summaryrefslogtreecommitdiff
path: root/Linux-PAM/modules/pam_unix/unix_chkpwd.c
diff options
context:
space:
mode:
Diffstat (limited to 'Linux-PAM/modules/pam_unix/unix_chkpwd.c')
-rw-r--r--Linux-PAM/modules/pam_unix/unix_chkpwd.c467
1 files changed, 42 insertions, 425 deletions
diff --git a/Linux-PAM/modules/pam_unix/unix_chkpwd.c b/Linux-PAM/modules/pam_unix/unix_chkpwd.c
index 486a8498..11ac3aac 100644
--- a/Linux-PAM/modules/pam_unix/unix_chkpwd.c
+++ b/Linux-PAM/modules/pam_unix/unix_chkpwd.c
@@ -13,7 +13,6 @@
#include "config.h"
-#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -25,401 +24,34 @@
#include <shadow.h>
#include <signal.h>
#include <time.h>
-#ifdef WITH_SELINUX
-#include <selinux/selinux.h>
-#define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0))
-static security_context_t prev_context=NULL;
-static int selinux_enabled=-1;
-#else
-#define SELINUX_ENABLED 0
-#endif
-
-#define MAXPASS 200 /* the maximum length of a password */
#include <security/_pam_types.h>
#include <security/_pam_macros.h>
-#include "md5.h"
-#include "bigcrypt.h"
-
-/* syslogging function for errors and other information */
-
-static void _log_err(int err, const char *format,...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("unix_chkpwd", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-static int _unix_shadowed(const struct passwd *pwd)
-{
- char hashpass[1024];
- if (pwd != NULL) {
- if (strcmp(pwd->pw_passwd, "x") == 0) {
- return 1;
- }
- if (strlen(pwd->pw_name) < sizeof(hashpass) - 2) {
- strcpy(hashpass, "##");
- strcpy(hashpass + 2, pwd->pw_name);
- if (strcmp(pwd->pw_passwd, hashpass) == 0) {
- return 1;
- }
- }
- }
- return 0;
-}
-
-static void su_sighandler(int sig)
-{
-#ifndef SA_RESETHAND
- /* emulate the behaviour of the SA_RESETHAND flag */
- if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV )
- signal(sig, SIG_DFL);
-#endif
- if (sig > 0) {
- _log_err(LOG_NOTICE, "caught signal %d.", sig);
- exit(sig);
- }
-}
-
-static void setup_signals(void)
-{
- struct sigaction action; /* posix signal structure */
-
- /*
- * Setup signal handlers
- */
- (void) memset((void *) &action, 0, sizeof(action));
- action.sa_handler = su_sighandler;
-#ifdef SA_RESETHAND
- action.sa_flags = SA_RESETHAND;
-#endif
- (void) sigaction(SIGILL, &action, NULL);
- (void) sigaction(SIGTRAP, &action, NULL);
- (void) sigaction(SIGBUS, &action, NULL);
- (void) sigaction(SIGSEGV, &action, NULL);
- action.sa_handler = SIG_IGN;
- action.sa_flags = 0;
- (void) sigaction(SIGTERM, &action, NULL);
- (void) sigaction(SIGHUP, &action, NULL);
- (void) sigaction(SIGINT, &action, NULL);
- (void) sigaction(SIGQUIT, &action, NULL);
-}
+#include "passverify.h"
-static int _verify_account(const char * const uname)
+static int _check_expiry(const char *uname)
{
struct spwd *spent;
struct passwd *pwent;
+ int retval;
+ int daysleft;
- pwent = getpwnam(uname);
- if (!pwent) {
- _log_err(LOG_ALERT, "could not identify user (from getpwnam(%s))", uname);
- return PAM_USER_UNKNOWN;
+ retval = get_account_info(uname, &pwent, &spent);
+ if (retval != PAM_SUCCESS) {
