Lines 41-46
Link Here
|
41 |
#include <security/pam_modules.h> |
41 |
#include <security/pam_modules.h> |
42 |
#include <pam_mount.h> |
42 |
#include <pam_mount.h> |
43 |
|
43 |
|
|
|
44 |
#include <smbpwman/smbpw.h> |
45 |
|
44 |
gboolean debug; |
46 |
gboolean debug; |
45 |
config_t config; |
47 |
config_t config; |
46 |
pam_args_t args; |
48 |
pam_args_t args; |
Lines 76-87
Link Here
|
76 |
void clean_system_authtok(pam_handle_t * pamh, void *data, int errcode) |
78 |
void clean_system_authtok(pam_handle_t * pamh, void *data, int errcode) |
77 |
{ |
79 |
{ |
78 |
/* FIXME: not binary password safe */ |
80 |
/* FIXME: not binary password safe */ |
79 |
/* FIXME: valgrind does not like -- called previously? |
|
|
80 |
if (data) { |
81 |
if (data) { |
81 |
memset(data, 0x00, strlen(data)); |
82 |
memset(data, 0x00, strlen(data)); |
82 |
free(data); |
83 |
free(data); |
83 |
} |
84 |
} |
84 |
*/ |
|
|
85 |
} |
85 |
} |
86 |
|
86 |
|
87 |
/* ============================ converse () ================================ */ |
87 |
/* ============================ converse () ================================ */ |
Lines 162-168
Link Here
|
162 |
const void *tmp = NULL; |
211 |
const void *tmp = NULL; |
163 |
|
212 |
const void *dummy = NULL; |
164 |
assert(pamh); |
213 |
void *dummy2 = NULL; |
Lines 211-228
Link Here
|
211 |
ret = PAM_AUTH_ERR; |
210 |
ret = PAM_AUTH_ERR; |
212 |
goto _return; |
211 |
goto _return; |
213 |
} |
212 |
} |
214 |
if ((ret = |
213 |
if (smbpw_verify_socket_path(SOCKET_NAME) < 0) { |
215 |
pam_set_data(pamh, "pam_mount_system_authtok", authtok, |
214 |
l0g("pam_mount: smbpwman socket path %s is insecure", |
216 |
clean_system_authtok)) != PAM_SUCCESS) { |
215 |
SOCKET_NAME); |
217 |
l0g("pam_mount: %s\n", |
216 |
ret = PAM_AUTH_ERR; |
218 |
"error trying to save authtok for session code"); |
|
|
219 |
goto _return; |
217 |
goto _return; |
220 |
} |
218 |
} |
|
|
219 |
if ((ret = smbpw_store(config.user, authtok)) < 0) { |
220 |
l0g("pam_mount: error %i caching password", ret); |
221 |
ret = PAM_AUTH_ERR; |
222 |
goto _return; |
223 |
} |
224 |
/*ensure smbpw_store is called the same |
225 |
number of times as smbpw_retrieve so no |
226 |
credentials are left lying around */ |
227 |
if ((pam_get_data(pamh, "pam_mount_pw_stored", &dummy)) == PAM_SUCCESS) { |
228 |
authtok = smbpw_retrieve(config.user); |
229 |
} |
230 |
pam_set_data(pamh, "pam_mount_pw_stored", dummy2, NULL); |
221 |
_return: |
231 |
_return: |
222 |
assert(ret != PAM_SUCCESS |
|
|
223 |
|| pam_get_data(pamh, "pam_mount_system_authtok", |
224 |
&tmp) == PAM_SUCCESS); |
225 |
assert(ret != PAM_SUCCESS || tmp); |
226 |
|
232 |
|
227 |
return ret; |
233 |
return ret; |
228 |
} |
234 |
} |
Lines 305-310
Link Here
|
305 |
int vol; |
306 |
int vol; |
306 |
int ret = PAM_SUCCESS; |
307 |
int ret = PAM_SUCCESS; |
307 |
char *system_authtok; |
308 |
char *system_authtok; |
|
|
309 |
const char *pam_user; |
308 |
|
310 |
|
309 |
assert(pamh); |
311 |
assert(pamh); |
310 |
|
312 |
|
Lines 313-334
Link Here
|
313 |
if (chdir("/")) |
315 |
if (chdir("/")) |
314 |
l0g("pam_mount %s\n", "could not chdir"); |
316 |
l0g("pam_mount %s\n", "could not chdir"); |
315 |
if (config.user == NULL) { |
317 |
if (config.user == NULL) { |
316 |
l0g("pam_mount: username not read: pam_mount not conf. for auth?\n"); |
318 |
/* If config.user is not stored, try reading it as the |
317 |
/* do NOT return PAM_SERVICE_ERR or root will not be able |
319 |
authenticate and open_session may have been called in different |
318 |
* to su to other users */ |
320 |
processes (eg openssh) */ |
319 |
goto _return; |
321 |
if ((ret = pam_get_user(pamh, &pam_user, NULL)) != PAM_SUCCESS) |
