#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>
-#include <security/_pam_modutil.h>
-
-#ifndef LINUX_PAM
-#include <security/pam_appl.h>
-#endif /* LINUX_PAM */
+#include <security/pam_ext.h>
+#include <security/pam_modutil.h>
#include "support.h"
/* create a pipe for the messages */
if (pipe(fds) != 0) {
D(("could not make pipe"));
- _log_err(LOG_ERR, pamh, "Could not make pipe %s",strerror(errno));
+ pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m");
return NULL;
}
D(("called."));
}
}
}
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
/* exec binary helper */
args[0] = x_strdup(CHKPWD_HELPER);
args[1] = x_strdup(user);
execve(CHKPWD_HELPER, args, envp);
- _log_err(LOG_ERR, pamh, "helper binary execve failed: %s",strerror(errno));
+ pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
/* should not get here: exit with error */
close (fds[1]);
D(("helper binary is not available"));
int rc=0;
rc=waitpid(child, &retval, 0); /* wait for helper to complete */
if (rc<0) {
- _log_err(LOG_ERR, pamh, "unix_chkpwd waitpid returned %d: %s", rc, strerror(errno));
+ pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc);
retval = PAM_AUTH_ERR;
} else {
retval = WEXITSTATUS(retval);
if (retval != PAM_AUTHINFO_UNAVAIL) {
- rc = _pammodutil_read(fds[0], buf, sizeof(buf) - 1);
+ rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1);
if(rc > 0) {
buf[rc] = '\0';
if (sscanf(buf,"%ld:%ld:%ld:%ld:%ld:%ld",
&spwd.sp_expire) /* date when account expires */ != 6 ) retval = PAM_AUTH_ERR;
}
else {
- _log_err(LOG_ERR, pamh, " ERROR %d:%s \n",rc, strerror(errno)); retval = PAM_AUTH_ERR;
+ pam_syslog(pamh, LOG_ERR, " ERROR %d: %m", rc); retval = PAM_AUTH_ERR;
}
}
}
} else {
- _log_err(LOG_ERR, pamh, "Fork failed %s \n",strerror(errno));
+ pam_syslog(pamh, LOG_ERR, "Fork failed: %m");
D(("fork failed"));
retval = PAM_AUTH_ERR;
}
int argc, const char **argv)
{
unsigned int ctrl;
- const void *uname;
+ const void *void_uname;
+ const char *uname;
int retval, daysleft;
time_t curdays;
struct spwd *spent;
ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
- retval = pam_get_item(pamh, PAM_USER, &uname);
+ retval = pam_get_item(pamh, PAM_USER, &void_uname);
+ uname = void_uname;
D(("user = `%s'", uname));
if (retval != PAM_SUCCESS || uname == NULL) {
- _log_err(LOG_ALERT, pamh
- ,"could not identify user (from uid=%d)"
- ,getuid());
+ pam_syslog(pamh, LOG_ALERT,
+ "could not identify user (from uid=%d)",
+ getuid());
return PAM_USER_UNKNOWN;
}
- pwent = _pammodutil_getpwnam(pamh, uname);
+ pwent = pam_modutil_getpwnam(pamh, uname);
if (!pwent) {
- _log_err(LOG_ALERT, pamh
- ,"could not identify user (from getpwnam(%s))"
- ,uname);
+ pam_syslog(pamh, LOG_ALERT,
+ "could not identify user (from getpwnam(%s))",
+ uname);
return PAM_USER_UNKNOWN;
}
return PAM_CRED_INSUFFICIENT;
}
}
- spent = _pammodutil_getspnam (pamh, uname);
+ spent = pam_modutil_getspnam (pamh, uname);
if (save_uid == pwent->pw_uid)
setreuid( save_uid, save_euid );
else {
}
} else if (_unix_shadowed (pwent))
- spent = _pammodutil_getspnam (pamh, uname);
+ spent = pam_modutil_getspnam (pamh, uname);
else
return PAM_SUCCESS;
curdays = time(NULL) / (60 * 60 * 24);
D(("today is %d, last change %d", curdays, spent->sp_lstchg));
if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) {
- _log_err(LOG_NOTICE, pamh
- ,"account %s has expired (account expired)"
- ,uname);
+ pam_syslog(pamh, LOG_NOTICE,
+ "account %s has expired (account expired)",
+ uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
_("Your account has expired; please contact your system administrator"));
D(("account expired"));
return PAM_ACCT_EXPIRED;
}
if (spent->sp_lstchg == 0) {
- _log_err(LOG_NOTICE, pamh
- ,"expired password for user %s (root enforced)"
- ,uname);
+ pam_syslog(pamh, LOG_NOTICE,
+ "expired password for user %s (root enforced)",
+ uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
_("You are required to change your password immediately (root enforced)"));
D(("need a new password"));
return PAM_NEW_AUTHTOK_REQD;
}
if (curdays < spent->sp_lstchg) {
- _log_err(LOG_DEBUG, pamh
- ,"account %s has password changed in future"
- ,uname);
+ pam_syslog(pamh, LOG_DEBUG,
+ "account %s has password changed in future",
+ uname);
return PAM_SUCCESS;
}
if ((curdays - spent->sp_lstchg > spent->sp_max)
&& (curdays - spent->sp_lstchg > spent->sp_inact)
&& (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
&& (spent->sp_max != -1) && (spent->sp_inact != -1)) {
- _log_err(LOG_NOTICE, pamh
- ,"account %s has expired (failed to change password)"
- ,uname);
+ pam_syslog(pamh, LOG_NOTICE,
+ "account %s has expired (failed to change password)",
+ uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
_("Your account has expired; please contact your system administrator"));
D(("account expired 2"));
return PAM_ACCT_EXPIRED;
}
if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) {
- _log_err(LOG_DEBUG, pamh
- ,"expired password for user %s (password aged)"
- ,uname);
+ pam_syslog(pamh, LOG_DEBUG,
+ "expired password for user %s (password aged)",
+ uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
_("You are required to change your password immediately (password aged)"));
D(("need a new password 2"));
if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn)
&& (spent->sp_max != -1) && (spent->sp_warn != -1)) {
daysleft = (spent->sp_lstchg + spent->sp_max) - curdays;
- _log_err(LOG_DEBUG, pamh
- ,"password for user %s will expire in %d days"
- ,uname, daysleft);
+ pam_syslog(pamh, LOG_DEBUG,
+ "password for user %s will expire in %d days",
+ uname, daysleft);
snprintf(buf, sizeof (buf), _("Warning: your password will expire in %d day%.2s"),
daysleft, daysleft == 1 ? "" : "s");
_make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);