search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'merges' of git://repo.or.cz/unleashed into merges
[unleashed.git] / usr / src / lib / libpam / pam_framework.c
blob448dd4d42e7377b71aa5828b47d7046c8c7e28f4
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 *
25 * Copyright 2012 Joshua M. Clulow <josh@sysmgr.org>
26 * Copyright 2016 Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
27 */
28
29 #include <syslog.h>
30 #include <dlfcn.h>
31 #include <sys/types.h>
32 #include <sys/stat.h>
33 #include <stdlib.h>
34 #include <strings.h>
35 #include <malloc.h>
36 #include <unistd.h>
37 #include <fcntl.h>
38 #include <errno.h>
39
40 #include <security/pam_appl.h>
41 #include <security/pam_modules.h>
42 #include <sys/mman.h>
43
44 #include <libintl.h>
45
46 #include "pam_impl.h"
47
48 static char *pam_snames [PAM_NUM_MODULE_TYPES] = {
49 PAM_ACCOUNT_NAME,
50 PAM_AUTH_NAME,
51 PAM_PASSWORD_NAME,
52 PAM_SESSION_NAME
53 };
54
55 static char *pam_inames [PAM_MAX_ITEMS] = {
56 /* NONE */ NULL,
57 /* PAM_SERVICE */ "service",
58 /* PAM_USER */ "user",
59 /* PAM_TTY */ "tty",
60 /* PAM_RHOST */ "rhost",
61 /* PAM_CONV */ "conv",
62 /* PAM_AUTHTOK */ "authtok",
63 /* PAM_OLDAUTHTOK */ "oldauthtok",
64 /* PAM_RUSER */ "ruser",
65 /* PAM_USER_PROMPT */ "user_prompt",
66 /* PAM_REPOSITORY */ "repository",
67 /* PAM_RESOURCE */ "resource",
68 /* PAM_AUSER */ "auser",
69 /* Undefined Items */
70 };
71
72 /*
73 * This extra definition is needed in order to build this library
74 * on pre-64-bit-aware systems.
75 */
76 #if !defined(_LFS64_LARGEFILE)
77 #define stat64 stat
78 #endif /* !defined(_LFS64_LARGEFILE) */
79
80 /* functions to dynamically load modules */
81 static int load_modules(pam_handle_t *, int, char *, pamtab_t *);
82 static void *open_module(pam_handle_t *, char *);
83 static int load_function(void *, char *, int (**func)());
84
85 /* functions to read and store the pam.conf configuration file */
86 static int open_pam_conf(struct pam_fh **, pam_handle_t *, char *, int);
87 static void close_pam_conf(struct pam_fh *);
88 static int read_pam_conf(pam_handle_t *, char *, char *);
89 static int get_pam_conf_entry(struct pam_fh *, pam_handle_t *,
90 pamtab_t **, char *, int);
91 static char *read_next_token(char **);
92 static char *nextline(struct pam_fh *, pam_handle_t *, int *);
93 static int verify_pam_conf(pamtab_t *, char *);
94
95 /* functions to clean up and free memory */
96 static void clean_up(pam_handle_t *);
97 static void free_pamconf(pamtab_t *);
98 static void free_pam_conf_info(pam_handle_t *);
99 static void free_env(env_list *);
100
101 /* convenience functions for I18N/L10N communication */
102
103 static void free_resp(int, struct pam_response *);
104 static int do_conv(pam_handle_t *, int, int,
105 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *,
106 struct pam_response **);
107
108 static int log_priority; /* pam_trace syslog priority & facility */
109 static int pam_debug = 0;
110
111 static char *
112 pam_trace_iname(int item_type, char *iname_buf)
113 {
114 char *name;
115
116 if (item_type <= 0 ||
117 item_type >= PAM_MAX_ITEMS ||
118 (name = pam_inames[item_type]) == NULL) {
119 (void) sprintf(iname_buf, "%d", item_type);
120 return (iname_buf);
121 }
122 return (name);
123 }
124
125 static char *
126 pam_trace_fname(int flag)
127 {
128 if (flag & PAM_BINDING)
129 return (PAM_BINDING_NAME);
130 if (flag & PAM_INCLUDE)
131 return (PAM_INCLUDE_NAME);
132 if (flag & PAM_OPTIONAL)
133 return (PAM_OPTIONAL_NAME);
134 if (flag & PAM_REQUIRED)
135 return (PAM_REQUIRED_NAME);
136 if (flag & PAM_REQUISITE)
137 return (PAM_REQUISITE_NAME);
138 if (flag & PAM_SUFFICIENT)
139 return (PAM_SUFFICIENT_NAME);
140 return ("bad flag name");
141 }
142
143 static char *
144 pam_trace_cname(pam_handle_t *pamh)
145 {
146 if (pamh->pam_conf_name[pamh->include_depth] == NULL)
147 return ("NULL");
148 return (pamh->pam_conf_name[pamh->include_depth]);
149 }
150
151 #include <deflt.h>
152 #include <stdarg.h>
153 /*
154 * pam_settrace - setup configuration for pam tracing
155 *
156 * turn on PAM debug if "magic" file exists
157 * if exists (original), pam_debug = PAM_DEBUG_DEFAULT,
158 * log_priority = LOG_DEBUG(7) and log_facility = LOG_AUTH(4).
159 *
160 * if has contents, keywork=value pairs:
161 *
162 * "log_priority=" 0-7, the pam_trace syslog priority to use
163 * (see sys/syslog.h)
164 * "log_facility=" 0-23, the pam_trace syslog facility to use
165 * (see sys/syslog.h)
166 * "debug_flags=" PAM_DEBUG_DEFAULT (0x0001), log traditional
167 * (original) debugging.
168 * Plus the logical or of:
169 * PAM_DEBUG_ITEM (0x0002), log item values and
170 * pam_get_item.
171 * PAM_DEBUG_MODULE (0x0004), log module return status.
172 * PAM_DEBUG_CONF (0x0008), log pam.conf parsing.
173 * PAM_DEBUG_DATA (0x0010), get/set_data.
174 * PAM_DEBUG_CONV (0x0020), conversation/response.
175 *
176 * If compiled with DEBUG:
177 * PAM_DEBUG_AUTHTOK (0x8000), display AUTHTOK value if
178 * PAM_DEBUG_ITEM is set and results from
179 * PAM_PROMPT_ECHO_OFF responses.
180 * USE CAREFULLY, THIS EXPOSES THE USER'S PASSWORDS.
181 *
182 * or set to 0 and off even if PAM_DEBUG file exists.
183 *
184 * Output has the general form:
185 * <whatever was set syslog> PAM[<pid>]: <interface>(<handle> and other info)
186 * <whatever was set syslog> PAM[<pid>]: details requested for <interface> call
187 * Where: <pid> is the process ID of the calling process.
188 * <handle> is the Hex value of the pam_handle associated with the
189 * call.
190 */
191
192 static void
193 pam_settrace()
194 {
195 void *defp;
196
197 if ((defp = defopen_r(PAM_DEBUG)) != NULL) {
198 char *arg;
199 int code;
200 int facility = LOG_AUTH;
201
202 pam_debug = PAM_DEBUG_DEFAULT;
203 log_priority = LOG_DEBUG;
204
205 (void) defcntl_r(DC_SETFLAGS, DC_CASE, defp);
206 if ((arg = defread_r(LOG_PRIORITY, defp)) != NULL) {
207 code = (int)strtol(arg, NULL, 10);
208 if ((code & ~LOG_PRIMASK) == 0) {
209 log_priority = code;
210 }
211 }
212 if ((arg = defread_r(LOG_FACILITY, defp)) != NULL) {
213 code = (int)strtol(arg, NULL, 10);
214 if (code < LOG_NFACILITIES) {
215 facility = code << 3;
216 }
217 }
218 if ((arg = defread_r(DEBUG_FLAGS, defp)) != NULL) {
219 pam_debug = (int)strtol(arg, NULL, 0);
220 }
221 defclose_r(defp);
222
223 log_priority |= facility;
224 }
225 }
226
227 /*
228 * pam_trace - logs tracing messages
229 *
230 * flag = debug_flags from /etc/pam_debug
231 * format and args = message to print (PAM[<pid>]: is prepended).
232 *
233 * global log_priority = pam_trace syslog (log_priority | log_facility)
234 * from /etc/pam_debug
235 */
236 /*PRINTFLIKE2*/
237 static void
238 pam_trace(int flag, char *format, ...)
239 {
240 va_list args;
241 char message[1024];
242 int savemask;
243
244 if ((pam_debug & flag) == 0)
245 return;
246
247 savemask = setlogmask(LOG_MASK(log_priority & LOG_PRIMASK));
248 (void) snprintf(message, sizeof (message), "PAM[%ld]: %s",
249 (long)getpid(), format);
250 va_start(args, format);
251 (void) vsyslog(log_priority, message, args);
252 va_end(args);
253 (void) setlogmask(savemask);
254 }
255
256 /*
257 * __pam_log - logs PAM syslog messages
258 *
259 * priority = message priority
260 * format and args = message to log
261 */
262 /*PRINTFLIKE2*/
263 void
264 __pam_log(int priority, const char *format, ...)
265 {
266 va_list args;
267 int savemask = setlogmask(LOG_MASK(priority & LOG_PRIMASK));
268
269 va_start(args, format);
270 (void) vsyslog(priority, format, args);
271 va_end(args);
272 (void) setlogmask(savemask);
273 }
274
275
276 /*
277 * pam_XXXXX routines
278 *
279 * These are the entry points to the authentication switch
280 */
281
282 /*
283 * pam_start - initiate an authentication transaction and
284 * set parameter values to be used during the
285 * transaction
286 */
287
288 int
289 pam_start(const char *service, const char *user,
290 const struct pam_conv *pam_conv, pam_handle_t **pamh)
291 {
292 int err;
293
294 *pamh = calloc(1, sizeof (struct pam_handle));
295
296 pam_settrace();
297 pam_trace(PAM_DEBUG_DEFAULT,
298 "pam_start(%s,%s,%p:%p) - debug = %x",
299 service ? service : "NULL", user ? user : "NULL", (void *)pam_conv,
300 (void *)*pamh, pam_debug);
301
302 if (*pamh == NULL)
303 return (PAM_BUF_ERR);
304
305 (*pamh)->pam_inmodule = RO_OK; /* OK to set RO items */
306 if ((err = pam_set_item(*pamh, PAM_SERVICE, (void *)service))
307 != PAM_SUCCESS) {
308 clean_up(*pamh);
309 *pamh = NULL;
310 return (err);
311 }
312
313 if ((err = pam_set_item(*pamh, PAM_USER, (void *)user))
314 != PAM_SUCCESS) {
315 clean_up(*pamh);
316 *pamh = NULL;
317 return (err);
318 }
319
320 if ((err = pam_set_item(*pamh, PAM_CONV, (void *)pam_conv))
321 != PAM_SUCCESS) {
322 clean_up(*pamh);
323 *pamh = NULL;
324 return (err);
325 }
326
327 (*pamh)->pam_inmodule = RW_OK;
328 return (PAM_SUCCESS);
329 }
330
331 /*
332 * pam_end - terminate an authentication transaction
333 */
334
335 int
336 pam_end(pam_handle_t *pamh, int pam_status)
337 {
338 struct pam_module_data *psd, *p;
339 fd_list *expired;
340 fd_list *traverse;
341 env_list *env_expired;
342 env_list *env_traverse;
343
344 pam_trace(PAM_DEBUG_DEFAULT,
345 "pam_end(%p): status = %s", (void *)pamh,
346 pam_strerror(pamh, pam_status));
347
348 if (pamh == NULL)
349 return (PAM_SYSTEM_ERR);
350
351 /* call the cleanup routines for module specific data */
352
353 psd = pamh->ssd;
354 while (psd) {
355 if (psd->cleanup) {
356 psd->cleanup(pamh, psd->data, pam_status);
357 }
358 p = psd;
359 psd = p->next;
360 free(p->module_data_name);
361 free(p);
362 }
363 pamh->ssd = NULL;
364
365 /* dlclose all module fds */
366 traverse = pamh->fd;
367 while (traverse) {
368 expired = traverse;
369 traverse = traverse->next;
370 (void) dlclose(expired->mh);
371 free(expired);
372 }
373 pamh->fd = 0;
374
375 /* remove all environment variables */
376 env_traverse = pamh->pam_env;
377 while (env_traverse) {
378 env_expired = env_traverse;
379 env_traverse = env_traverse->next;
380 free_env(env_expired);
381 }
382
383 clean_up(pamh);
384 return (PAM_SUCCESS);
385 }
386
387 /*
388 * pam_set_item - set the value of a parameter that can be
389 * retrieved via a call to pam_get_item()
390 */
391
392 int
393 pam_set_item(pam_handle_t *pamh, int item_type, const void *item)
394 {
395 struct pam_item *pip;
396 int size;
397 char iname_buf[PAM_MAX_MSG_SIZE];
398
399 if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
400 pam_trace(PAM_DEBUG_DEFAULT,
401 "pam_set_item(%p:%s)", (void *)pamh,
402 pam_trace_iname(item_type, iname_buf));
403 }
404
405 if (pamh == NULL)
406 return (PAM_SYSTEM_ERR);
407
408 /* check read only items */
409 if ((item_type == PAM_SERVICE) && (pamh->pam_inmodule != RO_OK))
410 return (PAM_PERM_DENIED);
411
412 /*
413 * Check that item_type is within valid range
414 */
415
416 if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
417 return (PAM_SYMBOL_ERR);
418
419 pip = &(pamh->ps_item[item_type]);
420
421 switch (item_type) {
422 case PAM_AUTHTOK:
423 case PAM_OLDAUTHTOK:
424 if (pip->pi_addr != NULL)
425 (void) memset(pip->pi_addr, 0, pip->pi_size);
426 /*FALLTHROUGH*/
427 case PAM_SERVICE:
428 case PAM_USER:
429 case PAM_TTY:
430 case PAM_RHOST:
431 case PAM_RUSER:
432 case PAM_USER_PROMPT:
433 case PAM_RESOURCE:
434 case PAM_AUSER:
435 if (pip->pi_addr != NULL) {
436 free(pip->pi_addr);
437 }
438
439 if (item == NULL) {
440 pip->pi_addr = NULL;
441 pip->pi_size = 0;
442 } else {
443 pip->pi_addr = strdup((char *)item);
444 if (pip->pi_addr == NULL) {
445 pip->pi_size = 0;
446 return (PAM_BUF_ERR);
447 }
448 pip->pi_size = strlen(pip->pi_addr);
449 }
450 break;
451 case PAM_CONV:
452 free(pip->pi_addr);
453 size = sizeof (struct pam_conv);
454 if ((pip->pi_addr = calloc(1, size)) == NULL)
455 return (PAM_BUF_ERR);
456 if (item != NULL)
457 (void) memcpy(pip->pi_addr, item, (unsigned int) size);
458 else
459 (void) memset(pip->pi_addr, 0, size);
460 pip->pi_size = size;
461 break;
462 case PAM_REPOSITORY:
463 if (pip->pi_addr != NULL) {
464 pam_repository_t *auth_rep;
465
466 auth_rep = (pam_repository_t *)pip->pi_addr;
467 free(auth_rep->type);
468 free(auth_rep->scope);
469 free(auth_rep);
470 }
471 if (item != NULL) {
472 pam_repository_t *s, *d;
473
474 size = sizeof (struct pam_repository);
475 pip->pi_addr = calloc(1, size);
476 if (pip->pi_addr == NULL)
477 return (PAM_BUF_ERR);
478
479 s = (struct pam_repository *)item;
480 d = (struct pam_repository *)pip->pi_addr;
481
482 d->type = strdup(s->type);
483 if (d->type == NULL)
484 return (PAM_BUF_ERR);
485 d->scope = malloc(s->scope_len);
486 if (d->scope == NULL)
487 return (PAM_BUF_ERR);
488 (void) memcpy(d->scope, s->scope, s->scope_len);
489 d->scope_len = s->scope_len;
490 }
491 pip->pi_size = size;
492 break;
493 default:
494 return (PAM_SYMBOL_ERR);
495 }
496 switch (item_type) {
497 case PAM_CONV:
498 pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%p",
499 (void *)pamh,
500 pam_trace_iname(item_type, iname_buf),
501 item ? (void *)((struct pam_conv *)item)->conv :
502 NULL);
503 break;
504 case PAM_REPOSITORY:
505 pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
506 (void *)pamh,
507 pam_trace_iname(item_type, iname_buf),
508 item ? (((struct pam_repository *)item)->type ?
