summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPhilip Prindeville <philipp@redfish-solutions.com>2018-01-23 11:21:56 -0700
committerPhilip Prindeville <philipp@redfish-solutions.com>2018-01-23 11:21:56 -0700
commitd45a2c53061a3db67e25d5997f3dcfda763b3408 (patch)
treeb8aa4bea9508fc3a315a7e1ac7d12c78d4ca2b8a
parent059e21e01fec0a72d41c8d05a2f52dc3cadcf0a0 (diff)
parent81e942c82564e0577e8ecf490b75ed99268a89cc (diff)
downloadpam_tacplus-1.5.0-beta.2.tar.gz
pam_tacplus-1.5.0-beta.2.zip
Merge branch 'master' of github.com:jeroennijhof/pam_tacplus into v1.5.xv1.5.0-beta.2
-rw-r--r--INSTALL4
-rw-r--r--configure.ac15
-rw-r--r--libtac/include/libtac.h12
-rw-r--r--libtac/lib/author_r.c1
-rw-r--r--libtac/lib/magic.c10
-rw-r--r--pam_tacplus.c40
-rw-r--r--support.c4
-rw-r--r--tacc.c73
8 files changed, 111 insertions, 48 deletions
diff --git a/INSTALL b/INSTALL
index 2099840..c12f41a 100644
--- a/INSTALL
+++ b/INSTALL
@@ -93,6 +93,10 @@ of `autoconf'.
targets like `make install' and `make uninstall' work correctly.
This target is generally not run by end users.
+ 9. If you're running SElinux in Enforcing mode, you need to set
+ your policy controls appropriately. For Fedora/RHEL/CentOS, this
+ is done with "setsebool -P nis_enabled 1" (as root).
+
Compilers and Options
=====================
diff --git a/configure.ac b/configure.ac
index e34c769..ff1b44e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,8 +36,13 @@ dnl Checks for libraries.
AC_CHECK_LIB(pam, pam_start)
AC_CHECK_LIB(tac, tac_connect)
AC_CHECK_LIB(crypto, MD5_Init)
-AC_CHECK_LIB(crypto, RAND_pseudo_bytes)
-AC_CHECK_LIB(util, logwtmp)
+AC_CHECK_LIB(crypto, RAND_pseudo_bytes,
+ [AC_DEFINE([HAVE_RAND_PSEUDO_BYTES], [1], [Define to 1 if you have the `RAND_pseudo_bytes' function.])])
+AC_CHECK_LIB(crypto, RAND_bytes,
+ [AC_DEFINE([HAVE_RAND_BYTES], [1], [Define to 1 if you have the `RAND_bytes' function.])])
+AC_CHECK_LIB(c, pututxline,
+ [AC_DEFINE([HAVE_PUTUTXLINE], [1], [Define to 1 if you have the `pututxline' function.])],
+ [AC_CHECK_LIB(util, logwtmp)])
case "$host" in
sparc-* | sparc64-*)
@@ -47,11 +52,11 @@ esac
dnl --------------------------------------------------------------------
dnl Checks for header files.
AC_HEADER_STDC
-AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h strings.h sys/socket.h sys/time.h ])
-AC_CHECK_HEADERS([syslog.h unistd.h openssl/md5.h openssl/rand.h linux/random.h sys/random.h])
+AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h strings.h sys/socket.h sys/time.h])
+AC_CHECK_HEADERS([syslog.h unistd.h openssl/md5.h openssl/rand.h sys/random.h])
AC_CHECK_HEADER(security/pam_appl.h, [], [AC_MSG_ERROR([PAM libraries missing. Install with "yum install pam-devel" or "apt-get install libpam-dev".])] )
AM_CONDITIONAL(MY_MD5, [test "$ac_cv_header_openssl_md5_h" = "no" ])
-AM_CONDITIONAL(TACC, [test "$ac_cv_lib_crypto_RAND_pseudo_bytes" = "yes"])
+AM_CONDITIONAL(TACC, [test "$ac_cv_lib_crypto_RAND_bytes" = "yes" || test "$ac_cv_lib_crypto_RAND_pseudo_bytes" = "yes"])
dnl --------------------------------------------------------------------
dnl Checks for typedefs, structures, and compiler characteristics.
