diff options
Diffstat (limited to 'Linux-PAM/xtests')
31 files changed, 1411 insertions, 14 deletions
diff --git a/Linux-PAM/xtests/Makefile.am b/Linux-PAM/xtests/Makefile.am index ac6e2954..f2e48c5e 100644 --- a/Linux-PAM/xtests/Makefile.am +++ b/Linux-PAM/xtests/Makefile.am @@ -11,12 +11,22 @@ CLEANFILES = *~ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \ tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \ - tst-pam_cracklib1.pamd + tst-pam_cracklib1.pamd tst-pam_cracklib2.pamd \ + tst-pam_unix1.pamd tst-pam_unix2.pamd tst-pam_unix3.pamd \ + tst-pam_unix1.sh tst-pam_unix2.sh tst-pam_unix3.sh \ + access.conf tst-pam_access1.pamd tst-pam_access1.sh \ + tst-pam_access2.pamd tst-pam_access2.sh \ + tst-pam_access3.pamd tst-pam_access3.sh \ + tst-pam_access4.pamd tst-pam_access4.sh \ + limits.conf tst-pam_limits1.pamd tst-pam_limits1.sh XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \ - tst-pam_dispatch4 tst-pam_cracklib1 + tst-pam_dispatch4 tst-pam_cracklib1 tst-pam_cracklib2 \ + tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 \ + tst-pam_access1 tst-pam_access2 tst-pam_access3 \ + tst-pam_access4 tst-pam_limits1 noinst_PROGRAMS = $(XTESTS) xtests: $(XTESTS) run-xtests.sh - $(srcdir)/run-xtests.sh + "$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} diff --git a/Linux-PAM/xtests/access.conf b/Linux-PAM/xtests/access.conf new file mode 100644 index 00000000..8088ec61 --- /dev/null +++ b/Linux-PAM/xtests/access.conf @@ -0,0 +1,2 @@ + +-:ALL EXCEPT (tstpamaccess) tstpamaccess3 :LOCAL diff --git a/Linux-PAM/xtests/limits.conf b/Linux-PAM/xtests/limits.conf new file mode 100644 index 00000000..41a3ea3c --- /dev/null +++ b/Linux-PAM/xtests/limits.conf @@ -0,0 +1,2 @@ +* soft nice 19 +* hard nice -20 diff --git a/Linux-PAM/xtests/run-xtests.sh b/Linux-PAM/xtests/run-xtests.sh index 9c8c3571..76daba22 100755 --- a/Linux-PAM/xtests/run-xtests.sh +++ b/Linux-PAM/xtests/run-xtests.sh @@ -1,20 +1,32 @@ #!/bin/bash +SRCDIR=$1 +shift 1 +[ -z "${SRCDIR}" ] && SRCDIR='.' + if test `id -u` -ne 0 ; then echo "You need to be root to run the tests" exit 1 fi -XTESTS="tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \ - tst-pam_dispatch4 tst-pam_cracklib1" +XTESTS="$@" failed=0 pass=0 all=0 +mkdir -p /etc/security +cp /etc/security/access.conf /etc/security/access.conf-pam-xtests +install -m 644 "${SRCDIR}"/access.conf /etc/security/access.conf +cp /etc/security/limits.conf /etc/security/limits.conf-pam-xtests +install -m 644 "${SRCDIR}"/limits.conf /etc/security/limits.conf for testname in $XTESTS ; do - install -m 644 $testname.pamd /etc/pam.d/$testname - ./$testname > /dev/null + install -m 644 "${SRCDIR}"/$testname.pamd /etc/pam.d/$testname + if test -x "${SRCDIR}"/$testname.sh ; then + "${SRCDIR}"/$testname.sh > /dev/null + else + ./$testname > /dev/null + fi if test $? -ne 0 ; then echo "FAIL: $testname" failed=`expr $failed + 1` @@ -24,15 +36,17 @@ for testname in $XTESTS ; do fi all=`expr $all + 1` rm -f /etc/pam.d/$testname - done - if test "$failed" -ne 0; then +done +mv /etc/security/access.conf-pam-xtests /etc/security/access.conf +mv /etc/security/limits.conf-pam-xtests /etc/security/limits.conf +if test "$failed" -ne 0; then echo "===================" echo "$failed of $all tests failed" echo "===================" exit 1 - else +else echo "==================" echo "All $all tests passed" echo "==================" - fi +fi exit 0 diff --git a/Linux-PAM/xtests/tst-pam_access1.c b/Linux-PAM/xtests/tst-pam_access1.c new file mode 100644 index 00000000..06b65f0c --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access1.c @@ -0,0 +1,131 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + test case: + + Check the following line in access.conf: + -:ALL EXCEPT (tstpamaccess):LOCAL + + User is member of group tstpamaccess, pam_authenticate should pass. +*/ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <string.h> +#include <security/pam_appl.h> + +/* A conversation function which uses an