New upstream version 0.76

6 files changed, 501 insertions, 0 deletions

diff --git a/Linux-PAM/examples/Makefile b/Linux-PAM/examples/Makefile
new file mode 100644
index 00000000..a55f1d21
--- /dev/null
+++ b/Linux-PAM/examples/Makefile
@@ -0,0 +1,54 @@
+#
+# $Id: Makefile,v 1.1.1.2 2002/09/15 20:08:35 hartmans Exp $
+#
+
+include ../Make.Rules
+
+PROGS = blank xsh check_user
+SRCS = blank.c xsh.c check_user.c
+PROGSUID =
+
+ifeq ($(WITH_LIBDEBUG),yes)
+ LIBSUFFIX=d
+else
+ LIBSUFFIX=
+endif
+
+CFLAGS += -I$(absolute_srcdir)/libpam_misc/include
+
+LOADLIBES = -L$(absolute_objdir)/libpam -L$(absolute_objdir)/libpamc \
+    -L$(absolute_objdir)/libpam_misc -lpam -lpam_misc
+
+ifeq ($(STATIC_LIBPAM),yes)
+  ifneq ($(DYNAMIC),)
+    CFLAGS += $(CC_STATIC)
+    LOADLIBES += $(LIBDL)
+  endif
+endif
+
+all: $(PROGS)
+
+check_user: check_user.o
+	$(CC) $(CFLAGS) -o $@ $< $(LOADLIBES)
+
+blank: blank.o
+	$(CC) $(CFLAGS) -o $@ $< $(LOADLIBES)
+
+xsh: xsh.o
+	$(CC) $(CFLAGS) -o $@ $< $(LOADLIBES)
+
+clean:
+	rm -f *.a *.so *.o *~ $(PROGS) $(PROGSUID)
+	rm -f *.a *.out *.o *.so
+
+# note, the programs are test programs, they should not be
+# installed on your system!
+
+install: all
+	if [ -n "$(PROGS)" ]; then cp $(PROGS) ../bin ; fi
+	if [ -n "$(PROGSUID)" ]; then \
+		$(INSTALL) -m 4555 $(PROGSUID) ../bin ; fi
+
+remove:
+	cd ../bin ; rm -f $(PROGS) $(PROGSUID)
+	for x in $(PROGS) $(PROGSUID) ; do rm -f ../bin/$$x ; done
diff --git a/Linux-PAM/examples/blank.c b/Linux-PAM/examples/blank.c
new file mode 100644
index 00000000..e4129b4b
--- /dev/null
+++ b/Linux-PAM/examples/blank.c
@@ -0,0 +1,158 @@
+/*
+ * $Id: blank.c,v 1.1.1.1 2001/04/29 04:17:04 hartmans Exp $
+ */
+
+/* Andrew Morgan (morgan@parc.power.net) -- a self contained `blank'
+ * application
+ *
+ * I am not very proud of this code.  It makes use of a possibly ill-
+ * defined pamh pointer to call pam_strerror() with.  The reason that
+ * I was sloppy with this is historical (pam_strerror, prior to 0.59,
+ * did not require a pamh argument) and if this program is used as a
+ * model for anything, I should wish that you will take this error into
+ * account.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+
+/* ------ some local (static) functions ------- */
+
+static void bail_out(pam_handle_t *pamh, int really, int code, const char *fn)
+{
+     fprintf(stderr,"==> called %s()\n  got: `%s'\n", fn,
+	     pam_strerror(pamh, code));
+     if (really && code)
+	  exit (1);
+}
+
+/* ------ some static data objects ------- */
+
+static struct pam_conv conv = {
+     misc_conv,
+     NULL
+};
+
+/* ------- the application itself -------- */
+
+int main(int argc, char **argv)
+{
+     pam_handle_t *pamh=NULL;
+     char *username=NULL;
+     int retcode;
+
+     /* did the user call with a username as an argument ? */
+
+     if (argc > 2) {
+	  fprintf(stderr,"usage: %s [username]\n",argv[0]);
+     } else if (argc == 2) {
+	  username = argv[1];
+     } 
+
+     /* initialize the Linux-PAM library */
+     retcode = pam_start("blank", username, &conv, &pamh);
+     bail_out(pamh,1,retcode,"pam_start");
+
+     /* test the environment stuff */
+     {
+#define MAXENV 15
+	 const char *greek[MAXENV] = {