diff --git a/libtac/include/libtac.h b/libtac/include/libtac.h
index c872ff7..23cdc28 100644
--- a/libtac/include/libtac.h
+++ b/libtac/include/libtac.h
@@ -44,6 +44,18 @@ extern "C" {
#endif
#include "tacplus.h"
+#if defined(__clang__)
+#define __CLANG_PREREQ(maj, min) ((__clang_major__ > (maj)) || (__clang_major__ == (maj) && __clang_minor__ >= (min)))
+#else
+#define __CLANG_PREREQ(maj, min) (0)
+#endif
+
+#if __GNUC_PREREQ(3, 2) || __CLANG_PREREQ(4, 0)
+#define __Unused __attribute__ ((unused))
+#else
+#define __Unused /* unused */
+#endif
+
#if defined(DEBUGTAC) && !defined(TACDEBUG)
# ifdef __GNUC__
#define TACDEBUG(level, fmt, ...) syslog(level, fmt, ## __VA_ARGS__)
diff --git a/libtac/lib/author_r.c b/libtac/lib/author_r.c
index 148f7ea..fa101e6 100644
--- a/libtac/lib/author_r.c
+++ b/libtac/lib/author_r.c
@@ -187,6 +187,7 @@ int tac_author_read(int fd, struct areply *re) {
/* XXX support optional vs mandatory arguments */
case TAC_PLUS_AUTHOR_STATUS_PASS_REPL:
tac_free_attrib(&re->attr);
+ /*FALLTHRU*/
case TAC_PLUS_AUTHOR_STATUS_PASS_ADD: {
u_char *argp;
diff --git a/libtac/lib/magic.c b/libtac/lib/magic.c
index a320df5..97aa035 100644
--- a/libtac/lib/magic.c
+++ b/libtac/lib/magic.c
@@ -63,17 +63,21 @@ magic()
{
u_int32_t num;
+#ifdef HAVE_RAND_BYTES
+ RAND_bytes((unsigned char *)&num, sizeof(num));
+#else
RAND_pseudo_bytes((unsigned char *)&num, sizeof(num));
+#endif
return num;
}
#elif defined(HAVE_GETRANDOM)
-# if defined(HAVE_LINUX_RANDOM_H)
-# include <linux/random.h>
-# elif defined(HAVE_SYS_RANDOM_H)
+# if defined(HAVE_SYS_RANDOM_H)
# include <sys/random.h>
+# else
+# error no header containing getrandom(2) declaration
# endif
/*
diff --git a/pam_tacplus.c b/pam_tacplus.c
index 324cd5d..19e2aca 100644
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -654,33 +654,29 @@ int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
attr = arep.attr;
while (attr != NULL) {
- char attribute[attr->attr_len];
- char value[attr->attr_len];
- char *sep;
-
- sep = index(attr->attr, '=');
- if (sep == NULL)
- sep = index(attr->attr, '*');
- if (sep != NULL) {
- bcopy(attr->attr, attribute, attr->attr_len - strlen(sep));
- attribute[attr->attr_len - strlen(sep)] = '\0';
- bcopy(sep, value, strlen(sep));
- value[strlen(sep)] = '\0';
+ size_t len = strcspn(attr->attr, "=*");
+ if (len < attr->attr_len) {
+ char avpair[attr->attr_len+1];
+ bcopy(attr->attr, avpair, attr->attr_len+1); /* Also copy terminating NUL */
+ if (ctrl & PAM_TAC_DEBUG)
+ syslog(LOG_DEBUG, "%s: returned attribute `%s' from server",
+ __FUNCTION__, avpair);
+
+ avpair[len] = '='; // replace '*' by '='
size_t i;
- for (i = 0; attribute[i] != '\0'; i++) {
- attribute[i] = toupper(attribute[i]);
