mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
s3:pam_smbpass: don't call openlog() or closelog() from pam_smbpass
Patch from Steve Langasek with tiny fixes by me to make it apply to master. Also see Debian bug #434372 and bugzilla #4831. Calling openlog() or closelog() inside a pam module is not good as these functions are not stackable and no program won't re-do openlog() just because a pam module might have called closelog().
This commit is contained in:
parent
6b7bd37570
commit
caeae66c5b
@ -58,26 +58,25 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
|
|||||||
|
|
||||||
/* Samba initialization. */
|
/* Samba initialization. */
|
||||||
load_case_tables();
|
load_case_tables();
|
||||||
setup_logging( "pam_smbpass", False );
|
|
||||||
lp_set_in_client(True);
|
lp_set_in_client(True);
|
||||||
|
|
||||||
ctrl = set_ctrl( flags, argc, argv );
|
ctrl = set_ctrl(pamh, flags, argc, argv );
|
||||||
|
|
||||||
/* get the username */
|
/* get the username */
|
||||||
|
|
||||||
retval = pam_get_user( pamh, &name, "Username: " );
|
retval = pam_get_user( pamh, &name, "Username: " );
|
||||||
if (retval != PAM_SUCCESS) {
|
if (retval != PAM_SUCCESS) {
|
||||||
if (on( SMB_DEBUG, ctrl )) {
|
if (on( SMB_DEBUG, ctrl )) {
|
||||||
_log_err( LOG_DEBUG, "acct: could not identify user" );
|
_log_err(pamh, LOG_DEBUG, "acct: could not identify user" );
|
||||||
}
|
}
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
if (on( SMB_DEBUG, ctrl )) {
|
if (on( SMB_DEBUG, ctrl )) {
|
||||||
_log_err( LOG_DEBUG, "acct: username [%s] obtained", name );
|
_log_err(pamh, LOG_DEBUG, "acct: username [%s] obtained", name );
|
||||||
}
|
}
|
||||||
|
|
||||||
if (geteuid() != 0) {
|
if (geteuid() != 0) {
|
||||||
_log_err( LOG_DEBUG, "Cannot access samba password database, not running as root.");
|
_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
|
||||||
return PAM_AUTHINFO_UNAVAIL;
|
return PAM_AUTHINFO_UNAVAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -85,7 +84,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
|
|||||||
from a SIGPIPE it's not expecting */
|
from a SIGPIPE it's not expecting */
|
||||||
oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
|
oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
|
||||||
if (!initialize_password_db(True, NULL)) {
|
if (!initialize_password_db(True, NULL)) {
|
||||||
_log_err( LOG_ALERT, "Cannot access samba password database" );
|
_log_err(pamh, LOG_ALERT, "Cannot access samba password database" );
|
||||||
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
||||||
return PAM_AUTHINFO_UNAVAIL;
|
return PAM_AUTHINFO_UNAVAIL;
|
||||||
}
|
}
|
||||||
@ -99,7 +98,7 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!pdb_getsampwnam(sampass, name )) {
|
if (!pdb_getsampwnam(sampass, name )) {
|
||||||
_log_err( LOG_DEBUG, "acct: could not identify user" );
|
_log_err(pamh, LOG_DEBUG, "acct: could not identify user");
|
||||||
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
||||||
return PAM_USER_UNKNOWN;
|
return PAM_USER_UNKNOWN;
|
||||||
}
|
}
|
||||||
@ -112,8 +111,8 @@ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags,
|
|||||||
|
|
||||||
if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
|
if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
|
||||||
if (on( SMB_DEBUG, ctrl )) {
|
if (on( SMB_DEBUG, ctrl )) {
|
||||||
_log_err( LOG_DEBUG
|
_log_err(pamh, LOG_DEBUG,
|
||||||
, "acct: account %s is administratively disabled", name );
|
"acct: account %s is administratively disabled", name);
|
||||||
}
|
}
|
||||||
make_remark( pamh, ctrl, PAM_ERROR_MSG
|
make_remark( pamh, ctrl, PAM_ERROR_MSG
|
||||||
, "Your account has been disabled; "
|
, "Your account has been disabled; "
|
||||||
|
@ -81,10 +81,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