509 ((struct pam_repository *)item)->type : "NULL") :
510 "NULL");
511 break;
512 case PAM_AUTHTOK:
513 case PAM_OLDAUTHTOK:
514 #ifdef DEBUG
515 if (pam_debug & PAM_DEBUG_AUTHTOK)
516 pam_trace(PAM_DEBUG_ITEM,
517 "pam_set_item(%p:%s)=%s", (void *)pamh,
518 pam_trace_iname(item_type, iname_buf),
519 item ? (char *)item : "NULL");
520 else
521 #endif /* DEBUG */
522 pam_trace(PAM_DEBUG_ITEM,
523 "pam_set_item(%p:%s)=%s", (void *)pamh,
524 pam_trace_iname(item_type, iname_buf),
525 item ? "********" : "NULL");
526 break;
527 default:
528 pam_trace(PAM_DEBUG_ITEM, "pam_set_item(%p:%s)=%s",
529 (void *)pamh,
530 pam_trace_iname(item_type, iname_buf),
531 item ? (char *)item : "NULL");
532 }
533
534 return (PAM_SUCCESS);
535 }
536
537 /*
538 * pam_get_item - read the value of a parameter specified in
539 * the call to pam_set_item()
540 */
541
542 int
543 pam_get_item(const pam_handle_t *pamh, int item_type, void **item)
544 {
545 struct pam_item *pip;
546 char iname_buf[PAM_MAX_MSG_SIZE];
547
548 if (((pam_debug & PAM_DEBUG_ITEM) == 0) || (pamh == NULL)) {
549 pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)",
550 (void *)pamh, pam_trace_iname(item_type, iname_buf));
551 }
552
553 if (pamh == NULL)
554 return (PAM_SYSTEM_ERR);
555
556 if (item_type <= 0 || item_type >= PAM_MAX_ITEMS)
557 return (PAM_SYMBOL_ERR);
558
559 if ((pamh->pam_inmodule != WO_OK) &&
560 ((item_type == PAM_AUTHTOK || item_type == PAM_OLDAUTHTOK))) {
561 __pam_log(LOG_AUTH | LOG_NOTICE, "pam_get_item(%s) called from "
562 "a non module context",
563 pam_trace_iname(item_type, iname_buf));
564 return (PAM_PERM_DENIED);
565 }
566
567 pip = (struct pam_item *)&(pamh->ps_item[item_type]);
568
569 *item = pip->pi_addr;
570 switch (item_type) {
571 case PAM_CONV:
572 pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%p",
573 (void *)pamh,
574 pam_trace_iname(item_type, iname_buf),
575 (void *)((struct pam_conv *)*item)->conv);
576 break;
577 case PAM_REPOSITORY:
578 pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
579 (void *)pamh,
580 pam_trace_iname(item_type, iname_buf),
581 *item ? (((struct pam_repository *)*item)->type ?
582 ((struct pam_repository *)*item)->type : "NULL") :
583 "NULL");
584 break;
585 case PAM_AUTHTOK:
586 case PAM_OLDAUTHTOK:
587 #ifdef DEBUG
588 if (pam_debug & PAM_DEBUG_AUTHTOK)
589 pam_trace(PAM_DEBUG_ITEM,
590 "pam_get_item(%p:%s)=%s", (void *)pamh,
591 pam_trace_iname(item_type, iname_buf),
592 *item ? *(char **)item : "NULL");
593 else
594 #endif /* DEBUG */
595 pam_trace(PAM_DEBUG_ITEM,
596 "pam_get_item(%p:%s)=%s", (void *)pamh,
597 pam_trace_iname(item_type, iname_buf),
598 *item ? "********" : "NULL");
599 break;
600 default:
601 pam_trace(PAM_DEBUG_ITEM, "pam_get_item(%p:%s)=%s",
602 (void *)pamh,
603 pam_trace_iname(item_type, iname_buf),
604 *item ? *(char **)item : "NULL");
605 }
606
607 return (PAM_SUCCESS);
608 }
609
610 /*
611 * parse_user_name - process the user response: ignore
612 * '\t' or ' ' before or after a user name.
613 * user_input is a null terminated string.
614 * *ret_username will be the user name.
615 */
616
617 static int
618 parse_user_name(char *user_input, char **ret_username)
619 {
620 register char *ptr;
621 register int index = 0;
622 char username[PAM_MAX_RESP_SIZE];
623
624 /* Set the default value for *ret_username */
625 *ret_username = NULL;
626
627 /*
628 * Set the initial value for username - this is a buffer holds
629 * the user name.
630 */
631 bzero((void *)username, PAM_MAX_RESP_SIZE);
632
633 /*
634 * The user_input is guaranteed to be terminated by a null character.
635 */
636 ptr = user_input;
637
638 /* Skip all the leading whitespaces if there are any. */
639 while ((*ptr == ' ') || (*ptr == '\t'))
640 ptr++;
641
642 if (*ptr == '\0') {
643 /*
644 * We should never get here since the user_input we got
645 * in pam_get_user() is not all whitespaces nor just "\0".
646 */
647 return (PAM_BUF_ERR);
648 }
649
650 /*
651 * username will be the first string we get from user_input
652 * - we skip leading whitespaces and ignore trailing whitespaces
653 */
654 while (*ptr != '\0') {
655 if ((*ptr == ' ') || (*ptr == '\t'))
656 break;
657 else {
658 username[index] = *ptr;
659 index++;
660 ptr++;
661 }
662 }
663
664 /* ret_username will be freed in pam_get_user(). */
665 if ((*ret_username = malloc(index + 1)) == NULL)
666 return (PAM_BUF_ERR);
667 (void) strcpy(*ret_username, username);
668 return (PAM_SUCCESS);
669 }
670
671 /*
672 * Get the value of PAM_USER. If not set, then use the convenience function
673 * to prompt for the user. Use prompt if specified, else use PAM_USER_PROMPT
674 * if it is set, else use default.
675 */
676 #define WHITESPACE 0
677 #define USERNAME 1
678
679 int
680 pam_get_user(pam_handle_t *pamh, char **user, const char *prompt_override)
681 {
682 int status;
683 char *prompt = NULL;
684 char *real_username;
685 struct pam_response *ret_resp = NULL;
686 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
687
688 pam_trace(PAM_DEBUG_DEFAULT,
689 "pam_get_user(%p, %p, %s)", (void *)pamh, (void *)*user,
690 prompt_override ? prompt_override : "NULL");
691 if (pamh == NULL)
692 return (PAM_SYSTEM_ERR);
693
694 if ((status = pam_get_item(pamh, PAM_USER, (void **)user))
695 != PAM_SUCCESS) {
696 return (status);
697 }
698
699 /* if the user is set, return it */
700
701 if (*user != NULL && *user[0] != '\0') {
702 return (PAM_SUCCESS);
703 }
704
705 /*
706 * if the module is requesting a special prompt, use it.
707 * else use PAM_USER_PROMPT.
708 */
709
710 if (prompt_override != NULL) {
711 prompt = (char *)prompt_override;
712 } else {
713 status = pam_get_item(pamh, PAM_USER_PROMPT, (void**)&prompt);
714 if (status != PAM_SUCCESS) {
715 return (status);
716 }
717 }
718
719 /* if the prompt is not set, use default */
720
721 if (prompt == NULL || prompt[0] == '\0') {
722 prompt = dgettext(TEXT_DOMAIN, "Please enter user name: ");
723 }
724
725 /* prompt for the user */
726
727 (void) strncpy(messages[0], prompt, sizeof (messages[0]));
728
729 for (;;) {
730 int state = WHITESPACE;
731
732 status = do_conv(pamh, PAM_PROMPT_ECHO_ON, 1, messages,
733 NULL, &ret_resp);
734
735 if (status != PAM_SUCCESS) {
736 return (status);
737 }
738
739 if (ret_resp->resp && ret_resp->resp[0] != '\0') {
740 int len = strlen(ret_resp->resp);
741 int i;
742
743 for (i = 0; i < len; i++) {
744 if ((ret_resp->resp[i] != ' ') &&
745 (ret_resp->resp[i] != '\t')) {
746 state = USERNAME;
747 break;
748 }
749 }
750
751 if (state == USERNAME)
752 break;
753 }
754 /* essentially empty response, try again */
755 free_resp(1, ret_resp);
756 ret_resp = NULL;
757 }
758
759 /* set PAM_USER */
760 /* Parse the user input to get the user name. */
761 status = parse_user_name(ret_resp->resp, &real_username);
762
763 if (status != PAM_SUCCESS) {
764 free(real_username);
765 free_resp(1, ret_resp);
766 return (status);
767 }
768
769 status = pam_set_item(pamh, PAM_USER, real_username);
770
771 free(real_username);
772
773 free_resp(1, ret_resp);
774 if (status != PAM_SUCCESS) {
775 return (status);
776 }
777
778 /*
779 * finally, get PAM_USER. We have to call pam_get_item to get
780 * the value of user because pam_set_item mallocs the memory.
