diff options
author | Philip Prindeville <philipp@redfish-solutions.com> | 2018-01-23 11:21:56 -0700 |
---|---|---|
committer | Philip Prindeville <philipp@redfish-solutions.com> | 2018-01-23 11:21:56 -0700 |
commit | d45a2c53061a3db67e25d5997f3dcfda763b3408 (patch) | |
tree | b8aa4bea9508fc3a315a7e1ac7d12c78d4ca2b8a | |
parent | 059e21e01fec0a72d41c8d05a2f52dc3cadcf0a0 (diff) | |
parent | 81e942c82564e0577e8ecf490b75ed99268a89cc (diff) | |
download | pam_tacplus-1.5.0-beta.2.tar.gz pam_tacplus-1.5.0-beta.2.zip |
Merge branch 'master' of github.com:jeroennijhof/pam_tacplus into v1.5.xv1.5.0-beta.2
-rw-r--r-- | INSTALL | 4 | ||||
-rw-r--r-- | configure.ac | 15 | ||||
-rw-r--r-- | libtac/include/libtac.h | 12 | ||||
-rw-r--r-- | libtac/lib/author_r.c | 1 | ||||
-rw-r--r-- | libtac/lib/magic.c | 10 | ||||
-rw-r--r-- | pam_tacplus.c | 40 | ||||
-rw-r--r-- | support.c | 4 | ||||
-rw-r--r-- | tacc.c | 73 |
8 files changed, 111 insertions, 48 deletions
@@ -93,6 +93,10 @@ of `autoconf'. targets like `make install' and `make uninstall' work correctly. This target is generally not run by end users. + 9. If you're running SElinux in Enforcing mode, you need to set + your policy controls appropriately. For Fedora/RHEL/CentOS, this + is done with "setsebool -P nis_enabled 1" (as root). + Compilers and Options ===================== diff --git a/configure.ac b/configure.ac index e34c769..ff1b44e 100644 --- a/configure.ac +++ b/configure.ac @@ -36,8 +36,13 @@ dnl Checks for libraries. AC_CHECK_LIB(pam, pam_start) AC_CHECK_LIB(tac, tac_connect) AC_CHECK_LIB(crypto, MD5_Init) -AC_CHECK_LIB(crypto, RAND_pseudo_bytes) -AC_CHECK_LIB(util, logwtmp) +AC_CHECK_LIB(crypto, RAND_pseudo_bytes, + [AC_DEFINE([HAVE_RAND_PSEUDO_BYTES], [1], [Define to 1 if you have the `RAND_pseudo_bytes' function.])]) +AC_CHECK_LIB(crypto, RAND_bytes, + [AC_DEFINE([HAVE_RAND_BYTES], [1], [Define to 1 if you have the `RAND_bytes' function.])]) +AC_CHECK_LIB(c, pututxline, + [AC_DEFINE([HAVE_PUTUTXLINE], [1], [Define to 1 if you have the `pututxline' function.])], + [AC_CHECK_LIB(util, logwtmp)]) case "$host" in sparc-* | sparc64-*) @@ -47,11 +52,11 @@ esac dnl -------------------------------------------------------------------- dnl Checks for header files. AC_HEADER_STDC -AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h strings.h sys/socket.h sys/time.h ]) -AC_CHECK_HEADERS([syslog.h unistd.h openssl/md5.h openssl/rand.h linux/random.h sys/random.h]) +AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h strings.h sys/socket.h sys/time.h]) +AC_CHECK_HEADERS([syslog.h unistd.h openssl/md5.h openssl/rand.h sys/random.h]) AC_CHECK_HEADER(security/pam_appl.h, [], [AC_MSG_ERROR([PAM libraries missing. Install with "yum install pam-devel" or "apt-get install libpam-dev".])] ) AM_CONDITIONAL(MY_MD5, [test "$ac_cv_header_openssl_md5_h" = "no" ]) -AM_CONDITIONAL(TACC, [test "$ac_cv_lib_crypto_RAND_pseudo_bytes" = "yes"]) +AM_CONDITIONAL(TACC, [test "$ac_cv_lib_crypto_RAND_bytes" = "yes" || test "$ac_cv_lib_crypto_RAND_pseudo_bytes" = "yes"]) dnl -------------------------------------------------------------------- dnl Checks for typedefs, structures, and compiler characteristics. diff --git a/libtac/include/libtac.h b/libtac/include/libtac.h index c872ff7..23cdc28 100644 --- a/libtac/include/libtac.h +++ b/libtac/include/libtac.h @@ -44,6 +44,18 @@ extern "C" { #endif #include "tacplus.h" +#if defined(__clang__) +#define __CLANG_PREREQ(maj, min) ((__clang_major__ > (maj)) || (__clang_major__ == (maj) && __clang_minor__ >= (min))) +#else +#define __CLANG_PREREQ(maj, min) (0) +#endif + +#if __GNUC_PREREQ(3, 2) || __CLANG_PREREQ(4, 0) +#define __Unused __attribute__ ((unused)) +#else +#define __Unused /* unused */ +#endif + #if defined(DEBUGTAC) && !defined(TACDEBUG) # ifdef __GNUC__ #define TACDEBUG(level, fmt, ...) syslog(level, fmt, ## __VA_ARGS__) diff --git a/libtac/lib/author_r.c b/libtac/lib/author_r.c index 148f7ea..fa101e6 100644 --- a/libtac/lib/author_r.c +++ b/libtac/lib/author_r.c @@ -187,6 +187,7 @@ int tac_author_read(int fd, struct areply *re) { /* XXX support optional vs mandatory arguments */ case TAC_PLUS_AUTHOR_STATUS_PASS_REPL: tac_free_attrib(&re->attr); + /*FALLTHRU*/ case TAC_PLUS_AUTHOR_STATUS_PASS_ADD: { u_char *argp; diff --git a/libtac/lib/magic.c b/libtac/lib/magic.c index a320df5..97aa035 100644 --- a/libtac/lib/magic.c +++ b/libtac/lib/magic.c @@ -63,17 +63,21 @@ magic() { u_int32_t num; +#ifdef HAVE_RAND_BYTES + RAND_bytes((unsigned char *)&num, sizeof(num)); +#else RAND_pseudo_bytes((unsigned char *)&num, sizeof(num)); +#endif return num; } #elif defined(HAVE_GETRANDOM) -# if defined(HAVE_LINUX_RANDOM_H) -# include <linux/random.h> -# elif defined(HAVE_SYS_RANDOM_H) +# if defined(HAVE_SYS_RANDOM_H) # include <sys/random.h> +# else +# error no header containing getrandom(2) declaration # endif /* diff --git a/pam_tacplus.c b/pam_tacplus.c index 324cd5d..19e2aca 100644 --- a/pam_tacplus.c +++ b/pam_tacplus.c @@ -654,33 +654,29 @@ int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc, attr = arep.attr; while (attr != NULL) { - char attribute[attr->attr_len]; - char value[attr->attr_len]; - char *sep; - - sep = index(attr->attr, '='); - if (sep == NULL) - sep = index(attr->attr, '*'); - if (sep != NULL) { - bcopy(attr->attr, attribute, attr->attr_len - strlen(sep)); - attribute[attr->attr_len - strlen(sep)] = '\0'; - bcopy(sep, value, strlen(sep)); - value[strlen(sep)] = '\0'; + size_t len = strcspn(attr->attr, "=*"); + if (len < attr->attr_len) { + char avpair[attr->attr_len+1]; + bcopy(attr->attr, avpair, attr->attr_len+1); /* Also copy terminating NUL */ + if (ctrl & PAM_TAC_DEBUG) + syslog(LOG_DEBUG, "%s: returned attribute `%s' from server", + __FUNCTION__, avpair); + + avpair[len] = '='; // replace '*' by '=' size_t i; - for (i = 0; attribute[i] != '\0'; i++) { - attribute[i] = toupper(attribute[i]); - if (attribute[i] == '-') - attribute[i] = '_'; + for (i = 0; i < len; i++) { + avpair[i] = toupper(avpair[i]); + if (avpair[i] == '-') + avpair[i] = '_'; } if (ctrl & PAM_TAC_DEBUG) - syslog(LOG_DEBUG, "%s: returned attribute `%s%s' from server", - __FUNCTION__, attribute, value); + syslog(LOG_DEBUG, "%s: setting PAM environment `%s'", + __FUNCTION__, avpair); /* make returned attributes available for other PAM modules via PAM environment */ - if (pam_putenv(pamh, - strncat(attribute, value, strlen(value))) != PAM_SUCCESS) + if (pam_putenv(pamh, avpair) != PAM_SUCCESS) syslog(LOG_WARNING, "%s: unable to set PAM environment", __FUNCTION__); @@ -715,7 +711,11 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc, const char **argv) { #if defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO) +# if defined(HAVE_RAND_BYTES) + RAND_bytes((unsigned char *) &task_id, sizeof(task_id)); +# else RAND_pseudo_bytes((unsigned char *) &task_id, sizeof(task_id)); +# endif #else task_id=(short int) magic(); #endif @@ -109,14 +109,12 @@ int converse(pam_handle_t * pamh, int nargs, const struct pam_message *message, } /* stolen from pam_stress */ -int tacacs_get_password (pam_handle_t * pamh, int flags, +int tacacs_get_password (pam_handle_t * pamh, int flags __Unused, int ctrl, char **password) { const void *pam_pass; char *pass = NULL; - flags = flags; /* unused */ - if (ctrl & PAM_TAC_DEBUG) syslog (LOG_DEBUG, "%s: called", __FUNCTION__); @@ -19,7 +19,6 @@ #include <string.h> #include <syslog.h> #include <errno.h> -#include <utmp.h> #include <sys/file.h> #include <sys/types.h> #include <sys/wait.h> @@ -34,6 +33,12 @@ #include "config.h" #endif +#if defined(HAVE_PUTUTXLINE) +#include <utmpx.h> +#elif defined(HAVE_LOGWTMP) +#include <utmp.h> +#endif + #include "tacplus.h" #include "libtac.h" @@ -58,7 +63,6 @@ /* prototypes */ void sighandler(int sig); -void showusage(char *argv0); unsigned long getservername(char *serv); void showusage(char *progname); void showversion(char *progname); @@ -79,6 +83,13 @@ typedef unsigned char flag; flag quiet = 0; char *user = NULL; /* global, because of signal handler */ +#if defined(HAVE_PUTUTXLINE) +struct utmpx utmpx; +#endif + +/* take the length of a string constant without the NUL */ +#define C_STRLEN(str) (sizeof("" str) - 1) + /* command line options */ static struct option long_options[] = { @@ -163,8 +174,12 @@ int main(int argc, char **argv) { break; case 'V': showversion(argv[0]); + /*NOTREACHED*/ + break; case 'h': showusage(argv[0]); + /*NOTREACHED*/ + break; case 'u': user = optarg; break; @@ -173,8 +188,7 @@ int main(int argc, char **argv) { break; case 'L': // tac_login is a global variable initialized in libtac - bzero(tac_login, sizeof(tac_login)); - strncpy(tac_login, optarg, sizeof(tac_login) - 1); + xstrcpy(tac_login, optarg, sizeof(tac_login)); break; case 'p': pass = optarg; @@ -316,7 +330,11 @@ int main(int argc, char **argv) { struct tac_attrib *attr = NULL; sprintf(buf, "%lu", time(0)); tac_add_attrib(&attr, "start_time", buf); +#ifdef HAVE_RAND_BYTES + RAND_bytes((unsigned char *) &task_id, sizeof(task_id)); +#else RAND_pseudo_bytes((unsigned char *) &task_id, sizeof(task_id)); +#endif sprintf(buf, "%hu", task_id); tac_add_attrib(&attr, "task_id", buf); tac_add_attrib(&attr, "service", service); @@ -347,10 +365,28 @@ int main(int argc, char **argv) { } /* log in local utmp */ -#ifdef HAVE_LOGWTMP - if (log_wtmp) + if (log_wtmp) { +#if defined(HAVE_PUTUTXLINE) + struct timeval tv; + + gettimeofday(&tv, NULL); + + memset(&utmpx, 0, sizeof(utmpx)); + utmpx.ut_type = USER_PROCESS; + utmpx.ut_pid = getpid(); + xstrcpy(utmpx.ut_line, tty, sizeof(utmpx.ut_line)); + strncpy(utmpx.ut_id, tty + C_STRLEN("tty"), sizeof(utmpx.ut_id)); + xstrcpy(utmpx.ut_host, "dialup", sizeof(utmpx.ut_host)); + utmpx.ut_tv.tv_sec = tv.tv_sec; + utmpx.ut_tv.tv_usec = tv.tv_usec; + xstrcpy(utmpx.ut_user, user, sizeof(utmpx.ut_user)); + /* ut_addr unused ... */ + setutxent(); + pututxline(&utmpx); +#elif defined(HAVE_LOGWTMP) logwtmp(tty, user, "dialup"); #endif + } if (command != NULL) { int ret; @@ -429,17 +465,24 @@ int main(int argc, char **argv) { } /* logout from utmp */ -#ifdef HAVE_LOGWTMP - if (log_wtmp) + if (log_wtmp) { +#if defined(HAVE_PUTUTXLINE) + utmpx.ut_type = DEAD_PROCESS; + memset(utmpx.ut_line, 0, sizeof(utmpx.ut_line)); + memset(utmpx.ut_user, 0, sizeof(utmpx.ut_user)); + memset(utmpx.ut_host, 0, sizeof(utmpx.ut_host)); + utmpx.ut_tv.tv_sec = utmpx.ut_tv.tv_usec = 0; + setutxent(); + pututxline(&utmpx); +#elif defined(HAVE_LOGWTMP) logwtmp(tty, "", ""); #endif + } exit(EXIT_OK); } -void sighandler(int sig) { - sig = sig; /* unused */ - +void sighandler(int sig __Unused) { TACDEBUG(LOG_DEBUG, "caught signal %d", sig); } @@ -565,19 +608,15 @@ unsigned long getservername(char *serv) { return (-1); } -void timeout_handler(int signum) { - signum = signum; /* unused */ - +void timeout_handler(int signum __Unused) { syslog(LOG_ERR, "timeout reading password from user %s", user); } #ifdef TACDEBUG_AT_RUNTIME -void logmsg(int level, const char *fmt, ...) +void logmsg(int level __Unused, const char *fmt, ...) { va_list ap; - level = level; /* unused */ - va_start(ap, fmt); vfprintf(stderr, fmt, ap); va_end(ap); |