|||||||
|
|
||||||
/* Samba initialization. */
|
/* Samba initialization. */
|
||||||
load_case_tables();
|
load_case_tables();
|
||||||
setup_logging("pam_smbpass",False);
|
|
||||||
lp_set_in_client(True);
|
lp_set_in_client(True);
|
||||||
|
|
||||||
ctrl = set_ctrl(flags, argc, argv);
|
ctrl = set_ctrl(pamh, flags, argc, argv);
|
||||||
|
|
||||||
/* Get a few bytes so we can pass our return value to
|
/* Get a few bytes so we can pass our return value to
|
||||||
pam_sm_setcred(). */
|
pam_sm_setcred(). */
|
||||||
@ -99,29 +98,29 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
|||||||
retval = pam_get_user( pamh, &name, "Username: " );
|
retval = pam_get_user( pamh, &name, "Username: " );
|
||||||
if ( retval != PAM_SUCCESS ) {
|
if ( retval != PAM_SUCCESS ) {
|
||||||
if (on( SMB_DEBUG, ctrl )) {
|
if (on( SMB_DEBUG, ctrl )) {
|
||||||
_log_err(LOG_DEBUG, "auth: could not identify user");
|
_log_err(pamh, LOG_DEBUG, "auth: could not identify user");
|
||||||
}
|
}
|
||||||
AUTH_RETURN;
|
AUTH_RETURN;
|
||||||
}
|
}
|
||||||
if (on( SMB_DEBUG, ctrl )) {
|
if (on( SMB_DEBUG, ctrl )) {
|
||||||
_log_err( LOG_DEBUG, "username [%s] obtained", name );
|
_log_err(pamh, LOG_DEBUG, "username [%s] obtained", name );
|
||||||
}
|
}
|
||||||
|
|
||||||
if (geteuid() != 0) {
|
if (geteuid() != 0) {
|
||||||
_log_err( LOG_DEBUG, "Cannot access samba password database, not running as root.");
|
_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
|
||||||
retval = PAM_AUTHINFO_UNAVAIL;
|
retval = PAM_AUTHINFO_UNAVAIL;
|
||||||
AUTH_RETURN;
|
AUTH_RETURN;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!initialize_password_db(True, NULL)) {
|
if (!initialize_password_db(True, NULL)) {
|
||||||
_log_err( LOG_ALERT, "Cannot access samba password database" );
|
_log_err(pamh, LOG_ALERT, "Cannot access samba password database" );
|
||||||
retval = PAM_AUTHINFO_UNAVAIL;
|
retval = PAM_AUTHINFO_UNAVAIL;
|
||||||
AUTH_RETURN;
|
AUTH_RETURN;
|
||||||
}
|
}
|
||||||
|
|
||||||
sampass = samu_new( NULL );
|
sampass = samu_new( NULL );
|
||||||
if (!sampass) {
|
if (!sampass) {
|
||||||
_log_err( LOG_ALERT, "Cannot talloc a samu struct" );
|
_log_err(pamh, LOG_ALERT, "Cannot talloc a samu struct" );
|
||||||
retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
|
retval = nt_status_to_pam(NT_STATUS_NO_MEMORY);
|
||||||
AUTH_RETURN;
|
AUTH_RETURN;
|
||||||
}
|
}
|
||||||
@ -135,7 +134,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!found) {
|
if (!found) {
|
||||||
_log_err(LOG_ALERT, "Failed to find entry for user %s.", name);
|
_log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", name);
|
||||||
retval = PAM_USER_UNKNOWN;
|
retval = PAM_USER_UNKNOWN;
|
||||||
TALLOC_FREE(sampass);
|
TALLOC_FREE(sampass);
|
||||||
sampass = NULL;
|
sampass = NULL;
|
||||||
@ -154,7 +153,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
|||||||
|
|
||||||
retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
|
retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p);
|
||||||
if (retval != PAM_SUCCESS ) {
|
if (retval != PAM_SUCCESS ) {
|
||||||
_log_err(LOG_CRIT, "auth: no password provided for [%s]", name);
|
_log_err(pamh,LOG_CRIT, "auth: no password provided for [%s]", name);
|
||||||
TALLOC_FREE(sampass);
|
TALLOC_FREE(sampass);
|
||||||
AUTH_RETURN;
|
AUTH_RETURN;
|
||||||
}
|
}
|
||||||
@ -202,7 +201,7 @@ static int _smb_add_user(pam_handle_t *pamh, unsigned int ctrl,
|
|||||||
retval = _pam_get_item( pamh, PAM_AUTHTOK, &pass );
|
retval = _pam_get_item( pamh, PAM_AUTHTOK, &pass );
|
||||||
|
|
||||||
if (retval != PAM_SUCCESS) {
|
if (retval != PAM_SUCCESS) {
|
||||||
_log_err( LOG_ALERT
|
_log_err(pamh, LOG_ALERT
|
||||||
, "pam_get_item returned error to pam_sm_authenticate" );
|
, "pam_get_item returned error to pam_sm_authenticate" );