781 */
782
783 status = pam_get_item(pamh, PAM_USER, (void**)user);
784 return (status);
785 }
786
787 /*
788 * Set module specific data
789 */
790
791 int
792 pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data,
793 void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status))
794 {
795 struct pam_module_data *psd;
796
797 pam_trace(PAM_DEBUG_DATA,
798 "pam_set_data(%p:%s:%d)=%p", (void *)pamh,
799 module_data_name ? module_data_name : "NULL", pamh->pam_inmodule,
800 data);
801 if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
802 module_data_name == NULL) {
803 return (PAM_SYSTEM_ERR);
804 }
805
806 /* check if module data already exists */
807
808 for (psd = pamh->ssd; psd; psd = psd->next) {
809 if (strcmp(psd->module_data_name, module_data_name) == 0) {
810 /* clean up original data before setting the new data */
811 if (psd->cleanup) {
812 psd->cleanup(pamh, psd->data, PAM_SUCCESS);
813 }
814 psd->data = (void *)data;
815 psd->cleanup = cleanup;
816 return (PAM_SUCCESS);
817 }
818 }
819
820 psd = malloc(sizeof (struct pam_module_data));
821 if (psd == NULL)
822 return (PAM_BUF_ERR);
823
824 psd->module_data_name = strdup(module_data_name);
825 if (psd->module_data_name == NULL) {
826 free(psd);
827 return (PAM_BUF_ERR);
828 }
829
830 psd->data = (void *)data;
831 psd->cleanup = cleanup;
832 psd->next = pamh->ssd;
833 pamh->ssd = psd;
834 return (PAM_SUCCESS);
835 }
836
837 /*
838 * get module specific data
839 */
840
841 int
842 pam_get_data(const pam_handle_t *pamh, const char *module_data_name,
843 const void **data)
844 {
845 struct pam_module_data *psd;
846
847 if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
848 module_data_name == NULL) {
849 pam_trace(PAM_DEBUG_DATA,
850 "pam_get_data(%p:%s:%d)=%p", (void *)pamh,
851 module_data_name ? module_data_name : "NULL",
852 pamh->pam_inmodule, *data);
853 return (PAM_SYSTEM_ERR);
854 }
855
856 for (psd = pamh->ssd; psd; psd = psd->next) {
857 if (strcmp(psd->module_data_name, module_data_name) == 0) {
858 *data = psd->data;
859 pam_trace(PAM_DEBUG_DATA,
860 "pam_get_data(%p:%s)=%p", (void *)pamh,
861 module_data_name, *data);
862 return (PAM_SUCCESS);
863 }
864 }
865 pam_trace(PAM_DEBUG_DATA,
866 "pam_get_data(%p:%s)=%s", (void *)pamh, module_data_name,
867 "PAM_NO_MODULE_DATA");
868
869 return (PAM_NO_MODULE_DATA);
870 }
871
872 /*
873 * PAM equivalent to strerror()
874 */
875 /* ARGSUSED */
876 const char *
877 pam_strerror(pam_handle_t *pamh, int errnum)
878 {
879 switch (errnum) {
880 case PAM_SUCCESS:
881 return (dgettext(TEXT_DOMAIN, "Success"));
882 case PAM_OPEN_ERR:
883 return (dgettext(TEXT_DOMAIN, "Dlopen failure"));
884 case PAM_SYMBOL_ERR:
885 return (dgettext(TEXT_DOMAIN, "Symbol not found"));
886 case PAM_SERVICE_ERR:
887 return (dgettext(TEXT_DOMAIN,
888 "Error in underlying service module"));
889 case PAM_SYSTEM_ERR:
890 return (dgettext(TEXT_DOMAIN, "System error"));
891 case PAM_BUF_ERR:
892 return (dgettext(TEXT_DOMAIN, "Memory buffer error"));
893 case PAM_CONV_ERR:
894 return (dgettext(TEXT_DOMAIN, "Conversation failure"));
895 case PAM_PERM_DENIED:
896 return (dgettext(TEXT_DOMAIN, "Permission denied"));
897 case PAM_MAXTRIES:
898 return (dgettext(TEXT_DOMAIN,
899 "Maximum number of attempts exceeded"));
900 case PAM_AUTH_ERR:
901 return (dgettext(TEXT_DOMAIN, "Authentication failed"));
902 case PAM_NEW_AUTHTOK_REQD:
903 return (dgettext(TEXT_DOMAIN, "Get new authentication token"));
904 case PAM_CRED_INSUFFICIENT:
905 return (dgettext(TEXT_DOMAIN, "Insufficient credentials"));
906 case PAM_AUTHINFO_UNAVAIL:
907 return (dgettext(TEXT_DOMAIN,
908 "Can not retrieve authentication info"));
909 case PAM_USER_UNKNOWN:
910 return (dgettext(TEXT_DOMAIN, "No account present for user"));
911 case PAM_CRED_UNAVAIL:
912 return (dgettext(TEXT_DOMAIN,
913 "Can not retrieve user credentials"));
914 case PAM_CRED_EXPIRED:
915 return (dgettext(TEXT_DOMAIN,
916 "User credentials have expired"));
917 case PAM_CRED_ERR:
918 return (dgettext(TEXT_DOMAIN,
919 "Failure setting user credentials"));
920 case PAM_ACCT_EXPIRED:
921 return (dgettext(TEXT_DOMAIN, "User account has expired"));
922 case PAM_AUTHTOK_EXPIRED:
923 return (dgettext(TEXT_DOMAIN, "User password has expired"));
924 case PAM_SESSION_ERR:
925 return (dgettext(TEXT_DOMAIN,
926 "Can not make/remove entry for session"));
927 case PAM_AUTHTOK_ERR:
928 return (dgettext(TEXT_DOMAIN,
929 "Authentication token manipulation error"));
930 case PAM_AUTHTOK_RECOVERY_ERR:
931 return (dgettext(TEXT_DOMAIN,
932 "Authentication token can not be recovered"));
933 case PAM_AUTHTOK_LOCK_BUSY:
934 return (dgettext(TEXT_DOMAIN,
935 "Authentication token lock busy"));
936 case PAM_AUTHTOK_DISABLE_AGING:
937 return (dgettext(TEXT_DOMAIN,
938 "Authentication token aging disabled"));
939 case PAM_NO_MODULE_DATA:
940 return (dgettext(TEXT_DOMAIN,
941 "Module specific data not found"));
942 case PAM_IGNORE:
943 return (dgettext(TEXT_DOMAIN, "Ignore module"));
944 case PAM_ABORT:
945 return (dgettext(TEXT_DOMAIN, "General PAM failure "));
946 case PAM_TRY_AGAIN:
947 return (dgettext(TEXT_DOMAIN,
948 "Unable to complete operation. Try again"));
949 default:
950 return (dgettext(TEXT_DOMAIN, "Unknown error"));
951 }
952 }
953
954 static void *
955 sm_name(int ind)
956 {
957 switch (ind) {
958 case PAM_AUTHENTICATE:
959 return (PAM_SM_AUTHENTICATE);
960 case PAM_SETCRED:
961 return (PAM_SM_SETCRED);
962 case PAM_ACCT_MGMT:
963 return (PAM_SM_ACCT_MGMT);
964 case PAM_OPEN_SESSION:
965 return (PAM_SM_OPEN_SESSION);
966 case PAM_CLOSE_SESSION:
967 return (PAM_SM_CLOSE_SESSION);
968 case PAM_CHAUTHTOK:
969 return (PAM_SM_CHAUTHTOK);
970 }
971 return (NULL);
972 }
973
974 static int
975 (*func(pamtab_t *modulep, int ind))()
976 {
977 void *funcp;
978
979 if ((funcp = modulep->function_ptr) == NULL)
980 return (NULL);
981
982 switch (ind) {
983 case PAM_AUTHENTICATE:
984 return (((struct auth_module *)funcp)->pam_sm_authenticate);
985 case PAM_SETCRED:
986 return (((struct auth_module *)funcp)->pam_sm_setcred);
987 case PAM_ACCT_MGMT:
988 return (((struct account_module *)funcp)->pam_sm_acct_mgmt);
989 case PAM_OPEN_SESSION:
990 return (((struct session_module *)funcp)->pam_sm_open_session);
991 case PAM_CLOSE_SESSION:
992 return (((struct session_module *)funcp)->pam_sm_close_session);
993 case PAM_CHAUTHTOK:
994 return (((struct password_module *)funcp)->pam_sm_chauthtok);
995 }
996 return (NULL);
997 }
998
999 /*
1000 * Run through the PAM service module stack for the given module type.
1001 */
1002 static int
1003 run_stack(pam_handle_t *pamh, int flags, int type, int def_err, int ind,
1004 char *function_name)
1005 {
1006 int err = PAM_SYSTEM_ERR; /* preset */
1007 int optional_error = 0;
1008 int required_error = 0;
1009 int success = 0;
1010 pamtab_t *modulep;
1011 int (*sm_func)();
1012 char *service;
1013 char *service_file;
1014
1015 if (pamh == NULL)
1016 return (PAM_SYSTEM_ERR);
1017
1018 (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
1019 if (service == NULL || *service == '\0') {
1020 __pam_log(LOG_AUTH | LOG_ERR, "No service name");
1021 return (PAM_SYSTEM_ERR);
1022 }
1023
1024 /* read initial entries from /etc/pam.d/<service> */
1025 if (asprintf(&service_file, "%s%s", PAM_CONFIG_DIR, service) < 0)
1026 return (PAM_SYSTEM_ERR);
1027 if ((err = read_pam_conf(pamh, service_file, service))
1028 != PAM_SUCCESS) {
1029 pam_trace(PAM_DEBUG_CONF, "run_stack[%d:%s]: can't read "
1030 "service-specific conf %s", pamh->include_depth,
1031 pam_trace_cname(pamh), modulep->module_path, service_file);
1032 }
1033 free(service_file);
1034 service_file = NULL;
1035
1036 if ((modulep =
1037 pamh->pam_conf_info[pamh->include_depth][type]) == NULL) {
1038 __pam_log(LOG_AUTH | LOG_ERR, "%s no initial module present",
1039 pam_trace_cname(pamh));
1040 goto exit_return;
1041 }
1042
1043 pamh->pam_inmodule = WO_OK; /* OK to get AUTHTOK */
1044 include:
1045 pam_trace(PAM_DEBUG_MODULE,
1046 "[%d:%s]:run_stack:%s(%p, %x): %s", pamh->include_depth,
1047 pam_trace_cname(pamh), function_name, (void *)pamh, flags,
1048 modulep ? modulep->module_path : "NULL");
1049
1050 while (modulep != NULL) {
1051 if (modulep->pam_flag & PAM_INCLUDE) {
1052 /* save the return location */
1053 pamh->pam_conf_modulep[pamh->include_depth] =
1054 modulep->next;
1055 pam_trace(PAM_DEBUG_MODULE,
1056 "setting for include[%d:%p]",
1057 pamh->include_depth, (void *)modulep->next);
1058 if (pamh->include_depth++ >= PAM_MAX_INCLUDE) {
1059 __pam_log(LOG_AUTH | LOG_ERR,
1060 "run_stack: includes too deep %d "
1061 "found trying to include %s from %s, %d "
1062 "allowed", pamh->include_depth,
1063 modulep->module_path, pamh->pam_conf_name
1064 [PAM_MAX_INCLUDE] == NULL ? "NULL" :
1065 pamh->pam_conf_name[PAM_MAX_INCLUDE],
1066 PAM_MAX_INCLUDE);
1067 goto exit_return;
1068 }
1069 err = read_pam_conf(pamh, modulep->module_path, service);
1070 if (err != PAM_SUCCESS) {
1071 __pam_log(LOG_AUTH | LOG_ERR,
1072 "run_stack[%d:%s]: can't read included "
1073 "conf %s", pamh->include_depth,
1074 pam_trace_cname(pamh),
1075 modulep->module_path);
1076 goto exit_return;
1077 }
1078 if ((modulep = pamh->pam_conf_info
1079 [pamh->include_depth][type]) == NULL) {
1080 __pam_log(LOG_AUTH | LOG_ERR,
1081 "run_stack[%d:%s]: no include module "
1082 "present %s", pamh->include_depth,
1083 pam_trace_cname(pamh), function_name);
1084 goto exit_return;
1085 }
1086 if (modulep->pam_flag & PAM_INCLUDE) {
1087 /* first line another include */
1088 goto include;
1089 }
1090 pam_trace(PAM_DEBUG_DEFAULT, "include[%d:%s]"
1091 "(%p, %s)=%s", pamh->include_depth,
1092 pam_trace_cname(pamh), (void *)pamh,
1093 function_name, modulep->module_path);
1094 if ((err = load_modules(pamh, type, sm_name(ind),
1095 pamh->pam_conf_info
1096 [pamh->include_depth][type])) != PAM_SUCCESS) {
1097 pam_trace(PAM_DEBUG_DEFAULT,
1098 "[%d:%s]:%s(%p, %x): load_modules failed",
1099 pamh->include_depth, pam_trace_cname(pamh),
1100 function_name, (void *)pamh, flags);
1101 goto exit_return;
1102 }
1103 if ((modulep = pamh->pam_conf_info
1104 [pamh->include_depth][type]) == NULL) {
1105 __pam_log(LOG_AUTH | LOG_ERR,
1106 "%s no initial module present",
1107 pam_trace_cname(pamh));
1108 goto exit_return;
1109 }
1110 } else if ((err = load_modules(pamh, type, sm_name(ind),
1111 modulep)) != PAM_SUCCESS) {
1112 pam_trace(PAM_DEBUG_DEFAULT,
1113 "[%d:%s]:%s(%p, %x): load_modules failed",
1114 pamh->include_depth, pam_trace_cname(pamh),
1115 function_name, (void *)pamh, flags);
1116 goto exit_return;
1117 } /* PAM_INCLUDE */
1118 sm_func = func(modulep, ind);
1119 if (sm_func) {
1120 err = sm_func(pamh, flags, modulep->module_argc,
1121 (const char **)modulep->module_argv);
1122
1123 pam_trace(PAM_DEBUG_MODULE,
1124 "[%d:%s]:%s(%p, %x): %s returned %s",
1125 pamh->include_depth, pam_trace_cname(pamh),
1126 function_name, (void *)pamh, flags,
1127 modulep->module_path, pam_strerror(pamh, err));
1128
1129 switch (err) {
1130 case PAM_IGNORE:
1131 /* do nothing */
1132 break;
1133 case PAM_SUCCESS:
1134 if ((modulep->pam_flag & PAM_SUFFI_BIND) &&
1135 !required_error) {
1136 pamh->pam_inmodule = RW_OK;
1137 pam_trace(PAM_DEBUG_MODULE,
1138 "[%d:%s]:%s(%p, %x): %s: success",
1139 pamh->include_depth,
1140 pam_trace_cname(pamh),
1141 function_name, (void *)pamh, flags,
1142 (modulep->pam_flag & PAM_BINDING) ?
