From b01e1a5e2c27d6c642c72e79a326d37803827a78 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 18 Sep 2018 10:11:02 +0200 Subject: [PATCH 39/47] pam_sss: make flags public To allow the PAM responder to act on the config flags set for pam_sss the flags have to be made public first. Related to https://pagure.io/SSSD/sssd/issue/3650 Reviewed-by: Jakub Hrozek (cherry picked from commit d33a8bed5aad9135426c9ebdf101cf600685ab81) --- src/sss_client/pam_sss.c | 71 +++++++++++++++++++++--------------------------- src/sss_client/sss_cli.h | 9 ++++++ 2 files changed, 40 insertions(+), 40 deletions(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 59081cc675e5f466de42872ea9ce539c6df7ff79..b336d1f6197b09c062dd4ece836e088e52fe7393 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -52,15 +52,6 @@ #include #define _(STRING) dgettext (PACKAGE, STRING) -#define FLAGS_USE_FIRST_PASS (1 << 0) -#define FLAGS_FORWARD_PASS (1 << 1) -#define FLAGS_USE_AUTHTOK (1 << 2) -#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3) -#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4) -#define FLAGS_USE_2FA (1 << 5) -#define FLAGS_ALLOW_MISSING_NAME (1 << 6) -#define FLAGS_PROMPT_ALWAYS (1 << 7) - #define PWEXP_FLAG "pam_sss:password_expired_flag" #define FD_DESTRUCTOR "pam_sss:fd_destructor" #define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type" @@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags, pi->pam_service_size=strlen(pi->pam_service)+1; ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user)); - if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) { + if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) { pi->pam_user = ""; ret = PAM_SUCCESS; } if (ret != PAM_SUCCESS) return ret; if (pi->pam_user == NULL) { - if (flags & FLAGS_ALLOW_MISSING_NAME) { + if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) { pi->pam_user = ""; } else { D(("No user found, aborting.")); @@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, for (; argc-- > 0; ++argv) { if (strcmp(*argv, "forward_pass") == 0) { - *flags |= FLAGS_FORWARD_PASS; + *flags |= PAM_CLI_FLAGS_FORWARD_PASS; } else if (strcmp(*argv, "use_first_pass") == 0) { - *flags |= FLAGS_USE_FIRST_PASS; + *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS; } else if (strcmp(*argv, "use_authtok") == 0) { - *flags |= FLAGS_USE_AUTHTOK; + *flags |= PAM_CLI_FLAGS_USE_AUTHTOK; } else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) { if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') { logger(pamh, LOG_ERR, "Missing argument to option domains."); @@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, } else if (strcmp(*argv, "quiet") == 0) { *quiet_mode = true; } else if (strcmp(*argv, "ignore_unknown_user") == 0) { - *flags |= FLAGS_IGNORE_UNKNOWN_USER; + *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER; } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) { - *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL; + *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL; } else if (strcmp(*argv, "use_2fa") == 0) { - *flags |= FLAGS_USE_2FA; + *flags |= PAM_CLI_FLAGS_USE_2FA; } else if (strcmp(*argv, "allow_missing_name") == 0) { - *flags |= FLAGS_ALLOW_MISSING_NAME; + *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME; } else if (strcmp(*argv, "prompt_always") == 0) { - *flags |= FLAGS_PROMPT_ALWAYS; + *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS; } else { logger(pamh, LOG_WARNING, "unknown option: %s", *argv); } @@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, { int ret; - if ((flags & FLAGS_USE_FIRST_PASS) + if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS) || ( pi->pamstack_authtok != NULL && *(pi->pamstack_authtok) != '\0' - && !(flags & FLAGS_PROMPT_ALWAYS))) { + && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) { pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD; pi->pam_authtok = strdup(pi->pamstack_authtok); if (pi->pam_authtok == NULL) { @@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, } pi->pam_authtok_size = strlen(pi->pam_authtok); } else { - if (flags & FLAGS_USE_2FA + if (flags & PAM_CLI_FLAGS_USE_2FA || (pi->otp_vendor != NULL && pi->otp_token_id != NULL && pi->otp_challenge != NULL)) { if (pi->password_prompting) { @@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, return ret; } - if (flags & FLAGS_FORWARD_PASS) { + if (flags & PAM_CLI_FLAGS_FORWARD_PASS) { if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) { ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok); } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA @@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, /* we