|
||||||
return PAM_AUTHTOK_RECOVER_ERR;
|
return PAM_AUTHTOK_RECOVER_ERR;
|
||||||
} else if (pass == NULL) {
|
} else if (pass == NULL) {
|
||||||
|
@ -106,10 +106,9 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
|
|
||||||
/* Samba initialization. */
|
/* Samba initialization. */
|
||||||
load_case_tables();
|
load_case_tables();
|
||||||
setup_logging( "pam_smbpass", False );
|
|
||||||
lp_set_in_client(True);
|
lp_set_in_client(True);
|
||||||
|
|
||||||
ctrl = set_ctrl(flags, argc, argv);
|
ctrl = set_ctrl(pamh, flags, argc, argv);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* First get the name of a user. No need to do anything if we can't
|
* First get the name of a user. No need to do anything if we can't
|
||||||
@ -119,16 +118,16 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
retval = pam_get_user( pamh, &user, "Username: " );
|
retval = pam_get_user( pamh, &user, "Username: " );
|
||||||
if (retval != PAM_SUCCESS) {
|
if (retval != PAM_SUCCESS) {
|
||||||
if (on( SMB_DEBUG, ctrl )) {
|
if (on( SMB_DEBUG, ctrl )) {
|
||||||
_log_err( LOG_DEBUG, "password: could not identify user" );
|
_log_err(pamh, LOG_DEBUG, "password: could not identify user");
|
||||||
}
|
}
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
if (on( SMB_DEBUG, ctrl )) {
|
if (on( SMB_DEBUG, ctrl )) {
|
||||||
_log_err( LOG_DEBUG, "username [%s] obtained", user );
|
_log_err(pamh, LOG_DEBUG, "username [%s] obtained", user);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (geteuid() != 0) {
|
if (geteuid() != 0) {
|
||||||
_log_err( LOG_DEBUG, "Cannot access samba password database, not running as root.");
|
_log_err(pamh, LOG_DEBUG, "Cannot access samba password database, not running as root.");
|
||||||
return PAM_AUTHINFO_UNAVAIL;
|
return PAM_AUTHINFO_UNAVAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -137,7 +136,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
|
oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN);
|
||||||
|
|
||||||
if (!initialize_password_db(False, NULL)) {
|
if (!initialize_password_db(False, NULL)) {
|
||||||
_log_err( LOG_ALERT, "Cannot access samba password database" );
|
_log_err(pamh, LOG_ALERT, "Cannot access samba password database" );
|
||||||
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
||||||
return PAM_AUTHINFO_UNAVAIL;
|
return PAM_AUTHINFO_UNAVAIL;
|
||||||
}
|
}
|
||||||
@ -149,12 +148,12 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!pdb_getsampwnam(sampass,user)) {
|
if (!pdb_getsampwnam(sampass,user)) {
|
||||||
_log_err( LOG_ALERT, "Failed to find entry for user %s.", user );
|
_log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", user);
|
||||||
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
||||||
return PAM_USER_UNKNOWN;
|
return PAM_USER_UNKNOWN;
|
||||||
}
|
}
|
||||||
if (on( SMB_DEBUG, ctrl )) {
|
if (on( SMB_DEBUG, ctrl )) {
|
||||||
_log_err( LOG_DEBUG, "Located account for %s", user );
|
_log_err(pamh, LOG_DEBUG, "Located account for %s", user);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (flags & PAM_PRELIM_CHECK) {
|
if (flags & PAM_PRELIM_CHECK) {
|
||||||
@ -180,7 +179,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
#define greeting "Changing password for "
|
#define greeting "Changing password for "
|
||||||
Announce = SMB_MALLOC_ARRAY(char, sizeof(greeting)+strlen(user));
|
Announce = SMB_MALLOC_ARRAY(char, sizeof(greeting)+strlen(user));
|
||||||
if (Announce == NULL) {
|
if (Announce == NULL) {
|
||||||
_log_err(LOG_CRIT, "password: out of memory");
|
_log_err(pamh, LOG_CRIT, "password: out of memory");
|
||||||
TALLOC_FREE(sampass);
|
TALLOC_FREE(sampass);
|
||||||
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
||||||
return PAM_BUF_ERR;
|
return PAM_BUF_ERR;
|
||||||
