diff options
Diffstat (limited to 'Linux-PAM/examples')
| -rw-r--r-- | Linux-PAM/examples/Makefile | 54 | ||||
| -rw-r--r-- | Linux-PAM/examples/blank.c | 158 | ||||
| -rw-r--r-- | Linux-PAM/examples/check_user.c | 60 | ||||
| -rw-r--r-- | Linux-PAM/examples/vpass.c | 47 | ||||
| -rwxr-xr-x | Linux-PAM/examples/wrap_xsh.sh | 5 | ||||
| -rw-r--r-- | Linux-PAM/examples/xsh.c | 177 |
6 files changed, 501 insertions, 0 deletions
diff --git a/Linux-PAM/examples/Makefile b/Linux-PAM/examples/Makefile new file mode 100644 index 00000000..a55f1d21 --- /dev/null +++ b/Linux-PAM/examples/Makefile @@ -0,0 +1,54 @@ +# +# $Id: Makefile,v 1.1.1.2 2002/09/15 20:08:35 hartmans Exp $ +# + +include ../Make.Rules + +PROGS = blank xsh check_user +SRCS = blank.c xsh.c check_user.c +PROGSUID = + +ifeq ($(WITH_LIBDEBUG),yes) + LIBSUFFIX=d +else + LIBSUFFIX= +endif + +CFLAGS += -I$(absolute_srcdir)/libpam_misc/include + +LOADLIBES = -L$(absolute_objdir)/libpam -L$(absolute_objdir)/libpamc \ + -L$(absolute_objdir)/libpam_misc -lpam -lpam_misc + +ifeq ($(STATIC_LIBPAM),yes) + ifneq ($(DYNAMIC),) + CFLAGS += $(CC_STATIC) + LOADLIBES += $(LIBDL) + endif +endif + +all: $(PROGS) + +check_user: check_user.o + $(CC) $(CFLAGS) -o $@ $< $(LOADLIBES) + +blank: blank.o + $(CC) $(CFLAGS) -o $@ $< $(LOADLIBES) + +xsh: xsh.o + $(CC) $(CFLAGS) -o $@ $< $(LOADLIBES) + +clean: + rm -f *.a *.so *.o *~ $(PROGS) $(PROGSUID) + rm -f *.a *.out *.o *.so + +# note, the programs are test programs, they should not be +# installed on your system! + +install: all + if [ -n "$(PROGS)" ]; then cp $(PROGS) ../bin ; fi + if [ -n "$(PROGSUID)" ]; then \ + $(INSTALL) -m 4555 $(PROGSUID) ../bin ; fi + +remove: + cd ../bin ; rm -f $(PROGS) $(PROGSUID) + for x in $(PROGS) $(PROGSUID) ; do rm -f ../bin/$$x ; done diff --git a/Linux-PAM/examples/blank.c b/Linux-PAM/examples/blank.c new file mode 100644 index 00000000..e4129b4b --- /dev/null +++ b/Linux-PAM/examples/blank.c @@ -0,0 +1,158 @@ +/* + * $Id: blank.c,v 1.1.1.1 2001/04/29 04:17:04 hartmans Exp $ + */ + +/* Andrew Morgan (morgan@parc.power.net) -- a self contained `blank' + * application + * + * I am not very proud of this code. It makes use of a possibly ill- + * defined pamh pointer to call pam_strerror() with. The reason that + * I was sloppy with this is historical (pam_strerror, prior to 0.59, + * did not require a pamh argument) and if this program is used as a + * model for anything, I should wish that you will take this error into + * account. + */ + +#include <stdio.h> +#include <stdlib.h> + +#include <security/pam_appl.h> +#include <security/pam_misc.h> + +/* ------ some local (static) functions ------- */ + +static void bail_out(pam_handle_t *pamh, int really, int code, const char *fn) +{ + fprintf(stderr,"==> called %s()\n got: `%s'\n", fn, + pam_strerror(pamh, code)); + if (really && code) + exit (1); +} + +/* ------ some static data objects ------- */ + +static struct pam_conv conv = { + misc_conv, + NULL +}; + +/* ------- the application itself -------- */ + +int main(int argc, char **argv) +{ + pam_handle_t *pamh=NULL; + char *username=NULL; + int retcode; + + /* did the user call with a username as an argument ? */ + + if (argc > 2) { + fprintf(stderr,"usage: %s [username]\n",argv[0]); + } else if (argc == 2) { + username = argv[1]; + } + + /* initialize the Linux-PAM library */ + retcode = pam_start("blank", username, &conv, &pamh); + bail_out(pamh,1,retcode,"pam_start"); + + /* test the environment stuff */ + { +#define MAXENV 15 + const char *greek[MAXENV] = { + "a=alpha", "b=beta", "c=gamma", "d=delta", "e=epsilon", + "f=phi", "g=psi", "h=eta", "i=iota", "j=mu", "k=nu", + "l=zeta", "h=", "d", "k=xi" + }; + char **env; + int i; + + for (i=0; i<MAXENV; ++i) { + retcode = pam_putenv(pamh,greek[i]); + bail_out(pamh,0,retcode,"pam_putenv"); + } + env = pam_getenvlist(pamh); + if (env) + env = pam_misc_drop_env(env); + else + fprintf(stderr,"???