authorArthur de Jong <arthur@arthurdejong.org>2009-05-29 21:22:58 +0000
committerArthur de Jong <arthur@arthurdejong.org>2009-05-29 21:22:58 +0000
commitf91b33e7b87b0447029e9b7593b796c3b9d0d0b0 (patch)
treecb66705231e6c4480c62c3b690867c426cf2763b /pam
parent7c32d0121c95bbb05ab064b29bf7ec2ba5defc00 (diff)
refactor protocol reading and writing macros to the common directory, use more logical names and in the PAM module no longer use NSS status codes (import of r887 from nss-pam-ldapd)
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd@904 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'pam')
-rw-r--r--pam/Makefile.am6
-rw-r--r--pam/common.h84
-rw-r--r--pam/pam.c136
3 files changed, 155 insertions, 71 deletions
diff --git a/pam/Makefile.am b/pam/Makefile.am
index c816ffd..765776c 100644
--- a/pam/Makefile.am
+++ b/pam/Makefile.am
@@ -22,10 +22,10 @@ noinst_PROGRAMS = pam_ldap.so
AM_CPPFLAGS=-I$(top_srcdir)
AM_CFLAGS = -fPIC
-pam_ldap_so_SOURCES = ../nslcd.h ../nslcd-common.h \
- ../compat/attrs.h pam.c
+pam_ldap_so_SOURCES = ../nslcd.h ../common/nslcd-prot.h \
+ ../compat/attrs.h pam.c common.h
pam_ldap_so_LDFLAGS = -shared -Wl,--version-script,\$(srcdir)/exports.linux
-pam_ldap_so_LDADD = ../common/libtio.a ../nss/common.o -lpam
+pam_ldap_so_LDADD = ../common/libtio.a ../common/libprot.a -lpam
EXTRA_DIST = exports.linux
diff --git a/pam/common.h b/pam/common.h
new file mode 100644
index 0000000..32c6d88
--- /dev/null
+++ b/pam/common.h
@@ -0,0 +1,84 @@
+/*
+ common.h - common functions for PAM lookups
+
+ Copyright (C) 2009 Arthur de Jong
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301 USA
+*/
+
+#ifndef _PAM_COMMON_H
+#define _PAM_COMMON_H 1
+
+#include <stdio.h>
+
+#include "nslcd.h"
+#include "common/nslcd-prot.h"
+#include "compat/attrs.h"
+
+/* These are macros for handling read and write problems, they are
+ PAM specific due to the return code so are defined here. They
+ genrally close the open file, set an error code and return with
+ an error status. */
+
+/* Macro is called to handle errors in opening a client connection. */
+#define ERROR_OUT_OPENERROR \
+ return PAM_AUTHINFO_UNAVAIL;
+
+/* Macro is called to handle errors on read operations. */
+#define ERROR_OUT_READERROR(fp) \
+ (void)tio_close(fp); \
+ fp=NULL; \
+ return PAM_AUTHINFO_UNAVAIL;
+
+/* Macro is called to handle problems with too small a buffer. */
+#define ERROR_OUT_BUFERROR(fp) \
+ return PAM_SYSTEM_ERR;
+
+/* This macro is called if there was a problem with a write
+ operation. */
+#define ERROR_OUT_WRITEERROR(fp) \
+ ERROR_OUT_READERROR(fp)
+
+/* This macro is called if the read status code is not
+ NSLCD_RESULT_BEGIN. */
+#define ERROR_OUT_NOSUCCESS(fp) \
+ (void)tio_close(fp); \
+ fp=NULL; \
+ return PAM_USER_UNKNOWN;
+
+/* This is a generic PAM request generation macro. The action
+ parameter is the NSLCD_ACTION_.. action, the writefn is the
+ operation for writing the parameter and readfn is the function
+ name for reading a single result entry. The function is assumed
+ to have result, buffer, buflen and errnop parameters that define
+ the result structure, the user buffer with length and the
+ errno to return. This macro should be called through some of
+ the customized ones below. */
+#define PAM_REQUEST(action,writefn,readfn) \
+ TFILE *fp; \
+ int32_t tmpint32; \
+ int retv; \
+ /* open socket and write request */ \
+ NSLCD_REQUEST(fp,action,writefn); \
+ /* read response */ \
+ READ_RESPONSE_CODE(fp); \
+ retv=readfn; \
+ /* close socket and we're done */ \
+ if (retv==PAM_SUCCESS) \
+ (void)tio_close(fp); \
+ return retv;
+
+#endif /* not _PAM_COMMON_H */
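Review bot: ERROR_OUT_BUFERROR(fp) returns PAM_SYSTEM_ERR without closing the stream, unlike ERROR_OUT_READERROR and ERROR_OUT_NOSUCCESS, and PAM_REQUEST only calls tio_close when `retv==PAM_SUCCESS`, so a response that overflows ctx->buf leaves the TFILE (and, presumably, its socket descriptor) open in the calling process on every such request. The NSS version of this macro presumably keeps the stream open so the caller can retry with a bigger buffer, but nothing in this header or in pam.c retries, so the macro should mirror the read-error path: `(void)tio_close(fp); fp=NULL; return PAM_SYSTEM_ERR;`. The multi-statement macros also expand to bare statement lists rather than a `do { ... } while (0)` body, so any unbraced `if (...) ERROR_OUT_READERROR(fp);` at a call site in nslcd-prot.h would close the stream unconditionally; the call sites are not visible here, so worth confirming. Finally, the PAM_REQUEST comment still describes NSS-style `result, buffer, buflen and errnop parameters` that the PAM read functions in this commit no longer have (they take only fp and a pld_ctx), so suggest rewording it to `readfn is expected to take fp and a pld_ctx and return a PAM_* status` and fixing the `genrally` typo while there.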
diff --git a/pam/pam.c b/pam/pam.c
index 21f0e89..304c5a2 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -32,10 +32,7 @@
#include <errno.h>
#include <syslog.h>
-/* really ugly workaround */
-#define SKIP_BUFCHECK 1
-
-#include "nss/common.h"
+#include "common.h"
#include "compat/attrs.h"
/* these are defined (before including pam_modules.h) for staticly linking */
@@ -57,20 +54,6 @@
#define PLD_CTX "PAM_LDAPD_CTX"
-#define NSS2PAM_RC(rc,ignore,ok) \
- switch(rc) { \
- case NSS_STATUS_SUCCESS: \
- rc = ok; break; \
- case NSS_STATUS_UNAVAIL: \
- rc = (ignore & IGNORE_UNAVAIL) ? PAM_IGNORE : PAM_AUTHINFO_UNAVAIL; \
- break; \
- case NSS_STATUS_NOTFOUND: \
- rc = (ignore & IGNORE_UNKNOWN) ? PAM_IGNORE: PAM_USER_UNKNOWN; \
- break; \
- default: \
- rc = PAM_SYSTEM_ERR; break; \
- }
-
typedef struct pld_ctx {
char *user;
char *dn;
@@ -224,33 +207,33 @@ static int pam_get_authtok(
return rc;
}
-static enum nss_status pam_read_authc(
- TFILE *fp,pld_ctx *ctx,int *errnop)
+static int pam_read_authc(
+ TFILE *fp,pld_ctx *ctx)
{
char *buffer = ctx->buf;
size_t buflen = sizeof(ctx->buf);
size_t bufptr = 0;
int32_t tmpint32;
- READ_STRING_BUF(fp,ctx->tmpluser);
- READ_STRING_BUF(fp,ctx->dn);
+ READ_BUF_STRING(fp,ctx->tmpluser);
+ READ_BUF_STRING(fp,ctx->dn);
READ_INT32(fp,ctx->authok);
READ_INT32(fp,ctx->authz);
- READ_STRING_BUF(fp,ctx->authzmsg);
+ READ_BUF_STRING(fp,ctx->authzmsg);
ctx->authok = nslcd2pam_rc(ctx->authok);
ctx->authz = nslcd2pam_rc(ctx->authz);
- return NSS_STATUS_SUCCESS;
+ return PAM_SUCCESS;
}
-static enum nss_status pam_do_authc(
- pld_ctx *ctx, const char *user, const char *svc,const char *pwd,int *errnop)
+static int pam_do_authc(
+ pld_ctx *ctx, const char *user, const char *svc,const char *pwd)
{
- NSS_BYGEN(NSLCD_ACTION_PAM_AUTHC,
+ PAM_REQUEST(NSLCD_ACTION_PAM_AUTHC,
WRITE_STRING(fp,user);
WRITE_STRING(fp,ctx->dn);
WRITE_STRING(fp,svc);
WRITE_STRING(fp,pwd),
- pam_read_authc(fp,ctx,errnop));
+ pam_read_authc(fp,ctx));
}
#define USE_FIRST 1
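Review bot: pam_read_authc and pam_do_authc carry no comment describing the contract PAM_REQUEST imposes on them, and the `buffer`, `buflen`, `bufptr` and `tmpint32` locals look unused to a reader who does not know they are consumed by READ_BUF_STRING/READ_INT32. Suggest heading pam_read_authc with `/* read the authc response (user, dn, authok, authz, authzmsg) from fp into ctx; the locals below are required by the READ_* macros, which return early (presumably via ERROR_OUT_READERROR) on stream errors */`, and noting on pam_do_authc that PAM_SUCCESS only means the response was parsed and that the actual verdict is in ctx->authok, which the caller must check. Whether WRITE_STRING tolerates a NULL `pwd` is not visible from here; pam_sm_authenticate passes the PAM_AUTHTOK item, initialised to NULL, straight through, so that is worth confirming against nslcd-prot.h.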
@@ -260,7 +243,7 @@ static enum nss_status pam_do_authc(
int pam_sm_authenticate(
pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- int err, rc;
+ int rc;
const char *username, *svc;
char *p = NULL;
int first_pass = 0, ignore_flags = 0;
@@ -311,8 +294,13 @@ int pam_sm_authenticate(
}
rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
if (rc == PAM_SUCCESS) {
- rc = pam_do_authc(ctx, username, svc, p, &err);
- NSS2PAM_RC(rc, ignore_flags, ctx->authok);
+ rc = pam_do_authc(ctx, username, svc, p);
+ if (rc==PAM_SUCCESS)
+ rc=ctx->authok;
+ if ((rc==PAM_AUTHINFO_UNAVAIL)&&(ignore_flags&IGNORE_UNAVAIL))
+ rc=PAM_IGNORE;
+ else if ((rc==PAM_USER_UNKNOWN)&&(ignore_flags&IGNORE_UNKNOWN))
+ rc=PAM_IGNORE;
}
if (rc == PAM_SUCCESS || (first_pass & USE_FIRST)) {
break;
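Review bot: The ignore_flags chain right after `rc=ctx->authok;` now runs on the substituted value, so a server-supplied authok of PAM_USER_UNKNOWN or PAM_AUTHINFO_UNAVAIL becomes PAM_IGNORE when the matching flag is set, whereas the removed NSS2PAM_RC applied the flags only to the transport status and returned ctx->authok untouched on NSS_STATUS_SUCCESS. That may well be intended, but it quietly changes the module's verdict for those users, and pam_sm_chauthtok (the hunk ending at `if (rc != PAM_SUCCESS)`) does it the other way round, mapping first and substituting ctx->authz afterwards, so the two entry points disagree; confirm which policy is wanted and say so in a comment. The same four-line mapping is also pasted into pam_sm_acct_mgmt, pam_sm_session and twice into pam_sm_chauthtok (hunks ending at `pam_warn(appconv, ...`, `return rc; }`, `return rc; }` and the truncated final hunk), which is exactly the duplication NSS2PAM_RC used to avoid; a small static helper placed above pam_sm_authenticate keeps the policy in one place. pam_sm_authenticate's body continues outside the hunk.
```c
/* map a transport or lookup failure to PAM_IGNORE when the
   corresponding IGNORE_* flag was given as a module option */
static int pam_ignore_rc(int rc, int ignore_flags)
{
  if ((rc == PAM_AUTHINFO_UNAVAIL) && (ignore_flags & IGNORE_UNAVAIL))
    return PAM_IGNORE;
  if ((rc == PAM_USER_UNKNOWN) && (ignore_flags & IGNORE_UNKNOWN))
    return PAM_IGNORE;
  return rc;
}

/* … unchanged: pam_sm_authenticate up to the PAM_AUTHTOK lookup … */
      rc = pam_do_authc(ctx, username, svc, p);
      if (rc == PAM_SUCCESS)
        rc = ctx->authok;
      rc = pam_ignore_rc(rc, ignore_flags);
```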
@@ -362,36 +350,36 @@ pam_warn(
&resp, aconv->appdata_ptr);
}
-static enum nss_status pam_read_authz(
- TFILE *fp,pld_ctx *ctx,int *errnop)
+static int pam_read_authz(
+ TFILE *fp,pld_ctx *ctx)
{
char *buffer = ctx->buf;
size_t buflen = sizeof(ctx->buf);
size_t bufptr = 0;
int32_t tmpint32;
- READ_STRING_BUF(fp,ctx->tmpluser);
- READ_STRING_BUF(fp,ctx->dn);
+ READ_BUF_STRING(fp,ctx->tmpluser);
+ READ_BUF_STRING(fp,ctx->dn);
READ_INT32(fp,ctx->authz);
- READ_STRING_BUF(fp,ctx->authzmsg);
+ READ_BUF_STRING(fp,ctx->authzmsg);
ctx->authz = nslcd2pam_rc(ctx->authz);
- return NSS_STATUS_SUCCESS;
+ return PAM_SUCCESS;
}
-static enum nss_status pam_do_authz(
- pld_ctx *ctx,const char *username,const char *svc,int *errnop)
+static int pam_do_authz(
+ pld_ctx *ctx,const char *username,const char *svc)
{
- NSS_BYGEN(NSLCD_ACTION_PAM_AUTHZ,
+ PAM_REQUEST(NSLCD_ACTION_PAM_AUTHZ,
WRITE_STRING(fp,username);
WRITE_STRING(fp,ctx->dn);
WRITE_STRING(fp,svc),
- pam_read_authz(fp,ctx,errnop));
+ pam_read_authz(fp,ctx));
}
int pam_sm_acct_mgmt(
pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- int rc, err;
+ int rc;
const char *username, *svc;
int no_warn = 0, ignore_flags = 0;
int i;
@@ -440,8 +428,11 @@ int pam_sm_acct_mgmt(
ctx2.dn = ctx->dn;
ctx2.user = ctx->user;
- rc = pam_do_authz(&ctx2, username, svc, &err);
- NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
+ rc = pam_do_authz(&ctx2, username, svc);
+ if ((rc==PAM_AUTHINFO_UNAVAIL)&&(ignore_flags&IGNORE_UNAVAIL))
+ rc=PAM_IGNORE;
+ else if ((rc==PAM_USER_UNKNOWN)&&(ignore_flags&IGNORE_UNKNOWN))
+ rc=PAM_IGNORE;
if (rc != PAM_SUCCESS) {
if (rc != PAM_IGNORE)
pam_warn(appconv, "LDAP authorization failed", PAM_ERROR_MSG, no_warn);
@@ -463,16 +454,16 @@ int pam_sm_acct_mgmt(
return rc;
}
-static enum nss_status pam_read_sess(
- TFILE *fp,pld_ctx *ctx,int *errnop)
+static int pam_read_sess(
+ TFILE *fp,pld_ctx *ctx)
{
int tmpint32;
READ_INT32(fp,ctx->sessid);
- return NSS_STATUS_SUCCESS;
+ return PAM_SUCCESS;
}
-static enum nss_status pam_do_sess(
- pam_handle_t *pamh,pld_ctx *ctx,int action,int *errnop)
+static int pam_do_sess(
+ pam_handle_t *pamh,pld_ctx *ctx,int action)
{
const char *svc = NULL, *tty = NULL, *rhost = NULL, *ruser = NULL;
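Review bot: pam_read_sess declares its scratch variable as `int tmpint32;` while pam_read_authc, pam_read_authz and pam_read_pwmod all use `int32_t tmpint32;`; READ_INT32 presumably reads the wire value through that temporary, so its type should match the 32-bit protocol width rather than rely on int happening to be 32 bits. Change the line to `int32_t tmpint32;` for consistency with the other readers. pam_do_sess continues outside the hunk.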
@@ -482,7 +473,7 @@ static enum nss_status pam_do_sess(
pam_get_item (pamh, PAM_RUSER, (CONST_ARG void **) &ruser);
{
- NSS_BYGEN(action,
+ PAM_REQUEST(action,
WRITE_STRING(fp,ctx->user);
WRITE_STRING(fp,ctx->dn);
WRITE_STRING(fp,svc);
@@ -490,7 +481,7 @@ static enum nss_status pam_do_sess(
WRITE_STRING(fp,rhost);
WRITE_STRING(fp,ruser);
WRITE_INT32(fp,ctx->sessid),
- pam_read_sess(fp,ctx,errnop));
+ pam_read_sess(fp,ctx));
}
}
@@ -536,8 +527,11 @@ static int pam_sm_session(
if (rc != PAM_SUCCESS)
return rc;
- rc = pam_do_sess(pamh, ctx, action, &err);
- NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
+ rc = pam_do_sess(pamh, ctx, action);
+ if ((rc==PAM_AUTHINFO_UNAVAIL)&&(ignore_flags&IGNORE_UNAVAIL))
+ rc=PAM_IGNORE;
+ else if ((rc==PAM_USER_UNKNOWN)&&(ignore_flags&IGNORE_UNKNOWN))
+ rc=PAM_IGNORE;
return rc;
}
@@ -573,39 +567,39 @@ int pam_sm_close_session(
return rc;
}
-static enum nss_status pam_read_pwmod(
- TFILE *fp,pld_ctx *ctx,int *errnop)
+static int pam_read_pwmod(
+ TFILE *fp,pld_ctx *ctx)
{
char *buffer = ctx->buf, *user;
size_t buflen = sizeof(ctx->buf);
size_t bufptr = 0;
int32_t tmpint32;
- READ_STRING_BUF(fp,ctx->tmpluser);
- READ_STRING_BUF(fp,ctx->dn);
+ READ_BUF_STRING(fp,ctx->tmpluser);
+ READ_BUF_STRING(fp,ctx->dn);
READ_INT32(fp,ctx->authz);
- READ_STRING_BUF(fp,ctx->authzmsg);
+ READ_BUF_STRING(fp,ctx->authzmsg);
ctx->authz = nslcd2pam_rc(ctx->authz);
- return NSS_STATUS_SUCCESS;
+ return PAM_SUCCESS;
}
-static enum nss_status pam_do_pwmod(
+static int pam_do_pwmod(
pld_ctx *ctx, const char *user, const char *svc,
- const char *oldpw, const char *newpw, int *errnop)
+ const char *oldpw, const char *newpw)
{
- NSS_BYGEN(NSLCD_ACTION_PAM_PWMOD,
+ PAM_REQUEST(NSLCD_ACTION_PAM_PWMOD,
WRITE_STRING(fp,user);
WRITE_STRING(fp,ctx->dn);
WRITE_STRING(fp,svc);
WRITE_STRING(fp,oldpw);
WRITE_STRING(fp,newpw),
- pam_read_pwmod(fp,ctx,errnop));
+ pam_read_pwmod(fp,ctx));
}
int pam_sm_chauthtok(
pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- int rc, err;
+ int rc;
const char *username, *p = NULL, *q = NULL, *svc;
int first_pass = 0, no_warn = 0, ignore_flags = 0;
int i, success = PAM_SUCCESS;
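Review bot: `char *buffer = ctx->buf, *user;` in pam_read_pwmod declares `user`, but nothing in the function body references it and the same READ_* macros work in pam_read_authz without it, so it is dead and will trip -Wunused-variable; change the line to `char *buffer = ctx->buf;`. Apart from that local, pam_read_pwmod is line-for-line the same as pam_read_authz (tmpluser, dn, authz, authzmsg, then nslcd2pam_rc), so one shared reader, or pam_do_pwmod simply passing pam_read_authz to PAM_REQUEST, would remove the copy and keep the two response layouts from drifting apart. pam_sm_chauthtok's body continues outside the hunk.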
@@ -671,8 +665,11 @@ int pam_sm_chauthtok(
rc = PAM_SUCCESS;
}
if (!ctx->dn) {
- rc = pam_do_pwmod(ctx, username, svc, p, NULL, &err);
- NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
+ rc = pam_do_pwmod(ctx, username, svc, p, NULL);
+ if ((rc==PAM_AUTHINFO_UNAVAIL)&&(ignore_flags&IGNORE_UNAVAIL))
+ rc=PAM_IGNORE;
+ else if ((rc==PAM_USER_UNKNOWN)&&(ignore_flags&IGNORE_UNKNOWN))
+ rc=PAM_IGNORE;
}
return rc;
}
@@ -703,9 +700,12 @@ int pam_sm_chauthtok(
if (rc != PAM_SUCCESS)
return rc;
}
- rc = pam_do_pwmod(ctx, username, svc, p, q, &err);
+ rc = pam_do_pwmod(ctx, username, svc, p, q);
+ if ((rc==PAM_AUTHINFO_UNAVAIL)&&(ignore_flags&IGNORE_UNAVAIL))
+ rc=PAM_IGNORE;
+ else if ((rc==PAM_USER_UNKNOWN)&&(ignore_flags&IGNORE_UNKNOWN))
+ rc=PAM_IGNORE;
p = NULL; q = NULL;
- NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
if (rc == PAM_SUCCESS) {
rc = ctx->authz;
if (rc != PAM_SUCCESS)