUCCESS && spent == NULL)
return PAM_SUCCESS;
-#ifdef WITH_SELINUX
- if (!spent && SELINUX_ENABLED )
- spent = _unix_run_verify_binary(pamh, ctrl, uname);
-#endif
-
- if (!spent)
+ if (retval == PAM_UNIX_RUN_HELPER) {
+ retval = _unix_run_verify_binary(pamh, ctrl, uname, &daysleft);
+ if (retval == PAM_AUTHINFO_UNAVAIL &&
+ on(UNIX_BROKEN_SHADOW, ctrl))
+ return PAM_SUCCESS;
+ } else if (retval != PAM_SUCCESS) {
if (on(UNIX_BROKEN_SHADOW,ctrl))
return PAM_SUCCESS;
-
- if (!spent)
- return PAM_AUTHINFO_UNAVAIL; /* Couldn't get username from shadow */
-
- curdays = time(NULL) / (60 * 60 * 24);
- D(("today is %d, last change %d", curdays, spent->sp_lstchg));
- if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) {
- _log_err(LOG_NOTICE, pamh
- ,"account %s has expired (account expired)"
- ,uname);
- _make_remark(pamh, ctrl, PAM_ERROR_MSG,
- _("Your account has expired; please contact your system administrator"));
- D(("account expired"));
- return PAM_ACCT_EXPIRED;
- }
- if (spent->sp_lstchg == 0) {
- _log_err(LOG_NOTICE, pamh
- ,"expired password for user %s (root enforced)"
- ,uname);
+ else
+ return retval;
+ } else
+ retval = check_shadow_expiry(pamh, spent, &daysleft);
+
+ switch (retval) {
+ case PAM_ACCT_EXPIRED:
+ pam_syslog(pamh, LOG_NOTICE,
+ "account %s has expired (account expired)",
+ uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
- _("You are required to change your password immediately (root enforced)"));
- D(("need a new password"));
- return PAM_NEW_AUTHTOK_REQD;
- }
- if (curdays < spent->sp_lstchg) {
- _log_err(LOG_DEBUG, pamh
- ,"account %s has password changed in future"
- ,uname);
- return PAM_SUCCESS;
- }
- if ((curdays - spent->sp_lstchg > spent->sp_max)
- && (curdays - spent->sp_lstchg > spent->sp_inact)
- && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
- && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
- _log_err(LOG_NOTICE, pamh
- ,"account %s has expired (failed to change password)"
- ,uname);
- _make_remark(pamh, ctrl, PAM_ERROR_MSG,
- _("Your account has expired; please contact your system administrator"));
- D(("account expired 2"));
- return PAM_ACCT_EXPIRED;
- }
- if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) {
- _log_err(LOG_DEBUG, pamh
- ,"expired password for user %s (password aged)"
- ,uname);
+ _("Your account has expired; please contact your system administrator"));
+ break;
+ case PAM_NEW_AUTHTOK_REQD:
+ if (daysleft == 0) {
+ pam_syslog(pamh, LOG_NOTICE,
+ "expired password for user %s (root enforced)",
+ uname);
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
+ _("You are required to change your password immediately (root enforced)"));
+ } else {
+ pam_syslog(pamh, LOG_DEBUG,
+ "expired password for user %s (password aged)",
+ uname);
+ _make_remark(pamh, ctrl, PAM_ERROR_MSG,
+ _("You are required to change your password immediately (password aged)"));
+ }
+ break;
+ case PAM_AUTHTOK_EXPIRED:
+ pam_syslog(pamh, LOG_NOTICE,
+ "account %s has expired (failed to change password)",
+ uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
- _("You are required to change your password immediately (password aged)"));
- D(("need a new password 2"));
- return PAM_NEW_AUTHTOK_REQD;
- }
- if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn)
- && (spent->sp_max != -1) && (spent->sp_warn != -1)) {
- daysleft = (spent->sp_lstchg + spent->sp_max) - curdays;
- _log_err(LOG_DEBUG, pamh
- ,"password for user %s will expire in %d days"
- ,uname, daysleft);
- snprintf(buf, sizeof (buf), _("Warning: your password will expire in %d day%.2s"),
- daysleft, daysleft == 1 ? "" : "s");
- _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
+ _("Your account has expired; please contact your system administrator"));
+ break;
+ case PAM_AUTHTOK_ERR:
+ retval = PAM_SUCCESS;
+ /* fallthrough */
+ case PAM_SUCCESS:
+ if (daysleft >= 0) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "password for user %s will expire in %d days",
+ uname, daysleft);
+#if defined HAVE_DNGETTEXT && defined ENABLE_NLS
+ snprintf (buf, sizeof (buf),
+ dngettext(PACKAGE,
+ "Warning: your password will expire in %d day",
+ "Warning: your password will expire in %d days",
+ daysleft),
+ daysleft);
+#else
+ if (daysleft == 1)
+ snprintf(buf, sizeof (buf),
+ _("Warning: your password will expire in %d day"),
+ daysleft);
+ else
+ snprintf(buf, sizeof (buf),
+ /* TRANSLATORS: only used if dngettext is not supported */
+ _("Warning: your password will expire in %d days"),
+ daysleft);
+#endif
+ _make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
+ }
}
D(("all done"));
- return PAM_SUCCESS;
+ return retval;
}
projects / linux-pam / blobdiff