1143 PAM_BINDING_NAME :
1144 PAM_SUFFICIENT_NAME);
1145 goto exit_return;
1146 }
1147 success = 1;
1148 break;
1149 case PAM_TRY_AGAIN:
1150 /*
1151 * We need to return immediately, and
1152 * we shouldn't reset the AUTHTOK item
1153 * since it is not an error per-se.
1154 */
1155 pamh->pam_inmodule = RW_OK;
1156 pam_trace(PAM_DEBUG_MODULE,
1157 "[%d:%s]:%s(%p, %x): TRY_AGAIN: %s",
1158 pamh->include_depth, pam_trace_cname(pamh),
1159 function_name, (void *)pamh, flags,
1160 pam_strerror(pamh, required_error ?
1161 required_error : err));
1162 err = required_error ? required_error : err;
1163 goto exit_return;
1164 default:
1165 if (modulep->pam_flag & PAM_REQUISITE) {
1166 pamh->pam_inmodule = RW_OK;
1167 pam_trace(PAM_DEBUG_MODULE,
1168 "[%d:%s]:%s(%p, %x): requisite: %s",
1169 pamh->include_depth,
1170 pam_trace_cname(pamh),
1171 function_name, (void *)pamh, flags,
1172 pam_strerror(pamh,
1173 required_error ? required_error :
1174 err));
1175 err = required_error ?
1176 required_error : err;
1177 goto exit_return;
1178 } else if (modulep->pam_flag & PAM_REQRD_BIND) {
1179 if (!required_error)
1180 required_error = err;
1181 } else {
1182 if (!optional_error)
1183 optional_error = err;
1184 }
1185 pam_trace(PAM_DEBUG_DEFAULT,
1186 "[%d:%s]:%s(%p, %x): error %s",
1187 pamh->include_depth, pam_trace_cname(pamh),
1188 function_name, (void *)pamh, flags,
1189 pam_strerror(pamh, err));
1190 break;
1191 }
1192 }
1193 modulep = modulep->next;
1194 }
1195
1196 pam_trace(PAM_DEBUG_MODULE, "[%d:%s]:stack_end:%s(%p, %x): %s %s: %s",
1197 pamh->include_depth, pam_trace_cname(pamh), function_name,
1198 (void *)pamh, flags, pamh->include_depth ? "included" : "final",
1199 required_error ? "required" : success ? "success" :
1200 optional_error ? "optional" : "default",
1201 pam_strerror(pamh, required_error ? required_error :
1202 success ? PAM_SUCCESS : optional_error ? optional_error : def_err));
1203 if (pamh->include_depth > 0) {
1204 free_pam_conf_info(pamh);
1205 pamh->include_depth--;
1206 /* continue at next entry */
1207 modulep = pamh->pam_conf_modulep[pamh->include_depth];
1208 pam_trace(PAM_DEBUG_MODULE, "looping for include[%d:%p]",
1209 pamh->include_depth, (void *)modulep);
1210 goto include;
1211 }
1212 free_pam_conf_info(pamh);
1213 pamh->pam_inmodule = RW_OK;
1214 if (required_error != 0)
1215 return (required_error);
1216 else if (success != 0)
1217 return (PAM_SUCCESS);
1218 else if (optional_error != 0)
1219 return (optional_error);
1220 else
1221 return (def_err);
1222
1223 exit_return:
1224 /*
1225 * All done at whatever depth we're at.
1226 * Go back to not having read /etc/pam.conf
1227 */
1228 while (pamh->include_depth > 0) {
1229 free_pam_conf_info(pamh);
1230 pamh->include_depth--;
1231 }
1232 free_pam_conf_info(pamh);
1233 pamh->pam_inmodule = RW_OK;
1234 return (err);
1235 }
1236
1237 /*
1238 * pam_authenticate - authenticate a user
1239 */
1240
1241 int
1242 pam_authenticate(pam_handle_t *pamh, int flags)
1243 {
1244 int retval;
1245
1246 retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_AUTH_ERR,
1247 PAM_AUTHENTICATE, "pam_authenticate");
1248
1249 if (retval != PAM_SUCCESS)
1250 (void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1251 return (retval);
1252 }
1253
1254 /*
1255 * pam_setcred - modify or retrieve user credentials
1256 */
1257
1258 int
1259 pam_setcred(pam_handle_t *pamh, int flags)
1260 {
1261 int retval;
1262
1263 retval = run_stack(pamh, flags, PAM_AUTH_MODULE, PAM_CRED_ERR,
1264 PAM_SETCRED, "pam_setcred");
1265
1266 if (retval != PAM_SUCCESS)
1267 (void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1268 return (retval);
1269 }
1270
1271 /*
1272 * pam_acct_mgmt - check password aging, account expiration
1273 */
1274
1275 int
1276 pam_acct_mgmt(pam_handle_t *pamh, int flags)
1277 {
1278 int retval;
1279
1280 retval = run_stack(pamh, flags, PAM_ACCOUNT_MODULE, PAM_ACCT_EXPIRED,
1281 PAM_ACCT_MGMT, "pam_acct_mgmt");
1282
1283 if (retval != PAM_SUCCESS &&
1284 retval != PAM_NEW_AUTHTOK_REQD) {
1285 (void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1286 }
1287 return (retval);
1288 }
1289
1290 /*
1291 * pam_open_session - begin session management
1292 */
1293
1294 int
1295 pam_open_session(pam_handle_t *pamh, int flags)
1296 {
1297 int retval;
1298
1299 retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
1300 PAM_OPEN_SESSION, "pam_open_session");
1301
1302 if (retval != PAM_SUCCESS)
1303 (void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1304 return (retval);
1305 }
1306
1307 /*
1308 * pam_close_session - terminate session management
1309 */
1310
1311 int
1312 pam_close_session(pam_handle_t *pamh, int flags)
1313 {
1314 int retval;
1315
1316 retval = run_stack(pamh, flags, PAM_SESSION_MODULE, PAM_SESSION_ERR,
1317 PAM_CLOSE_SESSION, "pam_close_session");
1318
1319 if (retval != PAM_SUCCESS)
1320 (void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1321 return (retval);
1322 }
1323
1324 /*
1325 * pam_chauthtok - change user authentication token
1326 */
1327
1328 int
1329 pam_chauthtok(pam_handle_t *pamh, int flags)
1330 {
1331 int retval;
1332
1333 /* do not let apps use PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK */
1334 if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
1335 pam_trace(PAM_DEBUG_DEFAULT,
1336 "pam_chauthtok(%p, %x): %s", (void *)pamh, flags,
1337 pam_strerror(pamh, PAM_SYMBOL_ERR));
1338 return (PAM_SYMBOL_ERR);
1339 }
1340
1341 /* 1st pass: PRELIM CHECK */
1342 retval = run_stack(pamh, flags | PAM_PRELIM_CHECK, PAM_PASSWORD_MODULE,
1343 PAM_AUTHTOK_ERR, PAM_CHAUTHTOK, "pam_chauthtok-prelim");
1344
1345 if (retval == PAM_TRY_AGAIN)
1346 return (retval);
1347
1348 if (retval != PAM_SUCCESS) {
1349 (void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1350 return (retval);
1351 }
1352
1353 /* 2nd pass: UPDATE AUTHTOK */
1354 retval = run_stack(pamh, flags | PAM_UPDATE_AUTHTOK,
1355 PAM_PASSWORD_MODULE, PAM_AUTHTOK_ERR, PAM_CHAUTHTOK,
1356 "pam_chauthtok-update");
1357
1358 if (retval != PAM_SUCCESS)
1359 (void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
1360
1361 return (retval);
1362 }
1363
1364 /*
1365 * pam_putenv - add an environment variable to the PAM handle
1366 * if name_value == 'NAME=VALUE' then set variable to the value
1367 * if name_value == 'NAME=' then set variable to an empty value
1368 * if name_value == 'NAME' then delete the variable
1369 */
1370
1371 int
1372 pam_putenv(pam_handle_t *pamh, const char *name_value)
1373 {
1374 int error = PAM_SYSTEM_ERR;
1375 char *equal_sign = 0;
1376 char *name = NULL, *value = NULL, *tmp_value = NULL;
1377 env_list *traverse, *trail;
1378
1379 pam_trace(PAM_DEBUG_DEFAULT,
1380 "pam_putenv(%p, %s)", (void *)pamh,
1381 name_value ? name_value : "NULL");
1382
1383 if (pamh == NULL || name_value == NULL)
1384 goto out;
1385
1386 /* see if we were passed 'NAME=VALUE', 'NAME=', or 'NAME' */
1387 if ((equal_sign = strchr(name_value, '=')) != 0) {
1388 if ((name = calloc(equal_sign - name_value + 1,
1389 sizeof (char))) == 0) {
1390 error = PAM_BUF_ERR;
1391 goto out;
1392 }
1393 (void) strncpy(name, name_value, equal_sign - name_value);
1394 if ((value = strdup(++equal_sign)) == 0) {
1395 error = PAM_BUF_ERR;
1396 goto out;
1397 }
1398 } else {
1399 if ((name = strdup(name_value)) == 0) {
1400 error = PAM_BUF_ERR;
1401 goto out;
1402 }
1403 }
1404
1405 /* check to see if we already have this variable in the PAM handle */
1406 traverse = pamh->pam_env;
1407 trail = traverse;
1408 while (traverse && strncmp(traverse->name, name, strlen(name))) {
1409 trail = traverse;
1410 traverse = traverse->next;
1411 }
1412
1413 if (traverse) {
1414 /* found a match */
1415 if (value == 0) {
1416 /* remove the env variable */
1417 if (pamh->pam_env == traverse)
1418 pamh->pam_env = traverse->next;
1419 else
1420 trail->next = traverse->next;
1421 free_env(traverse);
1422 } else if (strlen(value) == 0) {
1423 /* set env variable to empty value */
1424 if ((tmp_value = strdup("")) == 0) {
1425 error = PAM_SYSTEM_ERR;
1426 goto out;
1427 }
1428 free(traverse->value);
1429 traverse->value = tmp_value;
1430 } else {
1431 /* set the new value */
1432 if ((tmp_value = strdup(value)) == 0) {
1433 error = PAM_SYSTEM_ERR;
1434 goto out;
1435 }
1436 free(traverse->value);
1437 traverse->value = tmp_value;
1438 }
1439
1440 } else if (traverse == 0 && value) {
1441 /*
1442 * could not find a match in the PAM handle.
1443 * add the new value if there is one
1444 */
1445 if ((traverse = calloc(1, sizeof (env_list))) == 0) {
1446 error = PAM_BUF_ERR;
1447 goto out;
1448 }
1449 if ((traverse->name = strdup(name)) == 0) {
1450 free_env(traverse);
1451 error = PAM_BUF_ERR;
1452 goto out;
1453 }
1454 if ((traverse->value = strdup(value)) == 0) {
1455 free_env(traverse);
1456 error = PAM_BUF_ERR;
1457 goto out;
1458 }
1459 if (trail == 0) {
1460 /* new head of list */
1461 pamh->pam_env = traverse;
1462 } else {
1463 /* adding to end of list */
1464 trail->next = traverse;
1465 }
1466 }
1467
1468 error = PAM_SUCCESS;
1469 out:
1470 if (error != PAM_SUCCESS) {
1471 if (traverse) {
1472 free(traverse->name);
1473 free(traverse->value);
1474 free(traverse);
1475 }
1476 }
1477 free(name);
1478 free(value);
1479 return (error);
1480 }
1481
1482 /*
1483 * pam_getenv - retrieve an environment variable from the PAM handle
1484 */
1485 char *
1486 pam_getenv(pam_handle_t *pamh, const char *name)
1487 {
1488 int error = PAM_SYSTEM_ERR;
1489 env_list *traverse;
1490
1491 pam_trace(PAM_DEBUG_DEFAULT,
1492 "pam_getenv(%p, %p)", (void *)pamh, (void *)name);
1493
1494 if (pamh == NULL || name == NULL)
1495 goto out;
1496
1497 /* check to see if we already have this variable in the PAM handle */
1498 traverse = pamh->pam_env;
1499 while (traverse && strncmp(traverse->name, name, strlen(name))) {
1500 traverse = traverse->next;
1501 }
1502 error = (traverse ? PAM_SUCCESS : PAM_SYSTEM_ERR);
1503 pam_trace(PAM_DEBUG_DEFAULT,
1504 "pam_getenv(%p, %s)=%s", (void *)pamh, name,
1505 traverse ? traverse->value : "NULL");
1506 out:
1507 return (error ? NULL : strdup(traverse->value));
1508 }
1509
1510 /*
1511 * pam_getenvlist - retrieve all environment variables from the PAM handle
1512 * in a NULL terminated array. On error, return NULL.