internally-stored value for + the responses. */ +static int +fake_conv (int num_msg, const struct pam_message **msgm UNUSED, + struct pam_response **response, void *appdata_ptr UNUSED) +{ + struct pam_response *reply; + int count; + + /* Sanity test. */ + if (num_msg <= 0) + return PAM_CONV_ERR; + + /* Allocate memory for the responses. */ + reply = calloc (num_msg, sizeof (struct pam_response)); + if (reply == NULL) + return PAM_CONV_ERR; + + /* Each prompt elicits the same response. */ + for (count = 0; count < num_msg; ++count) + { + reply[count].resp_retcode = 0; + reply[count].resp = strdup ("!!"); + } + + /* Set the pointers in the response structure and return. */ + *response = reply; + return PAM_SUCCESS; +} + +static struct pam_conv conv = { + fake_conv, + NULL +}; + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh = NULL; + const char *user="tstpamaccess"; + int retval; + int debug = 0; + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_access1", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access1: pam_start returned %d\n", retval); + return 1; + } + + retval = pam_set_item (pamh, PAM_TTY, "/dev/tty1"); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, + "pam_access1: pam_set_item(PAM_TTY) returned %d\n", + retval); + return 1; + } + + retval = pam_authenticate (pamh, 0); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access1: pam_authenticate returned %d\n", retval); + return 1; + } + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access1: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/Linux-PAM/xtests/tst-pam_access1.pamd b/Linux-PAM/xtests/tst-pam_access1.pamd new file mode 100644 index 00000000..f47ec34f --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access1.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_access.so nodefgroup +account required pam_permit.so +password required pam_permit.so +session required pam_permit.so + diff --git a/Linux-PAM/xtests/tst-pam_access1.sh b/Linux-PAM/xtests/tst-pam_access1.sh new file mode 100755 index 00000000..48d8cb3e --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access1.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +/usr/sbin/groupadd -p '!!' tstpamaccess +/usr/sbin/useradd -G tstpamaccess -p '!!' tstpamaccess +./tst-pam_access1 +RET=$? +/usr/sbin/userdel -r tstpamaccess 2> /dev/null +/usr/sbin/groupdel tstpamaccess 2> /dev/null +exit $RET diff --git a/Linux-PAM/xtests/tst-pam_access2.c b/Linux-PAM/xtests/tst-pam_access2.c new file mode 100644 index 00000000..194d07d7 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access2.c @@ -0,0 +1,131 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + test case: + + Check the following line in access.conf: + -:ALL EXCEPT (tstpamaccess):LOCAL + + User is not member of group tstpamaccess, pam_authenticate should fail. +*/ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <string.h> +#include <security/pam_appl.h> + +/* A conversation function which uses an internally-stored value for + the responses. */ +static int +fake_conv (int num_msg, const struct pam_message **msgm UNUSED, + struct pam_response **response, void *appdata_ptr UNUSED) +{ + struct pam_response *reply; + int count; + + /* Sanity test. */ + if (num_msg <= 0) + return PAM_CONV_ERR; + + /* Allocate memory for the responses. */ + reply = calloc (num_msg, sizeof (struct pam_response)); + if (reply == NULL) + return PAM_CONV_ERR; + + /* Each prompt elicits the same response. */ + for (count = 0; count < num_msg; ++count) + { + reply[count].resp_retcode = 0; + reply[count].resp = strdup ("!!"); + } + + /* Set the pointers in the response structure and return. */ + *response = reply; + return PAM_SUCCESS; +} + +static struct pam_conv conv = { + fake_conv, + NULL +}; + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh = NULL; + const char *user="tstpamaccess"; + int retval; + int debug = 0; + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_access2", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access2: pam_start returned %d\n", retval); + return 1; + } + + retval = pam_set_item (pamh, PAM_TTY, "/dev/tty1"); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, + "pam_access2: pam_set_item(PAM_TTY) returned %d\n", + retval); + return 1; + } + + retval = pam_authenticate (pamh, 0); + if (retval != PAM_PERM_DENIED) + { + if (debug) + fprintf (stderr, "pam_access2: pam_authenticate returned %d\n", retval); + return 1; + } + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access2: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/Linux-PAM/xtests/tst-pam_access2.pamd b/Linux-PAM/xtests/tst-pam_access2.pamd new file mode 100644 index 00000000..f47ec34f --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access2.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_access.so nodefgroup +account required pam_permit.so +password required pam_permit.so +session required pam_permit.so + diff --git a/Linux-PAM/xtests/tst-pam_access2.sh b/Linux-PAM/xtests/tst-pam_access2.sh new file mode 100755 index 00000000..c1b3c992 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access2.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +/usr/sbin/groupadd -p '!!' tstpamaccess +/usr/sbin/useradd -p '!!' tstpamaccess +./tst-pam_access2 +RET=$? +/usr/sbin/userdel -r tstpamaccess 2> /dev/null +/usr/sbin/groupdel tstpamaccess 2> /dev/null +exit $RET diff --git a/Linux-PAM/xtests/tst-pam_access3.c b/Linux-PAM/xtests/tst-pam_access3.c new file mode 100644 index 00000000..cd989bb3 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access3.c @@ -0,0 +1,131 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + test case: + + Check the following line in access.conf: + -:ALL EXCEPT tstpamaccess3 :LOCAL + + pam_authenticate should pass for user tstpamaccess3 +*/ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <string.h> +#include <security/pam_appl.h> + +/* A conversation function which uses an internally-stored value for + the responses. */ +static int +fake_conv (int num_msg, const struct pam_message **msgm UNUSED, + struct pam_response **response, void *appdata_ptr UNUSED) +{ + struct pam_response *reply; + int count; + + /* Sanity test. */ + if (num_msg <= 0) + return PAM_CONV_ERR; + + /* Allocate memory for the responses. */ + reply = calloc (num_msg, sizeof (struct pam_response)); + if (reply == NULL) + return PAM_CONV_ERR; + + /* Each prompt elicits the same response. */ + for (count = 0; count < num_msg; ++count) + { + reply[count].resp_retcode = 0; + reply[count].resp = strdup ("!!"); + } + + /* Set the pointers in the response structure and return. */ + *response = reply; + return PAM_SUCCESS; +} + +static struct pam_conv conv = { + fake_conv, + NULL +}; + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh = NULL; + const char *user="tstpamaccess3"; + int retval; + int debug = 0; + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_access3", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access3: pam_start returned %d\n", retval); + return 1; + } + + retval = pam_set_item (pamh, PAM_TTY, "/dev/tty1"); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, + "pam_access3: pam_set_item(PAM_TTY) returned %d\n", + retval); + return 1; + } + + retval = pam_authenticate (pamh, 0); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access3: pam_authenticate returned %d\n", retval); + return 1; + } + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access3: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/Linux-PAM/xtests/tst-pam_access3.pamd b/Linux-PAM/xtests/tst-pam_access3.pamd new file mode 100644 index 00000000..f47ec34f --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access3.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_access.so nodefgroup +account required pam_permit.so +password required pam_permit.so +session required pam_permit.so + diff --git a/Linux-PAM/xtests/tst-pam_access3.sh b/Linux-PAM/xtests/tst-pam_access3.sh new file mode 100755 index 00000000..348e0c3c --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access3.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +/usr/sbin/useradd -p '!!' tstpamaccess3 +./tst-pam_access3 +RET=$? +/usr/sbin/userdel -r tstpamaccess3 2> /dev/null +exit $RET diff --git a/Linux-PAM/xtests/tst-pam_access4.c b/Linux-PAM/xtests/tst-pam_access4.c new file mode 100644 index 00000000..1e53a364 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access4.c @@ -0,0 +1,149 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + test case: + + Check the following line in access.conf: + -:ALL EXCEPT tstpamaccess3 :LOCAL + + pam_authenticate should fail for /dev/tty1 and pass for www.example.com +*/ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <string.h> +#include <security/pam_appl.h> + +/* A conversation function which uses an internally-stored value for + the responses. */ +static int +fake_conv (int num_msg, const struct pam_message **msgm UNUSED, + struct pam_response **response, void *appdata_ptr UNUSED) +{ + struct pam_response *reply; + int count; + + /* Sanity test. */ + if (num_msg <= 0) + return PAM_CONV_ERR; + + /* Allocate memory for the responses. */ + reply = calloc (num_msg, sizeof (struct pam_response)); + if (reply == NULL) + return PAM_CONV_ERR; + + /* Each prompt elicits the same response. */ + for (count = 0; count < num_msg; ++count) + { + reply[count].resp_retcode = 0; + reply[count].resp = strdup ("!!"); + } + + /* Set the pointers in the response structure and return. */ + *response = reply; + return PAM_SUCCESS; +} + +static struct pam_conv conv = { + fake_conv, + NULL +}; + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh = NULL; + const char *user="tstpamaccess"; + int retval; + int debug = 0; + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_access4", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access4: pam_start returned %d\n", retval); + return 1; + } + + retval = pam_set_item (pamh, PAM_TTY, "/dev/tty1"); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, + "pam_access4-1: pam_set_item(PAM_TTY) returned %d\n", + retval); + return 1; + } + + retval = pam_authenticate (pamh, 0); + if (retval != PAM_PERM_DENIED) + { + if (debug) + fprintf (stderr, "pam_access4-1: pam_authenticate returned %d\n", retval); + return 1; + } + + retval = pam_set_item (pamh, PAM_TTY, "www.example.com"); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, + "pam_access4-2: pam_set_item(PAM_TTY) returned %d\n", + retval); + return 1; + } + + retval = pam_authenticate (pamh, 0); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access4-2: pam_authenticate returned %d\n", retval); + return 1; + } + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_access4: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/Linux-PAM/xtests/tst-pam_access4.pamd b/Linux-PAM/xtests/tst-pam_access4.pamd new file mode 100644 index 00000000..f47ec34f --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access4.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_access.so nodefgroup +account required pam_permit.so +password required pam_permit.so +session required pam_permit.so + diff --git a/Linux-PAM/xtests/tst-pam_access4.sh b/Linux-PAM/xtests/tst-pam_access4.sh new file mode 100755 index 00000000..58bf260d --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_access4.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +/usr/sbin/useradd -p '!!' tstpamaccess +./tst-pam_access4 +RET=$? +/usr/sbin/userdel -r tstpamaccess 2> /dev/null +exit $RET diff --git a/Linux-PAM/xtests/tst-pam_cracklib1.c b/Linux-PAM/xtests/tst-pam_cracklib1.c index 6c0ec321..1600df97 100644 --- a/Linux-PAM/xtests/tst-pam_cracklib1.c +++ b/Linux-PAM/xtests/tst-pam_cracklib1.c @@ -83,8 +83,7 @@ static struct pam_conv conv = { }; -/* Check that errors of optional modules are ignored and that - required modules after a sufficient one are not executed. */ +/* Check that pam_cracklib does not seg.fault on empty passwords. */ int main(int argc, char *argv[]) @@ -114,7 +113,7 @@ main(int argc, char *argv[]) return 1; } - /* Try two, first input is NULL */ + /* Try two, second input is NULL */ retval = pam_chauthtok (pamh, 0); if (retval != PAM_AUTHTOK_RECOVERY_ERR) { diff --git a/Linux-PAM/xtests/tst-pam_cracklib2.c b/Linux-PAM/xtests/tst-pam_cracklib2.c new file mode 100644 index 00000000..49166a4e --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_cracklib2.c @@ -0,0 +1,140 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* This test case checks + Patch 1688777: pam_cracklib support for minimum character classes */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <unistd.h> +#include <string.h> +#include <security/pam_appl.h> + +/* A conversation function which uses an internally-stored value for + the responses. */ +static int +fake_conv (int num_msg, const struct pam_message **msgm UNUSED, + struct pam_response **response, void *appdata_ptr UNUSED) +{ + static int calls = 0; + struct pam_response *reply; + int count; + + /* Sanity test. */ + if (num_msg <= 0) + return PAM_CONV_ERR; + + /* Allocate memory for the responses. */ + reply = calloc (num_msg, sizeof (struct pam_response)); + if (reply == NULL) + return PAM_CONV_ERR; + + /* Each prompt elicits the same response. */ + for (count = 0; count < num_msg; ++count) + { + reply[count].resp_retcode = 0; + /* first tow calls get a correct password, second a too + easy one. */ + if (calls > 1) + reply[count].resp = strdup ("too easy"); + else + { + ++calls; + reply[count].resp = strdup ("1a9C*8dK"); + } + } + + /* Set the pointers in the response structure and return. */ + *response = reply; + return PAM_SUCCESS; +} + +static struct pam_conv conv = { + fake_conv, + NULL +}; + + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh=NULL; + const char *user="root"; + int retval; + int debug = 0; + + /* Simulate passwd call by normal user */ + setuid (65534); + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_cracklib2", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "cracklib2: pam_start returned %d\n", retval); + return 1; + } + + /* Try one, first input is correct, second is NULL */ + retval = pam_chauthtok (pamh, 0); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "cracklib2-1: pam_chauthtok returned %d\n", retval); + return 1; + } + + /* Try two, second input is NULL */ + retval = pam_chauthtok (pamh, 0); + if (retval != PAM_AUTHTOK_ERR) + { + if (debug) + fprintf (stderr, "cracklib2-2: pam_chauthtok returned %d\n", retval); + return 1; + } + + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "cracklib2: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/Linux-PAM/xtests/tst-pam_cracklib2.pamd b/Linux-PAM/xtests/tst-pam_cracklib2.pamd new file mode 100644 index 00000000..5915aecd --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_cracklib2.pamd @@ -0,0 +1,2 @@ +#%PAM-1.0 +password required pam_cracklib.so minclass=4 diff --git a/Linux-PAM/xtests/tst-pam_limits1.c b/Linux-PAM/xtests/tst-pam_limits1.c new file mode 100644 index 00000000..cf025d3d --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_limits1.c @@ -0,0 +1,148 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + test case: + + Check the following line in limits.conf: + * soft nice 19 + * hard nice -20 + + getrlimit should return soft=1 and hard=40. +*/ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <string.h> +#include <sys/time.h> +#include <sys/resource.h> + +#include <security/pam_appl.h> + +/* A conversation function which uses an internally-stored value for + the responses. */ +static int +fake_conv (int num_msg, const struct pam_message **msgm UNUSED, + struct pam_response **response, void *appdata_ptr UNUSED) +{ + struct pam_response *reply; + int count; + + /* Sanity test. */ + if (num_msg <= 0) + return PAM_CONV_ERR; + + /* Allocate memory for the responses. */ + reply = calloc (num_msg, sizeof (struct pam_response)); + if (reply == NULL) + return PAM_CONV_ERR; + + /* Each prompt elicits the same response. */ + for (count = 0; count < num_msg; ++count) + { + reply[count].resp_retcode = 0; + reply[count].resp = strdup ("!!"); + } + + /* Set the pointers in the response structure and return. */ + *response = reply; + return PAM_SUCCESS; +} + +static struct pam_conv conv = { + fake_conv, + NULL +}; + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh = NULL; + const char *user="tstpamlimits"; + int retval; + int debug = 0; + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_limits1", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_limits1: pam_start returned %d\n", retval); + return 1; + } + + retval = pam_set_item (pamh, PAM_TTY, "/dev/tty1"); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, + "pam_limits1: pam_set_item(PAM_TTY) returned %d\n", + retval); + return 1; + } + + retval = pam_open_session (pamh, 0); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_limits1: pam_open_session returned %d\n", + retval); + return 1; + } + + struct rlimit rlim; + + getrlimit (RLIMIT_NICE, &rlim); + + if (rlim.rlim_cur != 1 && rlim.rlim_max != 40) + { + if (debug) + fprintf (stderr, "pam_limits1: getrlimit failed, soft=%u, hard=%u\n", + (unsigned int) rlim.rlim_cur, (unsigned int) rlim.rlim_max); + return 1; + } + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_limits1: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/Linux-PAM/xtests/tst-pam_limits1.pamd b/Linux-PAM/xtests/tst-pam_limits1.pamd new file mode 100644 index 00000000..206ef1f7 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_limits1.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_permit.so +account required pam_permit.so +password required pam_permit.so +session required pam_limits.so + diff --git a/Linux-PAM/xtests/tst-pam_limits1.sh b/Linux-PAM/xtests/tst-pam_limits1.sh new file mode 100755 index 00000000..4faa8223 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_limits1.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +/usr/sbin/useradd -p '!!' tstpamlimits +./tst-pam_limits1 +RET=$? +/usr/sbin/userdel -r tstpamlimits 2> /dev/null +exit $RET diff --git a/Linux-PAM/xtests/tst-pam_unix1.c b/Linux-PAM/xtests/tst-pam_unix1.c new file mode 100644 index 00000000..7b884997 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_unix1.c @@ -0,0 +1,121 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Test case: '!!' as password should not allow login + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <string.h> +#include <security/pam_appl.h> + +/* A conversation function which uses an internally-stored value for + the responses. */ +static int +fake_conv (int num_msg, const struct pam_message **msgm UNUSED, + struct pam_response **response, void *appdata_ptr UNUSED) +{ + struct pam_response *reply; + int count; + + /* Sanity test. */ + if (num_msg <= 0) + return PAM_CONV_ERR; + + /* Allocate memory for the responses. */ + reply = calloc (num_msg, sizeof (struct pam_response)); + if (reply == NULL) + return PAM_CONV_ERR; + + /* Each prompt elicits the same response. */ + for (count = 0; count < num_msg; ++count) + { + reply[count].resp_retcode = 0; + reply[count].resp = strdup ("!!"); + } + + /* Set the pointers in the response structure and return. */ + *response = reply; + return PAM_SUCCESS; +} + +static struct pam_conv conv = { + fake_conv, + NULL +}; + + +/* Check that errors of optional modules are ignored and that + required modules after a sufficient one are not executed. */ + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh=NULL; + const char *user="tstpamunix"; + int retval; + int debug = 0; + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_unix1", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_unix1: pam_start returned %d\n", retval); + return 1; + } + + /* !! as password should not allow login */ + retval = pam_authenticate (pamh, 0); + if (retval != PAM_AUTH_ERR) + { + if (debug) + fprintf (stderr, "pam_unix1: pam_authenticate returned %d\n", retval); + return 1; + } + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "pam_unix1: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/Linux-PAM/xtests/tst-pam_unix1.pamd b/Linux-PAM/xtests/tst-pam_unix1.pamd new file mode 100644 index 00000000..1a2990c7 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_unix1.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_unix.so +account required pam_unix.so +password required pam_unix.so +session required pam_unix.so + diff --git a/Linux-PAM/xtests/tst-pam_unix1.sh b/Linux-PAM/xtests/tst-pam_unix1.sh new file mode 100755 index 00000000..f75bd842 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_unix1.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +/usr/sbin/useradd -p '!!' tstpamunix +./tst-pam_unix1 +RET=$? +/usr/sbin/userdel -r tstpamunix 2> /dev/null +exit $RET diff --git a/Linux-PAM/xtests/tst-pam_unix2.c b/Linux-PAM/xtests/tst-pam_unix2.c new file mode 100644 index 00000000..bf6cd8e7 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_unix2.c @@ -0,0 +1,153 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Check crypt handling + * First use exact password, 8 characters (13 characters crypt) + * Second use longer password, 9 characters + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <string.h> +#include <security/pam_appl.h> + +static int in_test; + +/* A conversation function which uses an internally-stored value for + the responses. */ +static int +fake_conv (int num_msg, const struct pam_message **msgm UNUSED, + struct pam_response **response, void *appdata_ptr UNUSED) +{ + struct pam_response *reply; + int count; + + /* Sanity test. */ + if (num_msg <= 0) + return PAM_CONV_ERR; + + /* Allocate memory for the responses. */ + reply = calloc (num_msg, sizeof (struct pam_response)); + if (reply == NULL) + return PAM_CONV_ERR; + + /* Each prompt elicits the same response. */ + for (count = 0; count < num_msg; ++count) + { + reply[count].resp_retcode = 0; + /* first call get a password, second one a too long one */ + if (in_test == 1) + reply[count].resp = strdup ("pamunix0"); + else if (in_test == 2) + reply[count].resp = strdup ("pamunix01"); + else + reply[count].resp = strdup ("pamunix1"); + } + + /* Set the pointers in the response structure and return. */ + *response = reply; + return PAM_SUCCESS; +} + +static struct pam_conv conv = { + fake_conv, + NULL +}; + + +/* Check that errors of optional modules are ignored and that + required modules after a sufficient one are not executed. */ + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh=NULL; + const char *user="tstpamunix"; + int retval; + int debug = 0; + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_unix2", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "unix2: pam_start returned %d\n", retval); + return 1; + } + + /* Try one, first input is correct, second is NULL */ + in_test = 1; + retval = pam_authenticate (pamh, 0); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "unix2-1: pam_authenticate returned %d\n", retval); + return 1; + } + + /* Try two, second input is too long */ + in_test = 2; + retval = pam_authenticate (pamh, 0); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "unix2-2: pam_authenticate returned %d\n", retval); + return 1; + } + + /* Third try, third input is wrong */ + in_test = 3; + retval = pam_authenticate (pamh, 0); + if (retval != PAM_AUTH_ERR) + { + if (debug) + fprintf (stderr, "unix2-3: pam_authenticate returned %d\n", retval); + return 1; + } + + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "unix2: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/Linux-PAM/xtests/tst-pam_unix2.pamd b/Linux-PAM/xtests/tst-pam_unix2.pamd new file mode 100644 index 00000000..1a2990c7 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_unix2.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_unix.so +account required pam_unix.so +password required pam_unix.so +session required pam_unix.so + diff --git a/Linux-PAM/xtests/tst-pam_unix2.sh b/Linux-PAM/xtests/tst-pam_unix2.sh new file mode 100755 index 00000000..7093155f --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_unix2.