Relevant BUGIDs: 424315

Purpose of commit: cleanup, new feature

Commit summary:
---------------
I'm adding a new module (pam_debug) that helped me to verify that
the new setcred handling did not suffer from a bug in the handling
of 'auth optional'. I'm also fixing a D(()) line from
libpam/pam_dispatch.c which was simply broken.

[There is still an outstanding backward compatibility issue with
 pam_dispatch that I'll address with respect to Bug 468724.]

diff --git a/CHANGELOG b/CHANGELOG
index ae2fa0bcf4400c9ee744f1fbcc9d584cf669c05d..d4d295243436d87255bfeee12cfdde99d0cb1748 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -49,6 +49,10 @@ bug report - outstanding bugs are listed here:
 0.76: please submit patches for this section with actual code/doc
       patches!
 
+* verified that the setcred stack didn't suffer from the bug I was
+  nervous about, add a new module pam_debug to help me test this.
+  fixed a libpam/pam_dispatch.c instrumentation line that I tripped
+  over when testing. (Bug 424315 - agmorgan)
 * some BSD updates and fixes from Mark Murray - including a slightly
   more robust conversation function and some minimization of gcc
   warnings. (Bug 449203 - agmorgan)

diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
index 6212ac87b7c3927a37f078633b63d1f9a27f1df2..2a6befd4177e1d53e774962819f0c0fc5ab6bfa9 100644 (file)
--- a/libpam/pam_dispatch.c
+++ b/libpam/pam_dispatch.c
@@ -126,8 +126,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
            action = h->actions[cached_retval];
        }
 
-       D((stderr,
-          "use_cached_chain=%d action=%d cached_retval=%d retval=%d\n",
+       D(("use_cached_chain=%d action=%d cached_retval=%d retval=%d",
           use_cached_chain, action, cached_retval, retval));
 
        /* decide what to do */

diff --git a/modules/pam_debug/Makefile b/modules/pam_debug/Makefile
new file mode 100644 (file)
index 0000000..ae22cad
--- /dev/null
+++ b/modules/pam_debug/Makefile
@@ -0,0 +1,15 @@
+#
+# $Id$
+#
+# This Makefile controls a build process of $(TITLE) module for
+# Linux-PAM. You should not modify this Makefile (unless you know
+# what you are doing!).
+#
+# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27
+#
+
+include ../../Make.Rules
+
+TITLE=pam_debug
+
+include ../Simple.Rules

diff --git a/modules/pam_debug/README b/modules/pam_debug/README
new file mode 100644 (file)
index 0000000..b537e3a
--- /dev/null
+++ b/modules/pam_debug/README
@@ -0,0 +1,15 @@
+# $Id$
+#
+
+This module returns what its module arguments tell it to return. It
+can be used for debugging libpam and/or an application.
+
+Here are some example ways to use it:
+
+auth   requisite       pam_permit.so
+auth    [success=2 default=ok]  pam_debug.so auth=perm_denied cred=success
+auth    [default=reset]         pam_debug.so auth=success cred=perm_denied
+auth    [success=done default=die] pam_debug.so
+auth    optional        pam_debug.so auth=perm_denied cred=perm_denied
+auth    sufficient      pam_debug.so auth=success cred=success
+