1513 */
1514 char **
1515 pam_getenvlist(pam_handle_t *pamh)
1516 {
1517 int error = PAM_SYSTEM_ERR;
1518 char **list = 0;
1519 int length = 0;
1520 env_list *traverse;
1521 char *tenv;
1522 size_t tenv_size;
1523
1524 pam_trace(PAM_DEBUG_DEFAULT,
1525 "pam_getenvlist(%p)", (void *)pamh);
1526
1527 if (pamh == NULL)
1528 goto out;
1529
1530 /* find out how many environment variables we have */
1531 traverse = pamh->pam_env;
1532 while (traverse) {
1533 length++;
1534 traverse = traverse->next;
1535 }
1536
1537 /* allocate the array we will return to the caller */
1538 if ((list = calloc(length + 1, sizeof (char *))) == NULL) {
1539 error = PAM_BUF_ERR;
1540 goto out;
1541 }
1542
1543 /* add the variables one by one */
1544 length = 0;
1545 traverse = pamh->pam_env;
1546 while (traverse != NULL) {
1547 tenv_size = strlen(traverse->name) +
1548 strlen(traverse->value) + 2; /* name=val\0 */
1549 if ((tenv = malloc(tenv_size)) == NULL) {
1550 error = PAM_BUF_ERR;
1551 goto out;
1552 }
1553 /*LINTED*/
1554 (void) sprintf(tenv, "%s=%s", traverse->name, traverse->value);
1555 list[length++] = tenv;
1556 traverse = traverse->next;
1557 }
1558 list[length] = NULL;
1559
1560 error = PAM_SUCCESS;
1561 out:
1562 if (error != PAM_SUCCESS) {
1563 /* free the partially constructed list */
1564 if (list) {
1565 length = 0;
1566 while (list[length] != NULL) {
1567 free(list[length]);
1568 length++;
1569 }
1570 free(list);
1571 }
1572 }
1573 return (error ? NULL : list);
1574 }
1575
1576 /*
1577 * Routines to load a requested module on demand
1578 */
1579
1580 /*
1581 * load_modules - load the requested module.
1582 * if the dlopen or dlsym fail, then
1583 * the module is ignored.
1584 */
1585
1586 static int
1587 load_modules(pam_handle_t *pamh, int type, char *function_name,
1588 pamtab_t *pam_entry)
1589 {
1590 void *mh;
1591 struct auth_module *authp;
1592 struct account_module *accountp;
1593 struct session_module *sessionp;
1594 struct password_module *passwdp;
1595 int loading_functions = 0; /* are we currently loading functions? */
1596
1597 pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=%s:%s",
1598 pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1599 function_name, pam_trace_fname(pam_entry->pam_flag),
1600 pam_entry->module_path);
1601
1602 while (pam_entry != NULL) {
1603 pam_trace(PAM_DEBUG_DEFAULT,
1604 "while load_modules[%d:%s](%p, %s)=%s",
1605 pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1606 function_name, pam_entry->module_path);
1607
1608 if (pam_entry->pam_flag & PAM_INCLUDE) {
1609 pam_trace(PAM_DEBUG_DEFAULT,
1610 "done load_modules[%d:%s](%p, %s)=%s",
1611 pamh->include_depth, pam_trace_cname(pamh),
1612 (void *)pamh, function_name,
1613 pam_entry->module_path);
1614 return (PAM_SUCCESS);
1615 }
1616 switch (type) {
1617 case PAM_AUTH_MODULE:
1618
1619 /* if the function has already been loaded, return */
1620 authp = pam_entry->function_ptr;
1621 if (!loading_functions &&
1622 (((strcmp(function_name, PAM_SM_AUTHENTICATE)
1623 == 0) && authp && authp->pam_sm_authenticate) ||
1624 ((strcmp(function_name, PAM_SM_SETCRED) == 0) &&
1625 authp && authp->pam_sm_setcred))) {
1626 return (PAM_SUCCESS);
1627 }
1628
1629 /* function has not been loaded yet */
1630 loading_functions = 1;
1631 if (authp == NULL) {
1632 authp = calloc(1, sizeof (struct auth_module));
1633 if (authp == NULL)
1634 return (PAM_BUF_ERR);
1635 }
1636
1637 /* if open_module fails, return error */
1638 if ((mh = open_module(pamh,
1639 pam_entry->module_path)) == NULL) {
1640 __pam_log(LOG_AUTH | LOG_ERR,
1641 "load_modules[%d:%s]: can not open module "
1642 "%s", pamh->include_depth,
1643 pam_trace_cname(pamh),
1644 pam_entry->module_path);
1645 free(authp);
1646 return (PAM_OPEN_ERR);
1647 }
1648
1649 /* load the authentication function */
1650 if (strcmp(function_name, PAM_SM_AUTHENTICATE) == 0) {
1651 if (load_function(mh, PAM_SM_AUTHENTICATE,
1652 &authp->pam_sm_authenticate)
1653 != PAM_SUCCESS) {
1654 /* return error if dlsym fails */
1655 free(authp);
1656 return (PAM_SYMBOL_ERR);
1657 }
1658
1659 /* load the setcred function */
1660 } else if (strcmp(function_name, PAM_SM_SETCRED) == 0) {
1661 if (load_function(mh, PAM_SM_SETCRED,
1662 &authp->pam_sm_setcred) != PAM_SUCCESS) {
1663 /* return error if dlsym fails */
1664 free(authp);
1665 return (PAM_SYMBOL_ERR);
1666 }
1667 }
1668 pam_entry->function_ptr = authp;
1669 break;
1670 case PAM_ACCOUNT_MODULE:
1671 accountp = pam_entry->function_ptr;
1672 if (!loading_functions &&
1673 (strcmp(function_name, PAM_SM_ACCT_MGMT) == 0) &&
1674 accountp && accountp->pam_sm_acct_mgmt) {
1675 return (PAM_SUCCESS);
1676 }
1677
1678 /*
1679 * If functions are added to the account module,
1680 * verify that one of the other functions hasn't
1681 * already loaded it. See PAM_AUTH_MODULE code.
1682 */
1683 loading_functions = 1;
1684 accountp = calloc(1, sizeof (struct account_module));
1685 if (accountp == NULL)
1686 return (PAM_BUF_ERR);
1687
1688 /* if open_module fails, return error */
1689 if ((mh = open_module(pamh,
1690 pam_entry->module_path)) == NULL) {
1691 __pam_log(LOG_AUTH | LOG_ERR,
1692 "load_modules[%d:%s]: can not open module "
1693 "%s", pamh->include_depth,
1694 pam_trace_cname(pamh),
1695 pam_entry->module_path);
1696 free(accountp);
1697 return (PAM_OPEN_ERR);
1698 }
1699
1700 if (load_function(mh, PAM_SM_ACCT_MGMT,
1701 &accountp->pam_sm_acct_mgmt) != PAM_SUCCESS) {
1702 __pam_log(LOG_AUTH | LOG_ERR,
1703 "load_modules[%d:%s]: pam_sm_acct_mgmt() "
1704 "missing", pamh->include_depth,
1705 pam_trace_cname(pamh));
1706 free(accountp);
1707 return (PAM_SYMBOL_ERR);
1708 }
1709 pam_entry->function_ptr = accountp;
1710 break;
1711 case PAM_SESSION_MODULE:
1712 sessionp = pam_entry->function_ptr;
1713 if (!loading_functions &&
1714 (((strcmp(function_name,
1715 PAM_SM_OPEN_SESSION) == 0) &&
1716 sessionp && sessionp->pam_sm_open_session) ||
1717 ((strcmp(function_name,
1718 PAM_SM_CLOSE_SESSION) == 0) &&
1719 sessionp && sessionp->pam_sm_close_session))) {
1720 return (PAM_SUCCESS);
1721 }
1722
1723 loading_functions = 1;
1724 if (sessionp == NULL) {
1725 sessionp = calloc(1,
1726 sizeof (struct session_module));
1727 if (sessionp == NULL)
1728 return (PAM_BUF_ERR);
1729 }
1730
1731 /* if open_module fails, return error */
1732 if ((mh = open_module(pamh,
1733 pam_entry->module_path)) == NULL) {
1734 __pam_log(LOG_AUTH | LOG_ERR,
1735 "load_modules[%d:%s]: can not open module "
1736 "%s", pamh->include_depth,
1737 pam_trace_cname(pamh),
1738 pam_entry->module_path);
1739 free(sessionp);
1740 return (PAM_OPEN_ERR);
1741 }
1742
1743 if ((strcmp(function_name, PAM_SM_OPEN_SESSION) == 0) &&
1744 load_function(mh, PAM_SM_OPEN_SESSION,
1745 &sessionp->pam_sm_open_session) != PAM_SUCCESS) {
1746 free(sessionp);
1747 return (PAM_SYMBOL_ERR);
1748 } else if ((strcmp(function_name,
1749 PAM_SM_CLOSE_SESSION) == 0) &&
1750 load_function(mh, PAM_SM_CLOSE_SESSION,
1751 &sessionp->pam_sm_close_session) != PAM_SUCCESS) {
1752 free(sessionp);
1753 return (PAM_SYMBOL_ERR);
1754 }
1755 pam_entry->function_ptr = sessionp;
1756 break;
1757 case PAM_PASSWORD_MODULE:
1758 passwdp = pam_entry->function_ptr;
1759 if (!loading_functions &&
1760 (strcmp(function_name, PAM_SM_CHAUTHTOK) == 0) &&
1761 passwdp && passwdp->pam_sm_chauthtok) {
1762 return (PAM_SUCCESS);
1763 }
1764
1765 /*
1766 * If functions are added to the password module,
1767 * verify that one of the other functions hasn't
1768 * already loaded it. See PAM_AUTH_MODULE code.
1769 */
1770 loading_functions = 1;
1771 passwdp = calloc(1, sizeof (struct password_module));
1772 if (passwdp == NULL)
1773 return (PAM_BUF_ERR);
1774
1775 /* if open_module fails, continue */
1776 if ((mh = open_module(pamh,
1777 pam_entry->module_path)) == NULL) {
1778 __pam_log(LOG_AUTH | LOG_ERR,
1779 "load_modules[%d:%s]: can not open module "
1780 "%s", pamh->include_depth,
1781 pam_trace_cname(pamh),
1782 pam_entry->module_path);
1783 free(passwdp);
1784 return (PAM_OPEN_ERR);
1785 }
1786
1787 if (load_function(mh, PAM_SM_CHAUTHTOK,
1788 &passwdp->pam_sm_chauthtok) != PAM_SUCCESS) {
1789 free(passwdp);
1790 return (PAM_SYMBOL_ERR);
1791 }
1792 pam_entry->function_ptr = passwdp;
1793 break;
1794 default:
1795 pam_trace(PAM_DEBUG_DEFAULT,
1796 "load_modules[%d:%s](%p, %s): unsupported type %d",
1797 pamh->include_depth, pam_trace_cname(pamh),
1798 (void *)pamh, function_name, type);
1799 break;
1800 }
1801
1802 pam_entry = pam_entry->next;
1803 } /* while */
1804
1805 pam_trace(PAM_DEBUG_MODULE, "load_modules[%d:%s](%p, %s)=done",
1806 pamh->include_depth, pam_trace_cname(pamh), (void *)pamh,
1807 function_name);
1808
1809 return (PAM_SUCCESS);
1810 }
1811
1812 /*
1813 * open_module - Open the module first checking for
1814 * propers modes and ownerships on the file.