|
|
322 |
{ |
323 |
l0g("pam_mount: username not read and couldn't be fetched: pam_mount not conf. for auth?\n"); |
324 |
/* do NOT return PAM_SERVICE_ERR or root will not |
325 |
* be able to su to other users */ |
326 |
goto _return; |
327 |
} |
328 |
config.user=strdup(pam_user); |
320 |
} |
329 |
} |
321 |
if (strlen(config.user) > MAX_PAR) { |
330 |
if (strlen(config.user) > MAX_PAR) { |
322 |
l0g("pam_mount: username %s is too long\n", config.user); |
331 |
l0g("pam_mount: username %s is too long\n", config.user); |
323 |
ret = PAM_SERVICE_ERR; |
332 |
ret = PAM_SERVICE_ERR; |
324 |
goto _return; |
333 |
goto _return; |
325 |
} |
334 |
} |
326 |
if ((ret = |
335 |
if (!(system_authtok = smbpw_retrieve(config.user))) |
327 |
pam_get_data(pamh, "pam_mount_system_authtok", |
|
|
328 |
(const void **) &system_authtok)) != PAM_SUCCESS) |
329 |
{ |
336 |
{ |
330 |
l0g("pam_mount: %s\n", |
337 |
l0g("pam_mount: %s\n", |
331 |
"error trying to retrieve authtok from auth code"); |
338 |
"error trying to retrieve authtok from smbpwman cache"); |
332 |
goto _return; |
339 |
goto _return; |
333 |
} |
340 |
} |
334 |
if (!readconfig(config.user, CONFIGFILE, 1, &config)) { |
341 |
if (!readconfig(config.user, CONFIGFILE, 1, &config)) { |
Lines 379-391
Link Here
|
379 |
config.volume[vol].volume); |
386 |
config.volume[vol].volume); |
380 |
} |
387 |
} |
381 |
/* end root priv. */ |
388 |
/* end root priv. */ |
382 |
/* Paranoia? */ |
|
|
383 |
clean_system_authtok(pamh, system_authtok, 0); |
384 |
/* This code needs root priv. */ |
389 |
/* This code needs root priv. */ |
385 |
modify_pm_count(&config, config.user, "1"); |
390 |
modify_pm_count(&config, config.user, "1"); |
386 |
/* end root priv. */ |
391 |
/* end root priv. */ |
387 |
|
392 |
|
388 |
_return: |
393 |
_return: |
|
|
394 |
/* Paranoia? */ |
395 |
clean_system_authtok(pamh, system_authtok, 0); |
389 |
w4rn("pam_mount: done opening session\n"); |
396 |
w4rn("pam_mount: done opening session\n"); |
390 |
return ret; |
397 |
return ret; |
391 |
} |
398 |
} |
Lines 412-417
Link Here
|
412 |
int vol; |
419 |
int vol; |
413 |
/* FIXME: this currently always returns PAM_SUCCESS should return something else when errors occur but only after all unmounts are attempted??? */ |
420 |
/* FIXME: this currently always returns PAM_SUCCESS should return something else when errors occur but only after all unmounts are attempted??? */ |
414 |
int ret = PAM_SUCCESS; |
421 |
int ret = PAM_SUCCESS; |
|
|
422 |
const char *pam_user; |
415 |
|
423 |
|
416 |
assert(pamh); |
424 |
assert(pamh); |
417 |
|
425 |
|
Lines 419-428
Link Here
|
419 |
w4rn("pam_mount: real and effective user ID are %d and %d.\n", |
427 |
w4rn("pam_mount: real and effective user ID are %d and %d.\n", |
420 |
getuid(), geteuid()); |
428 |
getuid(), geteuid()); |
421 |
if (config.user == NULL) { |
429 |
if (config.user == NULL) { |
422 |
l0g("pam_mount: username not read: pam_mount not conf. for auth?\n"); |
430 |
if ((ret = pam_get_user(pamh, &pam_user, NULL)) != PAM_SUCCESS) |
423 |
/* do NOT return PAM_SERVICE_ERR or root will not be able |
431 |
{ |
424 |
* to su to other users */ |
432 |
l0g("pam_mount: username not read and couldn't be fetched: pam_mount not conf. for auth?\n"); |
425 |
goto _return; |
433 |
/* do NOT return PAM_SERVICE_ERR or root will not |
|
|
434 |
* be able to su to other users */ |
435 |
goto _return; |
436 |
} |
437 |
config.user=strdup(pam_user); |
426 |
} |
438 |
} |
427 |
if (config.volcount <= 0) |
439 |
if (config.volcount <= 0) |
428 |
w4rn("pam_mount: %s\n", "volcount is zero"); |
440 |
w4rn("pam_mount: %s\n", "volcount is zero"); |