@ -195,8 +194,8 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
SAFE_FREE( Announce );
|
SAFE_FREE( Announce );
|
||||||
|
|
||||||
if (retval != PAM_SUCCESS) {
|
if (retval != PAM_SUCCESS) {
|
||||||
_log_err( LOG_NOTICE
|
_log_err(pamh, LOG_NOTICE,
|
||||||
, "password - (old) token not obtained" );
|
"password - (old) token not obtained");
|
||||||
TALLOC_FREE(sampass);
|
TALLOC_FREE(sampass);
|
||||||
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
||||||
return retval;
|
return retval;
|
||||||
@ -241,7 +240,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (retval != PAM_SUCCESS) {
|
if (retval != PAM_SUCCESS) {
|
||||||
_log_err( LOG_NOTICE, "password: user not authenticated" );
|
_log_err(pamh, LOG_NOTICE, "password: user not authenticated");
|
||||||
TALLOC_FREE(sampass);
|
TALLOC_FREE(sampass);
|
||||||
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
||||||
return retval;
|
return retval;
|
||||||
@ -266,8 +265,8 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
|
|
||||||
if (retval != PAM_SUCCESS) {
|
if (retval != PAM_SUCCESS) {
|
||||||
if (on( SMB_DEBUG, ctrl )) {
|
if (on( SMB_DEBUG, ctrl )) {
|
||||||
_log_err( LOG_ALERT
|
_log_err(pamh, LOG_ALERT,
|
||||||
, "password: new password not obtained" );
|
"password: new password not obtained");
|
||||||
}
|
}
|
||||||
pass_old = NULL; /* tidy up */
|
pass_old = NULL; /* tidy up */
|
||||||
TALLOC_FREE(sampass);
|
TALLOC_FREE(sampass);
|
||||||
@ -288,7 +287,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
retval = _pam_smb_approve_pass(pamh, ctrl, pass_old, pass_new);
|
retval = _pam_smb_approve_pass(pamh, ctrl, pass_old, pass_new);
|
||||||
|
|
||||||
if (retval != PAM_SUCCESS) {
|
if (retval != PAM_SUCCESS) {
|
||||||
_log_err(LOG_NOTICE, "new password not acceptable");
|
_log_err(pamh, LOG_NOTICE, "new password not acceptable");
|
||||||
pass_new = pass_old = NULL; /* tidy up */
|
pass_new = pass_old = NULL; /* tidy up */
|
||||||
TALLOC_FREE(sampass);
|
TALLOC_FREE(sampass);
|
||||||
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler);
|
||||||
@ -308,16 +307,17 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
|
|
||||||
/* password updated */
|
/* password updated */
|
||||||
if (!sid_to_uid(pdb_get_user_sid(sampass), &uid)) {
|
if (!sid_to_uid(pdb_get_user_sid(sampass), &uid)) {
|
||||||
_log_err( LOG_NOTICE, "Unable to get uid for user %s",
|
_log_err(pamh, LOG_NOTICE,
|
||||||
|
"Unable to get uid for user %s",
|
||||||
pdb_get_username(sampass));
|
pdb_get_username(sampass));
|
||||||
_log_err( LOG_NOTICE, "password for (%s) changed by (%s/%d)",
|
_log_err(pamh, LOG_NOTICE, "password for (%s) changed by (%s/%d)",
|
||||||
user, uidtoname(getuid()), getuid());
|
user, uidtoname(getuid()), getuid());
|
||||||
} else {
|
} else {
|
||||||
_log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)",
|
_log_err(pamh, LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)",
|
||||||
user, uid, uidtoname(getuid()), getuid());
|
user, uid, uidtoname(getuid()), getuid());
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
_log_err( LOG_ERR, "password change failed for user %s", user);
|
_log_err(pamh, LOG_ERR, "password change failed for user %s", user);
|
||||||
}
|
}
|
||||||
|
|
||||||
pass_old = pass_new = NULL;
|
pass_old = pass_new = NULL;
|
||||||
@ -328,7 +328,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
|||||||
|
|
||||||
} else { /* something has broken with the library */
|
} else { /* something has broken with the library */
|
||||||
|
|
||||||
_log_err( LOG_ALERT, "password received unknown request" );
|
_log_err(pamh, LOG_ALERT, "password received unknown request");
|
||||||
retval = PAM_ABORT;
|
retval = PAM_ABORT;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
* this program; if not, see <http://www.gnu.org/licenses/>.
