1 files changed, 190 insertions, 44 deletions
diff --git a/Linux-PAM/modules/pam_unix/pam_unix_acct.c b/Linux-PAM/modules/pam_unix/pam_unix_acct.c
index 02e07ba6..cb2550df 100644
--- a/Linux-PAM/modules/pam_unix/pam_unix_acct.c
+++ b/Linux-PAM/modules/pam_unix/pam_unix_acct.c
@@ -14,13 +14,13 @@
  * 3. The name of the author may not be used to endorse or promote
  *    products derived from this software without specific prior
  *    written permission.
- * 
+ *
  * ALTERNATIVELY, this product may be distributed under the terms of
  * the GNU Public License, in which case the provisions of the GPL are
  * required INSTEAD OF the above restrictions.  (This clause is
  * necessary due to a potential bad interaction between the GPL and
  * the restrictions contained in a BSD-style copyright.)
- * 
+ *
  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -34,7 +34,7 @@
  * OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include <security/_pam_aconf.h>
+#include "config.h"
 
 #include <stdlib.h>
 #include <stdio.h>
@@ -45,6 +45,12 @@
 #include <pwd.h>
 #include <shadow.h>
 #include <time.h>		/* for time() */
+#include <errno.h>
+#include <sys/wait.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#define SELINUX_ENABLED is_selinux_enabled()>0
+#endif
 
 #include <security/_pam_macros.h>
 
@@ -53,14 +59,130 @@
 #define PAM_SM_ACCOUNT
 
 #include <security/pam_modules.h>
-#include <security/_pam_modutil.h>
-
-#ifndef LINUX_PAM
-#include <security/pam_appl.h>
-#endif				/* LINUX_PAM */
+#include <security/pam_ext.h>
+#include <security/pam_modutil.h>
 
 #include "support.h"
- 
+
+#ifdef WITH_SELINUX
+
+struct spwd spwd;
+
+struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user)
+{
+  int retval=0, child, fds[2];
+  void (*sighandler)(int) = NULL;
+  D(("running verify_binary"));
+
+  /* create a pipe for the messages */
+  if (pipe(fds) != 0) {
+    D(("could not make pipe"));
+    pam_syslog(pamh, LOG_ERR, "Could not make pipe: %m");
+    return NULL;
+  }
+  D(("called."));
+
+  if (off(UNIX_NOREAP, ctrl)) {
+    /*
+     * This code arranges that the demise of the child does not cause
+     * the application to receive a signal it is not expecting - which
+     * may kill the application or worse.
+     *
+     * The "noreap" module argument is provided so that the admin can
+     * override this behavior.
+     */
+    sighandler = signal(SIGCHLD, SIG_DFL);
+  }
+
+  /* fork */
+  child = fork();
+  if (child == 0) {
+    size_t i=0;
+    struct rlimit rlim;
+    static char *envp[] = { NULL };
+    char *args[] = { NULL, NULL, NULL, NULL };
+
+    close(0); close(1);
+    /* reopen stdin as pipe */
+    close(fds[0]);
+    dup2(fds[1], STDOUT_FILENO);
+
+    /* XXX - should really tidy up PAM here too */
+
+    if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+      for (i=2; i < rlim.rlim_max; i++) {
+	if ((unsigned int)fds[1] != i) {
+	  close(i);
+	}
+      }
+    }
+
+    if (SELINUX_ENABLED && geteuid() == 0) {
+      /* must set the real uid to 0 so the helper will not error
+         out if pam is called from setuid binary (su, sudo...) */
+      setuid(0);
+    }
+
+    /* exec binary helper */
+    args[0] = x_strdup(CHKPWD_HELPER);
+    args[1] = x_strdup(user);
+    args[2] = x_strdup("verify");
+
+    execve(CHKPWD_HELPER, args, envp);
+
+    pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
+    /* should not get here: exit with error */
+    close (fds[1]);
+    D(("helper binary is not available"));
+    exit(PAM_AUTHINFO_UNAVAIL);
+  } else {
+    close(fds[1]);
+    if (child > 0) {
+      char buf[1024];
+      int rc=0;
+      rc=waitpid(child, &retval, 0);  /* wait for helper to complete */
+      if (rc<0) {
+	pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc);
+	retval = PAM_AUTH_ERR;
+      } else {
+	retval = WEXITSTATUS(retval);
+	if (retval != PAM_AUTHINFO_UNAVAIL) {
+          rc = pam_modutil_read(fds[0], buf, sizeof(buf) - 1);
+	  if(rc > 0) {
+	      buf[rc] = '\0';
+	      if (sscanf(buf,"%ld:%ld:%ld:%ld:%ld:%ld",
+		     &spwd.sp_lstchg, /* last password change */
+		     &spwd.sp_min, /* days until change allowed. */
+		     &spwd.sp_max, /* days before change required */
+		     &spwd.sp_warn, /* days warning for expiration */
+		     &spwd.sp_inact, /* days before account inactive */
+		     &spwd.sp_expire) /* date when account expires */ != 6 ) retval = PAM_AUTH_ERR;
+	    }
+	  else {
+	    pam_syslog(pamh, LOG_ERR, " ERROR %d: %m", rc); retval = PAM_AUTH_ERR;
+	  }
+	}
+      }
+    } else {
+      pam_syslog(pamh, LOG_ERR, "Fork failed: %m");
+      D(("fork failed"));
+      retval = PAM_AUTH_ERR;
+    }
+    close(fds[0]);
+  }
+  if (sighandler != SIG_ERR) {
+    (void) signal(SIGCHLD, sighandler);   /* restore old signal handler */
+  }
+  D(("Returning %d",retval));
+  if (retval != PAM_SUCCESS) {
+    return NULL;
+  }
+  return &spwd;
+}
+
+#endif
+
+
 /*
  * PAM framework looks for this entry-point to pass control to the
  * account management module.
@@ -70,31 +192,33 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
 				int argc, const char **argv)
 {
 	unsigned int ctrl;
+	const void *void_uname;
 	const char *uname;
 	int retval, daysleft;
 	time_t curdays;
 	struct spwd *spent;
 	struct passwd *pwent;
-	char buf[80];
+	char buf[256];
 
