| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: pam_ksu.c,v 1.9 2014/02/27 18:09:38 joerg Exp $ */ | | 1 | /* $NetBSD: pam_ksu.c,v 1.9.28.1 2023/06/21 22:07:06 martin Exp $ */ |
2 | | | 2 | |
3 | /*- | | 3 | /*- |
4 | * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org> | | 4 | * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org> |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * Redistribution and use in source and binary forms, with or without | | 7 | * Redistribution and use in source and binary forms, with or without |
8 | * modification, are permitted provided that the following conditions | | 8 | * modification, are permitted provided that the following conditions |
9 | * are met: | | 9 | * are met: |
10 | * 1. Redistributions of source code must retain the above copyright | | 10 | * 1. Redistributions of source code must retain the above copyright |
11 | * notice, this list of conditions and the following disclaimer. | | 11 | * notice, this list of conditions and the following disclaimer. |
12 | * 2. Redistributions in binary form must reproduce the above copyright | | 12 | * 2. Redistributions in binary form must reproduce the above copyright |
13 | * notice, this list of conditions and the following disclaimer in the | | 13 | * notice, this list of conditions and the following disclaimer in the |
14 | * documentation and/or other materials provided with the distribution. | | 14 | * documentation and/or other materials provided with the distribution. |
| @@ -19,27 +19,27 @@ | | | @@ -19,27 +19,27 @@ |
19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | | 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
20 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | | 20 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
21 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | | 21 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
22 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | | 22 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
23 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | | 23 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
24 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | | 24 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
25 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | | 25 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
26 | * SUCH DAMAGE. | | 26 | * SUCH DAMAGE. |
27 | */ | | 27 | */ |
28 | #include <sys/cdefs.h> | | 28 | #include <sys/cdefs.h> |
29 | #ifdef __FreeBSD__ | | 29 | #ifdef __FreeBSD__ |
30 | __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); | | 30 | __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); |
31 | #else | | 31 | #else |
32 | __RCSID("$NetBSD: pam_ksu.c,v 1.9 2014/02/27 18:09:38 joerg Exp $"); | | 32 | __RCSID("$NetBSD: pam_ksu.c,v 1.9.28.1 2023/06/21 22:07:06 martin Exp $"); |
33 | #endif | | 33 | #endif |
34 | | | 34 | |
35 | #include <sys/param.h> | | 35 | #include <sys/param.h> |
36 | #include <errno.h> | | 36 | #include <errno.h> |
37 | #include <stdio.h> | | 37 | #include <stdio.h> |
38 | #include <stdlib.h> | | 38 | #include <stdlib.h> |
39 | #include <string.h> | | 39 | #include <string.h> |
40 | #include <unistd.h> | | 40 | #include <unistd.h> |
41 | | | 41 | |
42 | #include <krb5/krb5.h> | | 42 | #include <krb5/krb5.h> |
43 | | | 43 | |
44 | #define PAM_SM_AUTH | | 44 | #define PAM_SM_AUTH |
45 | #define PAM_SM_CRED | | 45 | #define PAM_SM_CRED |
| @@ -52,56 +52,62 @@ static const char superuser[] = "root"; | | | @@ -52,56 +52,62 @@ static const char superuser[] = "root"; |
52 | #define PASSWORD_PROMPT "%s's password:" | | 52 | #define PASSWORD_PROMPT "%s's password:" |
53 | | | 53 | |
54 | static void log_krb5(krb5_context, krb5_error_code, const char *, ...) | | 54 | static void log_krb5(krb5_context, krb5_error_code, const char *, ...) |
55 | __printflike(3, 4); | | 55 | __printflike(3, 4); |
56 | static krb5_error_code get_su_principal(krb5_context, const char *, | | 56 | static krb5_error_code get_su_principal(krb5_context, const char *, |
57 | const char *, char **, krb5_principal *); | | 57 | const char *, char **, krb5_principal *); |
58 | static int auth_krb5(pam_handle_t *, krb5_context, const char *, | | 58 | static int auth_krb5(pam_handle_t *, krb5_context, const char *, |
59 | krb5_principal); | | 59 | krb5_principal); |
60 | | | 60 | |
61 | PAM_EXTERN int | | 61 | PAM_EXTERN int |
62 | pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, | | 62 | pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, |
63 | int argc __unused, const char *argv[] __unused) | | 63 | int argc __unused, const char *argv[] __unused) |
64 | { | | 64 | { |
| | | 65 | krb5_boolean allow_homedir; |
65 | krb5_context context; | | 66 | krb5_context context; |
66 | krb5_principal su_principal; | | 67 | krb5_principal su_principal; |
67 | const char *user; | | 68 | const char *user; |
68 | const void *ruser; | | 69 | const void *ruser; |
69 | char *su_principal_name; | | 70 | char *su_principal_name; |
70 | krb5_error_code rv; | | 71 | krb5_error_code rv; |
71 | int pamret; | | 72 | int pamret; |
72 | | | 73 | |
73 | pamret = pam_get_user(pamh, &user, NULL); | | 74 | pamret = pam_get_user(pamh, &user, NULL); |
74 | if (pamret != PAM_SUCCESS) | | 75 | if (pamret != PAM_SUCCESS) |
75 | return (pamret); | | 76 | return (pamret); |
76 | PAM_LOG("Got user: %s", user); | | 77 | PAM_LOG("Got user: %s", user); |
77 | pamret = pam_get_item(pamh, PAM_RUSER, &ruser); | | 78 | pamret = pam_get_item(pamh, PAM_RUSER, &ruser); |
78 | if (pamret != PAM_SUCCESS) | | 79 | if (pamret != PAM_SUCCESS) |
79 | return (pamret); | | 80 | return (pamret); |
80 | PAM_LOG("Got ruser: %s", (const char *)ruser); | | 81 | PAM_LOG("Got ruser: %s", (const char *)ruser); |
| | | 82 | allow_homedir = krb5_set_home_dir_access(NULL, FALSE); |
81 | rv = krb5_init_context(&context); | | 83 | rv = krb5_init_context(&context); |
82 | if (rv != 0) { | | 84 | if (rv != 0) { |
83 | log_krb5(context, rv, "krb5_init_context failed"); | | 85 | log_krb5(context, rv, "krb5_init_context failed"); |
84 | return (PAM_SERVICE_ERR); | | 86 | pamret = PAM_SERVICE_ERR; |
| | | 87 | goto out; |
85 | } | | 88 | } |
86 | rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); | | 89 | rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); |
87 | if (rv != 0) | | 90 | if (rv != 0) { |
88 | return (PAM_AUTH_ERR); | | 91 | pamret = PAM_AUTH_ERR; |
| | | 92 | goto out; |
| | | 93 | } |
89 | PAM_LOG("kuserok: %s -> %s", su_principal_name, user); | | 94 | PAM_LOG("kuserok: %s -> %s", su_principal_name, user); |
90 | rv = krb5_kuserok(context, su_principal, user); | | 95 | rv = krb5_kuserok(context, su_principal, user); |
91 | pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; | | 96 | pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; |
92 | free(su_principal_name); | | 97 | free(su_principal_name); |
93 | krb5_free_principal(context, su_principal); | | 98 | krb5_free_principal(context, su_principal); |
94 | krb5_free_context(context); | | 99 | krb5_free_context(context); |
| | | 100 | out: (void)krb5_set_home_dir_access(NULL, allow_homedir); |
95 | return (pamret); | | 101 | return (pamret); |
96 | } | | 102 | } |
97 | | | 103 | |
98 | PAM_EXTERN int | | 104 | PAM_EXTERN int |
99 | pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, | | 105 | pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, |
100 | int ac __unused, const char *av[] __unused) | | 106 | int ac __unused, const char *av[] __unused) |
101 | { | | 107 | { |
102 | | | 108 | |
103 | return (PAM_SUCCESS); | | 109 | return (PAM_SUCCESS); |
104 | } | | 110 | } |
105 | | | 111 | |
106 | /* Authenticate using Kerberos 5. | | 112 | /* Authenticate using Kerberos 5. |
107 | * pamh -- The PAM handle. | | 113 | * pamh -- The PAM handle. |
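Review bot: The new `goto out;` on the get_su_principal failure path (new line 92) bypasses `krb5_free_context(context)`, which now only runs on the success path, so the context created a few lines earlier leaks whenever the principal lookup fails; the old early `return` leaked it as well, but this restructuring is the natural point to fix it. Change that jump to `goto out_ctx;` and add an `out_ctx:` label directly before `krb5_free_context(context);`, keeping `out:` for the home-directory restore so every path still undoes the global toggle. Calling `krb5_set_home_dir_access(NULL, FALSE)` before `krb5_init_context` is the right order, since this module runs for a privileged su and the invoking user's home-directory Kerberos configuration must not influence the library while the context is built, and restoring the saved return value at `out` is consistent with the call yielding the prior setting. The single-line `out: (void)krb5_set_home_dir_access(...)` form differs from the rest of the file; a label on its own line would match the surrounding style. The `log_krb5(context, rv, ...)` call on the init-failure path still passes a `context` that krb5_init_context never set (pre-existing); initializing it with `krb5_context context = NULL;` would make that path well-defined, assuming log_krb5 tolerates a NULL context.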