/* * pam_private.h * * This is the Linux-PAM Library Private Header. It contains things * internal to the Linux-PAM library. Things not needed by either an * application or module. * * Please see end of file for copyright. * * Creator: Marc Ewing. * Maintained: CVS */ #ifndef _PAM_PRIVATE_H #define _PAM_PRIVATE_H #include "config.h" #include #include #include #include /* the Linux-PAM configuration file */ #define PAM_CONFIG "/etc/pam.conf" #define PAM_CONFIG_D "/etc/pam.d" #define PAM_CONFIG_DF "/etc/pam.d/%s" #define PAM_CONFIG_DIST_D "/usr/lib/pam.d" #define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s" #define PAM_DEFAULT_SERVICE "other" /* lower case */ #ifdef PAM_LOCKING /* * the Linux-PAM lock file. If it exists Linux-PAM will abort. Use it * to block access to libpam */ #define PAM_LOCK_FILE "/var/lock/subsys/PAM" #endif /* components of the pam_handle structure */ #define _PAM_INVALID_RETVAL -1 /* default value for cached_retval */ struct handler { int handler_type; int (*func)(pam_handle_t *pamh, int flags, int argc, char **argv); int actions[_PAM_RETURN_VALUES]; /* set by authenticate, open_session, chauthtok(1st) consumed by setcred, close_session, chauthtok(2nd) */ int cached_retval; int *cached_retval_p; int argc; char **argv; struct handler *next; char *mod_name; int stack_level; int grantor; }; #define PAM_HT_MODULE 0 #define PAM_HT_MUST_FAIL 1 #define PAM_HT_SUBSTACK 2 #define PAM_HT_SILENT_MODULE 3 struct loaded_module { char *name; int type; /* PAM_STATIC_MOD or PAM_DYNAMIC_MOD */ void *dl_handle; }; #define PAM_MT_DYNAMIC_MOD 0 #define PAM_MT_STATIC_MOD 1 #define PAM_MT_FAULTY_MOD 2 struct handlers { struct handler *authenticate; struct handler *setcred; struct handler *acct_mgmt; struct handler *open_session; struct handler *close_session; struct handler *chauthtok; }; struct service { struct loaded_module *module; /* Array of modules */ int modules_allocated; int modules_used; int handlers_loaded; struct handlers conf; /* the configured handlers */ struct handlers other; /* the default handlers */ }; /* * Environment helper functions */ #define PAM_ENV_CHUNK 10 /* chunks of memory calloc()'d * * at once */ struct pam_environ { int entries; /* the number of pointers available */ int requested; /* the number of pointers used: * * 1 <= requested <= entries */ char **list; /* the environment storage (a list * * of pointers to malloc() memory) */ }; #include typedef enum { PAM_FALSE, PAM_TRUE } _pam_boolean; struct _pam_fail_delay { _pam_boolean set; unsigned int delay; time_t begin; const void *delay_fn_ptr; }; /* initial state in substack */ struct _pam_substack_state { int impression; int status; }; struct _pam_former_state { /* this is known and set by _pam_dispatch() */ int choice; /* which flavor of module function did we call? */ /* state info for the _pam_dispatch_aux() function */ int depth; /* how deep in the stack were we? */ int impression; /* the impression at that time */ int status; /* the status before returning incomplete */ struct _pam_substack_state *substates; /* array of initial substack states */ /* state info used by pam_get_user() function */ int fail_user; int want_user; char *prompt; /* saved prompt information */ /* state info for the pam_chauthtok() function */ _pam_boolean update; }; struct pam_handle { char *authtok; unsigned caller_is; struct pam_conv *pam_conversation; char *oldauthtok; char *prompt; /* for use by pam_get_user() */ char *service_name; char *user; char *rhost; char *ruser; char *tty; char *xdisplay; char *authtok_type; /* PAM_AUTHTOK_TYPE */ struct pam_data *data; struct pam_environ *env; /* structure to maintain environment list */ struct _pam_fail_delay fail_delay; /* helper function for easy delays */ struct pam_xauth_data xauth; /* auth info for X display */ struct service handlers; struct _pam_former_state former; /* library state - support for event driven applications */ const char *mod_name; /* Name of the module currently executed */ int mod_argc; /* Number of module arguments */ char **mod_argv; /* module arguments */ int choice; /* Which function we call from the module */ #ifdef HAVE_LIBAUDIT int audit_state; /* keep track of reported audit messages */ #endif }; /* Values for select arg to _pam_dispatch() */ #define PAM_NOT_STACKED 0 #define PAM_AUTHENTICATE 1 #define PAM_SETCRED 2 #define PAM_ACCOUNT 3 #define PAM_OPEN_SESSION 4 #define PAM_CLOSE_SESSION 5 #define PAM_CHAUTHTOK 6 #define _PAM_ACTION_IS_JUMP(x) ((x) > 