|
* this program; if not, see <http://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include "config.h"
|
||||||
#include "includes.h"
|
#include "includes.h"
|
||||||
#include "general.h"
|
#include "general.h"
|
||||||
|
|
||||||
@ -64,17 +65,42 @@ void _cleanup(pam_handle_t *, void *, int);
|
|||||||
char *_pam_delete(register char *);
|
char *_pam_delete(register char *);
|
||||||
|
|
||||||
/* syslogging function for errors and other information */
|
/* syslogging function for errors and other information */
|
||||||
|
#ifdef HAVE_PAM_VSYSLOG
|
||||||
void _log_err( int err, const char *format, ... )
|
void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
|
||||||
{
|
{
|
||||||
va_list args;
|
va_list args;
|
||||||
|
|
||||||
va_start( args, format );
|
va_start(args, format);
|
||||||
openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH );
|
pam_vsyslog(pamh, err, format, args);
|
||||||
vsyslog( err, format, args );
|
va_end(args);
|
||||||
va_end( args );
|
|
||||||
closelog();
|
|
||||||
}
|
}
|
||||||
|
#else
|
||||||
|
void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
|
||||||
|
{
|
||||||
|
va_list args;
|
||||||
|
const char tag[] = "(pam_smbpass) ";
|
||||||
|
char *mod_format;
|
||||||
|
|
||||||
|
mod_format = SMB_MALLOC_ARRAY(char, sizeof(tag) + strlen(format));
|
||||||
|
/* try really, really hard to log something, since this may have
|
||||||
|
been a message about a malloc() failure... */
|
||||||
|
if (mod_format == NULL) {
|
||||||
|
va_start(args, format);
|
||||||
|
vsyslog(err | LOG_AUTH, format, args);
|
||||||
|
va_end(args);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
strncpy(mod_format, tag, strlen(tag)+1);
|
||||||
|
strncat(mod_format, format, strlen(format));
|
||||||
|
|
||||||
|
va_start(args, format);
|
||||||
|
vsyslog(err | LOG_AUTH, mod_format, args);
|
||||||
|
va_end(args);
|
||||||
|
|
||||||
|
free(mod_format);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
/* this is a front-end for module-application conversations */
|
/* this is a front-end for module-application conversations */
|
||||||
|
|
||||||
@ -92,11 +118,11 @@ int converse( pam_handle_t * pamh, int ctrl, int nargs
|
|||||||
,response, conv->appdata_ptr);
|
,response, conv->appdata_ptr);
|
||||||
|
|
||||||
if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
|
if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
|
||||||
_log_err(LOG_DEBUG, "conversation failure [%s]"
|
_log_err(pamh, LOG_DEBUG, "conversation failure [%s]"
|
||||||
,pam_strerror(pamh, retval));
|
,pam_strerror(pamh, retval));
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
_log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
|
_log_err(pamh, LOG_ERR, "couldn't obtain coversation function [%s]"
|
||||||
,pam_strerror(pamh, retval));
|
,pam_strerror(pamh, retval));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -123,7 +149,7 @@ int make_remark( pam_handle_t * pamh, unsigned int ctrl
|
|||||||
|
|
||||||
/* set the control flags for the SMB module. */
|
/* set the control flags for the SMB module. */
|
||||||
|
|
||||||
int set_ctrl( int flags, int argc, const char **argv )
|
int set_ctrl( pam_handle_t *pamh, int flags, int argc, const char **argv )
|
||||||
{
|
{
|
||||||
int i = 0;
|
int i = 0;
|
||||||
const char *service_file = NULL;
|
const char *service_file = NULL;
|
||||||
@ -165,7 +191,7 @@ int set_ctrl( int flags, int argc, const char **argv )
|
|||||||
/* Read some options from the Samba config. Can be overridden by
|
/* Read some options from the Samba config. Can be overridden by
|
||||||
the PAM config. */
|
the PAM config. */
|
||||||
if(lp_load(service_file,True,False,False,True) == False) {
|
if(lp_load(service_file,True,False,False,True) == False) {
|
||||||
_log_err( LOG_ERR, "Error loading service file %s", service_file );
|
_log_err(pamh, LOG_ERR, "Error loading service file %s", service_file);
|
||||||
}
|
}
|
||||||
|
|
||||||
secrets_init();
|
secrets_init();
|
||||||
@ -188,7 +214,7 @@ int set_ctrl( int flags, int argc, const char **argv )
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (j >= SMB_CTRLS_) {
|
if (j >= SMB_CTRLS_) {
|
||||||
_log_err( LOG_ERR, "unrecognized option [%s]", *argv );
|
_log_err(pamh, LOG_ERR, "unrecognized option [%s]", *argv);
|
||||||
} else {
|
} else {
|
||||||
ctrl &= smb_args[j].mask; /* for turning things off */
|
ctrl &= smb_args[j].mask; /* for turning things off */
|
||||||
ctrl |= smb_args[j].flag; /* for turning things on */
|
ctrl |= smb_args[j].flag; /* for turning things on */
|
||||||
@ -227,7 +253,7 @@ void _cleanup( pam_handle_t * pamh, void *x, int error_status )
|
|||||||
* evidence of old token around for later stack analysis.
