authorTomas Mraz <tm@t8m.info>2007-12-06 20:20:07 +0000
committerTomas Mraz <tm@t8m.info>2007-12-06 20:20:07 +0000
commit632dffe99cc8e3aefb4410aec2a3091df48a6f46 (patch)
treea143da18fc11f9f9dbec7a9f514ea9bec110bcad
parent337e34ff7407327700ae3ddf2bdda00698386e13 (diff)
Relevant BUGIDs:
Purpose of commit: new feature Commit summary: --------------- 2007-12-06 Eamon Walsh <ewalsh@tycho.nsa.gov> * libpam/include/security/_pam_macros.h: Add _pam_overwrite_n() macro. * libpam/include/security/_pam_types.h: Add PAM_XDISPLAY, PAM_XAUTHDATA items, pam_xauth_data struct. * libpam/pam_item.c (pam_set_item, pam_get_item): Handle PAM_XDISPLAY and PAM_XAUTHDATA items. * libpam/pam_end.c (pam_end): Destroy the new items. * libpam/pam_private.h (pam_handle): Add data members for new items. Add prototype for _pam_memdup. * libpam/pam_misc.c: Add _pam_memdup. * doc/man/Makefile.am: Add pam_xauth_data.3. Replace pam_item_types.inc.xml with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml. * doc/man/pam_get_item.3.xml: Replace pam_item_types.inc.xml with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml. * doc/man/pam_set_item.3.xml: Likewise. * doc/man/pam_item_types.inc.xml: Removed file. * doc/man/pam_item_types_ext.inc.xml: New file. * doc/man/pam_item_types_std.inc.xml: New file.
-rw-r--r--ChangeLog22
-rw-r--r--NEWS1
-rw-r--r--doc/man/Makefile.am10
-rw-r--r--doc/man/pam_get_item.3.xml13
-rw-r--r--doc/man/pam_item_types_ext.inc.xml45
-rw-r--r--doc/man/pam_item_types_std.inc.xml (renamed from doc/man/pam_item_types.inc.xml)13
-rw-r--r--doc/man/pam_set_item.3.xml13
-rw-r--r--libpam/include/security/_pam_macros.h9
-rw-r--r--libpam/include/security/_pam_types.h14
-rw-r--r--libpam/pam_end.c9
-rw-r--r--libpam/pam_item.c26
-rw-r--r--libpam/pam_misc.c22
-rw-r--r--libpam/pam_private.h4
13 files changed, 179 insertions, 22 deletions
diff --git a/ChangeLog b/ChangeLog
index 32135cdd..452001e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,25 @@
+2007-12-06 Eamon Walsh <ewalsh@tycho.nsa.gov>
+
+ * libpam/include/security/_pam_macros.h: Add _pam_overwrite_n()
+ macro.
+ * libpam/include/security/_pam_types.h: Add PAM_XDISPLAY,
+ PAM_XAUTHDATA items, pam_xauth_data struct.
+ * libpam/pam_item.c (pam_set_item, pam_get_item): Handle
+ PAM_XDISPLAY and PAM_XAUTHDATA items.
+ * libpam/pam_end.c (pam_end): Destroy the new items.
+ * libpam/pam_private.h (pam_handle): Add data members for new
+ items. Add prototype for _pam_memdup.
+ * libpam/pam_misc.c: Add _pam_memdup.
+ * doc/man/Makefile.am: Add pam_xauth_data.3. Replace
+ pam_item_types.inc.xml with pam_item_types_std.inc.xml and
+ pam_item_types_ext.inc.xml.
+ * doc/man/pam_get_item.3.xml: Replace pam_item_types.inc.xml
+ with pam_item_types_std.inc.xml and pam_item_types_ext.inc.xml.
+ * doc/man/pam_set_item.3.xml: Likewise.
+ * doc/man/pam_item_types.inc.xml: Removed file.
+ * doc/man/pam_item_types_ext.inc.xml: New file.
+ * doc/man/pam_item_types_std.inc.xml: New file.
+
2007-12-06 Tomas Mraz <t8m@centrum.cz>
* modules/pam_tty_audit/pam_tty_audit.8.xml: Fix example.
diff --git a/NEWS b/NEWS
index 87aaa6c7..e794525e 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ Linux-PAM NEWS -- history of user-visible changes.
* New substack directive in config file syntax.
* New module pam_tty_audit.so for enabling and disabling tty
auditing.
+* New PAM items PAM_XDISPLAY and PAM_XAUTHDATA.
Release 0.99.9.0
* misc_conv no longer blocks SIGINT; applications that don't want
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
index 7d17a439..926f1ae5 100644
--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
@@ -10,7 +10,7 @@ man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \
pam_acct_mgmt.3 pam_authenticate.3 \
pam_chauthtok.3 pam_close_session.3 pam_conv.3 \
pam_end.3 pam_error.3 \
- pam_fail_delay.3 \
+ pam_fail_delay.3 pam_xauth_data.3 \
pam_get_data.3 pam_get_item.3 pam_get_user.3 pam_getenv.3 \
pam_getenvlist.3 \
pam_info.3 \
@@ -27,7 +27,7 @@ XMLS = pam.3.xml pam.8.xml \
pam_acct_mgmt.3.xml pam_authenticate.3.xml \
pam_chauthtok.3.xml pam_close_session.3.xml pam_conv.3.xml \
pam_end.3.xml pam_error.3.xml \
- pam_fail_delay.3.xml \
+ pam_fail_delay.3.xml pam_xauth_data.3 \
pam_get_data.3.xml pam_get_item.3.xml pam_get_user.3.xml \
pam_getenv.3.xml pam_getenvlist.3.xml \
pam_info.3.xml \
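Review bot: The new XMLS entry on the `+ pam_fail_delay.3.xml pam_xauth_data.3 \` line names the generated man page, not its DocBook source, so the ENABLE_REGENERATE_MAN rules will look for a source that does not exist; the man_MANS hunk above correctly uses `pam_xauth_data.3`, but here it should read `pam_fail_delay.3.xml pam_xauth_data.3.xml \`. The diffstat also lists no doc/man/pam_xauth_data.3.xml being added in this commit, so the new pam_xauth_data(3) page referenced from pam_item_types_ext.inc.xml appears to be missing from the change set entirely; it should either be added here or the man_MANS/XMLS entries deferred until it exists.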
@@ -38,14 +38,14 @@ XMLS = pam.3.xml pam.8.xml \
pam_sm_close_session.3.xml pam_sm_open_session.3.xml \
pam_sm_setcred.3.xml pam_start.3.xml pam_strerror.3.xml \
pam_sm_chauthtok.3.xml \
- pam_item_types.inc.xml \
+ pam_item_types_std.inc.xml pam_item_types_ext.inc.xml \
pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \
misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
pam_misc_setenv.3.xml
if ENABLE_REGENERATE_MAN
-pam_get_item.3: pam_item_types.inc.xml
-pam_set_data.3: pam_item_types.inc.xml
+pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
+pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
-include $(top_srcdir)/Make.xml.rules
endif
diff --git a/doc/man/pam_get_item.3.xml b/doc/man/pam_get_item.3.xml
index e5806d11..d07862e0 100644
--- a/doc/man/pam_get_item.3.xml
+++ b/doc/man/pam_get_item.3.xml
@@ -3,7 +3,8 @@
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
[
<!--
-<!ENTITY accessconf SYSTEM "pam_item_types.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml">
-->
]>
@@ -55,7 +56,15 @@
</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_item_types.inc.xml"/>
+ href="pam_item_types_std.inc.xml"/>
+
+ <para>
+ The following additional items are specific to Linux-PAM and should not be used in
+ portable applications:
+ </para>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_item_types_ext.inc.xml"/>
<para>
If a service module wishes to obtain the name of the user,
diff --git a/doc/man/pam_item_types_ext.inc.xml b/doc/man/pam_item_types_ext.inc.xml
new file mode 100644
index 00000000..0c72f699
--- /dev/null
+++ b/doc/man/pam_item_types_ext.inc.xml
@@ -0,0 +1,45 @@
+<!-- this file is included by pam_set_item and pam_get_item -->
+
+ <variablelist>
+ <varlistentry>
+ <term>PAM_FAIL_DELAY</term>
+ <listitem>
+ <para>
+ A function pointer to redirect centrally managed
+ failure delays. See
+ <citerefentry>
+ <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_XDISPLAY</term>
+ <listitem>
+ <para>
+ The name of the X display. For graphical, X-based applications the
+ value for this item should be the <emphasis>$DISPLAY</emphasis>
+ variable. This value should be used instead of
+ <emphasis>PAM_TTY</emphasis> for passing the
+ name of the display where possible.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_XAUTHDATA</term>
+ <listitem>
+ <para>
+ A pointer to a structure containing the X authentication data
+ required to make a connection to the display specified by
+ <emphasis>PAM_XDISPLAY</emphasis>, if such information is
+ necessary. See
+ <citerefentry>
+ <refentrytitle>pam_xauth_data</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
diff --git a/doc/man/pam_item_types.inc.xml b/doc/man/pam_item_types_std.inc.xml
index 9d70087b..81f240b0 100644
--- a/doc/man/pam_item_types.inc.xml
+++ b/doc/man/pam_item_types_std.inc.xml
@@ -135,17 +135,4 @@
</listitem>
</varlistentry>
- <varlistentry>
- <term>PAM_FAIL_DELAY</term>
- <listitem>
- <para>
- A function pointer to redirect centrally managed
- failure delays. See
- <citerefentry>
- <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>.
- </para>
- </listitem>
- </varlistentry>
-
</variablelist>
diff --git a/doc/man/pam_set_item.3.xml b/doc/man/pam_set_item.3.xml
index cbac8413..39758313 100644
--- a/doc/man/pam_set_item.3.xml
+++ b/doc/man/pam_set_item.3.xml
@@ -3,7 +3,8 @@
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
[
<!--
-<!ENTITY accessconf SYSTEM "pam_item_types.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml">
+<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml">
-->
]>
@@ -52,7 +53,15 @@
</para>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_item_types.inc.xml"/>
+ href="pam_item_types_std.inc.xml"/>
+
+ <para>
+ The following additional items are specific to Linux-PAM and should not be used in
+ portable applications:
+ </para>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_item_types_ext.inc.xml"/>
<para>
For all <emphasis>item_type</emphasis>s, other than PAM_CONV and
diff --git a/libpam/include/security/_pam_macros.h b/libpam/include/security/_pam_macros.h
index f7da10a7..72aaf468 100644
--- a/libpam/include/security/_pam_macros.h
+++ b/libpam/include/security/_pam_macros.h
@@ -25,6 +25,15 @@ do { \
*__xx__++ = '\0'; \
} while (0)
+#define _pam_overwrite_n(x,n) \
+do { \
+ register char *__xx__; \
+ register int __i__ = 0; \
+ if ((__xx__=(x))) \
+ for (;__i__<n; __i__++) \
+ __xx__[__i__] = 0; \
+} while (0)
+
/*
* Don't just free it, forget it too.
*/
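Review bot: The `n` argument of `_pam_overwrite_n` is used unparenthesized in `for (;__i__<n; __i__++)`, so an expression argument such as `a - b` expands incorrectly; it should be `for (;__i__<(n); __i__++)`. The loop counter is also `register int` while the new pam_end.c caller passes a `sizeof` result, which makes the comparison signed/unsigned and would misbehave for any negative `datalen`; declaring `register size_t __i__ = 0;` (or `unsigned int`, matching the existing style) avoids both. Because `__xx__` is declared `char *`, callers that wipe a whole struct must cast the address themselves (see the pam_end.c hunk); declaring it `volatile char *` would also give the zeroing loop a better chance of surviving optimization before the buffer is freed, since a plain store loop followed by free() can legally be elided — the same caveat applies to the existing `_pam_overwrite`.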
diff --git a/libpam/include/security/_pam_types.h b/libpam/include/security/_pam_types.h
index 45bae97b..2f7e807f 100644
--- a/libpam/include/security/_pam_types.h
+++ b/libpam/include/security/_pam_types.h
@@ -138,8 +138,11 @@ typedef struct pam_handle pam_handle_t;
#define PAM_OLDAUTHTOK 7 /* The old authentication token */
#define PAM_RUSER 8 /* The remote user name */
#define PAM_USER_PROMPT 9 /* the prompt for getting a username */
+/* Linux-PAM extensions */
#define PAM_FAIL_DELAY 10 /* app supplied function to override failure
delays */
+#define PAM_XDISPLAY 11 /* X display name */
+#define PAM_XAUTHDATA 12 /* X server authentication data */
/* -------------- Special defines used by Linux-PAM -------------- */
@@ -279,6 +282,17 @@ struct pam_conv {
void *appdata_ptr;
};
+/* Used by the PAM_XAUTHDATA pam item. Contains X authentication
+ data used by modules to connect to the user's X display. Note:
+ this structure is intentionally compatible with xcb_auth_info_t. */
+
+struct pam_xauth_data {
+ int namelen;
+ char *name;
+ int datalen;
+ char *data;
+};
+
/* ... adapted from the pam_appl.h file created by Theodore Ts'o and
*
* Copyright Theodore Ts'o, 1996. All rights reserved.
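Review bot: The comment above `struct pam_xauth_data` says it is laid out to be compatible with xcb_auth_info_t, but it does not say whether `name` and `data` are length-counted buffers (`namelen`/`datalen` bytes, no terminator implied) or C strings, and that distinction decides how pam_set_item must copy them and how pam_end must wipe them. Since this is a public header, the comment should also state the ownership rule the rest of the commit implements: pam_set_item makes its own copy of both buffers, and pam_get_item returns a pointer into the handle that the caller must not free or retain past pam_end(). Suggested addition: `/* name and data are counted buffers of namelen/datalen bytes and need not be NUL-terminated; pam_set_item() copies them, pam_get_item() returns library-owned storage. */`.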
diff --git a/libpam/pam_end.c b/libpam/pam_end.c
index de1c26ed..f400c325 100644
--- a/libpam/pam_end.c
+++ b/libpam/pam_end.c
@@ -73,6 +73,15 @@ int pam_end(pam_handle_t *pamh, int pam_status)
_pam_drop(pamh->former.substates);
+ _pam_overwrite(pamh->xdisplay);
+ _pam_drop(pamh->xdisplay);
+
+ _pam_overwrite(pamh->xauth.name);
+ _pam_drop(pamh->xauth.name);
+ _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen);
+ _pam_drop(pamh->xauth.data);
+ _pam_overwrite_n(&pamh->xauth, sizeof(pamh->xauth));
+
/* and finally liberate the memory for the pam_handle structure */
_pam_drop(pamh);
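Review bot: `_pam_overwrite_n(&pamh->xauth, sizeof(pamh->xauth));` hands a `struct pam_xauth_data *` to a macro whose expansion assigns it to a `register char *` (see the _pam_macros.h hunk), which is an incompatible-pointer-type assignment the compiler will diagnose; it should be `_pam_overwrite_n((char *) &pamh->xauth, sizeof(pamh->xauth));`. The preceding `_pam_overwrite(pamh->xauth.name);` wipes up to the first NUL, which is only correct if pam_set_item stored a NUL-terminated copy; given the struct carries an explicit `namelen`, `_pam_overwrite_n(pamh->xauth.name, pamh->xauth.namelen);` mirrors the treatment of `data` and is independent of how the copy was made (the pam_item.c hunk has the same asymmetry). The surrounding pam_end() body starts and ends outside this hunk.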
diff --git a/libpam/pam_item.c b/libpam/pam_item.c
index 52efe80b..41d90087 100644
--- a/libpam/pam_item.c
+++ b/libpam/pam_item.c
@@ -138,6 +138,24 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item)
pamh->fail_delay.delay_fn_ptr = item;
break;
+ case PAM_XDISPLAY:
+ RESET(pamh->xdisplay, item);
+ break;
+
+ case PAM_XAUTHDATA:
+ if (pamh->xauth.namelen) {
+ _pam_overwrite(pamh->xauth.name);
+ free(pamh->xauth.name);
+ }
+ if (pamh->xauth.datalen) {
+ _pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen);
+ free(pamh->xauth.data);
+ }
+ pamh->xauth = *((const struct pam_xauth_data *) item);
+ pamh->xauth.name = _pam_strdup(pamh->xauth.name);
+ pamh->xauth.data = _pam_memdup(pamh->xauth.data, pamh->xauth.datalen);
+ break;
+
default:
retval = PAM_BAD_ITEM;
}
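Review bot: The new `PAM_XAUTHDATA` case dereferences `item` unconditionally in `*((const struct pam_xauth_data *) item)`, so an application passing NULL to clear the item — which `RESET(pamh->xdisplay, item)` on the line above appears to tolerate for PAM_XDISPLAY — crashes inside libpam; the case also never checks the results of `_pam_strdup`/`_pam_memdup`, so an allocation failure leaves `namelen`/`datalen` non-zero with NULL pointers and returns success instead of PAM_BUF_ERR. Copying `name` with `_pam_strdup` is inconsistent with the struct's explicit `namelen` (the header comment ties the layout to xcb_auth_info_t, whose name is a counted buffer), so a caller that supplies an unterminated name causes a read past the buffer. The rewrite below frees the old copy by length, treats NULL as "clear", rejects negative lengths, copies both buffers by length and reports allocation failure; pam_set_item's switch starts and ends outside this hunk.
```c
	case PAM_XAUTHDATA:
	    if (pamh->xauth.namelen) {
		_pam_overwrite_n(pamh->xauth.name, pamh->xauth.namelen);
		free(pamh->xauth.name);
	    }
	    if (pamh->xauth.datalen) {
		_pam_overwrite_n(pamh->xauth.data, pamh->xauth.datalen);
		free(pamh->xauth.data);
	    }
	    _pam_overwrite_n((char *) &pamh->xauth, sizeof(pamh->xauth));
	    if (item == NULL)
		break;			/* NULL clears the item */
	    {
		const struct pam_xauth_data *src = item;

		if (src->namelen < 0 || src->datalen < 0) {
		    retval = PAM_BAD_ITEM;
		    break;
		}
		/* copy by length: name need not be NUL-terminated */
		pamh->xauth.name = _pam_memdup(src->name, src->namelen);
		pamh->xauth.data = _pam_memdup(src->data, src->datalen);
		if ((src->name != NULL && pamh->xauth.name == NULL) ||
		    (src->data != NULL && pamh->xauth.data == NULL)) {
		    /* partial copy: release what succeeded, leave item empty */
		    free(pamh->xauth.name);
		    free(pamh->xauth.data);
		    _pam_overwrite_n((char *) &pamh->xauth, sizeof(pamh->xauth));
		    retval = PAM_BUF_ERR;
		    break;
		}
		pamh->xauth.namelen = src->namelen;
		pamh->xauth.datalen = src->datalen;
	    }
	    break;
```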
@@ -220,6 +238,14 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item)
*item = pamh->fail_delay.delay_fn_ptr;
break;
+ case PAM_XDISPLAY:
+ *item = pamh->xdisplay;
+ break;
+
+ case PAM_XAUTHDATA:
+ *item = &pamh->xauth;
+ break;
+
default:
retval = PAM_BAD_ITEM;
}
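Review bot: `*item = &pamh->xauth;` returns a pointer into the handle even when PAM_XAUTHDATA was never set, so unlike PAM_XDISPLAY (which yields NULL) the caller receives a zero-filled struct with NULL `name`/`data` and cannot distinguish "unset" from "set to empty" by the pointer alone; this should be documented on the case, e.g. `/* always non-NULL; unset item has namelen == datalen == 0 */`, and the pam_xauth_data(3) page should say the same. The returned pointer is also invalidated by the next pam_set_item(PAM_XAUTHDATA) and by pam_end(), which is worth stating in the man page since the other items hand out owned strings with the same lifetime. pam_get_item's switch starts and ends outside this hunk.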
diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c
index 770c9cce..574a570e 100644
--- a/libpam/pam_misc.c
+++ b/libpam/pam_misc.c
@@ -137,6 +137,28 @@ char *_pam_strdup(const char *x)
return new; /* return the duplicate or NULL on error */
}
+/*
+ * Safe duplication of memory buffers. "Paranoid"; don't leave
+ * evidence of old token around for later stack analysis.
+ */
+
+char *_pam_memdup(const char *x, int len)
+{
+ register char *new=NULL;
+
+ if (x != NULL) {
+ if ((new = malloc(len)) == NULL) {
+ len = 0;
+ pam_syslog(NULL, LOG_CRIT, "_pam_memdup: failed to get memory");
+ } else {
+ memcpy (new, x, len);
+ }
+ x = NULL;
+ }
+
+ return new; /* return the duplicate or NULL on error */
+}
+
/* Generate argv, argc from s */
/* caller must free(argv) */
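Review bot: `_pam_memdup` takes `int len` and passes it straight to `malloc(len)` and `memcpy`, so a negative length from a caller-supplied `datalen` converts to a huge `size_t` and the failure is logged at LOG_CRIT rather than rejected as bad input; guard it with `if (x != NULL && len >= 0) {` or take `size_t len` in both this definition and the pam_private.h prototype. The `len = 0;` and `x = NULL;` assignments only touch this function's own copies of the parameters, so they do not hide anything from the caller and the compiler is free to drop them; the "paranoid" comment inherited from `_pam_strdup` overstates what they achieve. A `len` of 0 also calls `malloc(0)`, which may return NULL on some platforms and would then be reported as an allocation failure.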
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index bf32ad44..333f4d0f 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -152,9 +152,11 @@ struct pam_handle {
char *rhost;
char *ruser;
char *tty;
+ char *xdisplay;
struct pam_data *data;
struct pam_environ *env; /* structure to maintain environment list */
struct _pam_fail_delay fail_delay; /* helper function for easy delays */
+ struct pam_xauth_data xauth; /* auth info for X display */
struct service handlers;
struct _pam_former_state former; /* library state - support for
event driven applications */
@@ -267,6 +269,8 @@ char *_pam_StrTok(char *from, const char *format, char **next);
char *_pam_strdup(const char *s);
+char *_pam_memdup(const char *s, int len);
+
int _pam_mkargv(char *s, char ***argv, int *argc);
void _pam_sanitize(pam_handle_t *pamh);