+ helper_log_err(LOG_ALERT, "could not obtain user info (%s)", uname);
+ printf("-1\n");
+ return retval;
}
-
- spent = getspnam( uname );
- if (!spent) {
- _log_err(LOG_ALERT, "could not get username from shadow (%s))", uname);
- return PAM_AUTHINFO_UNAVAIL; /* Couldn't get username from shadow */
+
+ if (spent == NULL) {
+ printf("-1\n");
+ return retval;
}
- printf("%ld:%ld:%ld:%ld:%ld:%ld",
- spent->sp_lstchg, /* last password change */
- spent->sp_min, /* days until change allowed. */
- spent->sp_max, /* days before change required */
- spent->sp_warn, /* days warning for expiration */
- spent->sp_inact, /* days before account inactive */
- spent->sp_expire); /* date when account expires */
-
- return PAM_SUCCESS;
-}
-
-static int _unix_verify_password(const char *name, const char *p, int nullok)
-{
- struct passwd *pwd = NULL;
- struct spwd *spwdent = NULL;
- char *salt = NULL;
- char *pp = NULL;
- int retval = PAM_AUTH_ERR;
- size_t salt_len;
-
- /* UNIX passwords area */
- setpwent();
- pwd = getpwnam(name); /* Get password file entry... */
- endpwent();
- if (pwd != NULL) {
- if (_unix_shadowed(pwd)) {
- /*
- * ...and shadow password file entry for this user,
- * if shadowing is enabled
- */
- setspent();
- spwdent = getspnam(name);
- endspent();
- if (spwdent != NULL)
- salt = x_strdup(spwdent->sp_pwdp);
- else
- pwd = NULL;
- } else {
- if (strcmp(pwd->pw_passwd, "*NP*") == 0) { /* NIS+ */
- uid_t save_uid;
-
- save_uid = geteuid();
- seteuid(pwd->pw_uid);
- spwdent = getspnam(name);
- seteuid(save_uid);
-
- salt = x_strdup(spwdent->sp_pwdp);
- } else {
- salt = x_strdup(pwd->pw_passwd);
- }
- }
- }
- if (pwd == NULL || salt == NULL) {
- _log_err(LOG_WARNING, "check pass; user unknown");
- p = NULL;
- return PAM_USER_UNKNOWN;
- }
-
- salt_len = strlen(salt);
- if (salt_len == 0) {
- return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
- }
- if (p == NULL || strlen(p) == 0) {
- _pam_overwrite(salt);
- _pam_drop(salt);
- return PAM_AUTHTOK_ERR;
- }
-
- /* the moment of truth -- do we agree with the password? */
- retval = PAM_AUTH_ERR;
- if (!strncmp(salt, "$1$", 3)) {
- pp = Goodcrypt_md5(p, salt);
- if (pp && strcmp(pp, salt) == 0) {
- retval = PAM_SUCCESS;
- } else {
- _pam_overwrite(pp);
- _pam_drop(pp);
- pp = Brokencrypt_md5(p, salt);
- if (pp && strcmp(pp, salt) == 0)
- retval = PAM_SUCCESS;
- }
- } else if (*salt == '$') {
- /*
- * Ok, we don't know the crypt algorithm, but maybe
- * libcrypt nows about it? We should try it.
- */
- pp = x_strdup (crypt(p, salt));
- if (pp && strcmp(pp, salt) == 0) {
- retval = PAM_SUCCESS;
- }
- } else if (*salt == '*' || *salt == '!' || salt_len < 13) {
- retval = PAM_AUTH_ERR;
- } else {
- pp = bigcrypt(p, salt);
- /*
- * Note, we are comparing the bigcrypt of the password with
- * the contents of the password field. If the latter was
- * encrypted with regular crypt (and not bigcrypt) it will
- * have been truncated for storage relative to the output
- * of bigcrypt here. As such we need to compare only the
- * stored string with the subset of bigcrypt's result.
- * Bug 521314.