\n"); + fprintf(stderr,"a test: c=[%s], j=[%s]\n" + , pam_getenv(pamh, "c"), pam_getenv(pamh, "j")); + } + + /* to avoid using goto we abuse a loop here */ + for (;;) { + /* authenticate the user --- `0' here, could have been PAM_SILENT + * | PAM_DISALLOW_NULL_AUTHTOK */ + + retcode = pam_authenticate(pamh, 0); + bail_out(pamh,0,retcode,"pam_authenticate"); + + /* has the user proved themself valid? */ + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: invalid request\n",argv[0]); + break; + } + + /* the user is valid, but should they have access at this + time? */ + + retcode = pam_acct_mgmt(pamh, 0); /* `0' could be as above */ + bail_out(pamh,0,retcode,"pam_acct_mgmt"); + + if (retcode == PAM_NEW_AUTHTOK_REQD) { + fprintf(stderr,"Application must request new password...\n"); + retcode = pam_chauthtok(pamh,PAM_CHANGE_EXPIRED_AUTHTOK); + bail_out(pamh,0,retcode,"pam_chauthtok"); + } + + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: invalid request\n",argv[0]); + break; + } + + /* `0' could be as above */ + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); + bail_out(pamh,0,retcode,"pam_setcred1"); + + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: problem setting user credentials\n" + ,argv[0]); + break; + } + + /* open a session for the user --- `0' could be PAM_SILENT */ + retcode = pam_open_session(pamh,0); + bail_out(pamh,0,retcode,"pam_open_session"); + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: problem opening a session\n",argv[0]); + break; + } + + fprintf(stderr,"The user has been authenticated and `logged in'\n"); + + /* close a session for the user --- `0' could be PAM_SILENT + * it is possible that this pam_close_call is in another program.. + */ + + retcode = pam_close_session(pamh,0); + bail_out(pamh,0,retcode,"pam_close_session"); + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: problem closing a session\n",argv[0]); + break; + } + + retcode = pam_setcred(pamh, PAM_DELETE_CRED); + bail_out(pamh,0,retcode,"pam_setcred2"); + + break; /* don't go on for ever! */ + } + + /* close the Linux-PAM library */ + retcode = pam_end(pamh, PAM_SUCCESS); + pamh = NULL; + + bail_out(pamh,1,retcode,"pam_end"); + + exit(0); +} diff --git a/Linux-PAM/examples/check_user.c b/Linux-PAM/examples/check_user.c new file mode 100644 index 00000000..295d6715 --- /dev/null +++ b/Linux-PAM/examples/check_user.c @@ -0,0 +1,60 @@ +/* + $Id: check_user.c,v 1.1.1.1 2001/04/29 04:17:04 hartmans Exp $ + + This program was contributed by Shane Watts <shane@icarus.bofh.asn.au> + slight modifications by AGM. + + You need to add the following (or equivalent) to the /etc/pam.conf file. + # check authorization + check auth required pam_unix_auth.so + check account required pam_unix_acct.so +*/ + +#include <security/pam_appl.h> +#include <security/pam_misc.h> +#include <stdio.h> + +static struct pam_conv conv = { + misc_conv, + NULL +}; + +int main(int argc, char *argv[]) +{ + pam_handle_t *pamh=NULL; + int retval; + const char *user="nobody"; + + if(argc == 2) { + user = argv[1]; + } + + if(argc > 2) { + fprintf(stderr, "Usage: check_user [username]\n"); + exit(1); + } + + retval = pam_start("check", user, &conv, &pamh); + + if (retval == PAM_SUCCESS) + retval = pam_authenticate(pamh, 0); /* is user really user? */ + + if (retval == PAM_SUCCESS) + retval = pam_acct_mgmt(pamh, 0); /* permitted access? */ + + /* This is where we have been authorized or not. */ + + if (retval == PAM_SUCCESS) { + fprintf(stdout, "Authenticated\n"); + } else { + fprintf(stdout, "Not Authenticated\n"); + } + + if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */ + pamh = NULL; + fprintf(stderr, "check_user: failed to release authenticator\n"); + exit(1); + } + + return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */ +} diff --git a/Linux-PAM/examples/vpass.c b/Linux-PAM/examples/vpass.c new file mode 100644 index 00000000..9a07ee38 --- /dev/null +++ b/Linux-PAM/examples/vpass.c @@ -0,0 +1,47 @@ +#include <stdlib.h> +#include <stdio.h> +#include <unistd.h> +#include <pwd.h> +#include <sys/types.h> +#include <security/pam_appl.h> + +static int test_conv(int num_msg, const struct pam_message **msgm, + struct pam_response **response, void *appdata_ptr) +{ + return 0; +} + +static struct pam_conv conv = { + test_conv, + NULL +}; + +int main(void) +{ + char *user; + pam_handle_t *pamh; + struct passwd *pw; + uid_t uid; + int res; + + uid = geteuid(); + pw = getpwuid(uid); + if (pw) { + user = pw->pw_name; + } else { + fprintf(stderr, "Invalid userid: %d\n", uid); + exit(1); + } + + pam_start("vpass", user, &conv, &pamh); + pam_set_item(pamh, PAM_TTY, "/dev/tty"); + if ((res = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { + fprintf(stderr, "Oops: %s\n", pam_strerror(pamh, res)); + exit(1); + } + + pam_end(pamh, res); + exit(0); +} + + diff --git a/Linux-PAM/examples/wrap_xsh.sh b/Linux-PAM/examples/wrap_xsh.sh new file mode 100755 index 00000000..af01697e --- /dev/null +++ b/Linux-PAM/examples/wrap_xsh.sh @@ -0,0 +1,5 @@ +#!/bin/bash +export LD_PRELOAD=../libpam/libpam.so:../libpam_misc/libpam_misc.so +ldd ./xsh +./xsh "$@" + diff --git a/Linux-PAM/examples/xsh.c b/Linux-PAM/examples/xsh.c new file mode 100644 index 00000000..0e092402 --- /dev/null +++ b/Linux-PAM/examples/xsh.c @@ -0,0 +1,177 @@ +/* + * $Id: xsh.c,v 1.1.1.2 2002/09/15 20:08:35 hartmans Exp $ + */ + +/* Andrew Morgan (morgan@kernel.org) -- an example application + * that invokes a shell, based on blank.c */ + +#include <stdio.h> +#include <stdlib.h> + +#include <security/pam_appl.h> +#include <security/pam_misc.h> + +#include <security/_pam_aconf.h> + +#include <pwd.h> +#include <sys/types.h> +#include <unistd.h> + +/* ------ some local (static) functions ------- */ + +static void bail_out(pam_handle_t *pamh,int really, int code, const char *fn) +{ + fprintf(stderr,"==> called %s()\n got: `%s'\n", fn, + pam_strerror(pamh,code)); + if (really && code) + exit (1); +} + +/* ------ some static data objects ------- */ + +static struct pam_conv conv = { + misc_conv, + NULL +}; + +/* ------- the application itself -------- */ + +int main(int argc, char **argv) +{ + pam_handle_t *pamh=NULL; + const char *username=NULL; + const char *service="xsh"; + int retcode; + + /* did the user call with a username as an argument ? + * did they also */ + + if (argc > 3) { + fprintf(stderr,"usage: %s [username [service-name]]\n",argv[0]); + } + if ((argc >= 2) && (argv[1][0] != '-')) { + username = argv[1]; + } + if (argc == 3) { + service = argv[2]; + } + + /* initialize the Linux-PAM library */ + retcode = pam_start(service, username, &conv, &pamh); + bail_out(pamh,1,retcode,"pam_start"); + + /* fill in the RUSER and RHOST etc. fields */ + { + char buffer[100]; + struct passwd *pw; + const char *tty; + + pw = getpwuid(getuid()); + if (pw != NULL) { + retcode = pam_set_item(pamh, PAM_RUSER, pw->pw_name); + bail_out(pamh,1,retcode,"pam_set_item(PAM_RUSER)"); + } + + retcode = gethostname(buffer, sizeof(buffer)-1); + if (retcode) { + perror("failed to look up hostname"); + retcode = pam_end(pamh, PAM_ABORT); + bail_out(pamh,1,retcode,"pam_end"); + } + retcode = pam_set_item(pamh, PAM_RHOST, buffer); + bail_out(pamh,1,retcode,"pam_set_item(PAM_RHOST)"); + + tty = ttyname(fileno(stdin)); + if (tty) { + retcode = pam_set_item(pamh, PAM_TTY, tty); + bail_out(pamh,1,retcode,"pam_set_item(PAM_RHOST)"); + } + } + + /* to avoid using goto we abuse a loop here */ + for (;;) { + /* authenticate the user --- `0' here, could have been PAM_SILENT + * | PAM_DISALLOW_NULL_AUTHTOK */ + + retcode = pam_authenticate(pamh, 0); + bail_out(pamh,0,retcode,"pam_authenticate"); + + /* has the user proved themself valid? */ + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: invalid request\n",argv[0]); + break; + } + + /* the user is valid, but should they have access at this + time? */ + + retcode = pam_acct_mgmt(pamh, 0); /* `0' could be as above */ + bail_out(pamh,0,retcode,"pam_acct_mgmt"); + + if (retcode == PAM_NEW_AUTHTOK_REQD) { + fprintf(stderr,"Application must request new password...\n"); + retcode = pam_chauthtok(pamh,PAM_CHANGE_EXPIRED_AUTHTOK); + bail_out(pamh,0,retcode,"pam_chauthtok"); + } + + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: invalid request\n",argv[0]); + break; + } + + /* `0' could be as above */ + retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED); + bail_out(pamh,0,retcode,"pam_setcred"); + + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: problem setting user credentials\n" + ,argv[0]); + break; + } + + /* open a session for the user --- `0' could be PAM_SILENT */ + retcode = pam_open_session(pamh,0); + bail_out(pamh,0,retcode,"pam_open_session"); + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: problem opening a session\n",argv[0]); + break; + } + + pam_get_item(pamh, PAM_USER, (const void **) &username); + fprintf(stderr, + "The user [%s] has been authenticated and `logged in'\n", + username); + + /* this is always a really bad thing for security! */ + system("/bin/sh"); + + /* close a session for the user --- `0' could be PAM_SILENT + * it is possible that this pam_close_call is in another program.. + */ + + retcode = pam_close_session(pamh,0); + bail_out(pamh,0,retcode,"pam_close_session"); + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: problem closing a session\n",argv[0]); + break; + } + + /* `0' could be as above */ + retcode = pam_setcred(pamh, PAM_DELETE_CRED); + bail_out(pamh,0,retcode,"pam_setcred"); + if (retcode != PAM_SUCCESS) { + fprintf(stderr,"%s: problem deleting user credentials\n" + ,argv[0]); + break; + } + + break; /* don't go on for ever! */ + } + + /* close the Linux-PAM library */ + retcode = pam_end(pamh, PAM_SUCCESS); + pamh = NULL; + bail_out(pamh,1,retcode,"pam_end"); + + exit(0); +} |