diff options
| author | Dmitry V. Levin <ldv@altlinux.org> | 2020-05-01 21:44:59 +0000 |
|---|---|---|
| committer | Dmitry V. Levin <ldv@altlinux.org> | 2020-05-22 11:00:00 +0000 |
| commit | be80ddec86c182c22338cb9b526f2fadaf4c1c86 (patch) | |
| tree | 0b7b6a0781f429cb73d22ee833efe5b08e96767e /modules/pam_localuser | |
| parent | 2e379a5a7f6ccf07dc2da92bff26f459e419a072 (diff) | |
pam_localuser: refactor pam_sm_authenticate
* modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New
function.
(pam_sm_authenticate): Use it.
Diffstat (limited to 'modules/pam_localuser')
| -rw-r--r-- | modules/pam_localuser/pam_localuser.c | 119 |
1 files changed, 63 insertions, 56 deletions
diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c index a9fbb64e..cb507524 100644 --- a/modules/pam_localuser/pam_localuser.c +++ b/modules/pam_localuser/pam_localuser.c @@ -2,6 +2,7 @@ * pam_localuser module * * Copyright 2001, 2004 Red Hat, Inc. + * Copyright (c) 2020 Dmitry V. Levin <ldv@altlinux.org> * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -47,52 +48,17 @@ #include <security/pam_ext.h> #include "pam_inline.h" -int -pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) +static int +check_user_in_passwd(pam_handle_t *pamh, const char *user_name, + const char *file_name) { - int i, ret; + int rc; + size_t user_len; FILE *fp; - int debug = 0; - const char *filename = "/etc/passwd"; char line[BUFSIZ]; - const char* user; - size_t user_len; - - /* process arguments */ - for(i = 0; i < argc; i++) { - if(strcmp("debug", argv[i]) == 0) { - debug = 1; - } - } - for(i = 0; i < argc; i++) { - const char *str; - - if (strcmp("debug", argv[i]) == 0) { - /* Already processed. */ - continue; - } - if ((str = pam_str_skip_prefix(argv[i], "file=")) != NULL) { - filename = str; - if(debug) { - pam_syslog (pamh, LOG_DEBUG, - "set filename to \"%s\"", - filename); - } - } else { - pam_syslog(pamh, LOG_ERR, "unrecognized option: %s", - argv[i]); - } - } - - /* Obtain the user name. */ - if ((ret = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_NOTICE, "cannot determine user name"); - return ret == PAM_CONV_AGAIN ? PAM_INCOMPLETE : ret; - } - - if ((user_len = strlen(user)) == 0) { + /* Validate the user name. */ + if ((user_len = strlen(user_name)) == 0) { pam_syslog(pamh, LOG_NOTICE, "user name is not valid"); return PAM_SERVICE_ERR; } @@ -102,7 +68,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, return PAM_SERVICE_ERR; } - if (strchr(user, ':') != NULL) { + if (strchr(user_name, ':') != NULL) { /* * "root:x" is not a local user name even if the passwd file * contains a line starting with "root:x:". @@ -111,9 +77,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, } /* Open the passwd file. */ - if ((fp = fopen(filename, "r")) == NULL) { - pam_syslog (pamh, LOG_ERR, "error opening \"%s\": %m", - filename); + if (file_name == NULL) { + file_name = "/etc/passwd"; + } + if ((fp = fopen(file_name, "r")) == NULL) { + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name); return PAM_SERVICE_ERR; } @@ -122,25 +90,20 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, * the latter is not flexible enough in handling long lines * in passwd files. */ - ret = PAM_PERM_DENIED; + rc = PAM_PERM_DENIED; while (fgets(line, sizeof(line), fp) != NULL) { size_t line_len; const char *str; - if(debug) { - pam_syslog (pamh, LOG_DEBUG, "checking \"%s\"", line); - } - /* * Does this line start with the user name * followed by a colon? */ - if (strncmp(user, line, user_len) == 0 && + if (strncmp(user_name, line, user_len) == 0 && line[user_len] == ':') { - ret = PAM_SUCCESS; + rc = PAM_SUCCESS; break; } - /* Has a newline been read? */ line_len = strlen(line); if (line_len < sizeof(line) - 1 || @@ -164,9 +127,53 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, /* Continue with the next line. */ } - /* okay, we're done */ fclose(fp); - return ret; + return rc; +} + +int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i; + int rc; + int debug = 0; + const char *file_name = NULL; + const char *user_name = NULL; + + /* Process arguments. */ + for (i = 0; i < argc; ++i) { + if (strcmp("debug", argv[i]) == 0) { + debug = 1; + } + } + for (i = 0; i < argc; ++i) { + const char *str; + + if (strcmp("debug", argv[i]) == 0) { + /* Already processed. */ + continue; + } + if ((str = pam_str_skip_prefix(argv[i], "file=")) != NULL) { + file_name = str; + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "set filename to %s", file_name); + } + } else { + pam_syslog(pamh, LOG_ERR, "unrecognized option: %s", + argv[i]); + } + } + + /* Obtain the user name. */ + if ((rc = pam_get_user(pamh, &user_name, NULL)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s", + pam_strerror(pamh, rc)); + return rc == PAM_CONV_AGAIN ? PAM_INCOMPLETE : rc; + } + + return check_user_in_passwd(pamh, user_name, file_name); } int |