- */
- if (pp && salt_len == 13 && strlen(pp) > salt_len) {
- _pam_overwrite(pp+salt_len);
- }
-
- if (pp && strcmp(pp, salt) == 0) {
- retval = PAM_SUCCESS;
- }
- }
- p = NULL; /* no longer needed here */
-
- /* clean up */
- _pam_overwrite(pp);
- _pam_drop(pp);
-
- return retval;
-}
-
-static char *getuidname(uid_t uid)
-{
- struct passwd *pw;
- static char username[32];
-
- pw = getpwuid(uid);
- if (pw == NULL)
- return NULL;
-
- strncpy(username, pw->pw_name, sizeof(username));
- username[sizeof(username) - 1] = '\0';
-
- return username;
-}
-#define SH_TMPFILE "/etc/nshadow"
-static int _update_shadow(const char *forwho)
-{
- struct spwd *spwdent = NULL, *stmpent = NULL;
- FILE *pwfile, *opwfile;
- int err = 1;
- int oldmask;
- struct stat st;
- char pass[MAXPASS + 1];
- char towhat[MAXPASS + 1];
- int npass=0;
-
- /* read the password from stdin (a pipe from the pam_unix module) */
-
- npass = read(STDIN_FILENO, pass, MAXPASS);
-
- if (npass < 0) { /* is it a valid password? */
-
- _log_err(LOG_DEBUG, "no password supplied");
- return PAM_AUTHTOK_ERR;
-
- } else if (npass >= MAXPASS) {
-
- _log_err(LOG_DEBUG, "password too long");
- return PAM_AUTHTOK_ERR;
-
- } else {
- /* does pass agree with the official one? */
- int retval=0;
- pass[npass] = '\0'; /* NUL terminate */
- retval = _unix_verify_password(forwho, pass, 0);
- if (retval != PAM_SUCCESS) {
+ retval = check_shadow_expiry(spent, &daysleft);
+ printf("%d\n", daysleft);
return retval;
- }
- }
-
- /* read the password from stdin (a pipe from the pam_unix module) */
-
- npass = read(STDIN_FILENO, towhat, MAXPASS);
-
- if (npass < 0) { /* is it a valid password? */
-
- _log_err(LOG_DEBUG, "no new password supplied");
- return PAM_AUTHTOK_ERR;
-
- } else if (npass >= MAXPASS) {
-
- _log_err(LOG_DEBUG, "new password too long");
- return PAM_AUTHTOK_ERR;
-
- }
-
- towhat[npass] = '\0'; /* NUL terminate */
- spwdent = getspnam(forwho);
- if (spwdent == NULL) {
- return PAM_USER_UNKNOWN;
- }
- oldmask = umask(077);
-
-#ifdef WITH_SELINUX
- if (SELINUX_ENABLED) {
- security_context_t shadow_context=NULL;
- if (getfilecon("/etc/shadow",&shadow_context)<0) {
- return PAM_AUTHTOK_ERR;
- };
- if (getfscreatecon(&prev_context)<0) {
- freecon(shadow_context);
- return PAM_AUTHTOK_ERR;
- }
- if (setfscreatecon(shadow_context)) {
- freecon(shadow_context);
- freecon(prev_context);
- return PAM_AUTHTOK_ERR;
- }
- freecon(shadow_context);
- }
-#endif
- pwfile = fopen(SH_TMPFILE, "w");
- umask(oldmask);
- if (pwfile == NULL) {
- err = 1;
- goto done;
- }
-
- opwfile = fopen("/etc/shadow", "r");
- if (opwfile == NULL) {
- fclose(pwfile);
- err = 1;
- goto done;
- }
-
- if (fstat(fileno(opwfile), &st) == -1) {
- fclose(opwfile);
- fclose(pwfile);
- err = 1;
- goto done;
- }
-
- if (fchown(fileno(pwfile), st.st_uid, st.st_gid) == -1) {
- fclose(opwfile);
- fclose(pwfile);
- err = 1;
- goto done;
- }
- if (fchmod(fileno(pwfile), st.st_mode) == -1) {
- fclose(opwfile);
- fclose(pwfile);
- err = 1;
- goto done;
- }
-
- stmpent = fgetspent(opwfile);
- while (stmpent) {
-
- if (!strcmp(stmpent->sp_namp, forwho)) {
- stmpent->sp_pwdp = towhat;
- stmpent->sp_lstchg = time(NULL) / (60 * 60 * 24);
- err = 0;
- D(("Set password %s for %s", stmpent->sp_pwdp, forwho));
- }
-
- if (putspent(stmpent, pwfile)) {
- D(("error writing entry to shadow file: %m"));
- err = 1;
- break;
- }
-
- stmpent = fgetspent(opwfile);
- }
- fclose(opwfile);
-
- if (fclose(pwfile)) {
- D(("error writing entries to shadow file: %m"));
- err = 1;
- }
-
- done:
- if (!err) {
- if (rename(SH_TMPFILE, "/etc/shadow"))
- err = 1;
- }
-
-#ifdef WITH_SELINUX
- if (SELINUX_ENABLED) {
- if (setfscreatecon(prev_context)) {
- err = 1;
- }
- if (prev_context)
- freecon(prev_context);
- prev_context=NULL;
- }
-#endif
-
- if (!err) {
- return PAM_SUCCESS;
- } else {
- unlink(SH_TMPFILE);
- return PAM_AUTHTOK_ERR;
- }
}
int main(int argc, char *argv[])
@@ -427,9 +59,10 @@ int main(int argc, char *argv[])
char pass[MAXPASS + 1];
char *option;
int npass, nullok;
- int force_failure = 0;
+ int blankpass = 0;
int retval = PAM_AUTH_ERR;
char *user;
+ char *passwords[] = { pass };
/*
* Catch or ignore as many signal as possible.
