
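--- a/lib/libpam/modules/Makefile
+++ b/lib/libpam/modules/Makefile
@@ -26,6 +26,6 @@
 
 .include "modules.inc"
 
-SUBDIR=	${MODULES}
+SUBDIR=	${MODULES} pam_unix_chkpwd
 
 .include <bsd.subdir.mk>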
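--- a/lib/libpam/modules/pam_unix/Makefile
+++ b/lib/libpam/modules/pam_unix/Makefile
@@ -41,6 +41,8 @@ LIB=	pam_unix
 SRCS=	pam_unix.c
 MAN=	pam_unix.8
 
+WARNS?=	6
+
 DPADD+= ${LIBUTIL} ${LIBCRYPT}
 LDADD+= -lutil -lcrypt
 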
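--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/param.h>
 #include <sys/socket.h>
 #include <sys/time.h>
+#include <sys/wait.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
@@ -74,6 +75,11 @@ __FBSDID("$FreeBSD$");
 #define	LOCKED_PREFIX		"*LOCKED*"
 #define	LOCKED_PREFIX_LEN	(sizeof(LOCKED_PREFIX) - 1)
 
+#define	HELPER_EXE		"/usr/libexec/pam_unix_chkpwd"
+#define	SECRET_NAME		"_PAM_UNIX_AUTHTOK"
+static int run_verify_helper(pam_handle_t *pamh, int flags, const char *user,
+    const char *pw);
+
 static void makesalt(char []);
 
 static char password_hash[] =		PASSWORD_HASH;
@@ -85,8 +91,8 @@ static char password_hash[] = PASSWORD_HASH;
  * authentication management
  */
 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
-    int argc __unused, const char *argv[] __unused)
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc __unused,
+    const char *argv[] __unused)
 {
 	login_cap_t *lc;
 	struct passwd *pwd;
@@ -128,6 +134,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	if (strcmp(crypt(pass, realpw), realpw) == 0)
 		return (PAM_SUCCESS);
 
+	/*
+	 * Check with the suid helper, IFF we're not root and we're trying to
+	 * authenticate ourself.
+	 */
+	if (getuid() != 0 && strcmp(getlogin(), user) == 0)
+		return (run_verify_helper(pamh, flags, user, pass));
+
 	PAM_VERBOSE_ERROR("UNIX authentication refused");
 	return (PAM_AUTH_ERR);
 }
@@ -475,3 +488,38 @@ makesalt(char salt[SALTSIZE + 1])
 }
 
 PAM_MODULE_ENTRY("pam_unix");
+
+static int
+run_verify_helper(pam_handle_t *pamh, int flags, const char *user,
+    const char *pw)
+{
+	pid_t pid;
+	int rc;
+
+	PAM_LOG("Doing UNIX helper authentication");
+
+	if ((rc = fork()) < 0)
+		return (PAM_AUTH_ERR);
+	else if (rc == 0) {
+		rc = setenv(SECRET_NAME, pw, 1);
+		if (rc < 0)
+			exit(PAM_AUTH_ERR);
+		rc = execl(HELPER_EXE, HELPER_EXE, user, NULL);
+		if (rc < 0)
+			exit(PAM_AUTH_ERR);
+		/* NORETURN */
+	}
+
+	pid = rc;
+	pid = waitpid(pid, &rc, WEXITED);
+	if (pid <= 0)
+		return (PAM_AUTH_ERR);
+	if (!WIFEXITED(rc))
+		return (PAM_AUTH_ERR);
+
+	if (WEXITSTATUS(rc) == PAM_SUCCESS)
+		return (PAM_SUCCESS);
+
+	PAM_VERBOSE_ERROR("UNIX helper authentication refused");
+	return (PAM_AUTH_ERR);
+}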
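Review bot: `strcmp(getlogin(), user)` in the new guard before the helper call (new lines 141-142, inside pam_sm_authenticate, whose body starts before this hunk) dereferences NULL whenever getlogin() has no login name to return, which happens for callers without a login session, and even when it succeeds it compares a session name rather than the caller's credentials. Since the comment says the intent is "we're authenticating ourself", compare identities instead, using the `pwd` declared at the top of the function (presumably holding the getpwnam() result by this point; worth confirming): `if (getuid() != 0 && pwd != NULL && getuid() == pwd->pw_uid)`. In run_verify_helper (last hunk) the forked child should leave with `_exit(PAM_AUTH_ERR)` rather than `exit()` after a failed setenv() or execl(), so the parent's atexit handlers and duplicated stdio buffers do not run a second time in the child, and the waitpid() call should be retried on EINTR instead of being reported as a refusal. Handing the secret to the helper through the environment that execl() inherits is weaker than writing it to a pipe on the child's stdin, which is how the Linux unix_chkpwd helper receives it; if the environment is kept deliberately, a comment at SECRET_NAME should say why.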
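--- a/lib/libpam/modules/pam_unix_chkpwd/Makefile
+++ b/lib/libpam/modules/pam_unix_chkpwd/Makefile
@@ -0,0 +1,18 @@
+# $FreeBSD$
+
+.include <src.opts.mk>
+
+BINDIR?=	/usr/libexec
+
+PROG=	pam_unix_chkpwd
+MAN=	pam_unix_chkpwd.8
+
+WARNS?=	6
+
+DPADD=	${LIBCRYPT}
+LDADD=	-lcrypt
+
+BINOWN=	root
+BINMODE=4555
+
+.include <bsd.prog.mk>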
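--- a/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.8
+++ b/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.8
@@ -0,0 +1,70 @@
+.\" Copyright (c) Andrew G. Morgan, 1996. All rights reserved
+.\" Copyright (c) Red Hat, Inc., 2007,2008. All rights reserved
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, and the entire permission notice in its entirety,
+.\"    including the disclaimer of warranties.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote
+.\"    products derived from this software without specific prior
+.\"    written permission.
+.\"
+.\" ALTERNATIVELY, this product may be distributed under the terms of
+.\" the GNU Public License, in which case the provisions of the GPL are
+.\" required INSTEAD OF the above restrictions.  (This clause is
+.\" necessary due to a potential bad interaction between the GPL and
+.\" the restrictions contained in a BSD-style copyright.)
+.\"
+.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd January 23, 2008
+.Dt PAM_UNIX_CHKPWD 8
+.Os
+
+.Sh NAME
+.Nm pam_unix_chkpwd
+.Nd pam_unix helper that verifies the password of the current user
+
+.Sh SYNOPSIS
+.Pa pam_unix_chkpwd
+.Op Ar ...
+
+.Sh DESCRIPTION
+
+.Pa pam_unix_chkpwd
+is a helper program for the
+.Xr pam_unix 8
+module that verifies the password of the current user. It also checks password
+and account expiration dates in
+.Xr master.passwd 5 .
+It is not intended to be run directly from the command line.
+
+It is typically installed setuid root or setgid shadow.
+
+The interface of the helper -- command line options, and input/output data
+format -- are internal to the
+.Xr pam_unix 8
+module and it should not be called directly from applications.
+
+.Sh SEE ALSO
+.Xr pam_unix 8
+
+.Sh AUTHORS
+Written by Andrew Morgan and others.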
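--- a/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.c
+++ b/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.c
-
+/*-
+ * Copyright 2014 Conrad Meyer <cse.cem@gmail.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define	SECRET_NAME	"_PAM_UNIX_AUTHTOK"
+
+int
+main(int argc, char **argv)
+{
+	const char *user, *pw;
+	struct passwd *pwd;
+
+	if (argc != 2)
+		return (1);
+
+	user = argv[1];
+	pw = getenv(SECRET_NAME);
+
+	if (user == NULL || pw == NULL)
+		return (1);
+
+	pwd = getpwnam(user);
+	if (pwd == NULL)
+		return (1);
+
+	if (strcmp(crypt(pw, pwd->pw_passwd), pwd->pw_passwd) == 0)
+		return (0);
+
+	return (1);
+}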
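Review bot: main() accepts any user name in argv[1] and, running setuid root (BINMODE=4555 in the sibling Makefile), compares the supplied secret against that account's hash without checking who invoked it, so any local user can verify password guesses against any account with no rate limiting and no logging; the Linux unix_chkpwd helper refuses this case. After the getpwnam() lookup add `if (getuid() != 0 && getuid() != pwd->pw_uid) return (1);` and report refusals through syslog(3) so repeated attempts are visible to the operator. crypt(3) may return NULL for a hash it cannot process (an unsupported salt format, for instance; worth confirming against this libcrypt), in which case the strcmp() on new line 54 dereferences NULL, so store the result and reject on NULL before comparing. The man page added in this commit says the helper also checks password and account expiration dates, but nothing in main() looks at pw_change or pw_expire, so either that check belongs here or the description should be trimmed to what the code does.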