1815 */
1816
1817 static void *
1818 open_module(pam_handle_t *pamh, char *module_so)
1819 {
1820 struct stat64 stb;
1821 char *errmsg;
1822 void *lfd;
1823 fd_list *module_fds = 0;
1824 fd_list *trail = 0;
1825 fd_list *traverse = 0;
1826
1827 /* Check the ownership and file modes */
1828 if (stat64(module_so, &stb) < 0) {
1829 __pam_log(LOG_AUTH | LOG_ERR,
1830 "open_module[%d:%s]: stat(%s) failed: %s",
1831 pamh->include_depth, pam_trace_cname(pamh), module_so,
1832 strerror(errno));
1833 return (NULL);
1834 }
1835 if (stb.st_uid != (uid_t)0) {
1836 __pam_log(LOG_AUTH | LOG_ALERT,
1837 "open_module[%d:%s]: Owner of the module %s is not root",
1838 pamh->include_depth, pam_trace_cname(pamh), module_so);
1839 return (NULL);
1840 }
1841 if (stb.st_mode & S_IWGRP) {
1842 __pam_log(LOG_AUTH | LOG_ALERT,
1843 "open_module[%d:%s]: module %s writable by group",
1844 pamh->include_depth, pam_trace_cname(pamh), module_so);
1845 return (NULL);
1846 }
1847 if (stb.st_mode & S_IWOTH) {
1848 __pam_log(LOG_AUTH | LOG_ALERT,
1849 "open_module[%d:%s]: module %s writable by world",
1850 pamh->include_depth, pam_trace_cname(pamh), module_so);
1851 return (NULL);
1852 }
1853
1854 /*
1855 * Perform the dlopen()
1856 */
1857 lfd = (void *)dlopen(module_so, RTLD_LAZY);
1858
1859 if (lfd == NULL) {
1860 errmsg = dlerror();
1861 __pam_log(LOG_AUTH | LOG_ERR, "open_module[%d:%s]: %s "
1862 "failed: %s", pamh->include_depth, pam_trace_cname(pamh),
1863 module_so, errmsg != NULL ? errmsg : "Unknown error");
1864 return (NULL);
1865 } else {
1866 /* add this fd to the pam handle */
1867 if ((module_fds = calloc(1, sizeof (fd_list))) == 0) {
1868 (void) dlclose(lfd);
1869 lfd = 0;
1870 return (NULL);
1871 }
1872 module_fds->mh = lfd;
1873
1874 if (pamh->fd == 0) {
1875 /* adding new head of list */
1876 pamh->fd = module_fds;
1877 } else {
1878 /* appending to end of list */
1879 traverse = pamh->fd;
1880 while (traverse) {
1881 trail = traverse;
1882 traverse = traverse->next;
1883 }
1884 trail->next = module_fds;
1885 }
1886 }
1887
1888 return (lfd);
1889 }
1890
1891 /*
1892 * load_function - call dlsym() to resolve the function address
1893 */
1894 static int
1895 load_function(void *lfd, char *name, int (**func)())
1896 {
1897 char *errmsg = NULL;
1898
1899 if (lfd == NULL)
1900 return (PAM_SYMBOL_ERR);
1901
1902 *func = (int (*)())dlsym(lfd, name);
1903 if (*func == NULL) {
1904 errmsg = dlerror();
1905 __pam_log(LOG_AUTH | LOG_ERR, "dlsym failed %s: error %s",
1906 name, errmsg != NULL ? errmsg : "Unknown error");
1907 return (PAM_SYMBOL_ERR);
1908 }
1909
1910 pam_trace(PAM_DEBUG_DEFAULT,
1911 "load_function: successful load of %s", name);
1912 return (PAM_SUCCESS);
1913 }
1914
1915 /*
1916 * Routines to read the pam.conf configuration file
1917 */
1918
1919 /*
1920 * open_pam_conf - open the pam.conf config file
1921 */
1922
1923 static int
1924 open_pam_conf(struct pam_fh **pam_fh, pam_handle_t *pamh, char *config,
1925 int shardfile)
1926 {
1927 struct stat64 stb;
1928 int fd;
1929
1930 if ((fd = open(config, O_RDONLY)) == -1) {
1931 if (!shardfile)
1932 __pam_log(LOG_AUTH | LOG_ALERT,
1933 "open_pam_conf[%d:%s]: open(%s) failed: %s",
1934 pamh->include_depth, pam_trace_cname(pamh), config,
1935 strerror(errno));
1936 return (0);
1937 }
1938 /* Check the ownership and file modes */
1939 if (fstat64(fd, &stb) < 0) {
1940 __pam_log(LOG_AUTH | LOG_ALERT,
1941 "open_pam_conf[%d:%s]: stat(%s) failed: %s",
1942 pamh->include_depth, pam_trace_cname(pamh), config,
1943 strerror(errno));
1944 (void) close(fd);
1945 return (0);
1946 }
1947 if (stb.st_uid != (uid_t)0) {
1948 __pam_log(LOG_AUTH | LOG_ALERT,
1949 "open_pam_conf[%d:%s]: Owner of %s is not root",
1950 pamh->include_depth, pam_trace_cname(pamh), config);
1951 (void) close(fd);
1952 return (0);
1953 }
1954 if (stb.st_mode & S_IWGRP) {
1955 __pam_log(LOG_AUTH | LOG_ALERT,
1956 "open_pam_conf[%d:%s]: %s writable by group",
1957 pamh->include_depth, pam_trace_cname(pamh), config);
1958 (void) close(fd);
1959 return (0);
1960 }
1961 if (stb.st_mode & S_IWOTH) {
1962 __pam_log(LOG_AUTH | LOG_ALERT,
1963 "open_pam_conf[%d:%s]: %s writable by world",
1964 pamh->include_depth, pam_trace_cname(pamh), config);
1965 (void) close(fd);
1966 return (0);
1967 }
1968 if ((*pam_fh = calloc(1, sizeof (struct pam_fh))) == NULL) {
1969 (void) close(fd);
1970 return (0);
1971 }
1972 (*pam_fh)->fconfig = fd;
1973 (*pam_fh)->bufsize = (size_t)stb.st_size;
1974 if (((*pam_fh)->data = mmap(NULL, (*pam_fh)->bufsize, PROT_READ,
1975 MAP_PRIVATE, (*pam_fh)->fconfig, 0)) == MAP_FAILED) {
1976 (void) close(fd);
1977 free (*pam_fh);
1978 return (0);
1979 }
1980 (*pam_fh)->bufferp = (*pam_fh)->data;
1981
1982 return (1);
1983 }
1984
1985 /*
1986 * close_pam_conf - close pam.conf
1987 */
1988
1989 static void
1990 close_pam_conf(struct pam_fh *pam_fh)
1991 {
1992 (void) munmap(pam_fh->data, pam_fh->bufsize);
1993 (void) close(pam_fh->fconfig);
1994 free(pam_fh);
1995 }
1996
1997 /*
1998 * read_pam_conf - read in each entry in pam.conf and store info
1999 * under the pam handle.
2000 */
2001
2002 static int
2003 read_pam_conf(pam_handle_t *pamh, char *config, char *service)
2004 {
2005 struct pam_fh *pam_fh;
2006 pamtab_t *pamentp;
2007 pamtab_t *tpament;
2008 int error;
2009 int i = pamh->include_depth; /* include depth */
2010 int j;
2011 int shardfile = 1;
2012 /*
2013 * service types:
2014 * error (-1), "auth" (0), "account" (1), "session" (2), "password" (3)
2015 */
2016 int service_found[PAM_NUM_MODULE_TYPES+1] = {0, 0, 0, 0, 0};
2017
2018 pamh->pam_conf_name[i] = strdup(config);
2019 pam_trace(PAM_DEBUG_CONF, "read_pam_conf[%d:%s](%p) open(%s)",
2020 i, pam_trace_cname(pamh), (void *)pamh, config);
2021 if (open_pam_conf(&pam_fh, pamh, config, 1) == 0) {
2022 /* fall back to /etc/pam.conf */
2023 config = PAM_CONFIG;
2024 shardfile = 0;
2025
2026 pam_trace(PAM_DEBUG_CONF, "read_pam_conf[%d:%s](%p) open(%s)",
2027 i, pam_trace_cname(pamh), (void *)pamh, PAM_CONFIG);
2028 if (open_pam_conf(&pam_fh, pamh, config, 0) == 0)
2029 return (PAM_SYSTEM_ERR);
2030 }
2031
2032 while ((error =
2033 get_pam_conf_entry(pam_fh, pamh, &pamentp, service, shardfile))
2034 == PAM_SUCCESS && pamentp) {
2035
2036 /* See if entry is this service and valid */
2037 if (verify_pam_conf(pamentp, service)) {
2038 pam_trace(PAM_DEBUG_CONF,
2039 "read_pam_conf[%d:%s](%p): bad entry error %s",
2040 i, pam_trace_cname(pamh), (void *)pamh, service);
2041
2042 error = PAM_SYSTEM_ERR;
2043 free_pamconf(pamentp);
2044 goto out;
2045 }
2046 if (strcasecmp(pamentp->pam_service, service) == 0) {
2047 pam_trace(PAM_DEBUG_CONF,
2048 "read_pam_conf[%d:%s](%p): processing %s",
2049 i, pam_trace_cname(pamh), (void *)pamh, service);
2050 /* process first service entry */
2051 if (service_found[pamentp->pam_type + 1] == 0) {
2052 /* purge "other" entries */
2053 while ((tpament = pamh->pam_conf_info[i]
2054 [pamentp->pam_type]) != NULL) {
2055 pam_trace(PAM_DEBUG_CONF,
2056 "read_pam_conf(%p): purging "
2057 "\"other\"[%d:%s][%s]",
2058 (void *)pamh, i,
2059 pam_trace_cname(pamh),
2060 pam_snames[pamentp->pam_type]);
2061 pamh->pam_conf_info[i]
2062 [pamentp->pam_type] = tpament->next;
2063 free_pamconf(tpament);
2064 }
2065 /* add first service entry */
2066 pam_trace(PAM_DEBUG_CONF,
2067 "read_pam_conf(%p): adding 1st "
2068 "%s[%d:%s][%s]",
2069 (void *)pamh, service, i,
2070 pam_trace_cname(pamh),
2071 pam_snames[pamentp->pam_type]);
2072 pamh->pam_conf_info[i][pamentp->pam_type] =
2073 pamentp;
2074 service_found[pamentp->pam_type + 1] = 1;
2075 } else {
2076 /* append more service entries */
2077 pam_trace(PAM_DEBUG_CONF,
2078 "read_pam_conf(%p): adding more "
2079 "%s[%d:%s][%s]",
2080 (void *)pamh, service, i,
2081 pam_trace_cname(pamh),
2082 pam_snames[pamentp->pam_type]);
2083 tpament =
2084 pamh->pam_conf_info[i][pamentp->pam_type];
2085 while (tpament->next != NULL) {
2086 tpament = tpament->next;
2087 }
2088 tpament->next = pamentp;
2089 }
2090 } else if (service_found[pamentp->pam_type + 1] == 0) {
2091 /* See if "other" entry available and valid */
2092 if (verify_pam_conf(pamentp, "other")) {
2093 pam_trace(PAM_DEBUG_CONF,
2094 "read_pam_conf(%p): bad entry error %s "
2095 "\"other\"[%d:%s]",
2096 (void *)pamh, service, i,
2097 pam_trace_cname(pamh));
2098 error = PAM_SYSTEM_ERR;
2099 free_pamconf(pamentp);
2100 goto out;
2101 }
2102 if (strcasecmp(pamentp->pam_service, "other") == 0) {
2103 pam_trace(PAM_DEBUG_CONF,
2104 "read_pam_conf(%p): processing "
2105 "\"other\"[%d:%s]", (void *)pamh, i,
2106 pam_trace_cname(pamh));
2107 if ((tpament = pamh->pam_conf_info[i]
2108 [pamentp->pam_type]) == NULL) {
2109 /* add first "other" entry */
2110 pam_trace(PAM_DEBUG_CONF,
2111 "read_pam_conf(%p): adding 1st "
2112 "other[%d:%s][%s]", (void *)pamh, i,
2113 pam_trace_cname(pamh),
2114 pam_snames[pamentp->pam_type]);
2115 pamh->pam_conf_info[i]
2116 [pamentp->pam_type] = pamentp;
2117 } else {
2118 /* append more "other" entries */
2119 pam_trace(PAM_DEBUG_CONF,
2120 "read_pam_conf(%p): adding more "
2121 "other[%d:%s][%s]", (void *)pamh, i,
2122 pam_trace_cname(pamh),
2123 pam_snames[pamentp->pam_type]);
2124 while (tpament->next != NULL) {
2125 tpament = tpament->next;
2126 }
2127 tpament->next = pamentp;
2128 }
2129 } else {
2130 /* irrelevant entry */
2131 free_pamconf(pamentp);
2132 }
2133 } else {
2134 /* irrelevant entry */
2135 free_pamconf(pamentp);
2136 }
2137 }
2138
2139 /*
2140 * If we have no entries for this module type (e.g. "account"), then
2141 * generate a single "include" rule for the shard file "other" as a
2142 * fallback.
2143 */
2144 if (strcasecmp(service, "other") == 0)
2145 goto out;
2146
2147 for (j = 0; j < PAM_NUM_MODULE_TYPES; j++) {
2148 pamtab_t *pe;
2149
2150 if (service_found[j + 1] != 0 ||
2151 pamh->pam_conf_info[i][j] != NULL)
2152 continue;
2153
2154 pe = calloc(1, sizeof (pamtab_t));
2155
2156 pam_trace(PAM_DEBUG_CONF, "read_pam_conf(%p): falling back to "
2157 "\"other\" for module type \"%s\" in service \"%s\"",
2158 (void *)pamh, pam_snames[j], service);
2159 if (pe == NULL) {
2160 error = PAM_SYSTEM_ERR;
2161 __pam_log(LOG_AUTH | LOG_ERR, "calloc: out of memory");
2162 goto out;
2163 }
2164
2165 pe->pam_service = strdup(service);
2166 pe->pam_type = j;
2167 pe->pam_flag = PAM_INCLUDE;
2168 if (asprintf(&pe->module_path, "%s%s", PAM_CONFIG_DIR,
2169 "other") < 0) {
2170 free(pe);
2171 error = PAM_SYSTEM_ERR;
2172 __pam_log(LOG_AUTH | LOG_ERR, "asprintf: out of memory");
2173 goto out;
2174 }
2175
2176 pamh->pam_conf_info[i][j] = pe;
2177 }
2178
2179 out:
2180 (void) close_pam_conf(pam_fh);
2181 if (error != PAM_SUCCESS)
2182 free_pam_conf_info(pamh);
2183 return (error);
2184 }
2185
2186 /*
2187 * get_pam_conf_entry - get a pam.conf entry
2188 */
2189
2190 static int
2191 get_pam_conf_entry(struct pam_fh *pam_fh, pam_handle_t *pamh, pamtab_t **pam,
2192 char *service, int shardfile)
2193 {
2194 char *cp, *arg;
2195 int argc;
2196 char *tmp, *tmp_free;
2197 int i;
2198 char *current_line = NULL;
2199 int error = PAM_SYSTEM_ERR; /* preset to error */
2200 int err;
2201
2202 /* get the next line from pam.conf */
2203 if ((cp = nextline(pam_fh, pamh, &err)) == NULL) {
2204 /* no more lines in pam.conf ==> return */
2205 error = PAM_SUCCESS;
2206 *pam = NULL;
2207 goto out;
2208 }
2209
2210 if ((*pam = calloc(1, sizeof (pamtab_t))) == NULL) {
2211 __pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2212 goto out;
2213 }
2214
2215 /* copy full line for error reporting */
2216 if ((current_line = strdup(cp)) == NULL) {
2217 __pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2218 goto out;
2219 }
2220
2221 pam_trace(PAM_DEBUG_CONF,
2222 "pam.conf[%s] entry:\t%s", pam_trace_cname(pamh), current_line);
2223
2224 if (shardfile) {
2225 /*
2226 * If this is an /etc/pam.d shard file, then the service name
2227 * comes from the file name of the shard.