+	     "a=alpha", "b=beta", "c=gamma", "d=delta", "e=epsilon",
+	     "f=phi", "g=psi", "h=eta", "i=iota", "j=mu", "k=nu",
+	     "l=zeta", "h=", "d", "k=xi"
+	 };
+	 char **env;
+	 int i;
+
+	 for (i=0; i<MAXENV; ++i) {
+	     retcode = pam_putenv(pamh,greek[i]);
+	     bail_out(pamh,0,retcode,"pam_putenv");
+	 }
+	 env = pam_getenvlist(pamh);
+	 if (env)
+	     env = pam_misc_drop_env(env);
+	 else
+	     fprintf(stderr,"???\n");
+	 fprintf(stderr,"a test: c=[%s], j=[%s]\n"
+		 , pam_getenv(pamh, "c"), pam_getenv(pamh, "j"));
+     }
+
+     /* to avoid using goto we abuse a loop here */
+     for (;;) {
+	  /* authenticate the user --- `0' here, could have been PAM_SILENT
+	   *	| PAM_DISALLOW_NULL_AUTHTOK */
+
+	  retcode = pam_authenticate(pamh, 0);
+	  bail_out(pamh,0,retcode,"pam_authenticate");
+
+	  /* has the user proved themself valid? */
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: invalid request\n",argv[0]);
+	       break;
+	  }
+
+	  /* the user is valid, but should they have access at this
+	     time? */
+
+	  retcode = pam_acct_mgmt(pamh, 0); /* `0' could be as above */
+	  bail_out(pamh,0,retcode,"pam_acct_mgmt");
+
+	  if (retcode == PAM_NEW_AUTHTOK_REQD) {
+	       fprintf(stderr,"Application must request new password...\n");
+	       retcode = pam_chauthtok(pamh,PAM_CHANGE_EXPIRED_AUTHTOK);
+	       bail_out(pamh,0,retcode,"pam_chauthtok");
+	  }
+
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: invalid request\n",argv[0]);
+	       break;
+	  }
+
+	  /* `0' could be as above */
+	  retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+	  bail_out(pamh,0,retcode,"pam_setcred1");
+
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: problem setting user credentials\n"
+		       ,argv[0]);
+	       break;
+	  }
+
+	  /* open a session for the user --- `0' could be PAM_SILENT */
+	  retcode = pam_open_session(pamh,0);
+	  bail_out(pamh,0,retcode,"pam_open_session");
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: problem opening a session\n",argv[0]);
+	       break;
+	  }
+
+	  fprintf(stderr,"The user has been authenticated and `logged in'\n");
+
+	  /* close a session for the user --- `0' could be PAM_SILENT
+	   * it is possible that this pam_close_call is in another program..
+	   */
+
+	  retcode = pam_close_session(pamh,0);
+	  bail_out(pamh,0,retcode,"pam_close_session");
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: problem closing a session\n",argv[0]);
+	       break;
+	  }
+	  
+	  retcode = pam_setcred(pamh, PAM_DELETE_CRED);
+	  bail_out(pamh,0,retcode,"pam_setcred2");
+
+	  break;                      /* don't go on for ever! */
+     }
+
+     /* close the Linux-PAM library */
+     retcode = pam_end(pamh, PAM_SUCCESS);
+     pamh = NULL;
+
+     bail_out(pamh,1,retcode,"pam_end");
+
+     exit(0);
+}
diff --git a/Linux-PAM/examples/check_user.c b/Linux-PAM/examples/check_user.c
new file mode 100644
index 00000000..295d6715
--- /dev/null
+++ b/Linux-PAM/examples/check_user.c
@@ -0,0 +1,60 @@
+/*
+  $Id: check_user.c,v 1.1.1.1 2001/04/29 04:17:04 hartmans Exp $
+  
+  This program was contributed by Shane Watts <shane@icarus.bofh.asn.au>
+  slight modifications by AGM.
+
+  You need to add the following (or equivalent) to the /etc/pam.conf file.