 	D(("called."));
 
 	ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
 
-	retval = pam_get_item(pamh, PAM_USER, (const void **) &uname);
+	retval = pam_get_item(pamh, PAM_USER, &void_uname);
+	uname = void_uname;
 	D(("user = `%s'", uname));
 	if (retval != PAM_SUCCESS || uname == NULL) {
-		_log_err(LOG_ALERT, pamh
-			 ,"could not identify user (from uid=%d)"
-			 ,getuid());
+		pam_syslog(pamh, LOG_ALERT,
+			 "could not identify user (from uid=%lu)",
+			 (unsigned long int)getuid());
 		return PAM_USER_UNKNOWN;
 	}
 
-	pwent = _pammodutil_getpwnam(pamh, uname);
+	pwent = pam_modutil_getpwnam(pamh, uname);
 	if (!pwent) {
-		_log_err(LOG_ALERT, pamh
-			 ,"could not identify user (from getpwnam(%s))"
-			 ,uname);
+		pam_syslog(pamh, LOG_ALERT,
+			 "could not identify user (from getpwnam(%s))",
+			 uname);
 		return PAM_USER_UNKNOWN;
 	}
 
@@ -114,7 +238,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
 					return PAM_CRED_INSUFFICIENT;
 			}
 		}
-		spent = _pammodutil_getspnam (pamh, uname);
+		spent = pam_modutil_getspnam (pamh, uname);
 		if (save_uid == pwent->pw_uid)
 			setreuid( save_uid, save_euid );
 		else {
@@ -124,10 +248,15 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
 		}
 
 	} else if (_unix_shadowed (pwent))
-		spent = _pammodutil_getspnam (pamh, uname);
+		spent = pam_modutil_getspnam (pamh, uname);
 	else
 		return PAM_SUCCESS;
 