2228 */
2229 if (((*pam)->pam_service = strdup(service)) == 0) {
2230 __pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2231 goto out;
2232 }
2233 } else {
2234 /* get service name (e.g. login, su, passwd) */
2235 if ((arg = read_next_token(&cp)) == 0) {
2236 __pam_log(LOG_AUTH | LOG_CRIT,
2237 "illegal pam.conf[%s] entry: %s: missing SERVICE "
2238 "NAME", pam_trace_cname(pamh), current_line);
2239 goto out;
2240 }
2241 if (((*pam)->pam_service = strdup(arg)) == 0) {
2242 __pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2243 goto out;
2244 }
2245 }
2246
2247 /* get module type (e.g. authentication, acct mgmt) */
2248 if ((arg = read_next_token(&cp)) == 0) {
2249 __pam_log(LOG_AUTH | LOG_CRIT,
2250 "illegal pam.conf[%s] entry: %s: missing MODULE TYPE",
2251 pam_trace_cname(pamh), current_line);
2252 (*pam)->pam_type = -1; /* 0 is a valid value */
2253 goto getflag;
2254 }
2255 if (strcasecmp(arg, PAM_AUTH_NAME) == 0) {
2256 (*pam)->pam_type = PAM_AUTH_MODULE;
2257 } else if (strcasecmp(arg, PAM_ACCOUNT_NAME) == 0) {
2258 (*pam)->pam_type = PAM_ACCOUNT_MODULE;
2259 } else if (strcasecmp(arg, PAM_SESSION_NAME) == 0) {
2260 (*pam)->pam_type = PAM_SESSION_MODULE;
2261 } else if (strcasecmp(arg, PAM_PASSWORD_NAME) == 0) {
2262 (*pam)->pam_type = PAM_PASSWORD_MODULE;
2263 } else {
2264 /* error */
2265 __pam_log(LOG_AUTH | LOG_CRIT,
2266 "illegal pam.conf[%s] entry: %s: invalid module "
2267 "type: %s", pam_trace_cname(pamh), current_line, arg);
2268 (*pam)->pam_type = -1; /* 0 is a valid value */
2269 }
2270
2271 getflag:
2272 /* get pam flag (e.g., requisite, required, sufficient, optional) */
2273 if ((arg = read_next_token(&cp)) == 0) {
2274 __pam_log(LOG_AUTH | LOG_CRIT,
2275 "illegal pam.conf[%s] entry: %s: missing CONTROL FLAG",
2276 pam_trace_cname(pamh), current_line);
2277 goto getpath;
2278 }
2279 if (strcasecmp(arg, PAM_BINDING_NAME) == 0) {
2280 (*pam)->pam_flag = PAM_BINDING;
2281 } else if (strcasecmp(arg, PAM_INCLUDE_NAME) == 0) {
2282 (*pam)->pam_flag = PAM_INCLUDE;
2283 } else if (strcasecmp(arg, PAM_OPTIONAL_NAME) == 0) {
2284 (*pam)->pam_flag = PAM_OPTIONAL;
2285 } else if (strcasecmp(arg, PAM_REQUIRED_NAME) == 0) {
2286 (*pam)->pam_flag = PAM_REQUIRED;
2287 } else if (strcasecmp(arg, PAM_REQUISITE_NAME) == 0) {
2288 (*pam)->pam_flag = PAM_REQUISITE;
2289 } else if (strcasecmp(arg, PAM_SUFFICIENT_NAME) == 0) {
2290 (*pam)->pam_flag = PAM_SUFFICIENT;
2291 } else {
2292 /* error */
2293 __pam_log(LOG_AUTH | LOG_CRIT,
2294 "illegal pam.conf[%s] entry: %s",
2295 pam_trace_cname(pamh), current_line);
2296 __pam_log(LOG_AUTH | LOG_CRIT,
2297 "\tinvalid control flag: %s", arg);
2298 }
2299
2300 getpath:
2301 /* get module path (e.g. /usr/lib/security/pam_unix_auth.so.1) */
2302 if ((arg = read_next_token(&cp)) == 0) {
2303 __pam_log(LOG_AUTH | LOG_CRIT,
2304 "illegal pam.conf[%s] entry: %s: missing MODULE PATH",
2305 pam_trace_cname(pamh), current_line);
2306 error = PAM_SUCCESS; /* success */
2307 goto out;
2308 }
2309 if (arg[0] != '/') {
2310 int ret;
2311 /*
2312 * If module path does not start with "/", then
2313 * prepend PAM_LIB_DIR (/usr/lib/security/).
2314 */
2315 if ((*pam)->pam_flag & PAM_INCLUDE) {
2316 /*
2317 * If this is an /etc/pam.d shard, we want to get
2318 * included files from /etc/pam.d rather than
2319 * /usr/lib/security.
2320 */
2321 ret = asprintf(&(*pam)->module_path, "%s%s",
2322 (shardfile ? PAM_CONFIG_DIR : PAM_LIB_DIR), arg);
2323 } else {
2324 ret = asprintf(&(*pam)->module_path, "%s%s%s",
2325 PAM_LIB_DIR, PAM_ISA_DIR, arg);
2326 }
2327 if (ret < 0) {
2328 __pam_log(LOG_AUTH | LOG_ERR,
2329 "asprintf: out of memory");
2330 goto out;
2331 }
2332 } else {
2333 /* Full path provided for module */
2334 char *isa;
2335
2336 /* Check for Instruction Set Architecture indicator */
2337 if ((isa = strstr(arg, PAM_ISA)) != NULL) {
2338 size_t len;
2339 len = strlen(arg) - (sizeof (PAM_ISA)-1) +
2340 sizeof (PAM_ISA_DIR);
2341
2342 /* substitute the architecture dependent path */
2343 if (((*pam)->module_path = malloc(len)) == NULL) {
2344 __pam_log(LOG_AUTH | LOG_ERR,
2345 "strdup: out of memory");
2346 goto out;
2347 }
2348 *isa = '\000';
2349 isa += strlen(PAM_ISA);
2350 (void) snprintf((*pam)->module_path, len, "%s%s%s",
2351 arg, PAM_ISA_DIR, isa);
2352 } else if (((*pam)->module_path = strdup(arg)) == 0) {
2353 __pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2354 goto out;
2355 }
2356 }
2357
2358 /* count the number of module-specific options first */
2359 argc = 0;
2360 if ((tmp = strdup(cp)) == NULL) {
2361 __pam_log(LOG_AUTH | LOG_ERR, "strdup: out of memory");
2362 goto out;
2363 }
2364 tmp_free = tmp;
2365 for (arg = read_next_token(&tmp); arg; arg = read_next_token(&tmp))
2366 argc++;
2367 free(tmp_free);
2368
2369 /* allocate array for the module-specific options */
2370 if (argc > 0) {
2371 if (((*pam)->module_argv =
2372 calloc(argc+1, sizeof (char *))) == 0) {
2373 __pam_log(LOG_AUTH | LOG_ERR, "calloc: out of memory");
2374 goto out;
2375 }
2376 i = 0;
2377 for (arg = read_next_token(&cp); arg;
2378 arg = read_next_token(&cp)) {
2379 (*pam)->module_argv[i] = strdup(arg);
2380 if ((*pam)->module_argv[i] == NULL) {
2381 __pam_log(LOG_AUTH | LOG_ERR, "strdup failed");
2382 goto out;
2383 }
2384 i++;
2385 }
2386 (*pam)->module_argv[argc] = NULL;
2387 }
2388 (*pam)->module_argc = argc;
2389
2390 error = PAM_SUCCESS; /* success */
2391 (*pam)->pam_err = err; /* was the line truncated */
2392
2393 out:
2394 free(current_line);
2395 if (error != PAM_SUCCESS) {
2396 /* on error free this */
2397 if (*pam)
2398 free_pamconf(*pam);
2399 }
2400 return (error);
2401 }
2402
2403
2404 /*
2405 * read_next_token - skip tab and space characters and return the next token
2406 */
2407
2408 static char *
2409 read_next_token(char **cpp)
2410 {
2411 register char *cp = *cpp;
2412 char *start;
2413
2414 if (cp == NULL) {
2415 *cpp = NULL;
2416 return (NULL);
2417 }
2418 while (*cp == ' ' || *cp == '\t')
2419 cp++;
2420 if (*cp == '\0') {
2421 *cpp = NULL;
2422 return (NULL);
2423 }
2424 start = cp;
2425 while (*cp && *cp != ' ' && *cp != '\t')
2426 cp++;
2427 if (*cp != '\0')
2428 *cp++ = '\0';
2429 *cpp = cp;
2430 return (start);
2431 }
2432
2433 static char *
2434 pam_conf_strnchr(char *sp, int c, intptr_t count)
2435 {
2436 while (count) {
2437 if (*sp == (char)c)
2438 return ((char *)sp);
2439 else {
2440 sp++;
2441 count--;
2442 }
2443 };
2444 return (NULL);
2445 }
2446
2447 /*
2448 * nextline - skip all blank lines and comments
2449 */
2450
2451 static char *
2452 nextline(struct pam_fh *pam_fh, pam_handle_t *pamh, int *err)
2453 {
2454 char *ll;
2455 int find_a_line = 0;
2456 char *data = pam_fh->data;
2457 char *bufferp = pam_fh->bufferp;
2458 char *bufferendp = &data[pam_fh->bufsize];
2459 size_t input_len;
2460
2461 /*
2462 * Skip the blank line, comment line
2463 */
2464 while (!find_a_line) {
2465 /* if we are at the end of the buffer, there is no next line */
2466 if (bufferp == bufferendp)
2467 return (NULL);
2468
2469 /* skip blank line */
2470 while (*bufferp == '\n') {
2471 /*
2472 * If we are at the end of the buffer, there is
2473 * no next line.
2474 */
2475 if (++bufferp == bufferendp) {
2476 return (NULL);
2477 }
2478 /* else we check *bufferp again */
2479 }
2480
2481 /* skip comment line */
2482 while (*bufferp == '#') {
2483 if ((ll = pam_conf_strnchr(bufferp, '\n',
2484 bufferendp - bufferp)) != NULL) {
2485 bufferp = ll;
2486 } else {
2487 /*
2488 * this comment line the last line.
2489 * no next line
2490 */
2491 return (NULL);
2492 }
2493
2494 /*
2495 * If we are at the end of the buffer, there is
2496 * no next line.
2497 */
2498 if (bufferp == bufferendp) {
2499 return (NULL);
2500 }
2501 }
2502
2503 if ((*bufferp != '\n') && (*bufferp != '#')) {
2504 find_a_line = 1;
2505 }
2506 }
2507
2508 *err = PAM_SUCCESS;
2509 /* now we find one line */
2510 if ((ll = pam_conf_strnchr(bufferp, '\n', bufferendp - bufferp))
2511 != NULL) {
2512 if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
2513 __pam_log(LOG_AUTH | LOG_ERR,
2514 "nextline[%d:%s]: pam.conf line too long %.256s",
2515 pamh->include_depth, pam_trace_cname(pamh),
2516 bufferp);
2517 input_len = sizeof (pam_fh->line) - 1;
2518 *err = PAM_SERVICE_ERR;
2519 }
2520 (void) strncpy(pam_fh->line, bufferp, input_len);
2521 pam_fh->line[input_len] = '\0';
2522 pam_fh->bufferp = ll++;
2523 } else {
2524 ll = bufferendp;
2525 if ((input_len = ll - bufferp) >= sizeof (pam_fh->line)) {
2526 __pam_log(LOG_AUTH | LOG_ERR,
2527 "nextline[%d:%s]: pam.conf line too long %.256s",
2528 pamh->include_depth, pam_trace_cname(pamh),
2529 bufferp);
2530 input_len = sizeof (pam_fh->line) - 1;
2531 *err = PAM_SERVICE_ERR;
2532 }
2533 (void) strncpy(pam_fh->line, bufferp, input_len);
2534 pam_fh->line[input_len] = '\0';
2535 pam_fh->bufferp = ll;
2536 }
2537
2538 return (pam_fh->line);
2539 }
2540
2541 /*
2542 * verify_pam_conf - verify that the pam_conf entry is filled in.
2543 *
2544 * True = Error if there is no service.
2545 * True = Error if there is a service and it matches the requested service
2546 * but, the type, flag, line overflow, or path is in error.