+  # check authorization
+  check   auth       required     pam_unix_auth.so
+  check   account    required     pam_unix_acct.so
+*/
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <stdio.h>
+
+static struct pam_conv conv = {
+    misc_conv,
+    NULL
+};
+
+int main(int argc, char *argv[])
+{
+    pam_handle_t *pamh=NULL;
+    int retval;
+    const char *user="nobody";
+
+    if(argc == 2) {
+	user = argv[1];
+    }
+
+    if(argc > 2) {
+	fprintf(stderr, "Usage: check_user [username]\n");
+	exit(1);
+    }
+
+    retval = pam_start("check", user, &conv, &pamh);
+	
+    if (retval == PAM_SUCCESS)
+        retval = pam_authenticate(pamh, 0);    /* is user really user? */
+
+    if (retval == PAM_SUCCESS)
+        retval = pam_acct_mgmt(pamh, 0);       /* permitted access? */
+
+    /* This is where we have been authorized or not. */
+
+    if (retval == PAM_SUCCESS) {
+	fprintf(stdout, "Authenticated\n");
+    } else {
+	fprintf(stdout, "Not Authenticated\n");
+    }
+
+    if (pam_end(pamh,retval) != PAM_SUCCESS) {     /* close Linux-PAM */
+	pamh = NULL;
+	fprintf(stderr, "check_user: failed to release authenticator\n");
+	exit(1);
+    }
+
+    return ( retval == PAM_SUCCESS ? 0:1 );       /* indicate success */
+}
diff --git a/Linux-PAM/examples/vpass.c b/Linux-PAM/examples/vpass.c
new file mode 100644
index 00000000..9a07ee38
--- /dev/null
+++ b/Linux-PAM/examples/vpass.c
@@ -0,0 +1,47 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <sys/types.h>
+#include <security/pam_appl.h>
+
+static int test_conv(int num_msg, const struct pam_message **msgm,
+		     struct pam_response **response, void *appdata_ptr)
+{
+    return 0;
+}
+
+static struct pam_conv conv = {
+    test_conv,
+    NULL
+};
+
+int main(void)
+{
+    char *user;
+    pam_handle_t *pamh;
+    struct passwd *pw;
+    uid_t uid;
+    int res;
+
+    uid = geteuid();
+    pw = getpwuid(uid);
+    if (pw) {
+	user = pw->pw_name;
+    } else {
+	fprintf(stderr, "Invalid userid: %d\n", uid);
+	exit(1);
+    }
+
+    pam_start("vpass", user, &conv, &pamh);
+    pam_set_item(pamh, PAM_TTY, "/dev/tty");
+    if ((res = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
+	fprintf(stderr, "Oops: %s\n", pam_strerror(pamh, res));
+	exit(1);
+    }
+
+    pam_end(pamh, res);
+    exit(0);
+}
+
+
diff --git a/Linux-PAM/examples/wrap_xsh.sh b/Linux-PAM/examples/wrap_xsh.sh
new file mode 100755
index 00000000..af01697e
--- /dev/null
+++ b/Linux-PAM/examples/wrap_xsh.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+export LD_PRELOAD=../libpam/libpam.so:../libpam_misc/libpam_misc.so
+ldd ./xsh
+./xsh "$@"
+
diff --git a/Linux-PAM/examples/xsh.c b/Linux-PAM/examples/xsh.c
new file mode 100644
index 00000000..0e092402
--- /dev/null
+++ b/Linux-PAM/examples/xsh.c
@@ -0,0 +1,177 @@
+/*
+ * $Id: xsh.c,v 1.1.1.2 2002/09/15 20:08:35 hartmans Exp $
+ */
+
+/* Andrew Morgan (morgan@kernel.org) -- an example application
+ * that invokes a shell, based on blank.c */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+
+#include <security/_pam_aconf.h>
+
+#include <pwd.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+/* ------ some local (static) functions ------- */
+
+static void bail_out(pam_handle_t *pamh,int really, int code, const char *fn)
+{
+     fprintf(stderr,"==> called %s()\n  got: `%s'\n", fn,
+	     pam_strerror(pamh,code));
+     if (really && code)
+	  exit (1);
+}
+
+/* ------ some static data objects ------- */
+
+static struct pam_conv conv = {
+     misc_conv,
+     NULL
+};
+
+/* ------- the application itself -------- */
+
+int main(int argc, char **argv)
+{
+     pam_handle_t *pamh=NULL;
+     const char *username=NULL;
+     const char *service="xsh";
+     int retcode;
+
+     /* did the user call with a username as an argument ?
