Diffstat (limited to 'Linux-PAM/libpam')
29 files changed, 886 insertions, 88 deletions
diff --git a/Linux-PAM/libpam/Makefile b/Linux-PAM/libpam/Makefile index 2c0813f7..94d92de6 100644 --- a/Linux-PAM/libpam/Makefile +++ b/Linux-PAM/libpam/Makefile @@ -1,5 +1,5 @@ # -# $Id: Makefile,v 1.1.1.2 2002/09/15 20:08:36 hartmans Exp $ +# $Id: Makefile,v 1.12 2005/03/29 20:41:20 toady Exp $ # # @@ -10,9 +10,15 @@ MOREFLAGS=-D"DEFAULT_MODULE_PATH=\"$(SECUREDIR)/\"" ifeq ($(WITH_LIBDEBUG),yes) LIBNAME=libpamd + CFLAGS += -D"DEBUG" + CFLAGS += -g else LIBNAME=libpam endif +ifeq ($(WITH_PRELUDE),yes) + CFLAGS += -DPRELUDE -DLIBPRELUDE_CONFIG_PREFIX=\"`libprelude-config --prefix`\" + LINKLIBS += -lprelude +endif VERSION=.$(MAJOR_REL) MODIFICATION=.$(MINOR_REL) @@ -24,7 +30,8 @@ dummy: ../Make.Rules all CFLAGS += $(DYNAMIC) $(STATIC) $(MOREFLAGS) \ -DLIBPAM_VERSION_MAJOR=$(MAJOR_REL) \ - -DLIBPAM_VERSION_MINOR=$(MINOR_REL) + -DLIBPAM_VERSION_MINOR=$(MINOR_REL) \ + -DLIBPAM_VERSION_STRING=\"$(MAJOR_REL).$(MINOR_REL)\" # dynamic library names @@ -37,7 +44,7 @@ LIBPAMFULL = $(LIBPAMNAME)$(MODIFICATION) LIBPAMSTATIC = $(LIBNAME).a ifdef STATIC -@echo Did you mean to set STATIC\? +# @echo Did you mean to set STATIC\? MODULES = $(shell cat ../modules/_static_module_objects) STATICOBJ = pam_static.o else @@ -50,7 +57,7 @@ endif LIBOBJECTS = pam_item.o pam_strerror.o pam_end.o pam_start.o pam_data.o \ pam_delay.o pam_dispatch.o pam_handlers.o pam_misc.o \ - pam_account.o pam_auth.o pam_session.o pam_password.o \ + pam_account.o pam_auth.o pam_prelude.o pam_session.o pam_password.o \ pam_env.o pam_log.o $(EXTRAS) ifeq ($(DYNAMIC_LIBPAM),yes) 
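Review bot: The WITH_PRELUDE block resolves `libprelude-config --prefix` with a shell backtick inside CFLAGS, so the lookup is repeated at every compile against whatever binary is first on PATH, and if the tool is missing the define silently becomes an empty string that is baked into the library (LIBPRELUDE_CONFIG_PREFIX is string-concatenated into DEFAULT_ANALYZER_CONFIG in the new pam_prelude.c). Evaluating it once at parse time with `:=` and failing the build when it is empty makes the dependency explicit and avoids shipping a PAM library with a bogus configuration path. `-lprelude` is likewise appended unconditionally, so a build without the library only fails at link time; the `$(error)` catches that case too.
```make
ifeq ($(WITH_PRELUDE),yes)
  PRELUDE_PREFIX := $(shell libprelude-config --prefix)
  ifeq ($(strip $(PRELUDE_PREFIX)),)
    $(error WITH_PRELUDE=yes but 'libprelude-config --prefix' returned nothing)
  endif
  CFLAGS += -DPRELUDE -DLIBPRELUDE_CONFIG_PREFIX=\"$(PRELUDE_PREFIX)\"
  LINKLIBS += -lprelude
endif
```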
@@ -88,11 +95,14 @@ dynamic/%.o : %.c static/%.o : %.c $(CC) $(CFLAGS) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ +bootstrap-libpam: bootdir $(LIBPAM) +bootdir: + test -d dynamic || mkdir dynamic $(LIBPAM): $(DLIBOBJECTS) ifeq ($(DYNAMIC_LIBPAM),yes) ifeq ($(USESONAME),yes) - $(LD_L) $(SOSWITCH) $(LIBPAMNAME) -o $@ $(DLIBOBJECTS) \ + $(LD_L) $(SOSWITCH)$(LIBPAMNAME) -o $@ $(DLIBOBJECTS) \ $(MODULES) $(LINKLIBS) else $(LD_L) -o $@ $(DLIBOBJECTS) $(MODULES) $(LINKLIBS) @@ -107,9 +117,11 @@ endif $(LIBPAMSTATIC): $(SLIBOBJECTS) ifeq ($(STATIC_LIBPAM),yes) - ar cr $@ $(SLIBOBJECTS) $(MODULES) + $(AR) cru $@ $(SLIBOBJECTS) $(MODULES) +ifdef RANLIB $(RANLIB) $@ endif +endif install: all $(MKDIR) $(FAKEROOT)$(INCLUDED) $(FAKEROOT)$(libdir) @@ -123,7 +135,11 @@ ifdef MEMORY_DEBUG endif ifeq ($(DYNAMIC_LIBPAM),yes) $(INSTALL) -m $(SHLIBMODE) $(LIBPAM) $(FAKEROOT)$(libdir)/$(LIBPAMFULL) +ifndef FAKEROOT $(LDCONFIG) +else + $(LDCONFIG) -n $(FAKEROOT)$(libdir) +endif ifneq ($(DYNTYPE),"sl") ( cd $(FAKEROOT)$(libdir) ; rm -f $(LIBPAM) ; \ ln -sf $(LIBPAMNAME) $(LIBPAM) ) @@ -141,11 +157,14 @@ remove: rm -f $(FAKEROOT)$(INCLUDED)/pam_malloc.h rm -f $(FAKEROOT)$(libdir)/$(LIBPAM).* rm -f $(FAKEROOT)$(libdir)/$(LIBPAM) +ifndef FAKEROOT $(LDCONFIG) +endif rm -f $(FAKEROOT)$(libdir)/$(LIBPAMSTATIC) clean: rm -f a.out core *~ static/*.o dynamic/*.o + rm -f *.orig $(LIBPAMNAME) $(LIBPAMFULL) rm -f *.a *.o *.so ./include/security/*~ if [ -d dynamic ]; then rmdir dynamic ; fi if [ -d static ]; then rmdir static ; fi diff --git a/Linux-PAM/libpam/include/security/_pam_compat.h b/Linux-PAM/libpam/include/security/_pam_compat.h index b66a5479..33520a6c 100644 --- a/Linux-PAM/libpam/include/security/_pam_compat.h +++ b/Linux-PAM/libpam/include/security/_pam_compat.h 
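Review bot: The new `bootdir` recipe `test -d dynamic || mkdir dynamic` is not atomic, so under `make -j` two jobs can both pass the test and the second `mkdir` fails; `mkdir -p dynamic` is idempotent and does the same in one command. `bootstrap-libpam` and `bootdir` are command targets rather than files and should appear in a `.PHONY` declaration unless one exists outside this hunk, otherwise a stray file named `bootdir` silently satisfies the rule. The rest of the install/remove changes only guard `$(LDCONFIG)` behind FAKEROOT, which looks correct.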
@@ -2,7 +2,7 @@ #define _PAM_COMPAT_H /* - * $Id: _pam_compat.h,v 1.1.1.1 2001/04/29 04:17:10 hartmans Exp $ + * $Id: _pam_compat.h,v 1.1.1.1 2000/06/20 22:11:21 agmorgan Exp $ * * This file was contributed by Derrick J Brashear <shadow@dementia.org> * slight modification by Brad M. Garcia <bgarcia@fore.com> diff --git a/Linux-PAM/libpam/include/security/_pam_types.h b/Linux-PAM/libpam/include/security/_pam_types.h index 5bc4a43d..b4413ee3 100644 --- a/Linux-PAM/libpam/include/security/_pam_types.h +++ b/Linux-PAM/libpam/include/security/_pam_types.h @@ -1,7 +1,7 @@ /* * <security/_pam_types.h> * - * $Id: _pam_types.h,v 1.1.1.1 2001/04/29 04:17:10 hartmans Exp $ + * $Id: _pam_types.h,v 1.6 2005/03/16 00:06:01 toady Exp $ * * This file defines all of the types common to the Linux-PAM library * applications and modules. @@ -46,7 +46,7 @@ typedef struct pam_handle pam_handle_t; #define PAM_CRED_INSUFFICIENT 8 /* Can not access authentication data */ /* due to insufficient credentials */ #define PAM_AUTHINFO_UNAVAIL 9 /* Underlying authentication service */ - /* can not retrieve authenticaiton */ + /* can not retrieve authentication */ /* information */ #define PAM_USER_UNKNOWN 10 /* User not known to the underlying */ /* authenticaiton module */ @@ -76,7 +76,7 @@ typedef struct pam_handle pam_handle_t; #define PAM_AUTHTOK_LOCK_BUSY 22 /* Authentication token lock busy */ #define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */ #define PAM_TRY_AGAIN 24 /* Preliminary check by password service */ -#define PAM_IGNORE 25 /* Ingore underlying account module */ +#define PAM_IGNORE 25 /* Ignore underlying account module */ /* regardless of whether the control */ /* flag is required, optional, or sufficient */ #define PAM_ABORT 26 /* Critical error (?module fail now request) */ diff --git a/Linux-PAM/libpam/include/security/pam_appl.h b/Linux-PAM/libpam/include/security/pam_appl.h index 21bc2212..69ee544d 100644 
--- a/Linux-PAM/libpam/include/security/pam_appl.h +++ b/Linux-PAM/libpam/include/security/pam_appl.h @@ -10,7 +10,7 @@ * Created: 15-Jan-96 by TYT * Last modified: 1996/3/5 by AGM * - * $Id: pam_appl.h,v 1.1.1.1 2001/04/29 04:17:11 hartmans Exp $ + * $Id: pam_appl.h,v 1.3 2000/11/19 23:54:02 agmorgan Exp $ */ #ifndef _SECURITY_PAM_APPL_H diff --git a/Linux-PAM/libpam/include/security/pam_malloc.h b/Linux-PAM/libpam/include/security/pam_malloc.h index 60a38857..bbf31338 100644 --- a/Linux-PAM/libpam/include/security/pam_malloc.h +++ b/Linux-PAM/libpam/include/security/pam_malloc.h @@ -1,5 +1,5 @@ /* - * $Id: pam_malloc.h,v 1.1.1.2 2002/09/15 20:08:40 hartmans Exp $ + * $Id: pam_malloc.h,v 1.3 2001/11/26 03:04:47 agmorgan Exp $ */ /* diff --git a/Linux-PAM/libpam/include/security/pam_modules.h b/Linux-PAM/libpam/include/security/pam_modules.h index 0fac9994..1f20993f 100644 --- a/Linux-PAM/libpam/include/security/pam_modules.h +++ b/Linux-PAM/libpam/include/security/pam_modules.h @@ -1,7 +1,7 @@ /* * <security/pam_modules.h> * - * $Id: pam_modules.h,v 1.1.1.1 2001/04/29 04:17:11 hartmans Exp $ + * $Id: pam_modules.h,v 1.3 2001/02/05 06:50:41 agmorgan Exp $ * */ diff --git a/Linux-PAM/libpam/pam_account.c b/Linux-PAM/libpam/pam_account.c index 71e04f15..3a4fb1fc 100644 --- a/Linux-PAM/libpam/pam_account.c +++ b/Linux-PAM/libpam/pam_account.c @@ -1,9 +1,9 @@ /* pam_account.c - PAM Account Management */ -#include <stdio.h> - #include "pam_private.h" +#include <stdio.h> + int pam_acct_mgmt(pam_handle_t *pamh, int flags) { int retval; diff --git a/Linux-PAM/libpam/pam_auth.c b/Linux-PAM/libpam/pam_auth.c index f8dd8c0d..f2743624 100644 --- a/Linux-PAM/libpam/pam_auth.c +++ b/Linux-PAM/libpam/pam_auth.c 
@@ -1,15 +1,16 @@ /* * pam_auth.c -- PAM authentication * - * $Id: pam_auth.c,v 1.1.1.1 2001/04/29 04:17:04 hartmans Exp $ + * $Id: pam_auth.c,v 1.5 2005/03/29 20:41:20 toady Exp $ * */ +#include "pam_private.h" +#include "pam_prelude.h" + #include <stdio.h> #include <stdlib.h> -#include "pam_private.h" - int pam_authenticate(pam_handle_t *pamh, int flags) { int retval; @@ -40,6 +41,10 @@ int pam_authenticate(pam_handle_t *pamh, int flags) D(("will resume when ready")); } +#ifdef PRELUDE + prelude_send_alert(pamh, retval); +#endif + return retval; } diff --git a/Linux-PAM/libpam/pam_data.c b/Linux-PAM/libpam/pam_data.c index 635357cd..6a90bd51 100644 --- a/Linux-PAM/libpam/pam_data.c +++ b/Linux-PAM/libpam/pam_data.c @@ -1,14 +1,14 @@ /* pam_data.c */ /* - * $Id: pam_data.c,v 1.1.1.1 2001/04/29 04:17:04 hartmans Exp $ + * $Id: pam_data.c,v 1.3 2003/07/13 20:01:44 vorlon Exp $ */ +#include "pam_private.h" + #include <stdlib.h> #include <string.h> -#include "pam_private.h" - static struct pam_data *_pam_locate_data(const pam_handle_t *pamh, const char *name) { diff --git a/Linux-PAM/libpam/pam_delay.c b/Linux-PAM/libpam/pam_delay.c index b2b7f0cb..01304629 100644 --- a/Linux-PAM/libpam/pam_delay.c +++ b/Linux-PAM/libpam/pam_delay.c @@ -4,7 +4,7 @@ * Copyright (c) Andrew G. Morgan <morgan@kernel.org> 1996-9 * All rights reserved. * - * $Id: pam_delay.c,v 1.1.1.2 2002/09/15 20:08:36 hartmans Exp $ + * $Id: pam_delay.c,v 1.6 2003/07/13 20:01:44 vorlon Exp $ * */ @@ -13,9 +13,9 @@ * attempt to overcome authentication-time attacks in a simple manner. */ +#include "pam_private.h" #include <unistd.h> #include <time.h> -#include "pam_private.h" /* ********************************************************************** * initialize the time as unset, this is set on the return from the diff --git a/Linux-PAM/libpam/pam_dispatch.c b/Linux-PAM/libpam/pam_dispatch.c index 2c82e81d..4af29f69 100644 --- a/Linux-PAM/libpam/pam_dispatch.c +++ b/Linux-PAM/libpam/pam_dispatch.c 
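Review bot: `prelude_send_alert(pamh, retval)` runs on every exit of pam_authenticate, including the branch just above it that only logs `will resume when ready`, which appears to be the PAM_INCOMPLETE case where the stack has not yet reached a decision; an alert for that return reports an authentication result that does not exist yet. Guard it with `if (retval != PAM_INCOMPLETE) prelude_send_alert(pamh, retval);` or have the helper ignore that code explicitly. `pam_prelude.h` is included unconditionally while pam_prelude.c is compiled only under PRELUDE, so the header must be self-contained without libprelude types in that configuration; worth confirming. The start of pam_authenticate is outside this hunk.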
@@ -3,14 +3,14 @@ /* * Copyright (c) 1998 Andrew G. Morgan <morgan@kernel.org> * - * $Id: pam_dispatch.c,v 1.1.1.2 2002/09/15 20:08:36 hartmans Exp $ + * $Id: pam_dispatch.c,v 1.7 2005/01/07 15:31:26 t8m Exp $ */ +#include "pam_private.h" + #include <stdlib.h> #include <stdio.h> -#include "pam_private.h" - /* * this is the return code we return when a function pointer is NULL * or, the handler structure indicates a broken module config line @@ -184,8 +184,12 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, if ( impression == _PAM_UNDEF || (impression == _PAM_POSITIVE && status == PAM_SUCCESS) ) { - impression = _PAM_POSITIVE; - status = retval; + /* in case of using cached chain + we could get here with PAM_IGNORE - don't return it */ + if ( retval != PAM_IGNORE || cached_retval == retval ) { + impression = _PAM_POSITIVE; + status = retval; + } } if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) { goto decision_made; @@ -227,8 +231,10 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, if (impression == _PAM_UNDEF || (impression == _PAM_POSITIVE && status == PAM_SUCCESS) ) { - impression = _PAM_POSITIVE; - status = retval; + if ( retval != PAM_IGNORE || cached_retval == retval ) { + impression = _PAM_POSITIVE; + status = retval; + } } } diff --git a/Linux-PAM/libpam/pam_end.c b/Linux-PAM/libpam/pam_end.c index 890d18f1..a0716175 100644 --- a/Linux-PAM/libpam/pam_end.c +++ b/Linux-PAM/libpam/pam_end.c @@ -1,13 +1,13 @@ /* pam_end.c */ /* - * $Id: pam_end.c,v 1.1.1.1 2001/04/29 04:17:05 hartmans Exp $ + * $Id: pam_end.c,v 1.3 2003/07/13 20:01:44 vorlon Exp $ */ -#include <stdlib.h> - #include "pam_private.h" +#include <stdlib.h> + int pam_end(pam_handle_t *pamh, int pam_status) { int ret; diff --git a/Linux-PAM/libpam/pam_env.c b/Linux-PAM/libpam/pam_env.c index 0f718ae3..9027bc79 100644 --- a/Linux-PAM/libpam/pam_env.c +++ b/Linux-PAM/libpam/pam_env.c 
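Review bot: The new condition `retval != PAM_IGNORE || cached_retval == retval` does not quite match the comment above it: when the cached value is itself PAM_IGNORE the second disjunct is true and `status = PAM_IGNORE` is still stored. If that is intentional (the module really returned PAM_IGNORE rather than the cache supplying it on a frozen chain), the comment should say so, e.g. `/* accept PAM_IGNORE as a status only when this handler actually returned it; a PAM_IGNORE that merely came from the cached chain must not become the stack's result */`; if not, the disjunct should go. The second hunk repeats the same condition with no comment at all and should carry the same explanation. `_pam_dispatch_aux` begins and ends outside these hunks.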
@@ -7,17 +7,18 @@ * This file was written from a "hint" provided by the people at SUN. * and the X/Open XSSO draft of March 1997. * - * $Id: pam_env.c,v 1.1.1.1 2001/04/29 04:17:05 hartmans Exp $ + * $Id: pam_env.c,v 1.5 2004/09/22 09:37:47 kukuk Exp $ */ +#include "pam_private.h" + #include <string.h> #include <stdlib.h> + #ifdef sunos #define memmove(x,y,z) bcopy(y,x,z) #endif -#include "pam_private.h" - /* helper functions */ #ifdef DEBUG @@ -74,7 +75,7 @@ int _pam_make_env(pam_handle_t *pamh) /* * fill entries in pamh->env */ - + pamh->env->entries = PAM_ENV_CHUNK; pamh->env->requested = 1; pamh->env->list[0] = NULL; @@ -222,7 +223,7 @@ int pam_putenv(pam_handle_t *pamh, const char *name_value) /* add a new NULL entry at end; increase counter */ pamh->env->list[pamh->env->requested++] = NULL; - + } else { /* replace old */ D(("replacing item: %s\n with: %s" , pamh->env->list[item], name_value)); @@ -343,6 +344,7 @@ static char **_copy_env(pam_handle_t *pamh) _pam_overwrite(dump[i]); _pam_drop(dump[i]); } + _pam_drop(dump); return NULL; } } diff --git a/Linux-PAM/libpam/pam_handlers.c b/Linux-PAM/libpam/pam_handlers.c index d00f1842..ed03eda8 100644 --- a/Linux-PAM/libpam/pam_handlers.c +++ b/Linux-PAM/libpam/pam_handlers.c @@ -4,10 +4,12 @@ * created by Marc Ewing. * Currently maintained by Andrew G. Morgan <morgan@kernel.org> * - * $Id: pam_handlers.c,v 1.1.1.2 2002/09/15 20:08:37 hartmans Exp $ + * $Id: pam_handlers.c,v 1.12 2005/02/07 08:18:53 kukuk Exp $ * */ +#include "pam_private.h" + #include <stdlib.h> #include <stdio.h> #include <string.h> @@ -24,8 +26,6 @@ # endif /* PAM_SHL */ #endif /* PAM_DYNAMIC */ -#include "pam_private.h" - /* If not required, define as nothing */ #ifndef SHLIB_SYM_PREFIX # define SHLIB_SYM_PREFIX "" @@ -34,6 +34,9 @@ #define BUF_SIZE 1024 #define MODULE_CHUNK 4 #define UNKNOWN_MODULE_PATH "<*unknown module path*>" +#ifndef _PAM_ISA +#define _PAM_ISA "." +#endif static int _pam_assemble_line(FILE *f, char *buf, int buf_len); 
@@ -46,13 +49,23 @@ static int _pam_add_handler(pam_handle_t *pamh /* Values for module type */ +#define PAM_T_ANY 0 #define PAM_T_AUTH 1 #define PAM_T_SESS 2 #define PAM_T_ACCT 4 #define PAM_T_PASS 8 +static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name + , const char *service /* specific file */ + , int module_type /* specific type */ +#ifdef PAM_READ_BOTH_CONFS + , int not_other +#endif /* PAM_READ_BOTH_CONFS */ + ); + static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f , const char *known_service /* specific file */ + , int requested_module_type /* specific type */ #ifdef PAM_READ_BOTH_CONFS , int not_other #endif /* PAM_READ_BOTH_CONFS */ @@ -93,12 +106,21 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f /* accept "service name" or PAM_DEFAULT_SERVICE modules */ if (!_pam_strCMP(this_service, pamh->service_name) || other) { + int pam_include = 0; + /* This is a service we are looking for */ D(("_pam_init_handlers: Found PAM config entry for: %s" , this_service)); tok = _pam_StrTok(NULL, " \n\t", &nexttok); - if (!_pam_strCMP("auth", tok)) { + if (tok == NULL) { + /* module type does not exist */ + D(("_pam_init_handlers: empty module type for %s", this_service)); + _pam_system_log(LOG_ERR, "(%s) empty module type", this_service); + module_type = (requested_module_type != PAM_T_ANY) ? + requested_module_type : PAM_T_AUTH; /* most sensitive */ + must_fail = 1; /* install as normal but fail when dispatched */ + } else if (!_pam_strCMP("auth", tok)) { module_type = PAM_T_AUTH; } else if (!_pam_strCMP("session", tok)) { module_type = PAM_T_SESS; 
@@ -111,10 +133,17 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f D(("_pam_init_handlers: bad module type: %s", tok)); _pam_system_log(LOG_ERR, "(%s) illegal module type: %s", this_service, tok); - module_type = PAM_T_AUTH; /* most sensitive */ + module_type = (requested_module_type != PAM_T_ANY) ? + requested_module_type : PAM_T_AUTH; /* most sensitive */ must_fail = 1; /* install as normal but fail when dispatched */ } D(("Using %s config entry: %s", must_fail?"BAD ":"", tok)); + if (requested_module_type != PAM_T_ANY && + module_type != requested_module_type) { + D(("Skipping config entry: %s (requested=%d, found=%d)", + tok, requested_module_type, module_type)); + continue; + } /* reset the actions to .._UNDEF's -- this is so that we can work out which entries are not yet set (for default). */ @@ -124,7 +153,14 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f actions[i++] = _PAM_ACTION_UNDEF); } tok = _pam_StrTok(NULL, " \n\t", &nexttok); - if (!_pam_strCMP("required", tok)) { + if (tok == NULL) { + /* no module name given */ + D(("_pam_init_handlers: no control flag supplied")); + _pam_system_log(LOG_ERR, + "(%s) no control flag supplied", this_service); + _pam_set_default_control(actions, _PAM_ACTION_BAD); + must_fail = 1; + } else if (!_pam_strCMP("required", tok)) { D(("*PAM_F_REQUIRED*")); actions[PAM_SUCCESS] = _PAM_ACTION_OK; actions[PAM_NEW_AUTHTOK_REQD] = _PAM_ACTION_OK; @@ -146,6 +182,9 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f actions[PAM_SUCCESS] = _PAM_ACTION_DONE; actions[PAM_NEW_AUTHTOK_REQD] = _PAM_ACTION_DONE; _pam_set_default_control(actions, _PAM_ACTION_IGNORE); + } else if (!_pam_strCMP("include", tok)) { + D(("*PAM_F_INCLUDE*")); + pam_include = 1; } else { D(("will need to parse %s", tok)); _pam_parse_control(actions, tok); 
@@ -154,7 +193,18 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f } tok = _pam_StrTok(NULL, " \n\t", &nexttok); - if (tok != NULL) { + if (pam_include) { + if (_pam_load_conf_file(pamh, tok, this_service, module_type +#ifdef PAM_READ_BOTH_CONFS + , !other +#endif /* PAM_READ_BOTH_CONFS */ + ) == PAM_SUCCESS) + continue; + _pam_set_default_control(actions, _PAM_ACTION_BAD); + mod_path = NULL; + must_fail = 1; + nexttok = NULL; + } else if (tok != NULL) { mod_path = tok; D(("mod_path = %s",mod_path)); } else { 
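Review bot: The `include` branch runs regardless of `must_fail`, so a line whose module-type token was rejected earlier in the loop (where `module_type` is substituted and `must_fail = 1` is set) still loads the included file under the substituted type and then `continue`s, discarding the deliberate failure the earlier code installs for malformed lines. Changing the test to `if (pam_include && !must_fail) {` lets such a line fall through to the existing failing-handler path instead of being silently accepted. `_pam_parse_conf_file` begins and ends outside this hunk.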
@@ -213,6 +263,58 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f return ( (x < 0) ? PAM_ABORT:PAM_SUCCESS ); } +static int _pam_load_conf_file(pam_handle_t *pamh, const char *config_name + , const char *service /* specific file */ + , int module_type /* specific type */ +#ifdef PAM_READ_BOTH_CONFS + , int not_other +#endif /* PAM_READ_BOTH_CONFS */ + ) +{ + FILE *f; + char *config_path = NULL; + int retval = PAM_ABORT; + + D(("_pam_load_conf_file called")); + + if (config_name == NULL) { + D(("no config file supplied")); + _pam_system_log(LOG_ERR, "(%s) no config file supplied", service); + return PAM_ABORT; + } + + if (config_name[0] != '/') { + if (asprintf (&config_path, PAM_CONFIG_DF, config_name) < 0) { + _pam_system_log(LOG_CRIT, "asprintf failed"); + return PAM_BUF_ERR; + } + config_name = config_path; + } + + D(("opening %s", config_name)); + f = fopen(config_name, "r"); + if (f != NULL) { + retval = _pam_parse_conf_file(pamh, f, service, module_type +#ifdef PAM_READ_BOTH_CONFS + , not_other +#endif /* PAM_READ_BOTH_CONFS */ + ); + fclose(f); + if (retval != PAM_SUCCESS) + _pam_system_log(LOG_ERR, + "_pam_load_conf_file: error reading %s: %s", + config_name, pam_strerror(pamh, retval)); + } else { + D(("unable to open %s", config_name)); + _pam_system_log(LOG_ERR, + "_pam_load_conf_file: unable to open %s", + config_name); + } + + _pam_drop(config_path); + return retval; +} + /* Parse config file, allocate handler structures, dlopen() */ int _pam_init_handlers(pam_handle_t *pamh) { @@ -228,7 +330,7 @@ int _pam_init_handlers(pam_handle_t *pamh) } D(("_pam_init_handlers: initializing")); - + /* First clean the service structure */ _pam_free_handlers(pamh); @@ -273,7 +375,7 @@ int _pam_init_handlers(pam_handle_t *pamh) */ { struct stat test_d; - + /* Is there a PAM_CONFIG_D directory? */ if ( stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode) ) { char *filename; 
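Review bot: `_pam_load_conf_file` recurses into `_pam_parse_conf_file` with no depth bound, so a configuration where a file includes itself, directly or through a cycle, recurses until the process runs out of stack or file descriptors; because this runs inside every login, su and sshd session, one misconfigured include takes the host's authentication down rather than one service. A depth counter threaded through `_pam_parse_conf_file` and checked at the top of this function, e.g. `if (stack_level >= PAM_SUBSTACK_MAX_LEVEL) { _pam_system_log(LOG_ERR, "(%s) maximum include depth exceeded", service); return PAM_ABORT; }`, turns that into a logged failure of the offending service. Separately, a relative `config_name` is interpolated into PAM_CONFIG_DF without rejecting `/` or `..` components, so `include ../x` escapes the config directory; the files are root-controlled, so treat this as hardening rather than a vulnerability.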
@@ -293,7 +395,7 @@ int _pam_init_handlers(pam_handle_t *pamh) f = fopen(filename, "r"); if (f != NULL) { /* would test magic here? */ - retval = _pam_parse_conf_file(pamh, f, pamh->service_name + retval = _pam_parse_conf_file(pamh, f, pamh->service_name, PAM_T_ANY #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ @@ -314,7 +416,7 @@ int _pam_init_handlers(pam_handle_t *pamh) D(("checking %s", PAM_CONFIG)); if ((f = fopen(PAM_CONFIG,"r")) != NULL) { - retval = _pam_parse_conf_file(pamh, f, NULL, 1); + retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY, 1); fclose(f); } else #endif /* PAM_READ_BOTH_CONFS */ @@ -335,6 +437,7 @@ int _pam_init_handlers(pam_handle_t *pamh) /* would test magic here? */ retval = _pam_parse_conf_file(pamh, f , PAM_DEFAULT_SERVICE + , PAM_T_ANY #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ @@ -367,7 +470,7 @@ int _pam_init_handlers(pam_handle_t *pamh) return PAM_ABORT; } - retval = _pam_parse_conf_file(pamh, f, NULL + retval = _pam_parse_conf_file(pamh, f, NULL, PAM_T_ANY #ifdef PAM_READ_BOTH_CONFS , 0 #endif /* PAM_READ_BOTH_CONFS */ @@ -489,7 +592,7 @@ int _pam_add_handler(pam_handle_t *pamh #ifdef PAM_SHL const char *_sym, *_sym2; #endif - char *mod_full_path=NULL; + char *mod_full_path=NULL, *mod_full_isa_path=NULL, *isa=NULL; servicefn func, func2; int success; 
@@ -554,6 +657,30 @@ int _pam_add_handler(pam_handle_t *pamh # endif /* PAM_SHL */ D(("_pam_add_handler: dlopen'ed")); if (mod->dl_handle == NULL) { + if (strstr(mod_path, "$ISA")) { + mod_full_isa_path = malloc(strlen(mod_path) + strlen(_PAM_ISA) + 1); + if (mod_full_isa_path == NULL) { + D(("_pam_handler: couldn't get memory for mod_path")); + _pam_system_log(LOG_ERR, "no memory for module path"); + success = PAM_ABORT; + } else { + strcpy(mod_full_isa_path, mod_path); + isa = strstr(mod_full_isa_path, "$ISA"); + if (isa) { + memmove(isa + strlen(_PAM_ISA), isa + 4, strlen(isa + 4) + 1); + memmove(isa, _PAM_ISA, strlen(_PAM_ISA)); + } + mod->dl_handle = +# ifdef PAM_SHL + shl_load(mod_full_isa_path, BIND_IMMEDIATE, 0L); +# else /* PAM_SHL */ + dlopen(mod_full_isa_path, RTLD_NOW); +# endif /* PAM_SHL */ + _pam_drop(mod_full_isa_path); + } + } + } + if (mod->dl_handle == NULL) { D(("_pam_add_handler: dlopen(%s) failed", mod_path)); _pam_system_log(LOG_ERR, "unable to dlopen(%s)", mod_path); # ifndef PAM_SHL @@ -600,7 +727,7 @@ int _pam_add_handler(pam_handle_t *pamh /* indicate its name - later we will search for it by this */ if ((mod->name = _pam_strdup(mod_path)) == NULL) { D(("_pam_handler: couldn't get memory for mod_path")); - _pam_system_log(LOG_ERR, "no memory for module path", mod_path); + _pam_system_log(LOG_ERR, "no memory for module path"); success = PAM_ABORT; } @@ -696,7 +823,7 @@ int _pam_add_handler(pam_handle_t *pamh } /* now identify this module's functions - for non-faulty modules */ - + #ifdef PAM_DYNAMIC if ((mod->type == PAM_MT_DYNAMIC_MOD) && # ifdef PAM_SHL @@ -823,7 +950,7 @@ int _pam_free_handlers(pam_handle_t *pamh) } /* Free all the handlers */ - + _pam_free_handlers_aux(&(pamh->handlers.conf.authenticate)); _pam_free_handlers_aux(&(pamh->handlers.conf.setcred)); _pam_free_handlers_aux(&(pamh->handlers.conf.acct_mgmt)); 
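Review bot: The `$ISA` fallback frees `mod_full_isa_path` before the failure path below logs `unable to dlopen(%s)` with the unsubstituted `mod_path`, so syslog never shows the path that was actually tried, which is exactly what an administrator needs when a multilib module directory is missing. Either log inside the fallback before the free, e.g. `if (mod->dl_handle == NULL) _pam_system_log(LOG_ERR, "unable to dlopen(%s)", mod_full_isa_path);`, or defer `_pam_drop(mod_full_isa_path)` until after the existing log. The inner `if (isa)` is always true since the same `strstr` just succeeded on the string that was copied, and only the first `$ISA` occurrence is substituted, which is fine if documented. `_pam_add_handler` begins and ends outside this hunk.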
@@ -863,7 +990,7 @@ void _pam_start_handlers(pam_handle_t *pamh) pamh->handlers.module = NULL; /* initialize the .conf and .other entries */ - + pamh->handlers.conf.authenticate = NULL; pamh->handlers.conf.setcred = NULL; pamh->handlers.conf.acct_mgmt = NULL; diff --git a/Linux-PAM/libpam/pam_item.c b/Linux-PAM/libpam/pam_item.c index 3dcbf616..1425c600 100644 --- a/Linux-PAM/libpam/pam_item.c +++ b/Linux-PAM/libpam/pam_item.c @@ -1,16 +1,16 @@ /* pam_item.c */ /* - * $Id: pam_item.c,v 1.1.1.1 2001/04/29 04:17:06 hartmans Exp $ + * $Id: pam_item.c,v 1.5 2004/09/22 09:37:47 kukuk Exp $ */ +#include "pam_private.h" + #include <ctype.h> #include <stdlib.h> #include <string.h> #include <syslog.h> -#include "pam_private.h" - #define RESET(X, Y) \ { \ char *_TMP_ = (X); \ @@ -158,6 +158,8 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item) "pam_get_item: nowhere to place requested item"); return PAM_PERM_DENIED; } + else + *item = NULL; switch (item_type) { case PAM_SERVICE: @@ -238,6 +240,12 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) struct pam_response *resp; D(("called.")); + if (user == NULL) { /* ensure that the module has supplied a destination */ + _pam_system_log(LOG_ERR, "pam_get_user: nowhere to record username"); + return PAM_PERM_DENIED; + } else + *user = NULL; + IF_NO_PAMH("pam_get_user", pamh, PAM_SYSTEM_ERR); if (pamh->pam_conversation == NULL) { @@ -245,12 +253,6 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) return PAM_SERVICE_ERR; } - if (user == NULL) { /* ensure the the module has suplied a destination */ - _pam_system_log(LOG_ERR, "pam_get_user: nowhere to record username"); - return PAM_PERM_DENIED; - } else - *user = NULL; - if (pamh->user) { /* have one so return it */ *user = pamh->user; return PAM_SUCCESS; diff --git a/Linux-PAM/libpam/pam_log.c b/Linux-PAM/libpam/pam_log.c index 2da1b280..c42fe015 100644 --- a/Linux-PAM/libpam/pam_log.c 
+++ b/Linux-PAM/libpam/pam_log.c @@ -1,7 +1,7 @@ /* * pam_log.c -- PAM system logging * - * $Id: pam_log.c,v 1.1.1.1 2001/04/29 04:17:07 hartmans Exp $ + * $Id: pam_log.c,v 1.2 2000/11/19 23:54:02 agmorgan Exp $ * */ diff --git a/Linux-PAM/libpam/pam_malloc.c b/Linux-PAM/libpam/pam_malloc.c index 7cc177c6..98b35f62 100644 --- a/Linux-PAM/libpam/pam_malloc.c +++ b/Linux-PAM/libpam/pam_malloc.c @@ -1,5 +1,5 @@ /* - * $Id: pam_malloc.c,v 1.1.1.2 2002/09/15 20:08:37 hartmans Exp $ + * $Id: pam_malloc.c,v 1.5 2001/12/09 21:44:58 agmorgan Exp $ */ /* diff --git a/Linux-PAM/libpam/pam_map.c b/Linux-PAM/libpam/pam_map.c index c4af41a9..86b16577 100644 --- a/Linux-PAM/libpam/pam_map.c +++ b/Linux-PAM/libpam/pam_map.c @@ -1,6 +1,6 @@ /* pam_map.c - PAM mapping interface * - * $Id: pam_map.c,v 1.1.1.1 2001/04/29 04:17:08 hartmans Exp $ + * $Id: pam_map.c,v 1.2 2000/12/04 19:02:34 baggins Exp $ * * This is based on the X/Open XSSO specification of March 1997. * It is not implemented as it is going to change... after 1997/9/25. diff --git a/Linux-PAM/libpam/pam_misc.c b/Linux-PAM/libpam/pam_misc.c index 53bd54de..cb0572b1 100644 --- a/Linux-PAM/libpam/pam_misc.c +++ b/Linux-PAM/libpam/pam_misc.c @@ -1,9 +1,11 @@ /* pam_misc.c -- This is random stuff */ /* - * $Id: pam_misc.c,v 1.1.1.2 2002/09/15 20:08:38 hartmans Exp $ + * $Id: pam_misc.c,v 1.4 2003/07/13 20:01:44 vorlon Exp $ */ +#include "pam_private.h" + #include <stdarg.h> #include <stdlib.h> #include <stdio.h> @@ -11,8 +13,6 @@ #include <syslog.h> #include <ctype.h> -#include "pam_private.h" - /* caseless string comparison: POSIX does not define this.. */ int _pam_strCMP(const char *s, const char *t) { diff --git a/Linux-PAM/libpam/pam_password.c b/Linux-PAM/libpam/pam_password.c index 756d8536..50c12adf 100644 --- a/Linux-PAM/libpam/pam_password.c +++ b/Linux-PAM/libpam/pam_password.c 
@@ -1,16 +1,16 @@ /* pam_password.c - PAM Password Management */ /* - * $Id: pam_password.c,v 1.1.1.1 2001/04/29 04:17:08 hartmans Exp $ + * $Id: pam_password.c,v 1.3 2003/07/13 20:01:44 vorlon Exp $ */ -#include <stdio.h> -#include <stdlib.h> - /* #define DEBUG */ #include "pam_private.h" +#include <stdio.h> +#include <stdlib.h> + int pam_chauthtok(pam_handle_t *pamh, int flags) { int retval; diff --git a/Linux-PAM/libpam/pam_prelude.c b/Linux-PAM/libpam/pam_prelude.c new file mode 100644 index 00000000..656376f5 --- /dev/null +++ b/Linux-PAM/libpam/pam_prelude.c 
@@ -0,0 +1,605 @@ +/* + * pam_prelude.c -- prelude reporting + * http://www.prelude-ids.org + * + * (C) Sebastien Tricaud 2005 <toady@gscore.org> + */ + +#include <stdio.h> +#include <syslog.h> + +#ifdef PRELUDE + +#include <libprelude/prelude.h> +#include <libprelude/prelude-log.h> +#include <libprelude/idmef-message-print.h> + +#include "pam_prelude.h" +#include "pam_private.h" + + +#define ANALYZER_CLASS "pam" +#define ANALYZER_MODEL "PAM" +#define ANALYZER_MANUFACTURER "Sebastien Tricaud, http://www.kernel.org/pub/linux/libs/pam/" + +#define DEFAULT_ANALYZER_NAME "PAM" +#define DEFAULT_ANALYZER_CONFIG LIBPRELUDE_CONFIG_PREFIX "/etc/prelude/default/idmef-client.conf" + +#define PAM_VERSION LIBPAM_VERSION_STRING + +static const char *pam_get_item_service(pam_handle_t *pamh); +static const char *pam_get_item_user(pam_handle_t *pamh); +static const char *pam_get_item_user_prompt(pam_handle_t *pamh); +static const char *pam_get_item_tty(pam_handle_t *pamh); +static const char *pam_get_item_ruser(pam_handle_t *pamh); +static const char *pam_get_item_rhost(pam_handle_t *pamh); + +static int setup_analyzer(idmef_analyzer_t *analyzer); +static void pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval); +static int pam_alert_prelude_init(pam_handle_t *pamh, int authval); +static int generate_additional_data(idmef_alert_t *alert, const char *meaning, const char *data); + + +/******************* + * some syslogging * + *******************/ +static void +_pam_log(int err, const char *format, ...) 
+{ + va_list args; + va_start(args, format); + +#ifdef MAIN + vfprintf(stderr,format,args); + fprintf(stderr,"\n"); +#else + openlog("libpam", LOG_CONS|LOG_PID, LOG_AUTH); + vsyslog(err, format, args); + closelog(); +#endif + va_end(args); +} + +static const char * +pam_get_item_service(pam_handle_t *pamh) +{ + const char *service = NULL; + + pam_get_item(pamh, PAM_SERVICE, (const void **)&service); + + return (const char *)service; +} + +static const char * +pam_get_item_user(pam_handle_t *pamh) +{ + const char *user = NULL; + + pam_get_item(pamh, PAM_USER, (const void **)&user); + + return (const char *)user; +} + +static const char * +pam_get_item_user_prompt(pam_handle_t *pamh) +{ + const char *user_prompt = NULL; + + pam_get_item(pamh, PAM_USER_PROMPT, (const void **)&user_prompt); + + return (const char *)user_prompt; +} + +static const char * +pam_get_item_tty(pam_handle_t *pamh) +{ + const char *tty = NULL; + + pam_get_item(pamh, PAM_TTY, (const void **)&tty); + + return (const char *)tty; +} + +static const char * +pam_get_item_ruser(pam_handle_t *pamh) +{ + const char *ruser = NULL; + + pam_get_item(pamh, PAM_RUSER, (const void **)&ruser); + + return (const char *)ruser; +} + +static const char * +pam_get_item_rhost(pam_handle_t *pamh) +{ + const char *rhost = NULL; + + pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); + + return (const char *)rhost; +} + +/***************************************************************** + * Returns a string concerning the authentication value provided * + *****************************************************************/ +static const char * +pam_get_alert_description(int authval) +{ + const char *retstring = NULL; + + switch(authval) { + case PAM_SUCCESS: + retstring = "Authentication success"; + break; + case PAM_OPEN_ERR: + retstring = "dlopen() failure when dynamically loading a service module"; + break; + case PAM_SYMBOL_ERR: + retstring = "Symbol not found"; + break; + case PAM_SERVICE_ERR: + retstring = 
"Error in service module"; + break; + case PAM_SYSTEM_ERR: + retstring = "System error"; + break; + case PAM_BUF_ERR: + retstring = "Memory buffer error"; + break; + case PAM_PERM_DENIED: + retstring = "Permission denied"; + break; + case PAM_AUTH_ERR: + retstring = "Authentication failure"; + break; + case PAM_CRED_INSUFFICIENT: + retstring = "Can not access authentication data due to insufficient credentials"; + break; + case PAM_AUTHINFO_UNAVAIL: + retstring = "Underlying authentication service can not retrieve authenticaiton information"; + break; + case PAM_USER_UNKNOWN: + retstring = "User not known to the underlying authentication module"; + break; + case PAM_MAXTRIES: + retstring = "An authentication service has maintained a retry count which has been reached. No further retries should be attempted"; + break; + case PAM_NEW_AUTHTOK_REQD: + retstring = "New authentication token required. This is normally returned if the machine security policies require that the password should be changed beccause the password is NULL or it has aged"; + break; + case PAM_ACCT_EXPIRED: + retstring = "User account has expired"; + break; + case PAM_SESSION_ERR: + retstring = "Can not make/remove an entry for the specified session"; + break; + case PAM_CRED_UNAVAIL: + retstring = "Underlying authentication service can not retrieve user credentials unavailable"; + break; + case PAM_CRED_EXPIRED: + retstring = "User credentials expired"; + break; + case PAM_CRED_ERR: + retstring = "Failure setting user credentials"; + break; + case PAM_NO_MODULE_DATA: + retstring = "No module specific data is present"; + break; + case PAM_CONV_ERR: + retstring = "Conversation error"; + break; + case PAM_AUTHTOK_ERR: + retstring = "Authentication token manipulation error"; + break; + case PAM_AUTHTOK_RECOVER_ERR: + retstring = "Authentication information cannot be recovered"; + break; + case PAM_AUTHTOK_LOCK_BUSY: + retstring = "Authentication token lock busy"; + break; + case 
PAM_AUTHTOK_DISABLE_AGING: + retstring = "Authentication token aging disabled"; + break; + case PAM_TRY_AGAIN: + retstring = "Preliminary check by password service"; + break; + case PAM_IGNORE: + retstring = "Ignore underlying account module regardless of whether the control flag is required, optional, or sufficient"; + break; + case PAM_ABORT: + retstring = "Critical error (?module fail now request)"; + break; + case PAM_AUTHTOK_EXPIRED: + retstring = "User's authentication token has expired"; + break; + case PAM_MODULE_UNKNOWN: + retstring = "Module is not known"; + break; + case PAM_BAD_ITEM: + retstring = "Bad item passed to pam_*_item()"; + break; + case PAM_CONV_AGAIN: + retstring = "Conversation function is event driven and data is not available yet"; + break; + case PAM_INCOMPLETE: + retstring = "Please call this function again to complete authentication stack. Before calling again, verify that conversation is completed"; + break; + + default: + retstring = "Authentication Failure!. 
You should not see this message."; + } + + return retstring; + +} + +/* Courteously stolen from prelude-lml */ +static int +generate_additional_data(idmef_alert_t *alert, const char *meaning, const char *data) +{ + int ret; + prelude_string_t *str; + idmef_additional_data_t *adata; + + ret = idmef_alert_new_additional_data(alert, &adata, -1); + if ( ret < 0 ) + return ret; + + ret = idmef_additional_data_new_meaning(adata, &str); + if ( ret < 0 ) + return ret; + + ret = prelude_string_set_ref(str, meaning); + if ( ret < 0 ) + return ret; + + return idmef_additional_data_set_string_ref(adata, data); +} + +extern void +prelude_send_alert(pam_handle_t *pamh, int authval) +{ + + int ret; + + prelude_log_set_flags(PRELUDE_LOG_FLAGS_SYSLOG); + + ret = pam_alert_prelude_init(pamh, authval); + if ( ret < 0 ) + _pam_log(LOG_WARNING, + "No prelude alert sent"); + + prelude_deinit(); + +} + +static int +setup_analyzer(idmef_analyzer_t *analyzer) +{ + int ret; + prelude_string_t *string; + + ret = idmef_analyzer_new_model(analyzer, &string); + if ( ret < 0 ) + goto err; + prelude_string_set_constant(string, ANALYZER_MODEL); + + ret = idmef_analyzer_new_class(analyzer, &string); + if ( ret < 0 ) + goto err; + prelude_string_set_constant(string, ANALYZER_CLASS); + + ret = idmef_analyzer_new_manufacturer(analyzer, &string); + if ( ret < 0 ) + goto err; + prelude_string_set_constant(string, ANALYZER_MANUFACTURER); + + ret = idmef_analyzer_new_version(analyzer, &string); + if ( ret < 0 ) + goto err; + prelude_string_set_constant(string, PAM_VERSION); + + + return 0; + + err: + _pam_log(LOG_WARNING, + "%s: IDMEF error: %s.\n", + prelude_strsource(ret), prelude_strerror(ret)); + + return -1; +} + +static void +pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval) +{ + int ret; + idmef_time_t *clienttime; + idmef_alert_t *alert; + prelude_string_t *str; + idmef_message_t *idmef = NULL; + idmef_classification_t *class; + prelude_client_t *client = 
(prelude_client_t *)data; + idmef_source_t *source; + idmef_target_t *target; + idmef_user_t *user; + idmef_user_id_t *user_id; + idmef_process_t *process; + idmef_classification_t *classification; + idmef_impact_t *impact; + idmef_assessment_t *assessment; + idmef_node_t *node; + idmef_analyzer_t *analyzer; + + + ret = idmef_message_new(&idmef); + if ( ret < 0 ) + goto err; + + ret = idmef_message_new_alert(idmef, &alert); + if ( ret < 0 ) + goto err; + + ret = idmef_alert_new_classification(alert, &class); + if ( ret < 0 ) + goto err; + + ret = idmef_classification_new_text(class, &str); + if ( ret < 0 ) + goto err; + + ret = prelude_string_new_ref(&str, msg); + if ( ret < 0 ) + goto err; + + idmef_classification_set_text(class, str); + + ret = idmef_time_new_from_gettimeofday(&clienttime); + if ( ret < 0 ) + goto err; + idmef_alert_set_create_time(alert, clienttime); + + idmef_alert_set_analyzer(alert, + idmef_analyzer_ref(prelude_client_get_analyzer(client)), + 0); + + /********** + * SOURCE * + **********/ + ret = idmef_alert_new_source(alert, &source, -1); + if ( ret < 0 ) + goto err; + + /* BEGIN: Sets the user doing authentication stuff */ + ret = idmef_source_new_user(source, &user); + if ( ret < 0 ) + goto err; + idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION); + + ret = idmef_user_new_user_id(user, &user_id, 0); + if ( ret < 0 ) + goto err; + idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER); + + if ( pam_get_item_ruser(pamh) ) { + ret = prelude_string_new(&str); + if ( ret < 0 ) + goto err; + + ret = prelude_string_set_ref(str, pam_get_item_ruser(pamh)); + if ( ret < 0 ) + goto err; + + idmef_user_id_set_name(user_id, str); + } + /* END */ + /* BEGIN: Adds TTY infos */ + if ( pam_get_item_tty(pamh) ) { + ret = prelude_string_new(&str); + if ( ret < 0 ) + goto err; + + ret = prelude_string_set_ref(str, pam_get_item_tty(pamh)); + if ( ret < 0 ) + goto err; + + idmef_user_id_set_tty(user_id, str); + } + /* END */ + /* BEGIN: 
Sets the source node (rhost) */ + ret = idmef_source_new_node(source, &node); + if ( ret < 0 ) + goto err; + idmef_node_set_category(node, IDMEF_NODE_CATEGORY_HOSTS); + + if ( pam_get_item_rhost(pamh) ) { + ret = prelude_string_new(&str); + if ( ret < 0 ) + goto err; + + ret = prelude_string_set_ref(str, pam_get_item_rhost(pamh)); + if ( ret < 0 ) + goto err; + + idmef_node_set_name(node, str); + } + /* END */ + /* BEGIN: Describe the service */ + ret = idmef_source_new_process(source, &process); + if ( ret < 0 ) + goto err; + idmef_process_set_pid(process, getpid()); + + if ( pam_get_item_service(pamh) ) { + ret = prelude_string_new(&str); + if ( ret < 0 ) + goto err; + + ret = prelude_string_set_ref(str, pam_get_item_service(pamh)); + if ( ret < 0 ) + goto err; + + idmef_process_set_name(process, str); + } + /* END */ + + /********** + * TARGET * + **********/ + + ret = idmef_alert_new_target(alert, &target, -1); + if ( ret < 0 ) + goto err; + + + /* BEGIN: Sets the target node */ + analyzer = prelude_client_get_analyzer(client); + if ( ! analyzer ) goto err; + + node = idmef_analyzer_get_node(analyzer); + if ( ! node ) goto err; + idmef_target_set_node(target, node); + node = idmef_node_ref(node); + if ( ! 
node ) goto err; + /* END */ + /* BEGIN: Sets the user doing authentication stuff */ + ret = idmef_target_new_user(target, &user); + if ( ret < 0 ) + goto err; + idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION); + + ret = idmef_user_new_user_id(user, &user_id, 0); + if ( ret < 0 ) + goto err; + idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_TARGET_USER); + + if ( pam_get_item_user(pamh) ) { + ret = prelude_string_new(&str); + if ( ret < 0 ) + goto err; + + ret = prelude_string_set_ref(str, pam_get_item_user(pamh)); + if ( ret < 0 ) + goto err; + + idmef_user_id_set_name(user_id, str); + } + /* END */ + /* BEGIN: Short description of the alert */ + ret = idmef_alert_new_classification(alert, &classification); + if ( ret < 0 ) + goto err; + + ret = prelude_string_new(&str); + if ( ret < 0 ) + goto err; + + ret = prelude_string_set_ref(str, + authval == PAM_SUCCESS ? + "Authentication Success" : "Authentication Failure"); + if ( ret < 0 ) + goto err; + + idmef_classification_set_text(classification, str); + /* END */ + /* BEGIN: Long description of the alert */ + ret = idmef_alert_new_assessment(alert, &assessment); + if ( ret < 0 ) + goto err; + + ret = idmef_assessment_new_impact(assessment, &impact); + if ( ret < 0 ) + goto err; + + ret = prelude_string_new(&str); + if ( ret < 0 ) + goto err; + + ret = prelude_string_set_ref(str, + pam_get_alert_description(authval)); + if ( ret < 0 ) + goto err; + + idmef_impact_set_description(impact, str); + /* END */ + /* BEGIN: Adding additional data */ + if ( pam_get_item_user_prompt(pamh) ) { + ret = generate_additional_data(alert, "Local User Prompt", + pam_get_item_user_prompt(pamh)); + if ( ret < 0 ) + goto err; + } + /* END */ + + prelude_client_send_idmef(client, idmef); + + if ( idmef ) + idmef_message_destroy(idmef); + + return; + err: + _pam_log(LOG_WARNING, + "%s: IDMEF error: %s.\n", + prelude_strsource(ret), prelude_strerror(ret)); + + if ( idmef ) + idmef_message_destroy(idmef); + +} + +static 
int +pam_alert_prelude_init(pam_handle_t *pamh, int authval) +{ + + int ret; + prelude_client_t *client = NULL; + + ret = prelude_init(NULL, NULL); + if ( ret < 0 ) { + _pam_log(LOG_WARNING, + "%s: Unable to initialize the Prelude library: %s.\n", + prelude_strsource(ret), prelude_strerror(ret)); + return -1; + } + + ret = prelude_client_new(&client, DEFAULT_ANALYZER_NAME); + if ( ! client ) { + _pam_log(LOG_WARNING, + "%s: Unable to create a prelude client object: %s.\n", + prelude_strsource(ret), prelude_strerror(ret)); + + return -1; + } + + + ret = setup_analyzer(prelude_client_get_analyzer(client)); + if ( ret < 0 ) { + _pam_log(LOG_WARNING, + "%s: Unable to setup analyzer: %s\n", + prelude_strsource(ret), prelude_strerror(ret)); + + prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE); + + return -1; + } + + ret = prelude_client_start(client); + if ( ret < 0 ) { + _pam_log(LOG_WARNING, + "%s: Unable to initialize prelude client: %s.\n", + prelude_strsource(ret), prelude_strerror(ret)); + + prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE); + + return -1; + } + + pam_alert_prelude("libpam alert" , client, pamh, authval); + + prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS); + + return 0; +} + +#endif PRELUDE diff --git a/Linux-PAM/libpam/pam_prelude.h b/Linux-PAM/libpam/pam_prelude.h new file mode 100644 index 00000000..13ee6fdb --- /dev/null +++ b/Linux-PAM/libpam/pam_prelude.h @@ -0,0 +1,16 @@ +/* + * pam_prelude.h -- prelude ids reporting + * http://www.prelude-ids.org + * + * (C) Sebastien Tricaud 2005 <toady@gscore.org> + */ + +#ifndef _SECURITY_PAM_PRELUDE_H +#define _SECURITY_PAM_PRELUDE_H + +#include <security/_pam_types.h> + +void prelude_send_alert(pam_handle_t *pamh, int authval); + +#endif /* _SECURITY_PAM_PRELUDE_H */ + diff --git a/Linux-PAM/libpam/pam_private.h b/Linux-PAM/libpam/pam_private.h index 7b4c7490..3c8d8538 100644 --- a/Linux-PAM/libpam/pam_private.h +++ b/Linux-PAM/libpam/pam_private.h 
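Review bot: In pam_alert_prelude the `err:` label logs `prelude_strsource(ret)`/`prelude_strerror(ret)` for every failure, but the `if ( ! analyzer ) goto err;` and `if ( ! node ) goto err;` branches in the TARGET section jump there with `ret` still holding the previous call's success value, so the reported reason is wrong for those two cases; set `ret = -1;` before each of those jumps or log a dedicated message. The private `_pam_log` runs `openlog("libpam", ...)`/`closelog()` on every alert, which discards whatever syslog identity the calling application had opened; `_pam_system_log` from pam_private.h (already included here) avoids that and is the helper the rest of libpam uses. `pam_get_alert_description` duplicates the table in pam_strerror.c, typos included ("authenticaiton", "beccause"), where `pam_strerror(pamh, authval)` would give the same text from one place. `#endif PRELUDE` carries a stray token, which should be `#endif /* PRELUDE */`, and `va_list` and `getpid()` are used without a visible `<stdarg.h>`/`<unistd.h>` include, so this presumably relies on pam_private.h pulling them in. Since `prelude_send_alert` calls `prelude_init()` and `prelude_deinit()` per alert, an application that itself links libprelude may lose its own library state after any PAM call, which at least deserves a comment on the function.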
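Review bot: `prelude_send_alert` is declared here unconditionally while pam_prelude.c compiles its definition only under `#ifdef PRELUDE`, so a caller that does not guard the call the same way fails at link time when libpam is built without `PRELUDE` defined; either wrap the prototype in the same guard or add a comment, `/* only available when libpam is built with PRELUDE; callers must #ifdef the call */`. The name also sits in libprelude's `prelude_` namespace although it is a libpam symbol; a `_pam_` prefix, as used by `_pam_system_log` and the other private helpers, would avoid a clash with a future libprelude export.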
@@ -1,7 +1,7 @@ /* * pam_private.h * - * $Id: pam_private.h,v 1.1.1.2 2002/09/15 20:08:39 hartmans Exp $ + * $Id: pam_private.h,v 1.6 2004/09/15 12:06:17 kukuk Exp $ * * This is the Linux-PAM Library Private Header. It contains things * internal to the Linux-PAM library. Things not needed by either an @@ -250,7 +250,13 @@ void _pam_set_default_control(int *control_array, int default_action); void _pam_parse_control(int *control_array, char *tok); -void _pam_system_log(int priority, const char *format, ... ); +void _pam_system_log(int priority, const char *format, ... ) +#ifdef __GNUC__ + __attribute__ ((format (printf, 2, 3))); +#else + ; +#endif + #define _PAM_SYSTEM_LOG_PREFIX "PAM " /* diff --git a/Linux-PAM/libpam/pam_second.c b/Linux-PAM/libpam/pam_second.c index 21b5b993..fa3bdf78 100644 --- a/Linux-PAM/libpam/pam_second.c +++ b/Linux-PAM/libpam/pam_second.c @@ -2,7 +2,7 @@ * pam_second.c -- PAM secondary authentication * (based on XSSO draft spec of March 1997) * - * $Id: pam_second.c,v 1.1.1.2 2002/09/15 20:08:39 hartmans Exp $ + * $Id: pam_second.c,v 1.3 2001/09/19 06:18:46 agmorgan Exp $ * */ diff --git a/Linux-PAM/libpam/pam_session.c b/Linux-PAM/libpam/pam_session.c index 0ee5a61e..c468cf96 100644 --- a/Linux-PAM/libpam/pam_session.c +++ b/Linux-PAM/libpam/pam_session.c @@ -1,13 +1,13 @@ /* pam_session.c - PAM Session Management */ /* - * $Id: pam_session.c,v 1.1.1.1 2001/04/29 04:17:09 hartmans Exp $ + * $Id: pam_session.c,v 1.4 2003/07/13 20:01:44 vorlon Exp $ */ -#include <stdio.h> - #include "pam_private.h" +#include <stdio.h> + int pam_open_session(pam_handle_t *pamh, int flags) { D(("called")); diff --git a/Linux-PAM/libpam/pam_start.c b/Linux-PAM/libpam/pam_start.c index 53517fe0..5d6e066a 100644 --- a/Linux-PAM/libpam/pam_start.c +++ b/Linux-PAM/libpam/pam_start.c 
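Review bot: The `#ifdef __GNUC__` block around the `_pam_system_log` prototype puts the terminating `;` into both branches, which is easy to break on the next edit and will have to be repeated for every other variadic logger that gains format checking. A small attribute macro keeps the prototype on one line and can be reused; the payoff of the attribute itself is that gcc now checks every existing `_pam_system_log` call site's format string against its arguments.
```c
#ifdef __GNUC__
# define PAM_FORMAT(params) __attribute__ ((format params))
#else
# define PAM_FORMAT(params)
#endif

void _pam_system_log(int priority, const char *format, ... )
     PAM_FORMAT((printf, 2, 3));
/* … unchanged: _PAM_SYSTEM_LOG_PREFIX … */
```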
@@ -3,18 +3,18 @@ /* Creator Marc Ewing * Maintained by AGM * - * $Id: pam_start.c,v 1.1.1.1 2001/04/29 04:17:09 hartmans Exp $ + * $Id: pam_start.c,v 1.5 2004/09/14 13:48:41 kukuk Exp $ * */ +#include "pam_private.h" + #include <ctype.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <syslog.h> -#include "pam_private.h" - int pam_start ( const char *service_name, const char *user, @@ -24,11 +24,21 @@ int pam_start ( D(("called pam_start: [%s] [%s] [%p] [%p]" ,service_name, user, pam_conversation, pamh)); + if (pamh == NULL) { + _pam_system_log(LOG_CRIT, "pam_start: invalid argument: pamh == NULL"); + return (PAM_BUF_ERR); + } + if ((*pamh = calloc(1, sizeof(**pamh))) == NULL) { _pam_system_log(LOG_CRIT, "pam_start: calloc failed for *pamh"); return (PAM_BUF_ERR); } + /* All service names should be files below /etc/pam.d and nothing + else. Forbid paths. */ + if (strrchr(service_name, '/') != NULL) + service_name = strrchr(service_name, '/') + 1; + /* Mark the caller as the application - permission to do certain things is limited to a module or an application */ diff --git a/Linux-PAM/libpam/pam_static.c b/Linux-PAM/libpam/pam_static.c index f7e0645f..5a2b5a5d 100644 --- a/Linux-PAM/libpam/pam_static.c +++ b/Linux-PAM/libpam/pam_static.c @@ -2,7 +2,7 @@ /* created by Michael K. Johnson, johnsonm@redhat.com * - * $Id: pam_static.c,v 1.1.1.1 2001/04/29 04:17:10 hartmans Exp $ + * $Id: pam_static.c,v 1.1.1.1 2000/06/20 22:11:21 agmorgan Exp $ */ /* This whole file is only used for PAM_STATIC */ diff --git a/Linux-PAM/libpam/pam_strerror.c b/Linux-PAM/libpam/pam_strerror.c index f287b5ad..788c7a51 100644 --- a/Linux-PAM/libpam/pam_strerror.c +++ b/Linux-PAM/libpam/pam_strerror.c @@ -1,7 +1,7 @@ /* pam_strerror.c */ /* - * $Id: pam_strerror.c,v 1.1.1.2 2002/09/15 20:08:39 hartmans Exp $ + * $Id: pam_strerror.c,v 1.4 2005/01/07 15:31:26 t8m Exp $ */ #include "pam_private.h" 
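Review bot: The new path-stripping in pam_start calls `strrchr(service_name, '/')` without first checking `service_name` for NULL, so a NULL service name now crashes here, and the strip runs after `*pamh` has been allocated, so any rejection added at this point would also have to free it; do the check before the `calloc`. Silently rewriting also disagrees with the comment's "Forbid paths": a name with directory components is quietly reduced to its last component, a name ending in `/` becomes the empty string, and the caller never learns its service name changed, so returning an error or at least logging the rewrite with `_pam_system_log` would make the policy visible. Calling `strrchr` once into a local avoids the duplicated scan: `const char *slash = strrchr(service_name, '/'); if (slash != NULL) service_name = slash + 1;`. pam_start's body continues outside the hunk.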
@@ -48,7 +48,7 @@ const char *pam_strerror(pam_handle_t *pamh, int errnum) case PAM_USER_UNKNOWN: return "User not known to the underlying authentication module"; case PAM_MAXTRIES: - return "Have exhasted maximum number of retries for service."; + return "Have exhausted maximum number of retries for service."; case PAM_NEW_AUTHTOK_REQD: return "Authentication token is no longer valid; new one required."; case PAM_ACCT_EXPIRED: @@ -78,7 +78,7 @@ const char *pam_strerror(pam_handle_t *pamh, int errnum) case PAM_TRY_AGAIN: return "Failed preliminary check by password service"; case PAM_IGNORE: - return "Please ignore underlying account module"; + return "The return value should be ignored by PAM dispatch"; case PAM_MODULE_UNKNOWN: return "Module is unknown"; case PAM_AUTHTOK_EXPIRED: diff --git a/Linux-PAM/libpam/pam_tokens.h b/Linux-PAM/libpam/pam_tokens.h index 0300fdf1..69e79489 100644 --- a/Linux-PAM/libpam/pam_tokens.h +++ b/Linux-PAM/libpam/pam_tokens.h @@ -1,7 +1,7 @@ /* * pam_tokens.h * - * $Id: pam_tokens.h,v 1.1.1.1 2001/04/29 04:17:10 hartmans Exp $ + * $Id: pam_tokens.h,v 1.3 2001/01/22 06:07:29 agmorgan Exp $ * * This is a Linux-PAM Library Private Header file. It contains tokens * that are used when we parse the configuration file(s). |