Relevant BUGIDs: none

Purpose of commit: cleanup Commit summary: --------------- Move pam_selinux_check.c code from pam_selinux.c to main fail. Replace syslog with pam_syslog Use pam_prompt instead of conv() functions.
author: Thorsten Kukuk <kukuk@thkukuk.de> 2005-09-05 11:48:35 +0000
committer: Thorsten Kukuk <kukuk@thkukuk.de> 2005-09-05 11:48:35 +0000
commit: 164ec576e4035a69260bb5c24c703fe515375191 (patch)
tree: d9aa36baefe5e4650895ddc903ff6f760be1da27 /modules/pam_selinux/pam_selinux_check.c
parent: ba926ead93e31e97e4e42f70fb856356f175bff9 (diff)
1 files changed, 120 insertions, 3 deletions
diff --git a/modules/pam_selinux/pam_selinux_check.c b/modules/pam_selinux/pam_selinux_check.c
index f2aa795e..6ff3fbc0 100644
--- a/modules/pam_selinux/pam_selinux_check.c
+++ b/modules/pam_selinux/pam_selinux_check.c
@@ -1,5 +1,5 @@
 /******************************************************************************
- * A module for Linux-PAM that will set the default security context after login 
+ * A module for Linux-PAM that will set the default security context after login
  * via PAM.
  *
  * Copyright (c) 2003 Red Hat, Inc.
@@ -38,6 +38,123 @@
  *
  */
 
-#define PAM_SELINUX_MAIN 1
-#include "pam_selinux.c"
+/************************************************************************
+ *
+ * All PAM code goes in this section.
+ *
+ ************************************************************************/
+
+#include "config.h"
+
+#include <errno.h>
+#include <syslog.h>
+#include <unistd.h>               /* for getuid(), exit(), getopt() */
+#include <signal.h>
+#include <sys/wait.h>		  /* for wait() */
+
+#include <security/pam_appl.h>    /* for PAM functions */
+#include <security/pam_misc.h>    /* for misc_conv PAM utility function */
+
+#define SERVICE_NAME "pam_selinux_check"   /* the name of this program for PAM */
+				  /* The file containing the context to run
+				   * the scripts under.                     */
+int authenticate_via_pam( const char *user ,   pam_handle_t **pamh);
+
+/* authenticate_via_pam()
+ *
+ * in:     user
+ * out:    nothing
+ * return: value   condition
+ *         -----   ---------
+ *           1     pam thinks that the user authenticated themselves properly
+ *           0     otherwise
+ *
+ * this function uses pam to authenticate the user running this
+ * program.  this is the only function in this program that makes pam
+ * calls.
+ *
+ */
+
+int authenticate_via_pam( const char *user ,   pam_handle_t **pamh) {
+
+  struct pam_conv *conv;
+  int result = 0;    /* our result, set to 0 (not authenticated) by default */
+
+  /* this is a jump table of functions for pam to use when it wants to *
+   * communicate with the user.  we'll be using misc_conv(), which is  *
+   * provided for us via pam_misc.h.                                   */
+  struct pam_conv pam_conversation = {
+    misc_conv,
+    NULL
+  };
+  conv = &pam_conversation;
+
+
+  /* make `p_pam_handle' a valid pam handle so we can use it when *
+   * calling pam functions.                                       */
+  if( PAM_SUCCESS != pam_start( SERVICE_NAME,
+				user,
+				conv,
+				pamh ) ) {
+    fprintf( stderr, _("failed to initialize PAM\n") );
+    exit( -1 );
+  }
+
+  if( PAM_SUCCESS != pam_set_item(*pamh, PAM_RUSER, user))
+  {
+      fprintf( stderr, _("failed to pam_set_item()\n") );
+      exit( -1 );
+  }
+
+  /* Ask PAM to authenticate the user running this program */
+  if( PAM_SUCCESS == pam_authenticate(*pamh,0) ) {
+    if ( PAM_SUCCESS == pam_open_session(*pamh, 0) )
+      result = 1;  /* user authenticated OK! */
+  }
+  return( result );
+
+} /* authenticate_via_pam() */
+
+int
+main (int argc, char **argv)
+{
+  pam_handle_t *pamh;
+  int childPid;
+
+  if (!authenticate_via_pam(argv[1],&pamh))
+    exit(-1);
+
+  childPid = fork();
+  if (childPid < 0) {
+    int errsv = errno;
+
+    /* error in fork() */
+    fprintf(stderr, _("login: failure forking: %s"), strerror(errsv));
+    pam_close_session(pamh, 0);
+    /* We're done with PAM.  Free `pam_handle'. */
+    pam_end( pamh, PAM_SUCCESS );
+    exit(0);
+  }
+  if (childPid) {
+    close(0); close(1); close(2);
+    struct sigaction sa;
+    memset(&sa,0,sizeof(sa));
+    sa.sa_handler = SIG_IGN;
+    sigaction(SIGQUIT, &sa, NULL);
+    sigaction(SIGINT, &sa, NULL);
+    while(wait(NULL) == -1 && errno == EINTR) /**/ ;
+    openlog("login", LOG_ODELAY, LOG_AUTHPRIV);
+    pam_close_session(pamh, 0);
+    /* We're done with PAM.  Free `pam_handle'. */
+    pam_end( pamh, PAM_SUCCESS );
+    exit(0);
+  }
+  argv[0]="/bin/sh";
+  argv[1]=NULL;
 
+  /* NOTE: The environment has not been sanitized. LD_PRELOAD and other fun
+   * things could be set. */
+  execv("/bin/sh",argv);
+  fprintf(stderr,"Failure\n");
+  return 0;
+}
author	Thorsten Kukuk <kukuk@thkukuk.de>	2005-09-05 11:48:35 +0000
committer	Thorsten Kukuk <kukuk@thkukuk.de>	2005-09-05 11:48:35 +0000
commit	164ec576e4035a69260bb5c24c703fe515375191 (patch)
tree	d9aa36baefe5e4650895ddc903ff6f760be1da27 /modules/pam_selinux/pam_selinux_check.c
parent	ba926ead93e31e97e4e42f70fb856356f175bff9 (diff)