+#ifdef WITH_SELINUX
+	if (!spent && SELINUX_ENABLED )
+	    spent = _unix_run_verify_binary(pamh, ctrl, uname);
+#endif
+
 	if (!spent)
 		if (on(UNIX_BROKEN_SHADOW,ctrl))
 			return PAM_SUCCESS;
@@ -138,58 +267,75 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
 	curdays = time(NULL) / (60 * 60 * 24);
 	D(("today is %d, last change %d", curdays, spent->sp_lstchg));
 	if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)) {
-		_log_err(LOG_NOTICE, pamh
-			 ,"account %s has expired (account expired)"
-			 ,uname);
+		pam_syslog(pamh, LOG_NOTICE,
+			 "account %s has expired (account expired)",
+			 uname);
 		_make_remark(pamh, ctrl, PAM_ERROR_MSG,
-			    "Your account has expired; please contact your system administrator");
+			     _("Your account has expired; please contact your system administrator"));
 		D(("account expired"));
 		return PAM_ACCT_EXPIRED;
 	}
 	if (spent->sp_lstchg == 0) {
-		_log_err(LOG_NOTICE, pamh
-			 ,"expired password for user %s (root enforced)"
-			 ,uname);
+		pam_syslog(pamh, LOG_NOTICE,
+			 "expired password for user %s (root enforced)",
+			 uname);
 		_make_remark(pamh, ctrl, PAM_ERROR_MSG,
-			    "You are required to change your password immediately (root enforced)");
+			     _("You are required to change your password immediately (root enforced)"));
 		D(("need a new password"));
 		return PAM_NEW_AUTHTOK_REQD;
 	}
 	if (curdays < spent->sp_lstchg) {
-		_log_err(LOG_DEBUG, pamh
-			 ,"account %s has password changed in future"
-			 ,uname);
+		pam_syslog(pamh, LOG_DEBUG,
+			 "account %s has password changed in future",
+			 uname);
 		return PAM_SUCCESS;
 	}
 	if ((curdays - spent->sp_lstchg > spent->sp_max)
 	    && (curdays - spent->sp_lstchg > spent->sp_inact)
 	    && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
 	    && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
-		_log_err(LOG_NOTICE, pamh
-		    ,"account %s has expired (failed to change password)"
-			 ,uname);
+		pam_syslog(pamh, LOG_NOTICE,
+		    "account %s has expired (failed to change password)",
+		    uname);
 		_make_remark(pamh, ctrl, PAM_ERROR_MSG,
-			    "Your account has expired; please contact your system administrator");
+			     _("Your account has expired; please contact your system administrator"));
 		D(("account expired 2"));
 		return PAM_ACCT_EXPIRED;
 	}
 	if ((curdays - spent->sp_lstchg > spent->sp_max) && (spent->sp_max != -1)) {
-		_log_err(LOG_DEBUG, pamh
-			 ,"expired password for user %s (password aged)"
-			 ,uname);
+		pam_syslog(pamh, LOG_DEBUG,
+			 "expired password for user %s (password aged)",
+			 uname);
 		_make_remark(pamh, ctrl, PAM_ERROR_MSG,
-			    "You are required to change your password immediately (password aged)");
+			     _("You are required to change your password immediately (password aged)"));
 		D(("need a new password 2"));
 		return PAM_NEW_AUTHTOK_REQD;
 	}
 	if ((curdays - spent->sp_lstchg > spent->sp_max - spent->sp_warn)
 	    && (spent->sp_max != -1) && (spent->sp_warn != -1)) {
 		daysleft = (spent->sp_lstchg + spent->sp_max) - curdays;
-		_log_err(LOG_DEBUG, pamh
-			 ,"password for user %s will expire in %d days"
-			 ,uname, daysleft);
-		snprintf(buf, 80, "Warning: your password will expire in %d day%.2s",
-			 daysleft, daysleft == 1 ? "" : "s");
+		pam_syslog(pamh, LOG_DEBUG,
+			 "password for user %s will expire in %d days",
+			 uname, daysleft);
+#ifdef HAVE_DNGETTEXT
+		snprintf (buf, sizeof (buf),
+			  dngettext(PACKAGE,
+				    "Warning: your password will expire in %d day",
+				    "Warning: your password will expire in %d days",
+				    daysleft),
+			  daysleft);
+#else
+		if (daysleft == 1)
+		  snprintf(buf, sizeof (buf),
+			   _("Warning: your password will expire in %d day"),
+			   daysleft);
+		else
+		  snprintf(buf, sizeof (buf),
+			   /* TRANSLATORS: only used if dngettext is not support
+ed */
+			   _("Warning: your password will expire in %d days"),
+			   daysleft);
+#endif
 		_make_remark(pamh, ctrl, PAM_TEXT_INFO, buf);
 	}