2547 */
2548
2549 static int
2550 verify_pam_conf(pamtab_t *pam, char *service)
2551 {
2552 return ((pam->pam_service == NULL) ||
2553 ((strcasecmp(pam->pam_service, service) == 0) &&
2554 ((pam->pam_type == -1) ||
2555 (pam->pam_flag == 0) ||
2556 (pam->pam_err != PAM_SUCCESS) ||
2557 (pam->module_path == NULL))));
2558 }
2559
2560 /*
2561 * Routines to free allocated storage
2562 */
2563
2564 /*
2565 * clean_up - free allocated storage in the pam handle
2566 */
2567
2568 static void
2569 clean_up(pam_handle_t *pamh)
2570 {
2571 int i;
2572 pam_repository_t *auth_rep;
2573
2574 if (pamh) {
2575 while (pamh->include_depth >= 0) {
2576 free_pam_conf_info(pamh);
2577 pamh->include_depth--;
2578 }
2579
2580 /* Cleanup PAM_REPOSITORY structure */
2581 auth_rep = pamh->ps_item[PAM_REPOSITORY].pi_addr;
2582 if (auth_rep != NULL) {
2583 free(auth_rep->type);
2584 free(auth_rep->scope);
2585 }
2586
2587 for (i = 0; i < PAM_MAX_ITEMS; i++) {
2588 if (pamh->ps_item[i].pi_addr != NULL) {
2589 if (i == PAM_AUTHTOK || i == PAM_OLDAUTHTOK) {
2590 (void) memset(pamh->ps_item[i].pi_addr,
2591 0, pamh->ps_item[i].pi_size);
2592 }
2593 free(pamh->ps_item[i].pi_addr);
2594 }
2595 }
2596 free(pamh);
2597 }
2598 }
2599
2600 /*
2601 * free_pamconf - free memory used to store pam.conf entry
2602 */
2603
2604 static void
2605 free_pamconf(pamtab_t *cp)
2606 {
2607 int i;
2608
2609 if (cp) {
2610 free(cp->pam_service);
2611 free(cp->module_path);
2612 for (i = 0; i < cp->module_argc; i++) {
2613 free(cp->module_argv[i]);
2614 }
2615 if (cp->module_argc > 0)
2616 free(cp->module_argv);
2617 free(cp->function_ptr);
2618
2619 free(cp);
2620 }
2621 }
2622
2623 /*
2624 * free_pam_conf_info - free memory used to store all pam.conf info
2625 * under the pam handle
2626 */
2627
2628 static void
2629 free_pam_conf_info(pam_handle_t *pamh)
2630 {
2631 pamtab_t *pamentp;
2632 pamtab_t *pament_trail;
2633 int i = pamh->include_depth;
2634 int j;
2635
2636 for (j = 0; j < PAM_NUM_MODULE_TYPES; j++) {
2637 pamentp = pamh->pam_conf_info[i][j];
2638 pamh->pam_conf_info[i][j] = NULL;
2639 pament_trail = pamentp;
2640 while (pamentp) {
2641 pamentp = pamentp->next;
2642 free_pamconf(pament_trail);
2643 pament_trail = pamentp;
2644 }
2645 }
2646 if (pamh->pam_conf_name[i] != NULL) {
2647 free(pamh->pam_conf_name[i]);
2648 pamh->pam_conf_name[i] = NULL;
2649 }
2650 }
2651
2652 static void
2653 free_env(env_list *pam_env)
2654 {
2655 if (pam_env) {
2656 free(pam_env->name);
2657 free(pam_env->value);
2658 free(pam_env);
2659 }
2660 }
2661
2662 /*
2663 * Internal convenience functions for Solaris PAM service modules.
2664 */
2665
2666 #include <libintl.h>
2667 #include <nl_types.h>
2668 #include <synch.h>
2669 #include <locale.h>
2670 #include <thread.h>
2671
2672 typedef struct pam_msg_data {
2673 nl_catd fd;
2674 } pam_msg_data_t;
2675
2676 /*
2677 * free_resp():
2678 * free storage for responses used in the call back "pam_conv" functions
2679 */
2680
2681 void
2682 free_resp(int num_msg, struct pam_response *resp)
2683 {
2684 int i;
2685 struct pam_response *r;
2686
2687 if (resp) {
2688 r = resp;
2689 for (i = 0; i < num_msg; i++, r++) {
2690 if (r->resp) {
2691 /* clear before freeing -- may be a password */
2692 bzero(r->resp, strlen(r->resp));
2693 free(r->resp);
2694 r->resp = NULL;
2695 }
2696 }
2697 free(resp);
2698 }
2699 }
2700
2701 static int
2702 do_conv(pam_handle_t *pamh, int msg_style, int num_msg,
2703 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp,
2704 struct pam_response *ret_respp[])
2705 {
2706 struct pam_message *msg;
2707 struct pam_message *m;
2708 int i;
2709 int k;
2710 int retcode;
2711 struct pam_conv *pam_convp;
2712
2713 if ((retcode = pam_get_item(pamh, PAM_CONV,
2714 (void **)&pam_convp)) != PAM_SUCCESS) {
2715 return (retcode);
2716 }
2717
2718 /*
2719 * When pam_set_item() is called to set PAM_CONV and the
2720 * item is NULL, memset(pip->pi_addr, 0, size) is called.
2721 * So at this point, we should check whether pam_convp->conv
2722 * is NULL or not.
2723 */
2724 if ((pam_convp == NULL) || (pam_convp->conv == NULL))
2725 return (PAM_SYSTEM_ERR);
2726
2727 i = 0;
2728 k = num_msg;
2729
2730 msg = calloc(num_msg, sizeof (struct pam_message));
2731 if (msg == NULL) {
2732 return (PAM_BUF_ERR);
2733 }
2734 m = msg;
2735
2736 while (k--) {
2737 /*
2738 * fill out the message structure to display prompt message
2739 */
2740 m->msg_style = msg_style;
2741 m->msg = messages[i];
2742 pam_trace(PAM_DEBUG_CONV,
2743 "pam_conv_msg(%p:%d[%d]=%s)",
2744 (void *)pamh, msg_style, i, messages[i]);
2745 m++;
2746 i++;
2747 }
2748
2749 /*
2750 * The UNIX pam modules always calls __pam_get_authtok() and
2751 * __pam_display_msg() with a NULL pointer as the conv_apdp.
2752 * In case the conv_apdp is NULL and the pam_convp->appdata_ptr
2753 * is not NULL, we should pass the pam_convp->appdata_ptr
2754 * to the conversation function.
2755 */
2756 if (conv_apdp == NULL && pam_convp->appdata_ptr != NULL)
2757 conv_apdp = pam_convp->appdata_ptr;
2758
2759 /*
2760 * Call conv function to display the prompt.
2761 */
2762 retcode = (pam_convp->conv)(num_msg, &msg, ret_respp, conv_apdp);
2763 pam_trace(PAM_DEBUG_CONV,
2764 "pam_conv_resp(%p pam_conv = %s) ret_respp = %p",
2765 (void *)pamh, pam_strerror(pamh, retcode), (void *)ret_respp);
2766 if (*ret_respp == NULL) {
2767 pam_trace(PAM_DEBUG_CONV,
2768 "pam_conv_resp(%p No response requested)", (void *)pamh);
2769 } else if ((pam_debug & (PAM_DEBUG_CONV | PAM_DEBUG_AUTHTOK)) != 0) {
2770 struct pam_response *r = *ret_respp;
2771
2772 for (i = 0; i < num_msg; i++, r++) {
2773 if (r->resp == NULL) {
2774 pam_trace(PAM_DEBUG_CONV,
2775 "pam_conv_resp(%p:"
2776 "[%d] NULL response string)",
2777 (void *)pamh, i);
2778 } else {
2779 if (msg_style == PAM_PROMPT_ECHO_OFF) {
2780 #ifdef DEBUG
2781 pam_trace(PAM_DEBUG_AUTHTOK,
2782 "pam_conv_resp(%p:[%d]=%s, "
2783 "code=%d)",
2784 (void *)pamh, i, r->resp,
2785 r->resp_retcode);
2786 #endif /* DEBUG */
2787 pam_trace(PAM_DEBUG_CONV,
2788 "pam_conv_resp(%p:[%d] len=%lu, "
2789 "code=%d)",
2790 (void *)pamh, i,
2791 (ulong_t)strlen(r->resp),
2792 r->resp_retcode);
2793 } else {
2794 pam_trace(PAM_DEBUG_CONV,
2795 "pam_conv_resp(%p:[%d]=%s, "
2796 "code=%d)",
2797 (void *)pamh, i, r->resp,
2798 r->resp_retcode);
2799 }
2800 }
2801 }
2802 }
2803
2804 free(msg);
2805 return (retcode);
2806 }
2807
2808 /*
2809 * __pam_display_msg():
2810 * display message by calling the call back functions
2811 * provided by the application through "pam_conv" structure
2812 */
2813
2814 int
2815 __pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
2816 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp)
2817 {
2818 struct pam_response *ret_respp = NULL;
2819 int ret;
2820
2821 ret = do_conv(pamh, msg_style, num_msg, messages,
2822 conv_apdp, &ret_respp);
2823
2824 if (ret_respp != NULL)
2825 free_resp(num_msg, ret_respp);
2826
2827 return (ret);
2828 }
2829
2830 /*
2831 * __pam_get_authtok()
2832 * retrieves a password of at most PASS_MAX length from the pam
2833 * handle (pam_get_item) or from the input stream (do_conv).
2834 *
2835 * This function allocates memory for the new authtok.
2836 * Applications calling this function are responsible for
2837 * freeing this memory.
2838 *
2839 * If "source" is
2840 * PAM_HANDLE
2841 * and "type" is:
2842 * PAM_AUTHTOK - password is taken from pam handle (PAM_AUTHTOK)
2843 * PAM_OLDAUTHTOK - password is taken from pam handle (PAM_OLDAUTHTOK)
2844 *
2845 * If "source" is
2846 * PAM_PROMPT
2847 * and "type" is:
2848 * 0: Prompt for new passwd, do not even attempt
2849 * to store it in the pam handle.
2850 * PAM_AUTHTOK: Prompt for new passwd, store in pam handle as
2851 * PAM_AUTHTOK item if this value is not already set.
2852 * PAM_OLDAUTHTOK: Prompt for new passwd, store in pam handle as
2853 * PAM_OLDAUTHTOK item if this value is not
2854 * already set.
2855 */
2856 int
2857 __pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
2858 char **authtok)
2859 {
2860 int error = PAM_SYSTEM_ERR;
2861 char *new_password = NULL;
2862 struct pam_response *ret_resp = NULL;
2863 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
2864
2865 if ((*authtok = calloc(PASS_MAX+1, sizeof (char))) == NULL)
2866 return (PAM_BUF_ERR);
2867
2868 if (prompt == NULL)
2869 prompt = dgettext(TEXT_DOMAIN, "password: ");
2870
2871 switch (source) {
2872 case PAM_HANDLE:
2873
2874 /* get password from pam handle item list */
2875
2876 switch (type) {
2877 case PAM_AUTHTOK:
2878 case PAM_OLDAUTHTOK:
2879
2880 if ((error = pam_get_item(pamh, type,
2881 (void **)&new_password)) != PAM_SUCCESS)
2882 goto err_ret;
2883
2884 if (new_password == NULL || new_password[0] == '\0') {
2885 free(*authtok);
2886 *authtok = NULL;
2887 } else {
2888 (void) strlcpy(*authtok, new_password,
2889 PASS_MAX+1);
2890 }
2891 break;
2892 default:
2893 __pam_log(LOG_AUTH | LOG_ERR,
2894 "__pam_get_authtok() invalid type: %d", type);
2895 error = PAM_SYMBOL_ERR;
2896 goto err_ret;
2897 }
2898 break;
2899 case PAM_PROMPT:
2900
2901 /*
2902 * Prompt for new password and save in pam handle item list
2903 * if the that item is not already set.
2904 */
2905
2906 (void) strncpy(messages[0], prompt, sizeof (messages[0]));
2907 if ((error = do_conv(pamh, PAM_PROMPT_ECHO_OFF, 1, messages,
2908 NULL, &ret_resp)) != PAM_SUCCESS)
2909 goto err_ret;
2910
2911 if (ret_resp->resp == NULL) {
2912 /* getpass didn't return anything */
2913 error = PAM_SYSTEM_ERR;
2914 goto err_ret;
2915 }
2916
2917 /* save the new password if this item was NULL */
2918 if (type) {
2919 if ((error = pam_get_item(pamh, type,
2920 (void **)&new_password)) != PAM_SUCCESS) {
2921 free_resp(1, ret_resp);
2922 goto err_ret;
2923 }
2924 if (new_password == NULL)
2925 (void) pam_set_item(pamh, type, ret_resp->resp);
2926 }
2927
2928 (void) strlcpy(*authtok, ret_resp->resp, PASS_MAX+1);
2929 free_resp(1, ret_resp);
2930 break;
2931 default:
2932 __pam_log(LOG_AUTH | LOG_ERR,
2933 "__pam_get_authtok() invalid source: %d", source);
2934 error = PAM_SYMBOL_ERR;
2935 goto err_ret;
2936 }
2937
2938 return (PAM_SUCCESS);
2939
2940 err_ret:
2941 bzero(*authtok, PASS_MAX+1);
2942 free(*authtok);
2943 *authtok = NULL;
2944 return (error);
2945 }
Unleashed OS