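#!/bin/sh
# This is a shell archive
echo x pam-pwauth_suid
mkdir -p pam-pwauth_suid > /dev/null 2>&1
echo x pam-pwauth_suid/files
mkdir -p pam-pwauth_suid/files > /dev/null 2>&1
echo x pam-pwauth_suid/Makefile
sed 's/^X//' > pam-pwauth_suid/Makefile << 'SHAR_END'
X# $FreeBSD$
X
XPORTNAME=	pam-pwauth_suid
XDISTVERSION=	1.2
XCATEGORIES=	security
XDISTFILES=
X
XMAINTAINER=	bughub@hotmail.com
XCOMMENT=	PAM authentication module for unprivileged users
X
XLICENSE=	BSD2CLAUSE
X
XWRKSRC=	${WRKDIR}
X
X# The module exec()s the setuid helper by this absolute path; keep it in
X# sync with the libexec/pwauth_suid_helper entry in pkg-plist.
XPAMDEF+=	-DPATH_HELPER=\"${PREFIX}/libexec/pwauth_suid_helper\"
XPAMDEF+=	-DNO_STATIC_MODULES
X
Xdo-extract:
X	${CP} ${FILESDIR}/pam_pwauth_suid.c ${FILESDIR}/pwauth_suid_helper.c \
X		${WRKSRC}
X
Xdo-build:
X	(cd ${WRKSRC} && \
X	${CC} ${CFLAGS} -c -fPIC ${PAMDEF} pam_pwauth_suid.c && \
X	${CC} ${LDFLAGS} -shared pam_pwauth_suid.o -o pam_pwauth_suid.so && \
X	${CC} ${CFLAGS} ${LDFLAGS} pwauth_suid_helper.c -o pwauth_suid_helper -lcrypt)
X
Xdo-install:
X	${MKDIR} ${STAGEDIR}${PREFIX}/lib/security
X	${INSTALL_LIB} ${WRKSRC}/pam_pwauth_suid.so \
X		${STAGEDIR}${PREFIX}/lib/security
X	${INSTALL_PROGRAM} ${WRKSRC}/pwauth_suid_helper \
X		${STAGEDIR}${PREFIX}/libexec
X	${MKDIR} ${STAGEDIR}${PREFIX}/share/examples/pam-pwauth_suid
X	${SED} -e 's|@PREFIX@|${PREFIX}|g' ${FILESDIR}/xscreensaver > \
X		${STAGEDIR}${PREFIX}/share/examples/pam-pwauth_suid/xscreensaver
X
X.include <bsd.port.mk>
SHAR_END
echo x pam-pwauth_suid/pkg-descr
sed 's/^X//' > pam-pwauth_suid/pkg-descr << 'SHAR_END'
XThe pam_pwauth_suid authentication module uses a setuid program
Xto verify a password against the encrypted password in the
Xdatabase used by the system. This way, an unprivileged user can
Xverify their own password stored in a shadow password database.
XThe password is handed from the invoking program to the setuid
Xhelper over a pipe, so anyone able to trace or debug the invoking
Xprocess could observe it, and a local user can also run the helper
Xdirectly to mount a (deliberately slowed-down) dictionary attack
Xagainst their own account.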
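SHAR_END
echo x pam-pwauth_suid/pkg-plist
sed 's/^X//' > pam-pwauth_suid/pkg-plist << 'SHAR_END'
Xlib/security/pam_pwauth_suid.so
X@(,,4555) libexec/pwauth_suid_helper
Xshare/examples/pam-pwauth_suid/xscreensaver
SHAR_END
echo x pam-pwauth_suid/pkg-message
sed 's/^X//' > pam-pwauth_suid/pkg-message << 'SHAR_END'
X===========================================================================
X$NetBSD: MESSAGE,v 1.3 2019/05/01 02:37:56 gutteridge Exp $
X
XIn order to make unlocking work, you need to add an appropriate file
Xto your pam configuration directory (usually /etc/pam.d).
XA sample pam.d file for xscreensaver can be found in
X${PREFIX}/share/examples/pam-pwauth_suid
X===========================================================================
SHAR_END
echo x pam-pwauth_suid/files/pam_pwauth_suid.c
sed 's/^X//' > pam-pwauth_suid/files/pam_pwauth_suid.c << 'SHAR_END'
X/* $NetBSD: pam_pwauth_suid.c,v 1.3 2008/07/17 18:00:58 drochner Exp $ */
X
X#include <sys/types.h>
X#define PAM_SM_AUTH
X#include <security/pam_appl.h>
X#include <security/pam_modules.h>
X
X#include <sys/wait.h>
X#include <errno.h>
X#include <signal.h>
X#include <string.h>
X#include <unistd.h>
X
X/*
X * Write all of buf to fd, retrying on short writes and EINTR.
X * Returns 0 on success, otherwise an errno value (EIO if write(2)
X * reports zero bytes written).
X */
Xstatic int
Xwrite_all(int fd, const char *buf, size_t len)
X{
X	ssize_t n;
X
X	while (len > 0) {
X		n = write(fd, buf, len);
X		if (n < 0) {
X			if (errno == EINTR)
X				continue;
X			return errno;
X		}
X		if (n == 0)
X			return EIO;
X		buf += (size_t)n;
X		len -= (size_t)n;
X	}
X	return 0;
X}
X
X/*
X * Run the setuid helper for `user` and feed it `pass` on its stdin.
X * Returns 0 if the helper exited with status 0 (password accepted),
X * EAUTH if it exited non-zero or abnormally, and otherwise an errno
X * value describing a local failure (pipe/fork/write/wait).
X */
Xstatic int
Xaskhelper(const char *user, const char *pass)
X{
X	int fd[2];
X	sigset_t chldsig, omask;
X	struct sigaction sa_ign, sa_pipe;
X	pid_t pid, rpid;
X	int err, s = 0;
X
X	if (pipe(fd) < 0)
X		return errno;
X
X	/* make sure only we get the exit status of the helper */
X	sigemptyset(&chldsig);
X	sigaddset(&chldsig, SIGCHLD);
X	if (sigprocmask(SIG_BLOCK, &chldsig, &omask) < 0) {
X		err = errno;
X		(void)close(fd[0]);
X		(void)close(fd[1]);
X		return err;
X	}
X
X	pid = vfork();
X	switch (pid) {
X	case -1:
X		err = errno;
X		goto out;
X	case 0:	/* child, feed it through its stdin */
X		/*
X		 * vfork(): the child shares our address space, so only
X		 * syscalls here and no assignments to parent variables.
X		 */
X		(void)dup2(fd[0], STDIN_FILENO);
X		if (fd[0] != STDIN_FILENO)
X			(void)close(fd[0]);
X		(void)close(fd[1]);
X		/*
X		 * Do not leak the caller's descriptors (X connection,
X		 * open files, ...) into a setuid-root process; the
X		 * helper only needs its stdin.
X		 */
X		closefrom(STDERR_FILENO + 1);
X		execl(PATH_HELPER, PATH_HELPER, user, (char *)NULL);
X		_exit(errno);
X	default:	/* parent */
X		(void)close(fd[0]);
X		fd[0] = -1;
X		break;
X	}
X
X	/*
X	 * If the helper dies before reading its stdin (e.g. execl()
X	 * failed) the write would raise SIGPIPE and kill the *calling*
X	 * application.  Ignore it for the duration of the write so we
X	 * get EPIPE instead, then put the caller's disposition back.
X	 */
X	memset(&sa_ign, 0, sizeof(sa_ign));
X	sa_ign.sa_handler = SIG_IGN;
X	sigemptyset(&sa_ign.sa_mask);
X	if (sigaction(SIGPIPE, &sa_ign, &sa_pipe) == 0) {
X		err = write_all(fd[1], pass, strlen(pass));
X		(void)sigaction(SIGPIPE, &sa_pipe, NULL);
X	} else
X		err = errno;
X
X	(void)close(fd[1]);	/* now child gets an EOF */
X	fd[1] = -1;
X
X	/* always reap the child, even if the write failed */
X	rpid = waitpid(pid, &s, 0);
X	if (err == 0) {
X		if (rpid != pid)
X			err = errno;
X		else if (!WIFEXITED(s) || WEXITSTATUS(s) != 0)
X			err = EAUTH;
X	}
X
Xout:
X	(void)sigprocmask(SIG_SETMASK, &omask, NULL);
X	if (fd[0] != -1)
X		(void)close(fd[0]);
X	if (fd[1] != -1)
X		(void)close(fd[1]);
X	return err;
X}
X
X/*
X * PAM "auth" entry point.  Fetches the user name and password from the
X * PAM handle and lets the setuid helper check the password against the
X * (shadowed) system password database.  Module options are ignored.
X */
XPAM_EXTERN int
Xpam_sm_authenticate(pam_handle_t *pamh, int flags,
X    int argc, const char **argv)
X{
X	const char *user, *pass;
X	int res;
X
X	(void)flags;
X	(void)argc;
X	(void)argv;
X
X	res = pam_get_user(pamh, &user, NULL);
X	if (res != PAM_SUCCESS)
X		return res;
X	res = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);
X	if (res != PAM_SUCCESS)
X		return res;
X	if (user == NULL || pass == NULL)
X		return PAM_AUTH_ERR;
X
X	/* the helper's exit status is the only thing we act on */
X	if (askhelper(user, pass) != 0)
X		return PAM_AUTH_ERR;
X
X	return PAM_SUCCESS;
X}
X
X/* No credentials to establish; always succeeds. */
XPAM_EXTERN int
Xpam_sm_setcred(pam_handle_t *pamh, int flags,
X    int argc, const char **argv)
X{
X	(void)pamh;
X	(void)flags;
X	(void)argc;
X	(void)argv;
X
X	return PAM_SUCCESS;
X}
X
X/* name matches the installed object, pam_pwauth_suid.so */
XPAM_MODULE_ENTRY("pam_pwauth_suid");
SHAR_END
echo x pam-pwauth_suid/files/pwauth_suid_helper.c
sed 's/^X//' > pam-pwauth_suid/files/pwauth_suid_helper.c << 'SHAR_END'
X/* $NetBSD: pwauth_suid_helper.c,v 1.2 2008/07/17 18:00:58 drochner Exp $ */
X
X#include <errno.h>
X#include <pwd.h>
X#include <string.h>
X#include <unistd.h>
X
X/*
X * Installed setuid root.  Reads a candidate password on stdin (the
X * writer closes the pipe; no newline is expected) and exits 0 iff it
X * matches the stored hash of argv[1], which must be the invoking
X * (real) user.  Every other exit status means "not authenticated".
X */
X
Xstatic char pwbuf[_PASSWORD_LEN + 1];
X
X/*
X * Zero a buffer through a volatile pointer so the compiler cannot
X * drop the stores as dead (the buffer is never read afterwards).
X */
Xstatic void
Xwipe(volatile char *p, size_t n)
X{
X	while (n-- > 0)
X		*p++ = '\0';
X}
X
X/*
X * Constant-time string equality: running time depends only on the
X * lengths of the two strings, never on where they first differ.
X */
Xstatic int
Xct_streq(const char *a, const char *b)
X{
X	size_t la = strlen(a), lb = strlen(b);
X	unsigned char acc = (unsigned char)(la != lb);
X	size_t i;
X
X	for (i = 0; i < la && i < lb; i++)
X		acc |= (unsigned char)(a[i] ^ b[i]);
X	return acc == 0;
X}
X
Xint
Xmain(int argc, char **argv)
X{
X	const struct passwd *pwent;
X	ssize_t res;
X	char *bufptr;
X	const char *pwhash;
X	size_t buflen;
X	int rv;
X
X	if (argc != 2)
X		return (EINVAL);
X
X	/*
X	 * mlock(2) pwbuf[]? NetBSD's getpass(3) doesn't,
X	 * so don't bother for now.
X	 */
X
X	bufptr = pwbuf;
X	buflen = sizeof(pwbuf);
X	do {
X		res = read(STDIN_FILENO, bufptr, buflen);
X		if (res < 0) {
X			rv = errno;
X			wipe(pwbuf, sizeof(pwbuf));
X			return (rv);
X		}
X		bufptr += res;
X		buflen -= (size_t)res;
X	} while (res > 0 && buflen > 0);
X	/*
X	 * A candidate longer than _PASSWORD_LEN is rejected rather than
X	 * silently truncated, so a truncated guess can never "match".
X	 */
X	if (buflen == 0) {
X		wipe(pwbuf, sizeof(pwbuf));
X		return (ENOMEM);
X	}
X	/* pwbuf is \0-terminated here b/c pwbuf is in bss */
X	pwbuf[sizeof(pwbuf) - 1] = '\0';	/* be paranoid */
X
X	/*
X	 * Use username as key rather than uid so that it will not
X	 * fail completely if multiple pw entries share a uid.
X	 * Return same result in "not me" and "doesn't exist" cases
X	 * to avoid leak of account information.
X	 */
X	pwent = getpwnam(argv[1]);
X	if (!pwent || (pwent->pw_uid != getuid())) {
X		wipe(pwbuf, sizeof(pwbuf));
X		return (EPERM);
X	}
X
X	/*
X	 * Root was only needed to read the shadow hash.  Drop it before
X	 * handing the caller-controlled buffer to crypt(3).  pw_passwd
X	 * points into libc static storage and stays valid.
X	 */
X	if (setuid(getuid()) != 0) {
X		wipe(pwbuf, sizeof(pwbuf));
X		return (EPERM);
X	}
X
X	/* An empty stored hash (password-less entry) never matches. */
X	if (pwent->pw_passwd == NULL || pwent->pw_passwd[0] == '\0') {
X		wipe(pwbuf, sizeof(pwbuf));
X		return (EAUTH);
X	}
X
X	/*
X	 * Forcibly eat up some wall time to prevent use of this program
X	 * to brute-force.
X	 */
X	usleep(100000);
X
X	pwhash = crypt(pwbuf, pwent->pw_passwd);
X	wipe(pwbuf, sizeof(pwbuf));
X	/* constant-time compare: don't leak how long a matching prefix is */
X	if (pwhash && ct_streq(pwhash, pwent->pw_passwd))
X		return (0);
X
X	return (EAUTH);
X}
SHAR_END
echo x pam-pwauth_suid/files/xscreensaver
sed 's/^X//' > pam-pwauth_suid/files/xscreensaver << 'SHAR_END'
X# $NetBSD: xscreensaver,v 1.1 2008/07/17 18:00:58 drochner Exp $
Xauth	required	@PREFIX@/lib/security/pam_pwauth_suid.so
SHAR_END
exit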