diff --git a/modules/pam_debug/pam_debug.c b/modules/pam_debug/pam_debug.c
new file mode 100644 (file)
index 0000000..152b977
--- /dev/null
+++ b/modules/pam_debug/pam_debug.c
@@ -0,0 +1,175 @@
+/* pam_permit module */
+
+/*
+ * $Id$
+ *
+ * Written by Andrew Morgan <morgan@kernel.org> 2001/02/04
+ *
+ */
+
+#define DEFAULT_USER "nobody"
+
+#include <stdio.h>
+
+/*
+ * This module is intended as a debugging aide for determining how
+ * the PAM stack is operating.
+ *
+ * here, we make definitions for the externally accessible functions
+ * in this file (these definitions are required for static modules
+ * but strongly encouraged generally) they are used to instruct the
+ * modules include file to define their prototypes.
+ */
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_SM_SESSION
+#define PAM_SM_PASSWORD
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+
+#define _PAM_ACTION_UNDEF (-10)
+#include "../../libpam/pam_tokens.h"
+
+/* --- authentication management functions --- */
+
+static int state(pam_handle_t *pamh, const char *text)
+{
+    int retval;
+    struct pam_conv *conv;
+    struct pam_message msg[1], *mesg[1];
+    struct pam_response *response;
+
+    retval = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
+    if ((retval != PAM_SUCCESS) || (conv == NULL)) {
+       D(("failed to obtain conversation function"));
+       return PAM_ABORT;
+    }
+
+    msg[0].msg_style = PAM_TEXT_INFO;
+    msg[0].msg = text;
+    mesg[0] = &msg[0];
+
+    retval = conv->conv(1, (const struct pam_message **) mesg,
+                       &response, conv->appdata_ptr);
+    if (retval != PAM_SUCCESS) {
+       D(("conversation failed"));
+    }
+
+    return retval;
+}
+
+static int parse_args(int retval, const char *event,
+                     pam_handle_t *pamh, int argc, const char **argv)
+{
+    int i;
+
+    for (i=0; i<argc; ++i) {
+       int length = strlen(event);
+       if (!strncmp(event, argv[i], length) && (argv[i][length] == '=')) {
+           int j;
+           const char *return_string = argv[i] + (length+1);
+
+           for (j=0; j<_PAM_RETURN_VALUES; ++j) {
+               if (!strcmp(return_string, _pam_token_returns[j])) {
+                   retval = j;
+                   state(pamh, argv[i]);
+                   break;
+               }
+           }
+           break;
+       }
+    }
+
+    return retval;
+}
+
+PAM_EXTERN
+int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+                       const char **argv)
+{
+    int retval;
+    const char *user=NULL;
+
+    /*
+     * authentication requires we know who the user wants to be
+     */
+    retval = pam_get_user(pamh, &user, NULL);
+    if (retval != PAM_SUCCESS) {
+       D(("get user returned error: %s", pam_strerror(pamh,retval)));
+       return retval;
+    }
+    if (user == NULL || *user == '\0') {
+       D(("username not known"));
+       pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
+    }
+    user = NULL;                                            /* clean up */
+
+    retval = parse_args(PAM_SUCCESS, "auth", pamh, argc, argv);
+
+    return retval;
+}
+
+PAM_EXTERN
+int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, 
+                  const char **argv)
+{
+    return parse_args(PAM_SUCCESS, "cred", pamh, argc, argv);
+}
+
+/* --- account management functions --- */
+
+PAM_EXTERN
+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
+                    const char **argv)
+{
+    return parse_args(PAM_SUCCESS, "acct", pamh, argc, argv);
+}
+
+/* --- password management --- */
+
+PAM_EXTERN
+int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
+                    const char **argv)
+{
+    if (flags & PAM_PRELIM_CHECK) {
+       return parse_args(PAM_SUCCESS, "prechauthtok", pamh, argc, argv);
+    } else {
+       return parse_args(PAM_SUCCESS, "chauthtok", pamh, argc, argv);
+    }
+}
+
+/* --- session management --- */
+
+PAM_EXTERN
+int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc,
+                       const char **argv)
+{
+    return parse_args(PAM_SUCCESS, "open_session", pamh, argc, argv);
+}
+
+PAM_EXTERN
+int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
+                        ,const char **argv)
+{
+    return parse_args(PAM_SUCCESS, "close_session", pamh, argc, argv);
+}
+
+/* end of module definition */
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_permit_modstruct = {
+    "pam_debug",
+    pam_sm_authenticate,
+    pam_sm_setcred,
+    pam_sm_acct_mgmt,
+    pam_sm_open_session,
+    pam_sm_close_session,
+    pam_sm_chauthtok
+};
+
+#endif