@@ -446,7 +79,7 @@ int main(int argc, char *argv[])
*/
if (isatty(STDIN_FILENO) || argc != 3 ) {
- _log_err(LOG_NOTICE
+ helper_log_err(LOG_NOTICE
,"inappropriate use of Unix helper binary [UID=%d]"
,getuid());
fprintf(stderr
@@ -458,11 +91,9 @@ int main(int argc, char *argv[])
/*
* Determine what the current user's name is.
- * On a SELinux enabled system with a strict policy leaving the
- * existing check prevents shadow password authentication from working.
* We must thus skip the check if the real uid is 0.
*/
- if (SELINUX_ENABLED && getuid() == 0) {
+ if (getuid() == 0) {
user=argv[1];
}
else {
@@ -476,63 +107,49 @@ int main(int argc, char *argv[])
option=argv[2];
- if (strncmp(argv[2], "verify", 8) == 0) {
- /* Get the account information from the shadow file */
- return _verify_account(argv[1]);
- }
-
- if (strncmp(option, "shadow", 8) == 0) {
- /* Attempting to change the password */
- return _update_shadow(argv[1]);
- }
-
+ if (strcmp(option, "chkexpiry") == 0)
+ /* Check account information from the shadow file */
+ return _check_expiry(argv[1]);
/* read the nullok/nonull option */
- if (strncmp(option, "nullok", 8) == 0)
+ else if (strcmp(option, "nullok") == 0)
nullok = 1;
- else
+ else if (strcmp(option, "nonull") == 0)
nullok = 0;
+ else
+ return PAM_SYSTEM_ERR;
/* read the password from stdin (a pipe from the pam_unix module) */
- npass = read(STDIN_FILENO, pass, MAXPASS);
+ npass = read_passwords(STDIN_FILENO, 1, passwords);
- if (npass < 0) { /* is it a valid password? */
-
- _log_err(LOG_DEBUG, "no password supplied");
-
- } else if (npass >= MAXPASS) {
-
- _log_err(LOG_DEBUG, "password too long");
-
- } else {
- if (npass == 0) {
- /* the password is NULL */
-
- retval = _unix_verify_password(user, NULL, nullok);
-
- } else {
- /* does pass agree with the official one? */
-
- pass[npass] = '\0'; /* NUL terminate */
- retval = _unix_verify_password(user, pass, nullok);
+ if (npass != 1) { /* is it a valid password? */
+ helper_log_err(LOG_DEBUG, "no password supplied");
+ *pass = '\0';
+ }
- }
+ if (*pass == '\0') {
+ blankpass = 1;
}
+ retval = helper_verify_password(user, pass, nullok);
+
memset(pass, '\0', MAXPASS); /* clear memory of the password */
/* return pass or fail */
- if ((retval != PAM_SUCCESS) || force_failure) {
- _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
- return PAM_AUTH_ERR;
+ if (retval != PAM_SUCCESS) {
+ if (!nullok || !blankpass)
+ /* no need to log blank pass test */
+ helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
+ return PAM_AUTH_ERR;
} else {
- return PAM_SUCCESS;
+ return PAM_SUCCESS;
}
}
/*
* Copyright (c) Andrew G. Morgan, 1996. All rights reserved
+ * Copyright (c) Red Hat, Inc., 2007,2008. All rights reserved
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions