From 570caf15023db11726885e9ff5eb47aff1720706 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 8 May 2020 08:00:00 +0000 Subject: pam_nologin: add a test for return values * modules/pam_nologin/tst-pam_nologin-retval.c: New file. * modules/pam_nologin/Makefile.am (TESTS): Add $(check_PROGRAMS). (check_PROGRAMS, tst_pam_nologin_retval_LDADD): New variables. --- modules/pam_nologin/Makefile.am | 5 +- modules/pam_nologin/tst-pam_nologin-retval.c | 226 +++++++++++++++++++++++++++ 2 files changed, 230 insertions(+), 1 deletion(-) create mode 100644 modules/pam_nologin/tst-pam_nologin-retval.c (limited to 'modules/pam_nologin') diff --git a/modules/pam_nologin/Makefile.am b/modules/pam_nologin/Makefile.am index e2d00725..d1ec2035 100644 --- a/modules/pam_nologin/Makefile.am +++ b/modules/pam_nologin/Makefile.am @@ -12,7 +12,7 @@ dist_man_MANS = pam_nologin.8 endif XMLS = README.xml pam_nologin.8.xml dist_check_SCRIPTS = tst-pam_nologin -TESTS = $(dist_check_SCRIPTS) +TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -27,6 +27,9 @@ endif securelib_LTLIBRARIES = pam_nologin.la pam_nologin_la_LIBADD = $(top_builddir)/libpam/libpam.la +check_PROGRAMS = tst-pam_nologin-retval +tst_pam_nologin_retval_LDADD = $(top_builddir)/libpam/libpam.la + if ENABLE_REGENERATE_MAN dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_nologin/tst-pam_nologin-retval.c b/modules/pam_nologin/tst-pam_nologin-retval.c new file mode 100644 index 00000000..0046eec3 --- /dev/null +++ b/modules/pam_nologin/tst-pam_nologin-retval.c @@ -0,0 +1,226 @@ +/* + * Check pam_nologin return values. + * + * Copyright (c) 2020 Dmitry V. Levin + */ + +#include "test_assert.h" + +#include +#include +#include +#include +#include +#include + +#define MODULE_NAME "pam_nologin" +#define TEST_NAME "tst-" MODULE_NAME "-retval" + +static const char service_file[] = TEST_NAME ".service"; +static const char missing_file[] = TEST_NAME ".missing"; +static const char empty_file[] = "/dev/null"; +static const char user_name[] = ""; +static struct pam_conv conv; + +int +main(void) +{ + pam_handle_t *pamh = NULL; + FILE *fp; + struct passwd *pw; + char cwd[PATH_MAX]; + + ASSERT_NE(NULL, getcwd(cwd, sizeof(cwd))); + + /* PAM_IGNORE -> PAM_PERM_DENIED */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "account required %s/.libs/%s.so file=%s\n" + "password required %s/.libs/%s.so file=%s\n" + "session required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_PERM_DENIED, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_IGNORE -> PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "auth required %s/../pam_permit/.libs/pam_permit.so\n" + "account required %s/.libs/%s.so file=%s\n" + "account required %s/../pam_permit/.libs/pam_permit.so\n" + "password required %s/.libs/%s.so file=%s\n" + "password required %s/../pam_permit/.libs/pam_permit.so\n" + "session required %s/.libs/%s.so file=%s\n" + "session required %s/../pam_permit/.libs/pam_permit.so\n", + cwd, MODULE_NAME, missing_file, cwd, + cwd, MODULE_NAME, missing_file, cwd, + cwd, MODULE_NAME, missing_file, cwd, + cwd, MODULE_NAME, missing_file, cwd)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* successok -> PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so successok file=%s\n" + "account required %s/.libs/%s.so successok file=%s\n" + "password required %s/.libs/%s.so successok file=%s\n" + "session required %s/.libs/%s.so successok file=%s\n", + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file, + cwd, MODULE_NAME, missing_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_USER_UNKNOWN */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "account required %s/.libs/%s.so file=%s\n" + "password required %s/.libs/%s.so file=%s\n" + "session required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, user_name, &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_USER_UNKNOWN, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* uid == 0 */ + if ((pw = getpwuid(0)) != NULL) { + /* successok -> PAM_SUCCESS */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so successok file=%s\n" + "account required %s/.libs/%s.so successok file=%s\n" + "password required %s/.libs/%s.so successok file=%s\n" + "session required %s/.libs/%s.so successok file=%s\n", + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, pw->pw_name, + &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SUCCESS, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + + /* PAM_SYSTEM_ERR */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "account required %s/.libs/%s.so file=%s\n" + "password required %s/.libs/%s.so file=%s\n" + "session required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, ".", + cwd, MODULE_NAME, ".", + cwd, MODULE_NAME, ".", + cwd, MODULE_NAME, ".")); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, pw->pw_name, + &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_SYSTEM_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_SYSTEM_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + } + + /* uid != 0 */ + if (geteuid() != 0 && (pw = getpwuid(geteuid())) != NULL) { + /* PAM_AUTH_ERR */ + ASSERT_NE(NULL, fp = fopen(service_file, "w")); + ASSERT_LT(0, fprintf(fp, "#%%PAM-1.0\n" + "auth required %s/.libs/%s.so file=%s\n" + "account required %s/.libs/%s.so file=%s\n" + "password required %s/.libs/%s.so file=%s\n" + "session required %s/.libs/%s.so file=%s\n", + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file, + cwd, MODULE_NAME, empty_file)); + ASSERT_EQ(0, fclose(fp)); + + ASSERT_EQ(PAM_SUCCESS, + pam_start_confdir(service_file, pw->pw_name, + &conv, ".", &pamh)); + ASSERT_NE(NULL, pamh); + ASSERT_EQ(PAM_AUTH_ERR, pam_authenticate(pamh, 0)); + ASSERT_EQ(PAM_PERM_DENIED, pam_setcred(pamh, 0)); + ASSERT_EQ(PAM_AUTH_ERR, pam_acct_mgmt(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_chauthtok(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_open_session(pamh, 0)); + ASSERT_EQ(PAM_MODULE_UNKNOWN, pam_close_session(pamh, 0)); + ASSERT_EQ(PAM_SUCCESS, pam_end(pamh, 0)); + pamh = NULL; + } + + ASSERT_EQ(0, unlink(service_file)); + + return 0; +} -- cgit v1.2.3