- if (attribute[i] == '-')
- attribute[i] = '_';
+ for (i = 0; i < len; i++) {
+ avpair[i] = toupper(avpair[i]);
+ if (avpair[i] == '-')
+ avpair[i] = '_';
}
if (ctrl & PAM_TAC_DEBUG)
- syslog(LOG_DEBUG, "%s: returned attribute `%s%s' from server",
- __FUNCTION__, attribute, value);
+ syslog(LOG_DEBUG, "%s: setting PAM environment `%s'",
+ __FUNCTION__, avpair);
/* make returned attributes available for other PAM modules via PAM environment */
- if (pam_putenv(pamh,
- strncat(attribute, value, strlen(value))) != PAM_SUCCESS)
+ if (pam_putenv(pamh, avpair) != PAM_SUCCESS)
syslog(LOG_WARNING, "%s: unable to set PAM environment",
__FUNCTION__);
@@ -715,7 +711,11 @@ PAM_EXTERN
int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc,
const char **argv) {
#if defined(HAVE_OPENSSL_RAND_H) && defined(HAVE_LIBCRYPTO)
+# if defined(HAVE_RAND_BYTES)
+ RAND_bytes((unsigned char *) &task_id, sizeof(task_id));
+# else
RAND_pseudo_bytes((unsigned char *) &task_id, sizeof(task_id));
+# endif
#else
task_id=(short int) magic();
#endif
diff --git a/support.c b/support.c
index 2406b32..ad45580 100644
--- a/support.c
+++ b/support.c
@@ -109,14 +109,12 @@ int converse(pam_handle_t * pamh, int nargs, const struct pam_message *message,
}
/* stolen from pam_stress */
-int tacacs_get_password (pam_handle_t * pamh, int flags,
+int tacacs_get_password (pam_handle_t * pamh, int flags __Unused,
int ctrl, char **password) {
const void *pam_pass;
char *pass = NULL;
- flags = flags; /* unused */
-
if (ctrl & PAM_TAC_DEBUG)
syslog (LOG_DEBUG, "%s: called", __FUNCTION__);
diff --git a/tacc.c b/tacc.c
index 8069323..f61e2d7 100644
--- a/tacc.c
+++ b/tacc.c
@@ -19,7 +19,6 @@
#include <string.h>
#include <syslog.h>
#include <errno.h>
-#include <utmp.h>
#include <sys/file.h>
#include <sys/types.h>
#include <sys/wait.h>
@@ -34,6 +33,12 @@
#include "config.h"
#endif
+#if defined(HAVE_PUTUTXLINE)
+#include <utmpx.h>
+#elif defined(HAVE_LOGWTMP)
+#include <utmp.h>
+#endif
+
#include "tacplus.h"
#include "libtac.h"
@@ -58,7 +63,6 @@
/* prototypes */
void sighandler(int sig);
-void showusage(char *argv0);
unsigned long getservername(char *serv);
void showusage(char *progname);
void showversion(char *progname);
@@ -79,6 +83,13 @@ typedef unsigned char flag;
flag quiet = 0;
char *user = NULL; /* global, because of signal handler */
+#if defined(HAVE_PUTUTXLINE)
+struct utmpx utmpx;
+#endif
+
+/* take the length of a string constant without the NUL */
+#define C_STRLEN(str) (sizeof("" str) - 1)
+
/* command line options */
static struct option long_options[] =
{
@@ -163,8 +174,12 @@ int main(int argc, char **argv) {
break;
case 'V':
showversion(argv[0]);
+ /*NOTREACHED*/
+ break;
case 'h':
showusage(argv[0]);
