author | Steve Langasek <steve.langasek@canonical.com> | 2020-08-11 14:54:29 -0700 |
committer | Steve Langasek <steve.langasek@canonical.com> | 2020-08-11 14:54:29 -0700 |
commit | f6d08ed47a3da3c08345bce2ca366e961c52ad7c (patch) | |
tree | dcbd0efb229b17f696f7195671f05b354b4f70fc /modules/pam_exec/pam_exec.c | |
parent | 668b13da8f830c38388cecac45539972e80cb246 (diff) | |
parent | 9e5bea9e146dee574796259ca464ad2435be3590 (diff) | |
New upstream version 1.4.0
Diffstat (limited to 'modules/pam_exec/pam_exec.c')
-rw-r--r-- | modules/pam_exec/pam_exec.c | 69 |
1 files changed, 34 insertions, 35 deletions
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
index 52dc6818..5ca85ab3 100644
--- a/modules/pam_exec/pam_exec.c
+++ b/modules/pam_exec/pam_exec.c
@@ -49,16 +49,11 @@
 #include <sys/stat.h>
 #include <sys/types.h>
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
 #include <security/pam_modules.h>
 #include <security/pam_modutil.h>
 #include <security/pam_ext.h>
 #include <security/_pam_macros.h>
+#include "pam_inline.h"
 #define ENV_ITEM(n) { (n), #n }
 static struct {
@@ -102,11 +97,13 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 int use_stdout = 0;
 int optargc;
 const char *logfile = NULL;
- const char *authtok = NULL;
+ char authtok[PAM_MAX_RESP_SIZE] = {};
 pid_t pid;
 int fds[2];
 int stdout_fds[2];
 FILE *stdout_file = NULL;
+ int retval;
+ const char *name;
 if (argc < 1) {
 pam_syslog (pamh, LOG_ERR,
@@ -116,6 +113,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 for (optargc = 0; optargc < argc; optargc++)
 {
+ const char *str;
+
 if (argv[optargc][0] == '/') /* paths starts with / */
 break;
@@ -123,11 +122,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 debug = 1;
 else if (strcasecmp (argv[optargc], "stdout") == 0)
 use_stdout = 1;
- else if (strncasecmp (argv[optargc], "log=", 4) == 0)
- logfile = &argv[optargc][4];
- else if (strncasecmp (argv[optargc], "type=", 5) == 0)
+ else if ((str = pam_str_skip_icase_prefix (argv[optargc], "log=")) != NULL)
+ logfile = str;
+ else if ((str = pam_str_skip_icase_prefix (argv[optargc], "type=")) != NULL)
 {
- if (strcmp (pam_type, &argv[optargc][5]) != 0)
+ if (strcmp (pam_type, str) != 0)
 return PAM_IGNORE;
 }
 else if (strcasecmp (argv[optargc], "seteuid") == 0)
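Review bot: `char authtok[PAM_MAX_RESP_SIZE] = {};` in the @@ -102 hunk uses an empty initializer, which is a GNU extension under C11 and only standard from C23; `= {0}` zero-fills identically and is portable. That zero fill is also load-bearing: the later `strncpy (authtok, ..., sizeof(authtok) - 1)` copies at most PAM_MAX_RESP_SIZE - 1 bytes, so the terminating NUL comes from this initializer and nothing else, which deserves a comment at the declaration: `/* zero-filled: the strncpy into it leaves the last byte NUL */`. call_exec continues outside this hunk.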
@@ -140,6 +139,16 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 break; /* Unknown option, assume program to execute. */
 }
+ /* Request user name to be available. */
+
+ retval = pam_get_user(pamh, &name, NULL);
+ if (retval != PAM_SUCCESS)
+ {
+ if (retval == PAM_CONV_AGAIN)
+ retval = PAM_INCOMPLETE;
+ return retval;
+ }
+
 if (expose_authtok == 1)
 {
 if (strcmp (pam_type, "auth") != 0)
@@ -151,7 +160,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 else
 {
 const void *void_pass;
- int retval;
 retval = pam_get_item (pamh, PAM_AUTHTOK, &void_pass);
 if (retval != PAM_SUCCESS)
@@ -180,12 +188,12 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 if (resp)
 {
 pam_set_item (pamh, PAM_AUTHTOK, resp);
- authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
+ strncpy (authtok, resp, sizeof(authtok) - 1);
 _pam_drop (resp);
 }
 }
 else
- authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
+ strncpy (authtok, void_pass, sizeof(authtok) - 1);
 if (pipe(fds) != 0)
 {
@@ -221,27 +229,18 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 if (pid > 0) /* parent */
 {
 int status = 0;
- pid_t retval;
+ pid_t rc;
 if (expose_authtok) /* send the password to the child */
 {
- if (authtok != NULL)
- { /* send the password to the child */
- if (debug)
- pam_syslog (pamh, LOG_DEBUG, "send password to child");
- if (write(fds[1], authtok, strlen(authtok)+1) == -1)
- pam_syslog (pamh, LOG_ERR,
- "sending password to child failed: %m");
- authtok = NULL;
- }
- else
- {
- if (write(fds[1], "", 1) == -1) /* blank password */
- pam_syslog (pamh, LOG_ERR,
- "sending password to child failed: %m");
- }
- close(fds[0]); /* close here to avoid possible SIGPIPE above */
- close(fds[1]);
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "send password to child");
+ if (write(fds[1], authtok, strlen(authtok)) == -1)
+ pam_syslog (pamh, LOG_ERR,
+ "sending password to child failed: %m");
+
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
+ close(fds[1]);
 }
 if (use_stdout)
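Review bot: Both `strncpy (authtok, resp, sizeof(authtok) - 1)` and the `void_pass` copy in the @@ -180 hunk silently truncate a response of PAM_MAX_RESP_SIZE - 1 bytes or more, one byte shorter than the `strndupa (..., PAM_MAX_RESP_SIZE)` they replace, and the child then receives a password that differs from what the user gave. The copies stay NUL-terminated only because `authtok` is zero-filled at its declaration, which is outside this hunk. A debug-level notice would make the truncation diagnosable: `if (debug && strlen (resp) >= sizeof(authtok)) pam_syslog (pamh, LOG_DEBUG, "password truncated to %zu bytes", sizeof(authtok) - 1);`, with the same check on the `void_pass` branch.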
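Review bot: After the `write(fds[1], authtok, strlen(authtok))` in the @@ -221 hunk the password copy in `authtok` is never cleared; it now sits in a fixed-size stack array for the rest of call_exec and in dead stack after the function returns (the old code dropped only the pointer, so this is not a regression, but the array makes a wipe trivial). Add `_pam_overwrite (authtok);` right after the two `close` calls; the macro comes from `<security/_pam_macros.h>`, which the first hunk keeps included. The `return PAM_SYSTEM_ERR` paths between the copy and the fork leave the buffer filled as well, so a wipe on every exit from call_exec would be more thorough. A plain store loop over a local that is never read again may be elided by the optimizer, so an explicit_bzero-style helper should be preferred if one is available in the tree. call_exec continues outside this hunk.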
@@ -259,9 +258,9 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 fclose(stdout_file);
 }
- while ((retval = waitpid (pid, &status, 0)) == -1 &&
+ while ((rc = waitpid (pid, &status, 0)) == -1 &&
 errno == EINTR);
- if (retval == (pid_t)-1)
+ if (rc == (pid_t)-1)
 {
 pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m");
 return PAM_SYSTEM_ERR;
@@ -423,7 +422,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
 envlist = pam_getenvlist(pamh);
 for (envlen = 0; envlist[envlen] != NULL; ++envlen)
 /* nothing */ ;
- nitems = sizeof(env_items) / sizeof(*env_items);
+ nitems = PAM_ARRAY_SIZE(env_items);
 /* + 2 because of PAM_TYPE and NULL entry */
 tmp = realloc(envlist, (envlen + nitems + 2) * sizeof(*envlist));
 if (tmp == NULL) |