FreeBSD Bugzilla – Attachment 148656 Details for
Bug 194604
[libpam] [patch] pam_unix doesn't allow validation of own password
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
(Apply with -p1; diff against r273647.)
a.patch (text/plain), 9.68 KB, created by
Conrad Meyer
on 2014-10-26 05:42:42 UTC
(
hide
)
Description:
(Apply with -p1; diff against r273647.)
Filename:
MIME Type:
Creator:
Conrad Meyer
Created:
2014-10-26 05:42:42 UTC
Size:
9.68 KB
patch
obsolete
>From 09da0a229842e0307aa1977dbe1f82e15a309c5d Mon Sep 17 00:00:00 2001 >From: Conrad Meyer <cse.cem@gmail.com> >Date: Sat, 25 Oct 2014 18:26:25 -0400 >Subject: [PATCH] pam_unix: Add pam_unix_chkpwd helper; support querying own pw > >Useful for e.g. unprivileged lockscreens that need to authenticate the >keyboard user. (In particular, the Linux-PAM Unix module supports this >functionality and the enlightenment desktop relies upon this behavior.) >--- > lib/libpam/modules/Makefile | 2 +- > lib/libpam/modules/pam_unix/Makefile | 2 + > lib/libpam/modules/pam_unix/pam_unix.c | 52 +++++++++++++++- > lib/libpam/modules/pam_unix_chkpwd/Makefile | 18 ++++++ > .../modules/pam_unix_chkpwd/pam_unix_chkpwd.8 | 70 ++++++++++++++++++++++ > .../modules/pam_unix_chkpwd/pam_unix_chkpwd.c | 58 ++++++++++++++++++ > 6 files changed, 199 insertions(+), 3 deletions(-) > create mode 100644 lib/libpam/modules/pam_unix_chkpwd/Makefile > create mode 100644 lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.8 > create mode 100644 lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.c > >diff --git a/lib/libpam/modules/Makefile b/lib/libpam/modules/Makefile >index cacf011..58ac8f2 100644 >--- a/lib/libpam/modules/Makefile >+++ b/lib/libpam/modules/Makefile >@@ -26,6 +26,6 @@ > > .include "modules.inc" > >-SUBDIR= ${MODULES} >+SUBDIR= ${MODULES} pam_unix_chkpwd > > .include <bsd.subdir.mk> >diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile >index ea9e639..f7e73e7 100644 >--- a/lib/libpam/modules/pam_unix/Makefile >+++ b/lib/libpam/modules/pam_unix/Makefile >@@ -41,6 +41,8 @@ LIB= pam_unix > SRCS= pam_unix.c > MAN= pam_unix.8 > >+WARNS?= 6 >+ > DPADD+= ${LIBUTIL} ${LIBCRYPT} > LDADD+= -lutil -lcrypt > >diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c >index 9a213e2..d0d7ba0 100644 >--- a/lib/libpam/modules/pam_unix/pam_unix.c >+++ b/lib/libpam/modules/pam_unix/pam_unix.c >@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$"); > #include <sys/param.h> > #include <sys/socket.h> > #include <sys/time.h> >+#include <sys/wait.h> > #include <netinet/in.h> > #include <arpa/inet.h> > >@@ -74,6 +75,11 @@ __FBSDID("$FreeBSD$"); > #define LOCKED_PREFIX "*LOCKED*" > #define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1) > >+#define HELPER_EXE "/usr/libexec/pam_unix_chkpwd" >+#define SECRET_NAME "_PAM_UNIX_AUTHTOK" >+static int run_verify_helper(pam_handle_t *pamh, int flags, const char *user, >+ const char *pw); >+ > static void makesalt(char []); > > static char password_hash[] = PASSWORD_HASH; >@@ -85,8 +91,8 @@ static char password_hash[] = PASSWORD_HASH; > * authentication management > */ > PAM_EXTERN int >-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, >- int argc __unused, const char *argv[] __unused) >+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc __unused, >+ const char *argv[] __unused) > { > login_cap_t *lc; > struct passwd *pwd; >@@ -128,6 +134,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, > if (strcmp(crypt(pass, realpw), realpw) == 0) > return (PAM_SUCCESS); > >+ /* >+ * Check with the suid helper, IFF we're not root and we're trying to >+ * authenticate ourself. >+ */ >+ if (getuid() != 0 && strcmp(getlogin(), user) == 0) >+ return (run_verify_helper(pamh, flags, user, pass)); >+ > PAM_VERBOSE_ERROR("UNIX authentication refused"); > return (PAM_AUTH_ERR); > } >@@ -475,3 +488,38 @@ makesalt(char salt[SALTSIZE + 1]) > } > > PAM_MODULE_ENTRY("pam_unix"); >+ >+static int >+run_verify_helper(pam_handle_t *pamh, int flags, const char *user, >+ const char *pw) >+{ >+ pid_t pid; >+ int rc; >+ >+ PAM_LOG("Doing UNIX helper authentication"); >+ >+ if ((rc = fork()) < 0) >+ return (PAM_AUTH_ERR); >+ else if (rc == 0) { >+ rc = setenv(SECRET_NAME, pw, 1); >+ if (rc < 0) >+ exit(PAM_AUTH_ERR); >+ rc = execl(HELPER_EXE, HELPER_EXE, user, NULL); >+ if (rc < 0) >+ exit(PAM_AUTH_ERR); >+ /* NORETURN */ >+ } >+ >+ pid = rc; >+ pid = waitpid(pid, &rc, WEXITED); >+ if (pid <= 0) >+ return (PAM_AUTH_ERR); >+ if (!WIFEXITED(rc)) >+ return (PAM_AUTH_ERR); >+ >+ if (WEXITSTATUS(rc) == PAM_SUCCESS) >+ return (PAM_SUCCESS); >+ >+ PAM_VERBOSE_ERROR("UNIX helper authentication refused"); >+ return (PAM_AUTH_ERR); >+} >diff --git a/lib/libpam/modules/pam_unix_chkpwd/Makefile b/lib/libpam/modules/pam_unix_chkpwd/Makefile >new file mode 100644 >index 0000000..4997a8c >--- /dev/null >+++ b/lib/libpam/modules/pam_unix_chkpwd/Makefile >@@ -0,0 +1,18 @@ >+# $FreeBSD$ >+ >+.include <src.opts.mk> >+ >+BINDIR?= /usr/libexec >+ >+PROG= pam_unix_chkpwd >+MAN= pam_unix_chkpwd.8 >+ >+WARNS?