Diffstat (limited to 'modules/pam_env')
-rw-r--r-- | modules/pam_env/.cvsignore | 9 | ||||
-rw-r--r-- | modules/pam_env/Makefile.am | 35 | ||||
-rw-r--r-- | modules/pam_env/README.xml | 39 | ||||
-rw-r--r-- | modules/pam_env/environment | 5 | ||||
-rw-r--r-- | modules/pam_env/pam_env.8.xml | 206 | ||||
-rw-r--r-- | modules/pam_env/pam_env.c | 832 | ||||
-rw-r--r-- | modules/pam_env/pam_env.conf | 73 | ||||
-rw-r--r-- | modules/pam_env/pam_env.conf.5.xml | 123 | ||||
-rwxr-xr-x | modules/pam_env/tst-pam_env | 2 |
9 files changed, 0 insertions, 1324 deletions
diff --git a/modules/pam_env/.cvsignore b/modules/pam_env/.cvsignore
deleted file mode 100644
index e35f869e..00000000
--- a/modules/pam_env/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-README
-pam_env.8
-pam_env.conf.5
diff --git a/modules/pam_env/Makefile.am b/modules/pam_env/Makefile.am
deleted file mode 100644
index 87813688..00000000
--- a/modules/pam_env/Makefile.am
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
-
-man_MANS = pam_env.conf.5 pam_env.8
-
-XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DDEFAULT_CONF_FILE=\"$(SCONFIGDIR)/pam_env.conf\"
-AM_LDFLAGS = -no-undefined -avoid-version -module
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-securelib_LTLIBRARIES = pam_env.la
-pam_env_la_LIBADD = -L$(top_builddir)/libpam -lpam
-
-secureconf_DATA = pam_env.conf
-sysconf_DATA = environment
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_env.8.xml pam_env.conf.5.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
-TESTS = tst-pam_env
diff --git a/modules/pam_env/README.xml b/modules/pam_env/README.xml
deleted file mode 100644
index 21a9b855..00000000
--- a/modules/pam_env/README.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_env.8.xml">
--->
-<!--
-<!ENTITY accessconf SYSTEM "pam_env.conf.5.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_env.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_env-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-examples"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_env/environment b/modules/pam_env/environment
deleted file mode 100644
index f46b8d94..00000000
--- a/modules/pam_env/environment
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# This file is parsed by pam_env module
-#
-# Syntax: simple "KEY=VAL" pairs on seperate lines
-#
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
deleted file mode 100644
index 731c20b2..00000000
--- a/modules/pam_env/pam_env.8.xml
+++ /dev/null
@@ -1,206 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
-
-<refentry id='pam_env'>
-
- <refmeta>
- <refentrytitle>pam_env</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id='pam_env-name'>
- <refname>pam_env</refname>
- <refpurpose>
- PAM module to set/unset environment variables
- </refpurpose>
- </refnamediv>
-
-<!-- body begins here -->
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_env-cmdsynopsis">
- <command>pam_env.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- conffile=<replaceable>conf-file</replaceable>
- </arg>
- <arg choice="opt">
- envfile=<replaceable>env-file</replaceable>
- </arg>
- <arg choice="opt">
- readenv=<replaceable>0|1</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-
- <refsect1 id="pam_env-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_env PAM module allows the (un)setting of environment
- variables. Supported is the use of previously set environment
- variables as well as <emphasis>PAM_ITEM</emphasis>s such as
- <emphasis>PAM_RHOST</emphasis>.
- </para>
- <para>
- By default rules for (un)setting of variables is taken from the
- config file <filename>/etc/security/pam_env.conf</filename> if
- no other file is specified.
- </para>
- <para>
- This module can also parse a file with simple
- <emphasis>KEY=VAL</emphasis> pairs on seperate lines
- (<filename>/etc/environment</filename> by default). You can
- change the default file to parse, with the <emphasis>envfile</emphasis>
- flag and turn it on or off by setting the <emphasis>readenv</emphasis>
- flag to 1 or 0 respectively.
- </para>
- </refsect1>
-
- <refsect1 id="pam_env-options">
- <title>OPTIONS</title>
- <variablelist>
-
- <varlistentry>
- <term>
- <option>conffile=<replaceable>/path/to/pam_env.conf</replaceable></option>
- </term>
- <listitem>
- <para>
- Indicate an alternative <filename>pam_env.conf</filename>
- style configuration file to override the default. This can
- be useful when different services need different environments.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- A lot of debug informations are printed with
- <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>envfile=<replaceable>/path/to/environment</replaceable></option>
- </term>
- <listitem>
- <para>
- Indicate an alternative <filename>environment</filename>
- file to override the default. This can be useful when different
- services need different environments.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>readenv=<replaceable>0|1</replaceable></option>
- </term>
- <listitem>
- <para>
- Turns on or off the reading of the file specified by envfile
- (0 is off, 1 is on). By default this option is on.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_env-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- The <option>auth</option> and <option>session</option> services
- are supported.