|
* evidence of old token around for later stack analysis.
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
char * smbpXstrDup( const char *x )
|
char * smbpXstrDup( pam_handle_t *pamh, const char *x )
|
||||||
{
|
{
|
||||||
register char *newstr = NULL;
|
register char *newstr = NULL;
|
||||||
|
|
||||||
@ -237,7 +263,7 @@ char * smbpXstrDup( const char *x )
|
|||||||
for (i = 0; x[i]; ++i); /* length of string */
|
for (i = 0; x[i]; ++i); /* length of string */
|
||||||
if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
|
if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
|
||||||
i = 0;
|
i = 0;
|
||||||
_log_err( LOG_CRIT, "out of memory in smbpXstrDup" );
|
_log_err(pamh, LOG_CRIT, "out of memory in smbpXstrDup");
|
||||||
} else {
|
} else {
|
||||||
while (i-- > 0) {
|
while (i-- > 0) {
|
||||||
newstr[i] = x[i];
|
newstr[i] = x[i];
|
||||||
@ -279,7 +305,7 @@ void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
|
|||||||
/* log the number of authentication failures */
|
/* log the number of authentication failures */
|
||||||
if (failure->count != 0) {
|
if (failure->count != 0) {
|
||||||
_pam_get_item( pamh, PAM_SERVICE, &service );
|
_pam_get_item( pamh, PAM_SERVICE, &service );
|
||||||
_log_err( LOG_NOTICE
|
_log_err(pamh, LOG_NOTICE
|
||||||
, "%d authentication %s "
|
, "%d authentication %s "
|
||||||
"from %s for service %s as %s(%d)"
|
"from %s for service %s as %s(%d)"
|
||||||
, failure->count
|
, failure->count
|
||||||
@ -288,7 +314,7 @@ void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
|
|||||||
, service == NULL ? "**unknown**" : service
|
, service == NULL ? "**unknown**" : service
|
||||||
, failure->user, failure->id );
|
, failure->user, failure->id );
|
||||||
if (failure->count > SMB_MAX_RETRIES) {
|
if (failure->count > SMB_MAX_RETRIES) {
|
||||||
_log_err( LOG_ALERT
|
_log_err(pamh, LOG_ALERT
|
||||||
, "service(%s) ignoring max retries; %d > %d"
|
, "service(%s) ignoring max retries; %d > %d"
|
||||||
, service == NULL ? "**unknown**" : service
|
, service == NULL ? "**unknown**" : service
|
||||||
, failure->count
|
, failure->count
|
||||||
@ -324,8 +350,7 @@ int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
|
|||||||
|
|
||||||
if (!pdb_get_nt_passwd(sampass))
|
if (!pdb_get_nt_passwd(sampass))
|
||||||
{
|
{
|
||||||
_log_err( LOG_DEBUG, "user %s has null SMB password"
|
_log_err(pamh, LOG_DEBUG, "user %s has null SMB password", name);
|
||||||
, name );
|
|
||||||
|
|
||||||
if (off( SMB__NONULL, ctrl )
|
if (off( SMB__NONULL, ctrl )
|
||||||
&& (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
|
&& (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
|
||||||
@ -335,7 +360,7 @@ int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
|
|||||||
const char *service;
|
const char *service;
|
||||||
|
|
||||||
_pam_get_item( pamh, PAM_SERVICE, &service );
|
_pam_get_item( pamh, PAM_SERVICE, &service );
|
||||||
_log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s",
|
_log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s",
|
||||||
uidtoname(getuid()), service ? service : "**unknown**", name);
|
uidtoname(getuid()), service ? service : "**unknown**", name);
|
||||||
return PAM_AUTH_ERR;
|
return PAM_AUTH_ERR;
|
||||||
}
|
}
|
||||||
@ -343,7 +368,7 @@ int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
|
|||||||
|
|
||||||
data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name ));
|
data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name ));
|
||||||
if (data_name == NULL) {
|
if (data_name == NULL) {
|
||||||
_log_err( LOG_CRIT, "no memory for data-name" );
|
_log_err(pamh, LOG_CRIT, "no memory for data-name" );
|
||||||
return PAM_AUTH_ERR;
|
return PAM_AUTH_ERR;
|
||||||
}
|
}
|
||||||
strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
|
strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
|
||||||
@ -390,31 +415,31 @@ int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
|
|||||||
retval = PAM_MAXTRIES;
|
retval = PAM_MAXTRIES;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
_log_err(LOG_NOTICE,
|
_log_err(pamh, LOG_NOTICE,
|
||||||
"failed auth request by %s for service %s as %s",
|
"failed auth request by %s for service %s as %s",
|
||||||
uidtoname(getuid()),
|
uidtoname(getuid()),
|
||||||
service ? service : "**unknown**", name);
|
service ? service : "**unknown**", name);
|
||||||
newauth->count = 1;
|
newauth->count = 1;
|
||||||
}
|
}
|
||||||
if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
|
if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
|
||||||
_log_err(LOG_NOTICE,
|
_log_err(pamh, LOG_NOTICE,
|
||||||
"failed auth request by %s for service %s as %s",
|
"failed auth request by %s for service %s as %s",
|
||||||
uidtoname(getuid()),
|
uidtoname(getuid()),
|
||||||
service ? service : "**unknown**", name);
|
service ? service : "**unknown**", name);
|
||||||
}
|
}
|
||||||
newauth->user = smbpXstrDup( name );
|
newauth->user = smbpXstrDup( pamh, name );
|
||||||
newauth->agent = smbpXstrDup( uidtoname( getuid() ) );
|
newauth->agent = smbpXstrDup( pamh, uidtoname( getuid() ) );
|
||||||
pam_set_data( pamh, data_name, newauth, _cleanup_failures );
|
pam_set_data( pamh, data_name, newauth, _cleanup_failures );
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
_log_err( LOG_CRIT, "no memory for failure recorder" );
|
_log_err(pamh, LOG_CRIT, "no memory for failure recorder" );
|
||||||
_log_err(LOG_NOTICE,
|
_log_err(pamh, LOG_NOTICE,
|
||||||
"failed auth request by %s for service %s as %s(%d)",
|
"failed auth request by %s for service %s as %s(%d)",
|
||||||
uidtoname(getuid()),
|
uidtoname(getuid()),
|
||||||
service ? service : "**unknown**", name);
|
service ? service : "**unknown**", name);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
_log_err(LOG_NOTICE,
|
_log_err(pamh, LOG_NOTICE,
|
||||||
"failed auth request by %s for service %s as %s(%d)",
|
"failed auth request by %s for service %s as %s(%d)",
|
||||||
uidtoname(getuid()),
|
uidtoname(getuid()),
|
||||||
service ? service : "**unknown**", name);
|
service ? service : "**unknown**", name);
|
||||||
@ -422,7 +447,7 @@ int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
|
|||||||
}
|
}
|
||||||
|
|
||||||
_pam_delete( data_name );
|
_pam_delete( data_name );
|
||||||
|
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -490,8 +515,8 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
|
|||||||
retval = _pam_get_item( pamh, authtok_flag, &item );
|
retval = _pam_get_item( pamh, authtok_flag, &item );
|
||||||
if (retval != PAM_SUCCESS) {
|
if (retval != PAM_SUCCESS) {
|
||||||
/* very strange. */
|
/* very strange. */
|
||||||
_log_err( LOG_ALERT
|
_log_err(pamh, LOG_ALERT,
|
||||||
, "pam_get_item returned error to smb_read_password" );
|
"pam_get_item returned error to smb_read_password");
|
||||||
return retval;
|
return retval;
|
||||||
} else if (item != NULL) { /* we have a password! */
|
} else if (item != NULL) { /* we have a password! */
|
||||||
*pass = item;
|
*pass = item;
|
||||||
@ -543,7 +568,7 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
|
|||||||
|
|
||||||
if (retval == PAM_SUCCESS) { /* a good conversation */
|
if (retval == PAM_SUCCESS) { /* a good conversation */
|
||||||
|
|
||||||
token = smbpXstrDup(resp[j++].resp);
|
token = smbpXstrDup(pamh, resp[j++].resp);
|
||||||
if (token != NULL) {
|
if (token != NULL) {
|
||||||
if (expect == 2) {
|
if (expect == 2) {
|
||||||
/* verify that password entered correctly */
|
/* verify that password entered correctly */
|
||||||
@ -555,7 +580,8 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