+ /*NOTREACHED*/
+ break;
case 'u':
user = optarg;
break;
@@ -173,8 +188,7 @@ int main(int argc, char **argv) {
break;
case 'L':
// tac_login is a global variable initialized in libtac
- bzero(tac_login, sizeof(tac_login));
- strncpy(tac_login, optarg, sizeof(tac_login) - 1);
+ xstrcpy(tac_login, optarg, sizeof(tac_login));
break;
case 'p':
pass = optarg;
@@ -316,7 +330,11 @@ int main(int argc, char **argv) {
struct tac_attrib *attr = NULL;
sprintf(buf, "%lu", time(0));
tac_add_attrib(&attr, "start_time", buf);
+#ifdef HAVE_RAND_BYTES
+ RAND_bytes((unsigned char *) &task_id, sizeof(task_id));
+#else
RAND_pseudo_bytes((unsigned char *) &task_id, sizeof(task_id));
+#endif
sprintf(buf, "%hu", task_id);
tac_add_attrib(&attr, "task_id", buf);
tac_add_attrib(&attr, "service", service);
@@ -347,10 +365,28 @@ int main(int argc, char **argv) {
}
/* log in local utmp */
-#ifdef HAVE_LOGWTMP
- if (log_wtmp)
+ if (log_wtmp) {
+#if defined(HAVE_PUTUTXLINE)
+ struct timeval tv;
+
+ gettimeofday(&tv, NULL);
+
+ memset(&utmpx, 0, sizeof(utmpx));
+ utmpx.ut_type = USER_PROCESS;
+ utmpx.ut_pid = getpid();
+ xstrcpy(utmpx.ut_line, tty, sizeof(utmpx.ut_line));
+ strncpy(utmpx.ut_id, tty + C_STRLEN("tty"), sizeof(utmpx.ut_id));
+ xstrcpy(utmpx.ut_host, "dialup", sizeof(utmpx.ut_host));
+ utmpx.ut_tv.tv_sec = tv.tv_sec;
+ utmpx.ut_tv.tv_usec = tv.tv_usec;
+ xstrcpy(utmpx.ut_user, user, sizeof(utmpx.ut_user));
+ /* ut_addr unused ... */
+ setutxent();
+ pututxline(&utmpx);
+#elif defined(HAVE_LOGWTMP)
logwtmp(tty, user, "dialup");
#endif
+ }
if (command != NULL) {
int ret;
@@ -429,17 +465,24 @@ int main(int argc, char **argv) {
}
/* logout from utmp */
-#ifdef HAVE_LOGWTMP
- if (log_wtmp)
+ if (log_wtmp) {
+#if defined(HAVE_PUTUTXLINE)
+ utmpx.ut_type = DEAD_PROCESS;
+ memset(utmpx.ut_line, 0, sizeof(utmpx.ut_line));
+ memset(utmpx.ut_user, 0, sizeof(utmpx.ut_user));
+ memset(utmpx.ut_host, 0, sizeof(utmpx.ut_host));
+ utmpx.ut_tv.tv_sec = utmpx.ut_tv.tv_usec = 0;
+ setutxent();
+ pututxline(&utmpx);
+#elif defined(HAVE_LOGWTMP)
logwtmp(tty, "", "");
#endif
+ }
exit(EXIT_OK);
}
-void sighandler(int sig) {
- sig = sig; /* unused */
-
+void sighandler(int sig __Unused) {
TACDEBUG(LOG_DEBUG, "caught signal %d", sig);
}
@@ -565,19 +608,15 @@ unsigned long getservername(char *serv) {
return (-1);
}
-void timeout_handler(int signum) {
- signum = signum; /* unused */
-
+void timeout_handler(int signum __Unused) {
syslog(LOG_ERR, "timeout reading password from user %s", user);
}
#ifdef TACDEBUG_AT_RUNTIME
-void logmsg(int level, const char *fmt, ...)
+void logmsg(int level __Unused, const char *fmt, ...)
{
va_list ap;
- level = level; /* unused */
-
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);