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +# pamunix0 = 0aXKZztA.d1KY +/usr/sbin/useradd -p 0aXKZztA.d1KY tstpamunix +./tst-pam_unix2 +RET=$? +/usr/sbin/userdel -r tstpamunix 2> /dev/null +exit $RET diff --git a/Linux-PAM/xtests/tst-pam_unix3.c b/Linux-PAM/xtests/tst-pam_unix3.c new file mode 100644 index 00000000..bd5ffca4 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_unix3.c @@ -0,0 +1,154 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Check bigcrypt handling + * First use exact password, 9 characters (24 characters crypt) + * Second use shorter password, 8 characters + * Third use wrong password, 9 characters + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <string.h> +#include <security/pam_appl.h> + +static int in_test; + +/* A conversation function which uses an internally-stored value for + the responses. */ +static int +fake_conv (int num_msg, const struct pam_message **msgm UNUSED, + struct pam_response **response, void *appdata_ptr UNUSED) +{ + struct pam_response *reply; + int count; + + /* Sanity test. */ + if (num_msg <= 0) + return PAM_CONV_ERR; + + /* Allocate memory for the responses. */ + reply = calloc (num_msg, sizeof (struct pam_response)); + if (reply == NULL) + return PAM_CONV_ERR; + + /* Each prompt elicits the same response. */ + for (count = 0; count < num_msg; ++count) + { + reply[count].resp_retcode = 0; + /* first call get a password, second one a too short one */ + if (in_test == 1) + reply[count].resp = strdup ("pamunix01"); + else if (in_test == 2) + reply[count].resp = strdup ("pamunix0"); + else + reply[count].resp = strdup ("pamunix11"); + } + + /* Set the pointers in the response structure and return. */ + *response = reply; + return PAM_SUCCESS; +} + +static struct pam_conv conv = { + fake_conv, + NULL +}; + + +/* Check that errors of optional modules are ignored and that + required modules after a sufficient one are not executed. */ + +int +main(int argc, char *argv[]) +{ + pam_handle_t *pamh=NULL; + const char *user="tstpamunix"; + int retval; + int debug = 0; + + if (argc > 1 && strcmp (argv[1], "-d") == 0) + debug = 1; + + retval = pam_start("tst-pam_unix3", user, &conv, &pamh); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "unix3: pam_start returned %d\n", retval); + return 1; + } + + /* Try one, first input is correct, second is NULL */ + in_test = 1; + retval = pam_authenticate (pamh, 0); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "unix3-1: pam_authenticate returned %d\n", retval); + return 1; + } + + /* Try two, second input is too short */ + in_test = 2; + retval = pam_authenticate (pamh, 0); + if (retval != PAM_AUTH_ERR) + { + if (debug) + fprintf (stderr, "unix3-2: pam_authenticate returned %d\n", retval); + return 1; + } + + /* Third try, third input is wrong */ + in_test = 3; + retval = pam_authenticate (pamh, 0); + if (retval != PAM_AUTH_ERR) + { + if (debug) + fprintf (stderr, "unix3-3: pam_authenticate returned %d\n", retval); + return 1; + } + + + retval = pam_end (pamh,retval); + if (retval != PAM_SUCCESS) + { + if (debug) + fprintf (stderr, "unix3: pam_end returned %d\n", retval); + return 1; + } + return 0; +} diff --git a/Linux-PAM/xtests/tst-pam_unix3.pamd b/Linux-PAM/xtests/tst-pam_unix3.pamd new file mode 100644 index 00000000..1a2990c7 --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_unix3.pamd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth required pam_unix.so +account required pam_unix.so +password required pam_unix.so +session required pam_unix.so + diff --git a/Linux-PAM/xtests/tst-pam_unix3.sh b/Linux-PAM/xtests/tst-pam_unix3.sh new file mode 100755 index 00000000..ef4a07cd --- /dev/null +++ b/Linux-PAM/xtests/tst-pam_unix3.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +# pamunix01 = 0aXKZztA.d1KYIuFXArmd2jU +/usr/sbin/useradd -p 0aXKZztA.d1KYIuFXArmd2jU tstpamunix +./tst-pam_unix3 +RET=$? +/usr/sbin/userdel -r tstpamunix 2> /dev/null +exit $RET |