query for the old password during PAM_PRELIM_CHECK to make * pam_sss work e.g. with pam_cracklib */ if (pam_flags & PAM_PRELIM_CHECK) { - if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) { - if (flags & FLAGS_USE_2FA + if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) { + if (flags & PAM_CLI_FLAGS_USE_2FA || (pi->otp_vendor != NULL && pi->otp_token_id != NULL && pi->otp_challenge != NULL)) { if (pi->password_prompting) { @@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, } } - if (flags & FLAGS_USE_AUTHTOK) { + if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) { pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD; pi->pam_newauthtok = strdup(pi->pamstack_authtok); if (pi->pam_newauthtok == NULL) { @@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, return ret; } - if (flags & FLAGS_FORWARD_PASS) { + if (flags & PAM_CLI_FLAGS_FORWARD_PASS) { ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok); if (ret != PAM_SUCCESS) { D(("Failed to set PAM_AUTHTOK [%s], " @@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, ret = get_pam_items(pamh, flags, &pi); if (ret != PAM_SUCCESS) { D(("get items returned error: %s", pam_strerror(pamh,ret))); - if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) { + if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) { ret = PAM_IGNORE; } - if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL + if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL && ret == PAM_AUTHINFO_UNAVAIL) { ret = PAM_IGNORE; } @@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, case SSS_PAM_AUTHENTICATE: /* * Only do preauth if - * - FLAGS_USE_FIRST_PASS is not set - * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set + * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set + * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set * - preauth indicator file exists. */ - if ( !(flags & FLAGS_USE_FIRST_PASS) + if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS) && (pi.pam_authtok == NULL - || (flags & FLAGS_PROMPT_ALWAYS)) + || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS)) && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) { pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH, quiet_mode); @@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, * The means the preauth step has to be done here as well but * only if * - PAM_PRELIM_CHECK is set - * - FLAGS_USE_FIRST_PASS is not set - * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set + * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set + * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set * - preauth indicator file exists. */ if ( (pam_flags & PAM_PRELIM_CHECK) - && !(flags & FLAGS_USE_FIRST_PASS) + && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS) && (pi.pam_authtok == NULL - || (flags & FLAGS_PROMPT_ALWAYS)) + || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS)) && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) { pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH, quiet_mode); @@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, pam_status = send_and_receive(pamh, &pi, task, quiet_mode); - if (flags & FLAGS_IGNORE_UNKNOWN_USER + if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && pam_status == PAM_USER_UNKNOWN) { pam_status = PAM_IGNORE; } - if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL + if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL && pam_status == PAM_AUTHINFO_UNAVAIL) { pam_status = PAM_IGNORE; } @@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, retry = true; retries--; - flags &= ~FLAGS_USE_FIRST_PASS; + flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS; ret = pam_set_item(pamh, PAM_AUTHTOK, NULL); if (ret != PAM_SUCCESS) { D(("Failed to unset PAM_AUTHTOK [%s]", diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index 24d28ed4b0acdd627067250970d91a0cb5cb05a0..3404715d811332e9013f3f88cb733c62147fb502 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -365,6 +365,15 @@ enum pam_item_type { SSS_PAM_ITEM_REQUESTED_DOMAINS, }; +#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0) +#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1) +#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2) +#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3) +#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4) +#define PAM_CLI_FLAGS_USE_2FA (1 << 5) +#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6) +#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7) + #define SSS_NSS_MAX_ENTRIES 256 #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4) struct sss_cli_req_data { -- 2.14.4