_log_err(LOG_NOTICE, "could not recover authentication token");
|
_log_err(pamh, LOG_NOTICE,
|
||||||
|
"could not recover authentication token");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -568,7 +594,7 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
|
|||||||
|
|
||||||
if (retval != PAM_SUCCESS) {
|
if (retval != PAM_SUCCESS) {
|
||||||
if (on( SMB_DEBUG, ctrl ))
|
if (on( SMB_DEBUG, ctrl ))
|
||||||
_log_err( LOG_DEBUG, "unable to obtain a password" );
|
_log_err(pamh, LOG_DEBUG, "unable to obtain a password");
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
/* 'token' is the entered password */
|
/* 'token' is the entered password */
|
||||||
@ -583,7 +609,7 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
|
|||||||
|| (retval = _pam_get_item( pamh, authtok_flag
|
|| (retval = _pam_get_item( pamh, authtok_flag
|
||||||
,&item )) != PAM_SUCCESS)
|
,&item )) != PAM_SUCCESS)
|
||||||
{
|
{
|
||||||
_log_err( LOG_CRIT, "error manipulating password" );
|
_log_err(pamh, LOG_CRIT, "error manipulating password");
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
@ -597,8 +623,8 @@ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
|
|||||||
|| (retval = _pam_get_data( pamh, data_name, &item ))
|
|| (retval = _pam_get_data( pamh, data_name, &item ))
|
||||||
!= PAM_SUCCESS)
|
!= PAM_SUCCESS)
|
||||||
{
|
{
|
||||||
_log_err( LOG_CRIT, "error manipulating password data [%s]"
|
_log_err(pamh, LOG_CRIT, "error manipulating password data [%s]",
|
||||||
, pam_strerror( pamh, retval ));
|
pam_strerror( pamh, retval ));
|
||||||
_pam_delete( token );
|
_pam_delete( token );
|
||||||
item = NULL;
|
item = NULL;
|
||||||
return retval;
|
return retval;
|
||||||
@ -622,8 +648,8 @@ int _pam_smb_approve_pass(pam_handle_t * pamh,
|
|||||||
if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
|
if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
|
||||||
{
|
{
|
||||||
if (on(SMB_DEBUG, ctrl)) {
|
if (on(SMB_DEBUG, ctrl)) {
|
||||||
_log_err( LOG_DEBUG,
|
_log_err(pamh, LOG_DEBUG,
|
||||||
"passwd: bad authentication token (null or unchanged)" );
|
"passwd: bad authentication token (null or unchanged)");
|
||||||
}
|
}
|
||||||
make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
|
make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
|
||||||
"No password supplied" : "Password unchanged" );
|
"No password supplied" : "Password unchanged" );
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
/* syslogging function for errors and other information */
|
/* syslogging function for errors and other information */
|
||||||
extern void _log_err(int, const char *, ...);
|
extern void _log_err(pam_handle_t *, int, const char *, ...);
|
||||||
|
|
||||||
/* set the control flags for the UNIX module. */
|
/* set the control flags for the UNIX module. */
|
||||||
extern int set_ctrl(int, int, const char **);
|
extern int set_ctrl(pam_handle_t *, int, int, const char **);
|
||||||
|
|
||||||
/* generic function for freeing pam data segments */
|
/* generic function for freeing pam data segments */
|
||||||
extern void _cleanup(pam_handle_t *, void *, int);
|
extern void _cleanup(pam_handle_t *, void *, int);
|
||||||
@ -12,7 +12,7 @@ extern void _cleanup(pam_handle_t *, void *, int);
|
|||||||
* evidence of old token around for later stack analysis.
|
* evidence of old token around for later stack analysis.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
extern char *smbpXstrDup(const char *);
|
extern char *smbpXstrDup(pam_handle_t *,const char *);
|
||||||
|
|
||||||
/* ************************************************************** *
|
/* ************************************************************** *
|
||||||
* Useful non-trivial functions *
|
* Useful non-trivial functions *
|
||||||
|
Loading…
Reference in New Issue
Block a user