FreeBSD Bugzilla – Attachment 222001 Details for
Bug 253073
New port: security/pam-pwauth_suid PAM authentication module for unprivileged users
PAM authentication module for unprivileged users
pam-pwauth_suid.shar (text/plain), 6.62 KB, created by
`
on 2021-01-29 07:33:08 UTC
Description:
PAM authentication module for unprivileged users
Filename:
MIME Type:
Creator:
`
Created:
2021-01-29 07:33:08 UTC
Size:
6.62 KB
patch
obsolete
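#!/bin/sh
# This is a shell archive
echo x pam-pwauth_suid
mkdir -p pam-pwauth_suid > /dev/null 2>&1
echo x pam-pwauth_suid/files
mkdir -p pam-pwauth_suid/files > /dev/null 2>&1
echo x pam-pwauth_suid/Makefile
sed 's/^X//' > pam-pwauth_suid/Makefile << 'SHAR_END'
X# $FreeBSD$
X
XPORTNAME=	pam-pwauth_suid
XDISTVERSION=	1.2
XCATEGORIES=	security
XDISTFILES=
X
XMAINTAINER=	bughub@hotmail.com
XCOMMENT=	PAM authentication module for unprivileged users
X
XLICENSE=	BSD2CLAUSE
X
XWRKSRC=		${WRKDIR}
X
X# The module execs the helper by absolute path; the helper is installed
X# setuid root (see pkg-plist), so only this fixed location is ever run.
XPAMDEF+=	-DPATH_HELPER=\"${PREFIX}/libexec/pwauth_suid_helper\"
XPAMDEF+=	-DNO_STATIC_MODULES
X
Xdo-extract:
X	${CP} ${FILESDIR}/pam_pwauth_suid.c ${FILESDIR}/pwauth_suid_helper.c \
X		${WRKSRC}
X
Xdo-build:
X	(cd ${WRKSRC} && \
X	${CC} ${CFLAGS} -c -fPIC ${PAMDEF} pam_pwauth_suid.c && \
X	${CC} ${LDFLAGS} -shared pam_pwauth_suid.o -o pam_pwauth_suid.so && \
X	${CC} ${CFLAGS} ${LDFLAGS} pwauth_suid_helper.c -o pwauth_suid_helper -lcrypt)
X
Xdo-install:
X	${MKDIR} ${STAGEDIR}${PREFIX}/lib/security
X	${INSTALL_LIB} ${WRKSRC}/pam_pwauth_suid.so \
X		${STAGEDIR}${PREFIX}/lib/security
X	${INSTALL_PROGRAM} ${WRKSRC}/pwauth_suid_helper \
X		${STAGEDIR}${PREFIX}/libexec
X	${MKDIR} ${STAGEDIR}${PREFIX}/share/examples/pam-pwauth_suid
X	${SED} -e 's|@PREFIX@|${PREFIX}|g' ${FILESDIR}/xscreensaver > \
X		${STAGEDIR}${PREFIX}/share/examples/pam-pwauth_suid/xscreensaver
X
X.include <bsd.port.mk>
SHAR_END
echo x pam-pwauth_suid/pkg-descr
sed 's/^X//' > pam-pwauth_suid/pkg-descr << 'SHAR_END'
XThe pam_pwauth_suid authentication module uses a setuid program
Xto verify a password against the encrypted password in the
Xdatabase used by the system. This way, an unprivileged user can
Xverify his own password stored in a shadow password database.
X
XSecurity notes: the password travels from the invoking program to
Xthe setuid helper over a private descriptor, so anything able to
Xobserve that program (a debugger or tracer, for example) could
Xcapture it. The helper only ever checks the account of the real
Xuid that invoked it, does not log failed attempts, and delays each
Xattempt briefly; that delay is only a weak throttle, since the
Xuser's own processes can run several helpers in parallel, so it
Xdoes not prevent dictionary attacks against that user's password.
SHAR_END
echo x pam-pwauth_suid/pkg-plist
sed 's/^X//' > pam-pwauth_suid/pkg-plist << 'SHAR_END'
Xlib/security/pam_pwauth_suid.so
X@(,,4555) libexec/pwauth_suid_helper
Xshare/examples/pam-pwauth_suid/xscreensaver
SHAR_END
echo x pam-pwauth_suid/pkg-message
sed 's/^X//' > pam-pwauth_suid/pkg-message << 'SHAR_END'
X===========================================================================
X$NetBSD: MESSAGE,v 1.3 2019/05/01 02:37:56 gutteridge Exp $
X
XIn order to make unlocking work, you need to add an appropriate file
Xto your pam configuration directory (usually /etc/pam.d).
XA sample pam.d file for xscreensaver can be found in
X${PREFIX}/share/examples/pam-pwauth_suid
X===========================================================================
SHAR_END
echo x pam-pwauth_suid/files/pam_pwauth_suid.c
sed 's/^X//' > pam-pwauth_suid/files/pam_pwauth_suid.c << 'SHAR_END'
X/* $NetBSD: pam_pwauth_suid.c,v 1.3 2008/07/17 18:00:58 drochner Exp $ */
X
X/*
X * pam_pwauth_suid: a PAM "auth" module for programs that run without
X * privileges (screen lockers and the like).  The password is handed to
X * the setuid helper PATH_HELPER over a private descriptor; only the
X * helper touches the shadow password database, and it only accepts the
X * account of the real uid that invoked it.
X */
X
X#include <sys/types.h>
X#include <sys/socket.h>
X#include <sys/wait.h>
X#define PAM_SM_AUTH
X#include <security/pam_appl.h>
X#include <security/pam_modules.h>
X
X#include <errno.h>
X#include <fcntl.h>
X#include <signal.h>
X#include <string.h>
X#include <unistd.h>
X
X/*
X * Run PATH_HELPER for `user' and feed it `pass' on its standard input.
X * Returns 0 when the helper exits 0 (password accepted), EAUTH when it
X * exits non-zero or dies on a signal, or an errno value for a local
X * failure (descriptor setup, vfork, send, waitpid).
X */
Xstatic int
Xaskhelper(const char *user, const char *pass)
X{
X	int fd[2];
X	sigset_t chldsig, omask;
X	pid_t pid, rpid;
X	const char *p;
X	size_t left;
X	ssize_t res;
X	int err, s;
X
X	/*
X	 * A socketpair instead of a pipe: send(2) with MSG_NOSIGNAL turns
X	 * a helper that died before reading (exec failure, for instance)
X	 * into EPIPE rather than a SIGPIPE that would kill the calling
X	 * program.  SOCK_CLOEXEC keeps both ends out of any other process
X	 * the caller happens to exec, and the write end out of the helper.
X	 */
X	if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, fd) < 0)
X		return errno;
X
X	/* make sure only we get the exit status of the helper */
X	sigemptyset(&chldsig);
X	sigaddset(&chldsig, SIGCHLD);
X	if (sigprocmask(SIG_BLOCK, &chldsig, &omask) < 0) {
X		err = errno;
X		goto error2;
X	}
X
X	pid = vfork();
X	switch (pid) {
X	case -1:
X		err = errno;
X		goto error;
X	case 0:	/* child: only async-signal-safe calls until exec */
X		if (fd[0] == STDIN_FILENO) {
X			/*
X			 * The caller runs with stdin closed, so our read end
X			 * already is fd 0.  dup2(0, 0) would be a no-op and
X			 * the close() below would then take stdin away from
X			 * the helper; just strip close-on-exec instead.
X			 */
X			(void)fcntl(fd[0], F_SETFD, 0);
X		} else {
X			(void)dup2(fd[0], STDIN_FILENO);
X			(void)close(fd[0]);
X		}
X		(void)close(fd[1]);
X		execl(PATH_HELPER, PATH_HELPER, user, (char *)NULL);
X		_exit(errno);
X	default:	/* parent */
X		(void)close(fd[0]);
X		fd[0] = -1;
X		break;
X	}
X
X	/* hand over the password; a stream socket may take it in pieces */
X	err = 0;
X	p = pass;
X	left = strlen(pass);
X	while (left > 0) {
X		res = send(fd[1], p, left, MSG_NOSIGNAL);
X		if (res < 0) {
X			if (errno == EINTR)
X				continue;
X			err = errno;
X			break;
X		}
X		if (res == 0) {
X			err = EIO;
X			break;
X		}
X		p += res;
X		left -= (size_t)res;
X	}
X
X	(void)close(fd[1]);	/* now child gets an EOF */
X	fd[1] = -1;
X
X	/* reap the helper on every path so no zombie is left behind */
X	do {
X		rpid = waitpid(pid, &s, 0);
X	} while (rpid == -1 && errno == EINTR);
X	if (rpid != pid && err == 0)
X		err = errno;
X	sigprocmask(SIG_SETMASK, &omask, 0);
X
X	if (err != 0)
X		return err;
X	if (!WIFEXITED(s) || WEXITSTATUS(s) != 0)
X		return EAUTH;
X	return 0;
X
Xerror:
X	sigprocmask(SIG_SETMASK, &omask, 0);
Xerror2:
X	if (fd[0] != -1)
X		(void)close(fd[0]);
X	if (fd[1] != -1)
X		(void)close(fd[1]);
X	return err;
X}
X
X/*
X * PAM entry point: fetch the user name and authentication token from the
X * handle and let the helper decide.  Any helper failure, including an
X * unknown or foreign user, is reported as PAM_AUTH_ERR so that nothing
X * about other accounts is disclosed.
X */
XPAM_EXTERN int
Xpam_sm_authenticate(pam_handle_t *pamh, int flags,
X    int argc, const char **argv)
X{
X	const char *user, *pass;
X	int res;
X
X	(void)flags;
X	(void)argc;
X	(void)argv;
X
X	res = pam_get_user(pamh, &user, NULL);
X	if (res != PAM_SUCCESS)
X		return res;
X	res = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);
X	if (res != PAM_SUCCESS)
X		return res;
X	/* never hand a NULL to the helper (strlen/execl would crash) */
X	if (user == NULL || pass == NULL)
X		return PAM_AUTH_ERR;
X
X	if (askhelper(user, pass) != 0)
X		return PAM_AUTH_ERR;
X
X	return PAM_SUCCESS;
X}
X
X/* This module establishes no credentials; always succeed. */
XPAM_EXTERN int
Xpam_sm_setcred(pam_handle_t *pamh, int flags,
X    int argc, const char **argv)
X{
X	(void)pamh;
X	(void)flags;
X	(void)argc;
X	(void)argv;
X
X	return PAM_SUCCESS;
X}
X
XPAM_MODULE_ENTRY("pam_pwauth_suid");
SHAR_END
echo x pam-pwauth_suid/files/pwauth_suid_helper.c
sed 's/^X//' > pam-pwauth_suid/files/pwauth_suid_helper.c << 'SHAR_END'
X/* $NetBSD: pwauth_suid_helper.c,v 1.2 2008/07/17 18:00:58 drochner Exp $ */
X
X/*
X * pwauth_suid_helper: installed setuid root (see pkg-plist).
X *
X *	pwauth_suid_helper USER < password
X *
X * Reads a password from standard input and exits 0 only if USER's entry
X * in the password database belongs to the real uid that invoked us and
X * the password matches its stored hash.  Every other outcome exits
X * non-zero; the exit codes are errno values, but the PAM module only
X * distinguishes zero from non-zero.  Nothing is logged.
X */
X
X#include <sys/types.h>
X#include <errno.h>
X#include <pwd.h>
X#include <string.h>
X#include <strings.h>
X#include <unistd.h>
X
X/* in bss, so it starts zeroed: whatever read(2) leaves untouched is NUL */
Xstatic char pwbuf[_PASSWORD_LEN + 1];
X
X/*
X * Compare two NUL-terminated strings in time that depends only on their
X * length, so that how much of the stored hash matched is not leaked
X * through the helper's exit timing.
X */
Xstatic int
Xhash_equal(const char *a, const char *b)
X{
X	size_t i, len;
X	unsigned char diff;
X
X	len = strlen(a);
X	if (len != strlen(b))
X		return 0;
X	diff = 0;
X	for (i = 0; i < len; i++)
X		diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
X	return diff == 0;
X}
X
Xint
Xmain(int argc, char **argv)
X{
X	const struct passwd *pwent;
X	const char *pwhash;
X	char *bufptr;
X	size_t buflen;
X	ssize_t res;
X	int rv;
X
X	if (argc != 2)
X		return (EINVAL);
X
X	/*
X	 * Read until EOF (the PAM module closes its end after writing) or
X	 * until the buffer is full.  mlock(2) pwbuf[]? NetBSD's getpass(3)
X	 * doesn't, so don't bother for now.
X	 */
X	bufptr = pwbuf;
X	buflen = sizeof(pwbuf);
X	for (;;) {
X		res = read(STDIN_FILENO, bufptr, buflen);
X		if (res < 0) {
X			if (errno == EINTR)
X				continue;
X			rv = errno;
X			goto out;
X		}
X		if (res == 0)
X			break;
X		bufptr += res;
X		buflen -= (size_t)res;
X		if (buflen == 0)
X			break;
X	}
X	/* a password that fills the whole buffer is too long: reject it */
X	if (buflen == 0) {
X		rv = ENOMEM;
X		goto out;
X	}
X	pwbuf[sizeof(pwbuf) - 1] = '\0';	/* be paranoid; bss is zero anyway */
X
X	/*
X	 * Use username as key rather than uid so that it will not
X	 * fail completely if multiple pw entries share a uid.
X	 * Return same result in "not me" and "doesn't exist" cases
X	 * to avoid leak of account information.
X	 */
X	pwent = getpwnam(argv[1]);
X	if (pwent == NULL || pwent->pw_uid != getuid()) {
X		rv = EPERM;
X		goto out;
X	}
X
X	/*
X	 * An account with an empty hash has no password to verify; refuse
X	 * explicitly rather than rely on what crypt(3) does with "".
X	 */
X	if (pwent->pw_passwd == NULL || pwent->pw_passwd[0] == '\0') {
X		rv = EAUTH;
X		goto out;
X	}
X
X	/*
X	 * Forcibly eat up some wall time to slow down brute-forcing.  This
X	 * only throttles one invocation; the caller can still run several
X	 * helpers in parallel, so it is a speed bump, not a lockout.
X	 */
X	usleep(100000);
X
X	pwhash = crypt(pwbuf, pwent->pw_passwd);
X	rv = (pwhash != NULL && hash_equal(pwhash, pwent->pw_passwd)) ? 0 : EAUTH;
X
Xout:
X	/* explicit_bzero(3) is not dropped by the optimizer like memset can be */
X	explicit_bzero(pwbuf, sizeof(pwbuf));
X	return (rv);
X}
SHAR_END
echo x pam-pwauth_suid/files/xscreensaver
sed 's/^X//' > pam-pwauth_suid/files/xscreensaver << 'SHAR_END'
X# $NetBSD: xscreensaver,v 1.1 2008/07/17 18:00:58 drochner Exp $
Xauth	required	@PREFIX@/lib/security/pam_pwauth_suid.so
SHAR_END
exit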