= 6 >+ >+DPADD= ${LIBCRYPT} >+LDADD= -lcrypt >+ >+BINOWN= root >+BINMODE=4555 >+ >+.include <bsd.prog.mk> >diff --git a/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.8 b/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.8 >new file mode 100644 >index 0000000..a5e696f >--- /dev/null >+++ b/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.8 >@@ -0,0 +1,70 @@ >+.\" Copyright (c) Andrew G. Morgan, 1996. All rights reserved >+.\" Copyright (c) Red Hat, Inc., 2007,2008. All rights reserved >+.\" >+.\" Redistribution and use in source and binary forms, with or without >+.\" modification, are permitted provided that the following conditions >+.\" are met: >+.\" 1. Redistributions of source code must retain the above copyright >+.\" notice, and the entire permission notice in its entirety, >+.\" including the disclaimer of warranties. >+.\" 2. Redistributions in binary form must reproduce the above copyright >+.\" notice, this list of conditions and the following disclaimer in the >+.\" documentation and/or other materials provided with the distribution. >+.\" 3. The name of the author may not be used to endorse or promote >+.\" products derived from this software without specific prior >+.\" written permission. >+.\" >+.\" ALTERNATIVELY, this product may be distributed under the terms of >+.\" the GNU Public License, in which case the provisions of the GPL are >+.\" required INSTEAD OF the above restrictions. (This clause is >+.\" necessary due to a potential bad interaction between the GPL and >+.\" the restrictions contained in a BSD-style copyright.) >+.\" >+.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED >+.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES >+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE >+.\" DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, >+.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES >+.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR >+.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) >+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, >+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) >+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED >+.\" OF THE POSSIBILITY OF SUCH DAMAGE. >+.\" >+.\" $FreeBSD$ >+.\" >+.Dd January 23, 2008 >+.Dt PAM_UNIX_CHKPWD 8 >+.Os >+ >+.Sh NAME >+.Nm pam_unix_chkpwd >+.Nd pam_unix helper that verifies the password of the current user >+ >+.Sh SYNOPSIS >+.Pa pam_unix_chkpwd >+.Op Ar ... >+ >+.Sh DESCRIPTION >+ >+.Pa pam_unix_chkpwd >+is a helper program for the >+.Xr pam_unix 8 >+module that verifies the password of the current user. It also checks password >+and account expiration dates in >+.Xr master.passwd 5 . >+It is not intended to be run directly from the command line. >+ >+It is typically installed setuid root or setgid shadow. >+ >+The interface of the helper -- command line options, and input/output data >+format -- are internal to the >+.Xr pam_unix 8 >+module and it should not be called directly from applications. >+ >+.Sh SEE ALSO >+.Xr pam_unix 8 >+ >+.Sh AUTHORS >+Written by Andrew Morgan and others. >diff --git a/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.c b/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.c >new file mode 100644 >index 0000000..aa84662 >--- /dev/null >+++ b/lib/libpam/modules/pam_unix_chkpwd/pam_unix_chkpwd.c >@@ -0,0 +1,58 @@ >+/*- >+ * Copyright 2014 Conrad Meyer <cse.cem@gmail.com> >+ * >+ * Redistribution and use in source and binary forms, with or without >+ * modification, are permitted provided that the following conditions >+ * are met: >+ * 1. Redistributions of source code must retain the above copyright >+ * notice, this list of conditions and the following disclaimer. >+ * 2. Redistributions in binary form must reproduce the above copyright >+ * notice, this list of conditions and the following disclaimer in the >+ * documentation and/or other materials provided with the distribution. >+ * >+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND >+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE >+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE >+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE >+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL >+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS >+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) >+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT >+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY >+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF >+ * SUCH DAMAGE. >+ */ >+ >+#include <sys/cdefs.h> >+ >+#include <pwd.h> >+#include <stdlib.h> >+#include <string.h> >+#include <unistd.h> >+ >+#define SECRET_NAME "_PAM_UNIX_AUTHTOK" >+ >+int >+main(int argc, char **argv) >+{ >+ const char *user, *pw; >+ struct passwd *pwd; >+ >+ if (argc != 2) >+ return (1); >+ >+ user = argv[1]; >+ pw = getenv(SECRET_NAME); >+ >+ if (user == NULL || pw == NULL) >+ return (1); >+ >+ pwd = getpwnam(user); >+ if (pwd == NULL) >+ return (1); >+ >+ if (strcmp(crypt(pw, pwd->pw_passwd), pwd->pw_passwd) == 0) >+ return (0); >+ >+ return (1); >+} >-- >1.9.3 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=148656">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 194604
: 148656