0) #define _PAM_ACTION_IGNORE 0 #define _PAM_ACTION_OK -1 #define _PAM_ACTION_DONE -2 #define _PAM_ACTION_BAD -3 #define _PAM_ACTION_DIE -4 #define _PAM_ACTION_RESET -5 /* Add any new entries here. Will need to change ..._UNDEF and then * need to change pam_tokens.h */ #define _PAM_ACTION_UNDEF -6 /* this is treated as an error ( = _PAM_ACTION_BAD) */ #define PAM_SUBSTACK_MAX_LEVEL 16 /* maximum level of substacks */ /* character tables for parsing config files */ extern const char * const _pam_token_actions[-_PAM_ACTION_UNDEF]; extern const char * const _pam_token_returns[_PAM_RETURN_VALUES+1]; /* * internally defined functions --- these should not be directly * called by applications or modules */ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice); /* Free various allocated structures and dlclose() the libs */ int _pam_free_handlers(pam_handle_t *pamh); /* Parse config file, allocate handler structures, dlopen() */ int _pam_init_handlers(pam_handle_t *pamh); /* Set all hander stuff to 0/NULL - called once from pam_start() */ void _pam_start_handlers(pam_handle_t *pamh); /* environment helper functions */ /* create the environment structure */ int _pam_make_env(pam_handle_t *pamh); /* delete the environment structure */ void _pam_drop_env(pam_handle_t *pamh); /* these functions deal with failure delays as required by the authentication modules and application. Their *interface* is likely to remain the same although their function is hopefully going to improve */ /* reset the timer to no-delay */ void _pam_reset_timer(pam_handle_t *pamh); /* this sets the clock ticking */ void _pam_start_timer(pam_handle_t *pamh); /* this waits for the clock to stop ticking if status != PAM_SUCCESS */ void _pam_await_timer(pam_handle_t *pamh, int status); typedef void (*voidfunc(void))(void); typedef int (*servicefn)(pam_handle_t *, int, int, char **); void *_pam_dlopen (const char *mod_path); servicefn _pam_dlsym (void *handle, const char *symbol); void _pam_dlclose (void *handle); const char *_pam_dlerror (void); /* For now we just use a stack and linear search for module data. */ /* If it becomes apparent that there is a lot of data, it should */ /* changed to either a sorted list or a hash table. */ struct pam_data { char *name; void *data; void (*cleanup)(pam_handle_t *pamh, void *data, int error_status); struct pam_data *next; }; void _pam_free_data(pam_handle_t *pamh, int status); char *_pam_StrTok(char *from, const char *format, char **next); char *_pam_strdup(const char *s); char *_pam_memdup(const char *s, int len); int _pam_mkargv(char *s, char ***argv, int *argc); void _pam_sanitize(pam_handle_t *pamh); void _pam_set_default_control(int *control_array, int default_action); void _pam_parse_control(int *control_array, char *tok); #define _PAM_SYSTEM_LOG_PREFIX "PAM" /* * XXX - Take care with this. It could confuse the logic of a trailing * else */ #define IF_NO_PAMH(X,pamh,ERR) \ if ((pamh) == NULL) { \ syslog(LOG_ERR, _PAM_SYSTEM_LOG_PREFIX " " X ": NULL pam handle passed"); \ return ERR; \ } /* * include some helpful macros */ #include /* used to work out where control currently resides (in an application or in a module) */ #define _PAM_CALLED_FROM_MODULE 1 #define _PAM_CALLED_FROM_APP 2 #define __PAM_FROM_MODULE(pamh) ((pamh)->caller_is == _PAM_CALLED_FROM_MODULE) #define __PAM_FROM_APP(pamh) ((pamh)->caller_is == _PAM_CALLED_FROM_APP) #define __PAM_TO_MODULE(pamh) \ do { (pamh)->caller_is = _PAM_CALLED_FROM_MODULE; } while (0) #define __PAM_TO_APP(pamh) \ do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0) #ifdef HAVE_LIBAUDIT extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h); extern int _pam_audit_end(pam_handle_t *pamh, int pam_status); #endif /* * Copyright (C) 1995 by Red Hat Software, Marc Ewing * Copyright (c) 1996-8,2001 by Andrew G. Morgan * * All rights reserved * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, and the entire permission notice in its entirety, * including the disclaimer of warranties. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * ALTERNATIVELY, this product may be distributed under the terms of * the GNU Public License, in which case the provisions of the GPL are * required INSTEAD OF the above restrictions. (This clause is * necessary due to a potential bad interaction between the GPL and * the restrictions contained in a BSD-style copyright.) * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. */ #endif /* _PAM_PRIVATE_H_ */