+      * did they also */
+
+     if (argc > 3) {
+	  fprintf(stderr,"usage: %s [username [service-name]]\n",argv[0]);
+     }
+     if ((argc >= 2) && (argv[1][0] != '-')) {
+	  username = argv[1];
+     }
+     if (argc == 3) {
+	 service = argv[2];
+     }
+
+     /* initialize the Linux-PAM library */
+     retcode = pam_start(service, username, &conv, &pamh);
+     bail_out(pamh,1,retcode,"pam_start");
+
+     /* fill in the RUSER and RHOST etc. fields */
+     {
+	 char buffer[100];
+	 struct passwd *pw;
+	 const char *tty;
+
+	 pw = getpwuid(getuid());
+	 if (pw != NULL) {
+	     retcode = pam_set_item(pamh, PAM_RUSER, pw->pw_name);
+	     bail_out(pamh,1,retcode,"pam_set_item(PAM_RUSER)");
+	 }
+
+	 retcode = gethostname(buffer, sizeof(buffer)-1);
+	 if (retcode) {
+	     perror("failed to look up hostname");
+	     retcode = pam_end(pamh, PAM_ABORT);
+	     bail_out(pamh,1,retcode,"pam_end");
+	 }
+	 retcode = pam_set_item(pamh, PAM_RHOST, buffer);
+	 bail_out(pamh,1,retcode,"pam_set_item(PAM_RHOST)");
+
+	 tty = ttyname(fileno(stdin));
+	 if (tty) {
+	     retcode = pam_set_item(pamh, PAM_TTY, tty);
+	     bail_out(pamh,1,retcode,"pam_set_item(PAM_RHOST)");
+	 }
+     }
+
+     /* to avoid using goto we abuse a loop here */
+     for (;;) {
+	  /* authenticate the user --- `0' here, could have been PAM_SILENT
+	   *	| PAM_DISALLOW_NULL_AUTHTOK */
+
+	  retcode = pam_authenticate(pamh, 0);
+	  bail_out(pamh,0,retcode,"pam_authenticate");
+
+	  /* has the user proved themself valid? */
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: invalid request\n",argv[0]);
+	       break;
+	  }
+
+	  /* the user is valid, but should they have access at this
+	     time? */
+
+	  retcode = pam_acct_mgmt(pamh, 0); /* `0' could be as above */
+	  bail_out(pamh,0,retcode,"pam_acct_mgmt");
+
+	  if (retcode == PAM_NEW_AUTHTOK_REQD) {
+	       fprintf(stderr,"Application must request new password...\n");
+	       retcode = pam_chauthtok(pamh,PAM_CHANGE_EXPIRED_AUTHTOK);
+	       bail_out(pamh,0,retcode,"pam_chauthtok");
+	  }
+
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: invalid request\n",argv[0]);
+	       break;
+	  }
+
+	  /* `0' could be as above */
+	  retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+	  bail_out(pamh,0,retcode,"pam_setcred");
+
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: problem setting user credentials\n"
+		       ,argv[0]);
+	       break;
+	  }
+
+	  /* open a session for the user --- `0' could be PAM_SILENT */
+	  retcode = pam_open_session(pamh,0);
+	  bail_out(pamh,0,retcode,"pam_open_session");
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: problem opening a session\n",argv[0]);
+	       break;
+	  }
+
+	  pam_get_item(pamh, PAM_USER, (const void **) &username);
+	  fprintf(stderr,
+		  "The user [%s] has been authenticated and `logged in'\n",
+		  username);
+
+	  /* this is always a really bad thing for security! */
+	  system("/bin/sh");
+
+	  /* close a session for the user --- `0' could be PAM_SILENT
+	   * it is possible that this pam_close_call is in another program..
+	   */
+
+	  retcode = pam_close_session(pamh,0);
+	  bail_out(pamh,0,retcode,"pam_close_session");
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: problem closing a session\n",argv[0]);
+	       break;
+	  }
+	  
+	  /* `0' could be as above */
+	  retcode = pam_setcred(pamh, PAM_DELETE_CRED);
+	  bail_out(pamh,0,retcode,"pam_setcred");
+	  if (retcode != PAM_SUCCESS) {
+	       fprintf(stderr,"%s: problem deleting user credentials\n"
+		       ,argv[0]);
+	       break;
+	  }
+
+	  break;                      /* don't go on for ever! */
+     }
+
+     /* close the Linux-PAM library */
+     retcode = pam_end(pamh, PAM_SUCCESS);
+     pamh = NULL;
+     bail_out(pamh,1,retcode,"pam_end");
+
+     exit(0);
+}