diff options
| -rw-r--r-- | modules/pam_pwhistory/.gitignore | 1 | ||||
| -rw-r--r-- | modules/pam_pwhistory/Makefile.am | 21 | ||||
| -rw-r--r-- | modules/pam_pwhistory/opasswd.c | 67 | ||||
| -rw-r--r-- | modules/pam_pwhistory/opasswd.h | 31 | ||||
| -rw-r--r-- | modules/pam_pwhistory/pam_pwhistory.c | 218 | ||||
| -rw-r--r-- | modules/pam_pwhistory/pwhistory_helper.8.xml | 68 | ||||
| -rw-r--r-- | modules/pam_pwhistory/pwhistory_helper.c | 119 |
7 files changed, 478 insertions, 47 deletions
diff --git a/modules/pam_pwhistory/.gitignore b/modules/pam_pwhistory/.gitignore new file mode 100644 index 00000000..358515af --- /dev/null +++ b/modules/pam_pwhistory/.gitignore @@ -0,0 +1 @@ +pwhistory_helper diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am index bd9f1ea9..32b9fcc4 100644 --- a/modules/pam_pwhistory/Makefile.am +++ b/modules/pam_pwhistory/Makefile.am @@ -1,5 +1,6 @@ # # Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2013 Red Hat, Inc. # CLEANFILES = *~ @@ -8,9 +9,9 @@ MAINTAINERCLEANFILES = $(MANS) README EXTRA_DIST = $(XMLS) if HAVE_DOC -dist_man_MANS = pam_pwhistory.8 +dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 endif -XMLS = README.xml pam_pwhistory.8.xml +XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml dist_check_SCRIPTS = tst-pam_pwhistory TESTS = $(dist_check_SCRIPTS) @@ -18,18 +19,26 @@ securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - $(WARN_CFLAGS) -AM_LDFLAGS = -no-undefined -avoid-version -module + $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\" + +pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING - AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif noinst_HEADERS = opasswd.h securelib_LTLIBRARIES = pam_pwhistory.la -pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ +pam_pwhistory_la_CFLAGS = $(AM_CFLAGS) +pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@ pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c +sbin_PROGRAMS = pwhistory_helper +pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@ +pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c +pwhistory_helper_LDFLAGS = @PIE_LDFLAGS@ +pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ + if ENABLE_REGENERATE_MAN dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c index 77142f2c..ac10f691 100644 --- a/modules/pam_pwhistory/opasswd.c +++ b/modules/pam_pwhistory/opasswd.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de> + * Copyright (c) 2013 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -38,6 +39,7 @@ #endif #include <pwd.h> +#include <shadow.h> #include <time.h> #include <ctype.h> #include <errno.h> @@ -47,6 +49,9 @@ #include <string.h> #include <stdlib.h> #include <syslog.h> +#ifdef HELPER_COMPILE +#include <stdarg.h> +#endif #include <sys/stat.h> #if defined HAVE_LIBXCRYPT @@ -55,7 +60,14 @@ #include <crypt.h> #endif +#ifdef HELPER_COMPILE +#define pam_modutil_getpwnam(h,n) getpwnam(n) +#define pam_modutil_getspnam(h,n) getspnam(n) +#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__) +#else +#include <security/pam_modutil.h> #include <security/pam_ext.h> +#endif #include <security/pam_modules.h> #include "opasswd.h" @@ -76,6 +88,19 @@ typedef struct { char *old_passwords; } opwd; +#ifdef HELPER_COMPILE +void +helper_log_err(int err, const char *format, ...) +{ + va_list args; + + va_start(args, format); + openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV); + vsyslog(err, format, args); + va_end(args); + closelog(); +} +#endif static int parse_entry (char *line, opwd *data) @@ -117,9 +142,8 @@ compare_password(const char *newpass, const char *oldpass) } /* Check, if the new password is already in the opasswd file. */ -int -check_old_pass (pam_handle_t *pamh, const char *user, - const char *newpass, int debug) +PAMH_ARG_DECL(int +check_old_pass, const char *user, const char *newpass, int debug) { int retval = PAM_SUCCESS; FILE *oldpf; @@ -128,6 +152,11 @@ check_old_pass (pam_handle_t *pamh, const char *user, opwd entry; int found = 0; +#ifndef HELPER_COMPILE + if (SELINUX_ENABLED) + return PAM_PWHISTORY_RUN_HELPER; +#endif + if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) { if (errno != ENOENT) @@ -213,9 +242,8 @@ check_old_pass (pam_handle_t *pamh, const char *user, return retval; } -int -save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, - const char *oldpass, int howmany, int debug UNUSED) +PAMH_ARG_DECL(int +save_old_pass, const char *user, int howmany, int debug UNUSED) { char opasswd_tmp[] = TMP_PASSWORDS_FILE; struct stat opasswd_stat; @@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, char *buf = NULL; size_t buflen = 0; int found = 0; + struct passwd *pwd; + const char *oldpass; + + pwd = pam_modutil_getpwnam (pamh, user); + if (pwd == NULL) + return PAM_USER_UNKNOWN; if (howmany <= 0) return PAM_SUCCESS; +#ifndef HELPER_COMPILE + if (SELINUX_ENABLED) + return PAM_PWHISTORY_RUN_HELPER; +#endif + + if ((strcmp(pwd->pw_passwd, "x") == 0) || + ((pwd->pw_passwd[0] == '#') && + (pwd->pw_passwd[1] == '#') && + (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) + { + struct spwd *spw = pam_modutil_getspnam (pamh, user); + + if (spw == NULL) + return PAM_USER_UNKNOWN; + oldpass = spw->sp_pwdp; + } + else + oldpass = pwd->pw_passwd; + if (oldpass == NULL || *oldpass == '\0') return PAM_SUCCESS; @@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, { char *out; - if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0) + if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0) { retval = PAM_AUTHTOK_ERR; if (oldpf) diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h index db3e6568..3f257288 100644 --- a/modules/pam_pwhistory/opasswd.h +++ b/modules/pam_pwhistory/opasswd.h @@ -1,5 +1,6 @@ /* * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de> + * Copyright (c) 2013 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -36,10 +37,30 @@ #ifndef __OPASSWD_H__ #define __OPASSWD_H__ -extern int check_old_pass (pam_handle_t *pamh, const char *user, - const char *newpass, int debug); -extern int save_old_pass (pam_handle_t *pamh, const char *user, - uid_t uid, const char *oldpass, - int howmany, int debug); +#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT + +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#define SELINUX_ENABLED (is_selinux_enabled()>0) +#else +#define SELINUX_ENABLED 0 +#endif + +#ifdef HELPER_COMPILE +#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__) +#else +#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__) +#endif + +#ifdef HELPER_COMPILE +void +helper_log_err(int err, const char *format, ...); +#endif + +PAMH_ARG_DECL(int +check_old_pass, const char *user, const char *newpass, int debug); + +PAMH_ARG_DECL(int +save_old_pass, const char *user, int howmany, int debug); #endif /* __OPASSWD_H__ */ diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index cf4fc078..a16365f8 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -3,6 +3,7 @@ * * Copyright (c) 2008, 2012 Thorsten Kukuk * Author: Thorsten Kukuk <kukuk@thkukuk.de> + * Copyright (c) 2013 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -46,10 +47,14 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> -#include <shadow.h> #include <syslog.h> #include <sys/types.h> #include <sys/stat.h> +#include <sys/time.h> +#include <sys/resource.h> +#include <sys/wait.h> +#include <signal.h> +#include <fcntl.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> @@ -59,8 +64,6 @@ #include "opasswd.h" #include "pam_inline.h" -#define DEFAULT_BUFLEN 2048 - struct options_t { int debug; int enforce_for_root; @@ -105,6 +108,179 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); } +static int +run_save_helper(pam_handle_t *pamh, const char *user, + int howmany, int debug) +{ + int retval, child; + struct sigaction newsa, oldsa; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + sigaction(SIGCHLD, &newsa, &oldsa); + + child = fork(); + if (child == 0) + { + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; + + if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_PIPE_FD, + PAM_MODUTIL_PIPE_FD, + PAM_MODUTIL_PIPE_FD) < 0) + { + _exit(PAM_SYSTEM_ERR); + } + + /* exec binary helper */ + DIAG_PUSH_IGNORE_CAST_QUAL; + args[0] = (char *)PWHISTORY_HELPER; + args[1] = (char *)"save"; + args[2] = (char *)user; + DIAG_POP_IGNORE_CAST_QUAL; + if (asprintf(&args[3], "%d", howmany) < 0 || + asprintf(&args[4], "%d", debug) < 0) + { + pam_syslog(pamh, LOG_ERR, "asprintf: %m"); + _exit(PAM_SYSTEM_ERR); + } + + execve(args[0], args, envp); + + pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %s: %m", args[0]); + + _exit(PAM_SYSTEM_ERR); + } + else if (child > 0) + { + /* wait for child */ + int rc = 0; + while ((rc = waitpid (child, &retval, 0)) == -1 && + errno == EINTR); + if (rc < 0) + { + pam_syslog(pamh, LOG_ERR, "pwhistory_helper save: waitpid: %m"); + retval = PAM_SYSTEM_ERR; + } + else if (!WIFEXITED(retval)) + { + pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval); + retval = PAM_SYSTEM_ERR; + } + else + { + retval = WEXITSTATUS(retval); + } + } + else + { + pam_syslog(pamh, LOG_ERR, "fork failed: %m"); + retval = PAM_SYSTEM_ERR; + } + + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ + + return retval; +} + +static int +run_check_helper(pam_handle_t *pamh, const char *user, + const char *newpass, int debug) +{ + int retval, child, fds[2]; + struct sigaction newsa, oldsa; + + /* create a pipe for the password */ + if (pipe(fds) != 0) + return PAM_SYSTEM_ERR; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = SIG_DFL; + sigaction(SIGCHLD, &newsa, &oldsa); + + child = fork(); + if (child == 0) + { + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL }; + + /* reopen stdin as pipe */ + if (dup2(fds[0], STDIN_FILENO) != STDIN_FILENO) + { + pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", "stdin"); + _exit(PAM_SYSTEM_ERR); + } + + if (pam_modutil_sanitize_helper_fds(pamh, PAM_MODUTIL_IGNORE_FD, + PAM_MODUTIL_PIPE_FD, + PAM_MODUTIL_PIPE_FD) < 0) + { + _exit(PAM_SYSTEM_ERR); + } + + /* exec binary helper */ + DIAG_PUSH_IGNORE_CAST_QUAL; + args[0] = (char *)PWHISTORY_HELPER; + args[1] = (char *)"check"; + args[2] = (char *)user; + DIAG_POP_IGNORE_CAST_QUAL; + if (asprintf(&args[3], "%d", debug) < 0) + { + pam_syslog(pamh, LOG_ERR, "asprintf: %m"); + _exit(PAM_SYSTEM_ERR); + } + + execve(args[0], args, envp); + + pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %s: %m", args[0]); + + _exit(PAM_SYSTEM_ERR); + } + else if (child > 0) + { + /* wait for child */ + int rc = 0; + if (newpass == NULL) + newpass = ""; + + /* send the password to the child */ + if (write(fds[1], newpass, strlen(newpass)+1) == -1) + { + pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m"); + retval = PAM_SYSTEM_ERR; + } + newpass = NULL; + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); + while ((rc = waitpid (child, &retval, 0)) == -1 && + errno == EINTR); + if (rc < 0) + { + pam_syslog(pamh, LOG_ERR, "pwhistory_helper check: waitpid: %m"); + retval = PAM_SYSTEM_ERR; + } + else if (!WIFEXITED(retval)) + { + pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval); + retval = PAM_SYSTEM_ERR; + } + else + { + retval = WEXITSTATUS(retval); + } + } + else + { + pam_syslog(pamh, LOG_ERR, "fork failed: %m"); + close(fds[0]); + close(fds[1]); + retval = PAM_SYSTEM_ERR; + } + + sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ + + return retval; +} /* This module saves the current crypted password in /etc/security/opasswd and then compares the new password with all entries in this file. */ @@ -112,7 +288,6 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) int pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) { - struct passwd *pwd; const char *newpass; const char *user; int retval, tries; @@ -148,31 +323,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_SUCCESS; } - pwd = pam_modutil_getpwnam (pamh, user); - if (pwd == NULL) - return PAM_USER_UNKNOWN; + retval = save_old_pass (pamh, user, options.remember, options.debug); - if ((strcmp(pwd->pw_passwd, "x") == 0) || - ((pwd->pw_passwd[0] == '#') && - (pwd->pw_passwd[1] == '#') && - (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) - { - struct spwd *spw = pam_modutil_getspnam (pamh, user); - if (spw == NULL) - return PAM_USER_UNKNOWN; + if (retval == PAM_PWHISTORY_RUN_HELPER) + retval = run_save_helper(pamh, user, options.remember, options.debug); - retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp, - options.remember, options.debug); - if (retval != PAM_SUCCESS) - return retval; - } - else - { - retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd, - options.remember, options.debug); - if (retval != PAM_SUCCESS) - return retval; - } + if (retval != PAM_SUCCESS) + return retval; newpass = NULL; tries = 0; @@ -201,8 +358,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) if (options.debug) pam_syslog (pamh, LOG_DEBUG, "check against old password file"); - if (check_old_pass (pamh, user, newpass, - options.debug) != PAM_SUCCESS) + retval = check_old_pass (pamh, user, newpass, options.debug); + if (retval == PAM_PWHISTORY_RUN_HELPER) + retval = run_check_helper(pamh, user, newpass, options.debug); + + if (retval != PAM_SUCCESS) { if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) diff --git a/modules/pam_pwhistory/pwhistory_helper.8.xml b/modules/pam_pwhistory/pwhistory_helper.8.xml new file mode 100644 index 00000000..a0301764 --- /dev/null +++ b/modules/pam_pwhistory/pwhistory_helper.8.xml @@ -0,0 +1,68 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pwhistory_helper"> + + <refmeta> + <refentrytitle>pwhistory_helper</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pwhistory_helper-name"> + <refname>pwhistory_helper</refname> + <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pwhistory_helper-cmdsynopsis"> + <command>pwhistory_helper</command> + <arg choice="opt"> + ... + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pwhistory_helper-description"> + + <title>DESCRIPTION</title> + + <para> + <emphasis>pwhistory_helper</emphasis> is a helper program for the + <emphasis>pam_pwhistory</emphasis> module that transfers password hashes + from passwd or shadow file to the opasswd file and checks a password + supplied by user against the existing hashes in the opasswd file. + </para> + + <para> + The purpose of the helper is to enable tighter confinement of + login and password changing services. The helper is thus called only + when SELinux is enabled on the system. + </para> + + <para> + The interface of the helper - command line options, and input/output + data format are internal to the <emphasis>pam_pwhistory</emphasis> + module and it should not be called directly from applications. + </para> + </refsect1> + + <refsect1 id='pwhistory_helper-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pwhistory_helper-author'> + <title>AUTHOR</title> + <para> + Written by Tomas Mraz based on the code originally in + <emphasis>pam_pwhistory and pam_unix</emphasis> modules. + </para> + </refsect1> + +</refentry> diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c new file mode 100644 index 00000000..b08a14a7 --- /dev/null +++ b/modules/pam_pwhistory/pwhistory_helper.c @@ -0,0 +1,119 @@ +/* + * Copyright (c) 2013 Red Hat, Inc. + * Author: Tomas Mraz <tmraz@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <errno.h> +#include <unistd.h> +#include <signal.h> +#include <security/_pam_types.h> +#include <security/_pam_macros.h> +#include <security/pam_modutil.h> +#include "opasswd.h" +#include "pam_inline.h" + + +static int +check_history(const char *user, const char *debug) +{ + char pass[PAM_MAX_RESP_SIZE + 1]; + char *passwords[] = { pass }; + int npass; + int dbg = atoi(debug); /* no need to be too fancy here */ + int retval; + + /* read the password from stdin (a pipe from the pam_pwhistory module) */ + npass = pam_read_passwords(STDIN_FILENO, 1, passwords); + + if (npass != 1) + { /* is it a valid password? */ + helper_log_err(LOG_DEBUG, "no password supplied"); + return PAM_AUTHTOK_ERR; + } + + retval = check_old_pass(user, pass, dbg); + + memset(pass, '\0', PAM_MAX_RESP_SIZE); /* clear memory of the password */ + + return retval; +} + +static int +save_history(const char *user, const char *howmany, const char *debug) +{ + int num = atoi(howmany); + int dbg = atoi(debug); /* no need to be too fancy here */ + int retval; + + retval = save_old_pass(user, num, dbg); + + return retval; +} + +int +main(int argc, char *argv[]) +{ + const char *option; + const char *user; + + /* + * we establish that this program is running with non-tty stdin. + * this is to discourage casual use. + */ + + if (isatty(STDIN_FILENO) || argc < 4) + { + fprintf(stderr, + "This binary is not designed for running in this way.\n"); + return PAM_SYSTEM_ERR; + } + + option = argv[1]; + user = argv[2]; + + if (strcmp(option, "check") == 0 && argc == 4) + return check_history(user, argv[3]); + else if (strcmp(option, "save") == 0 && argc == 5) + return save_history(user, argv[3], argv[4]); + + fprintf(stderr, "This binary is not designed for running in this way.\n"); + + return PAM_SYSTEM_ERR; +} |