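--- a/hylafax-4.1.8.chris/config.h.in
+++ b/hylafax-4.1.8.chris/config.h.in
@@ -274,4 +274,10 @@
 #define	SNPP_DEFREDIALS	12		/* number times to dial phone */
 #define	SNPP_DEFNOTIFY	"none"		/* default is no email notification */
 #define	SNPP_DEFPRIORITY 127		/* default job priority */
+
+/*
+ * PAM Authentication
+ */
+@HAVE_PAM@
+
 #endif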
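--- a/hylafax-4.1.8.chris/configure
+++ b/hylafax-4.1.8.chris/configure
@@ -178,7 +178,9 @@
 LIBDB
 LLDOPTS
 LN
-LN_S"
+LN_S
+HAVE_PAM
+PAMLIBS"
 
 VAR2="MACHDEPLIBS
 MAKECXXOVERRIDE
@@ -323,6 +325,7 @@
   --version               print the version of autoconf that created configure
   --target=TARGET         configure for TARGET [TARGET=HOST]
   --srcdir=DIR            find the sources in DIR [configure dir or ..]
+  --disable-pam           disable all PAM support
   --with-PARAM[=ARG]      set configuration PARAM [ARG=yes]
 EOF
 }
@@ -376,6 +379,7 @@
     -srcdir=*|--srcdir=*)	SRCDIR="$ac_optarg";;
     -target|--target)		ac_prev=TARGET;;
     -target=*|--target=*)	TARGET="$ac_optarg" ;;
+	-disable-pam|--disable-pam) DISABLE_PAM="yes" ;;
     -version|--version)
 	echo "This is HylaFAX configure $Revision: 1.92 $"
 	exit 0
@@ -1548,6 +1552,25 @@
 	LIBSUN=no
     fi
 fi
+HAVE_PAM="/*#define HAVE_PAM 1*/"
+PAMLIBS=""
+if [ "$DISABLE_PAM" != "yes" ]; then
+	Note "Checking for PAM (Pluggable Authentication Module) support"
+	CheckForLibrary pam_authenticate -lpam &&
+		CheckForLibrary misc_conv -lpam_misc -lpam &&
+		CheckForIncludeFile security/pam_appl.h &&
+		CheckForIncludeFile security/pam_misc.h && {
+			HAVE_PAM="#define HAVE_PAM 1"
+			PAMLIBS="-lpam -lpam_misc"
+		}
+	if [ "x$PAMLIBS" = "x" ]; then
+		Note "... not found. Disabling PAM support"
+		else
+		Note "... found. Enabling PAM support"
+	fi
+else
+	Note "Disabling PAM support"
+fi
 CheckForLibrary crypt -lc || {
     #
     # FreeBSD-2.1 in particular needs -lcrypt.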
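Review bot: The PAM probe at new lines 1559-1562 makes `misc_conv` from `-lpam_misc` a hard requirement, yet the code this patch adds in hfaxd/Login.c++ supplies its own conversation function (`pamconv`) and does not call `misc_conv` in any visible hunk. Where libpam is installed without libpam_misc the chain fails and PAM support is switched off with only a "not found" note, and where it succeeds `PAMLIBS="-lpam -lpam_misc"` reaches every program through `LIBS` in defs.in. Unless `security/pam_misc.h` is what brings `x_strdup` into scope, `CheckForLibrary pam_authenticate -lpam && CheckForIncludeFile security/pam_appl.h` with `PAMLIBS="-lpam"` would probably be enough. `DISABLE_PAM` is never given a starting value in the visible hunks, so a value inherited from the environment can decide the outcome; an explicit `DISABLE_PAM=no` before option parsing would pin it.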
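--- a/hylafax-4.1.8.chris/defs.in
+++ b/hylafax-4.1.8.chris/defs.in
@@ -133,7 +133,7 @@
 C++FILE		= @CXXFILE@
 
 # default definitions for programs--overide them as desired
-LIBS		= ${LIBUTIL}
+LIBS		= ${LIBUTIL} @PAMLIBS@
 LLDLIBS		= ${LIBS} ${LIBTIFF} ${LIBZ} ${LIBREGEX} ${LIBPORT} ${MACHDEPLIBS}
 #
 # Override this definition to eliminate shared library use.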
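--- a/hylafax-4.1.8.chris/hfaxd/HylaFAXServer.c++
+++ b/hylafax-4.1.8.chris/hfaxd/HylaFAXServer.c++
@@ -624,6 +624,7 @@
 { "faxqfifoname",	&HylaFAXServer::faxqFIFOName,	"/" FAX_FIFO },
 { "systemtype",		&HylaFAXServer::systemType,
   "UNIX Type: L8 Version: SVR4" },
+{ "admingroup",		&HylaFAXServer::admingroup },
 };
 HylaFAXServer::numbertag HylaFAXServer::numbers[] = {
 { "servertracing",	&HylaFAXServer::tracingLevel,		TRACE_SERVER },
@@ -644,6 +645,7 @@
     for (i = N(numbers)-1; i >= 0; i--)
 	(*this).*numbers[i].p = numbers[i].def;
     faxContact.append("@" | hostname);
+	admingroup = "faxadmin";
 }
 
 void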
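Review bot: The new `admingroup` entry in the strings table carries no default value, unlike its neighbours, and the default is instead assigned by hand with `admingroup = "faxadmin";` at the end of the routine in the second hunk. Putting the default in the table, `{ "admingroup",		&HylaFAXServer::admingroup,	"faxadmin" },`, keeps the value that decides who counts as an administrator next to the other defaults and makes the extra assignment unnecessary. That routine begins outside the hunk, so the loop that applies the string defaults is not visible; if it assigns `def` unconditionally like the `numbers` loop does, the omitted initialiser is a null pointer handed to the string assignment. The two added lines are also tab-indented where the surrounding code uses four spaces.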
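--- a/hylafax-4.1.8.chris/hfaxd/HylaFAXServer.h
+++ b/hylafax-4.1.8.chris/hfaxd/HylaFAXServer.h
@@ -38,6 +38,16 @@
 #include "Trigger.h"
 #include "Syslog.h"
 
+#include "config.h"
+
+#ifdef HAVE_PAM
+extern "C" {
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <grp.h>
+}
+#endif // HAVE_PAM
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <dirent.h>
@@ -213,6 +223,8 @@
     u_int	adminAttempts;		// number of failed admin attempts
     u_int	maxAdminAttempts;	// admin failures before server exits
     fxStr	the_user;		// name of user
+	fxStr   admingroup;			// name of local user group that is allowed
+								// to administer the fax server
     IDCache*	idcache;		// fax UID -> name mapping table
     /*
      * File and file-transfer related state.
@@ -330,8 +342,11 @@
     void setFileOwner(const char* filename);
 
     void loginRefused(const char* why);
+	bool pamCheck(const char* user=NULL, const char* pass=NULL);
+	bool pamIsAdmin(const char* user=NULL);
     bool checkUser(const char*);
     bool checkuser(FILE*, const char *name);
+    bool checkuser(const char *name);
     void login(void);
     void end_login(void);
     virtual void dologout(int status);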
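--- a/hylafax-4.1.8.chris/hfaxd/Login.c++
+++ b/hylafax-4.1.8.chris/hfaxd/Login.c++
@@ -95,6 +95,84 @@
 	loginRefused("user denied");
 }
 
+#ifdef HAVE_PAM
+int
+pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata)
+{
+	int i;
+	char *password =(char*) appdata;
+	struct pam_response* replies;
+	int retval = PAM_CONV_ERR;
+
+	replies=(struct pam_response*)calloc(num_msg, sizeof(struct pam_response));
+
+	for (i=0; i<num_msg; i++) {
+		switch(msg[i]->msg_style) {
+			case PAM_PROMPT_ECHO_OFF:
+				replies[i].resp = x_strdup(password);
+				replies[i].resp_retcode = 0;
+				retval = PAM_SUCCESS;
+				break;
+		}
+	}
+	*resp = replies;
+	return(retval);
+}
+#endif //HAVE_PAM
+
+bool
+HylaFAXServer::pamIsAdmin(const char* user)
+{
+	bool retval = false;
+#ifdef HAVE_PAM
+	int i;
+	static struct group* grinfo = getgrnam(admingroup);
+	const char *curruser = (user == NULL ? the_user.c_str() : user);
+	if (grinfo != NULL) {
+		for (i=0; grinfo->gr_mem[i] != NULL; i++) {
+			if (strcmp(curruser, grinfo->gr_mem[i]) == 0) retval = true;
+		}
+	}
+#endif //HAVE_PAM
+	return(retval);
+}
+
+bool
+HylaFAXServer::pamCheck(const char* user, const char* pass)
+{
+	bool retval = false;
+#ifdef HAVE_PAM
+	if (user == NULL) user = the_user;
+	if (pass == NULL) pass = passwd.c_str();
+	struct pam_conv conv = {
+		pamconv,
+		(void*)pass
+	};
+
+	pam_handle_t *pamh = NULL;
+
+	int pamret;
+
+	pamret = pam_start(FAX_SERVICE, user, &conv, &pamh);
+	if (pamret == PAM_SUCCESS) {
+		pamret = pam_authenticate(pamh, 0);
+	}
+
+	if (pamret == PAM_SUCCESS) {
+		pamret = pam_acct_mgmt(pamh, 0);
+		retval = true;
+	}
+
+	if (pamret == PAM_SUCCESS) {
+		retval = true;
+	}
+
+	pam_end(pamh, pamret);
+	if (pamIsAdmin()) state |= S_PRIVILEGED;
+#endif //HAVE_PAM
+	return(retval);
+}
+
 void
 HylaFAXServer::passCmd(const char* pass)
 {
@@ -118,7 +196,7 @@
 	pass++;
     } else
 	state |= S_LREPLIES;
-    if (pass[0] == '\0' || strcmp(crypt(pass, passwd), passwd) != 0) {
+    if (pass[0] == '\0' || !(strcmp(crypt(pass, passwd), passwd) == 0 || pamCheck(the_user, pass))) {
 	if (++loginAttempts >= maxLoginAttempts) {
 	    reply(530, "Login incorrect (closing connection).");
 	    logNotice("Repeated login failures for user %s from %s [%s]"
@@ -176,6 +254,7 @@
 
     initDefaultJob();		// setup connection-related state
     dirSetup();			// initialize directory handling
+	if (pamIsAdmin()) state |= S_PRIVILEGED;
 }
 
 void
@@ -183,7 +262,7 @@
 {
     fxAssert(IS(LOGGEDIN), "ADMIN command permitted when not logged in");
     // NB: null adminwd is permitted
-    if (strcmp(crypt(pass, adminwd), adminwd) != 0) {
+    if ((strcmp(crypt(pass, adminwd), adminwd) != 0) && !pamIsAdmin()) {
 	if (++adminAttempts >= maxAdminAttempts) {
 	    reply(530, "Password incorrect (closing connection).");
 	    logNotice("Repeated admin failures from %s [%s]"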
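Review bot: `pamCheck` (new lines 140-174) reports success whenever `pam_authenticate` succeeds, because `retval = true` is assigned right after the `pam_acct_mgmt` call without looking at its result, so an account that the account-management stack rejects (expired, for example) is still accepted. The following `if (pamIsAdmin()) state |= S_PRIVILEGED;` runs even when authentication failed, and it tests `the_user` rather than the `user` argument. The result should be derived once from the final `pamret` and the privilege bit set only when that result is true, as in the excerpt below. `pamIsAdmin` also keeps the `getgrnam` result in a function-level `static`, so the lookup happens once per process and the pointer refers to storage that later `getgr*` calls may overwrite; a plain local avoids both. The `login()` and `adminCmd` hunks grant `S_PRIVILEGED`, or accept the ADMIN command with any password, on group membership of the user name alone, whichever way that name was authenticated, which is worth confirming as intended.

```cpp
	// … unchanged: user/pass defaults, struct pam_conv conv, pamh, pamret …
	pamret = pam_start(FAX_SERVICE, user, &conv, &pamh);
	if (pamret == PAM_SUCCESS)
		pamret = pam_authenticate(pamh, 0);
	if (pamret == PAM_SUCCESS)
		pamret = pam_acct_mgmt(pamh, 0);

	// Success only if start, authentication and account checks all passed.
	retval = (pamret == PAM_SUCCESS);

	pam_end(pamh, pamret);
	if (retval && pamIsAdmin(user)) state |= S_PRIVILEGED;
```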
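--- a/hylafax-4.1.8.chris/hfaxd/SNPPServer.c++
+++ b/hylafax-4.1.8.chris/hfaxd/SNPPServer.c++
@@ -995,7 +995,7 @@
 
     if (checkUser(loginID)) {
 	if (passwd != "") {
-	    if (pass[0] == '\0' || !streq(crypt(pass, passwd), passwd)) {
+	    if (pass[0] == '\0' || !(streq(crypt(pass, passwd), passwd) || pamCheck(the_user, pass))) {
 		if (++loginAttempts >= maxLoginAttempts) {
 		    reply(421, "Login incorrect (closing connection).");
 		    logNotice("Repeated SNPP login failures for user %s from %s [%s]"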
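--- a/hylafax-4.1.8.chris/hfaxd/User.c++
+++ b/hylafax-4.1.8.chris/hfaxd/User.c++
@@ -55,7 +55,7 @@
     bool check = false;
     FILE* db = fopen(fixPathname(userAccessFile), "r");
     if (db != NULL) {
-	check = checkuser(db, name);
+	check = checkuser(db, name) || checkuser(name);
 	fclose(db);
     } else
 	logError("Unable to open the user access file %s: %s",
@@ -82,6 +82,22 @@
     return (false);
 }
 
+bool
+HylaFAXServer::checkuser(const char* name)
+{
+	bool retval=false;
+#ifdef HAVE_PAM
+	struct passwd* uinfo=getpwnam(name);
+	if (uinfo != NULL) {
+		uid = uinfo->pw_uid;
+		passwd = "*";
+		adminwd = "*";
+		retval = true;
+	}
+#endif //HAVE_PAM
+	return(retval);
+}
+
 /*
  * Check the user name and host name/address against
  * the list of users and hosts that are permitted to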
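Review bot: The change at new line 58, `check = checkuser(db, name) || checkuser(name);`, accepts any name that `getpwnam` resolves once the access-file lookup has returned false, so the user and host rules described in the comment that follows no longer limit who may attempt a login. If PAM users are meant to be admitted only from permitted hosts, the fallback should sit behind its own configuration switch or still require a matching host entry in the access file; it is also reachable only when the access file opens, which looks unintended. The new `checkuser(const char*)` stores `"*"` in `passwd` and `adminwd`, and the login paths in Login.c++ and SNPPServer.c++ then hand that value to `crypt()` as the salt before `pamCheck` is tried. Some libc versions return NULL for a salt they reject, which `strcmp`/`streq` would dereference, so the `crypt()` comparison should be skipped for these accounts or its result checked for NULL first. `checkUser` starts and ends outside the first hunk.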
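--- a/hylafax-4.1.8.chris/hfaxd/hfaxd.conf
+++ b/hylafax-4.1.8.chris/hfaxd/hfaxd.conf
@@ -15,6 +15,7 @@
 #MaxAdminAttempts:	5		# max # admin attempts before disconnect
 #MaxConsecutiveBadCmds:	10		# max # invalid cmds before disconnect
 #FaxContact:		FaxMaster	# who gets questions/complaints
+#AdminGroup:		faxadmin	# which user group is admin (when using PAM)
 #UserAccessFile:	"/etc/hosts.hfaxd"	# user+host access control file
 #ShutdownFile:		"/etc/shutdown"	# server shutdown control filename
 #XferLogFile:		"/etc/clientlog"	# for logging client file transfers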
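--- a/hylafax-4.1.8.chris/man/hylafax-config.4f
+++ b/hylafax-4.1.8.chris/man/hylafax-config.4f
@@ -116,6 +116,7 @@
 .ta \w'ModemAnswerResponseTimeout    'u +\w'integer    'u +\w'\s-1AT+FCLASS=2.0\s+1    'u
 \fBTag	Type	Default	Description\fP
 AdaptiveAnswer	boolean	\s-1No\s+1	enable adaptive answer of inbound calls
+AdminGroup	string	\s-1faxadmin\s+1	System user group for administration (if PAM enabled)
 AnswerRotary	string	\s-1Any\s+1	alternatives for answering calls
 AnswerBias	integer	\-	bias to apply to successful rotary answer 
 AreaCode\(S2	string	\-	local area code
@@ -396,6 +397,10 @@
 second and subsequent
 .BR ModemAnswer*Cmd s.
 .TP
+.B AdminGroup
+Tells PAM what user group is allowed to administer the fax server.
+Only useful if the server is compiled with PAM enabled.
+.TP
 .B AnswerRotary
 The sequence of answering techniques the server should
 ``rotate through'' when answer incoming calls.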
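--- a/hylafax-4.1.8.chris/util/Str.h
+++ b/hylafax-4.1.8.chris/util/Str.h
@@ -155,6 +155,8 @@
 
     /////////////////////////////////////////////////////
     // Misc
+	const char* c_str() const
+	{ return data; }
     fxStr copy() const;
     fxStr extract(u_int start,u_int len) const;
     fxStr cut(u_int start,u_int len);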