- </para>
- </refsect1>
-
- <refsect1 id="pam_env-return_values">
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_ABORT</term>
- <listitem>
- <para>
- Not all relevant data or options could be gotten.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- No pam_env.conf and environment file was found.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Environment variables were set.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_env-files">
- <title>FILES</title>
- <variablelist>
- <varlistentry>
- <term><filename>/etc/security/pam_env.conf</filename></term>
- <listitem>
- <para>Default configuration file</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><filename>/etc/environment</filename></term>
- <listitem>
- <para>Default environment file</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_env-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam_env.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>.
- </para>
- </refsect1>
-
- <refsect1 id="pam_env-authors">
- <title>AUTHOR</title>
- <para>
- pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
deleted file mode 100644
index bcbb1881..00000000
--- a/modules/pam_env/pam_env.c
+++ /dev/null
@@ -1,832 +0,0 @@ -/* pam_env module */ - -/* - * $Id$ - * - * Written by Dave Kinchlea <kinch@kinch.ark.com> 1997/01/31 - * Inspired by Andrew Morgan <morgan@kernel.org>, who also supplied the - * template for this file (via pam_mail) - */ - -#define DEFAULT_ETC_ENVFILE "/etc/environment" -#define DEFAULT_READ_ENVFILE 1 - -#include "config.h" - -#include <ctype.h> -#include <errno.h> -#include <pwd.h> -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <sys/stat.h> -#include <sys/types.h> -#include <unistd.h> - -/* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module - * but strongly encouraged generally) it is used to instruct the - * modules include file to define the function prototypes. - */ - -#define PAM_SM_AUTH /* This is primarily a AUTH_SETCRED module */ -#define PAM_SM_SESSION /* But I like to be friendly */ -#define PAM_SM_PASSWORD /* "" */ -#define PAM_SM_ACCOUNT /* "" */ - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> -#include <security/pam_ext.h> - -/* This little structure makes it easier to keep variables together */ - -typedef struct var { - char *name; - char *value; - char *defval; - char *override; -} VAR; - -#define BUF_SIZE 1024 -#define MAX_ENV 8192 - -#define GOOD_LINE 0 -#define BAD_LINE 100 /* This must be > the largest PAM_* error code */ - -#define DEFINE_VAR 101 -#define UNDEFINE_VAR 102 -#define ILLEGAL_VAR 103 - -static int _assemble_line(FILE *, char *, int); -static int _parse_line(const pam_handle_t *, char *, VAR *); -static int _check_var(pam_handle_t *, VAR *); /* This is the real meat */ -static void _clean_var(VAR *); -static int _expand_arg(pam_handle_t *, char **); -static const char * _pam_get_item_byname(pam_handle_t *, const char *); -static int _define_var(pam_handle_t *, VAR *); -static int _undefine_var(pam_handle_t *, VAR *); - -/* This is a flag 
used to designate an empty string */ -static char quote='Z'; - -/* argument parsing */ - -#define PAM_DEBUG_ARG 0x01 -#define PAM_NEW_CONF_FILE 0x02 -#define PAM_ENV_SILENT 0x04 -#define PAM_NEW_ENV_FILE 0x10 - -static int -_pam_parse (const pam_handle_t *pamh, int argc, const char **argv, - const char **conffile, const char **envfile, int *readenv) -{ - int ctrl=0; - - - /* step through arguments */ - for (; argc-- > 0; ++argv) { - - /* generic options */ - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; - else if (!strncmp(*argv,"conffile=",9)) { - *conffile = 9 + *argv; - if (**conffile != '\0') { - D(("new Configuration File: %s", *conffile)); - ctrl |= PAM_NEW_CONF_FILE; - } else { - pam_syslog(pamh, LOG_ERR, - "conffile= specification missing argument - ignored"); - } - } else if (!strncmp(*argv,"envfile=",8)) { - *envfile = 8 + *argv; - if (**envfile != '\0') { - D(("new Env File: %s", *envfile)); - ctrl |= PAM_NEW_ENV_FILE; - } else { - pam_syslog (pamh, LOG_ERR, - "envfile= specification missing argument - ignored"); - } - } else if (!strncmp(*argv,"readenv=",8)) - *readenv = atoi(8+*argv); - else - pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); - } - - return ctrl; -} - -static int -_parse_config_file(pam_handle_t *pamh, int ctrl, const char *conffile) -{ - int retval; - const char *file; - char buffer[BUF_SIZE]; - FILE *conf; - VAR Var, *var=&Var; - - var->name=NULL; var->defval=NULL; var->override=NULL; - D(("Called.")); - - if (ctrl & PAM_NEW_CONF_FILE) { - file = conffile; - } else { - file = DEFAULT_CONF_FILE; - } - - D(("Config file name is: %s", file)); - - /* - * Lets try to open the config file, parse it and process - * any variables found. 
- */ - - if ((conf = fopen(file,"r")) == NULL) { - pam_syslog(pamh, LOG_ERR, "Unable to open config file: %s: %m", file); - return PAM_IGNORE; - } - - /* _pam_assemble_line will provide a complete line from the config file, - * with all comments removed and any escaped newlines fixed up - */ - - while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) { - D(("Read line: %s", buffer)); - - if ((retval = _parse_line(pamh, buffer, var)) == GOOD_LINE) { - retval = _check_var(pamh, var); - - if (DEFINE_VAR == retval) { - retval = _define_var(pamh, var); - - } else if (UNDEFINE_VAR == retval) { - retval = _undefine_var(pamh, var); - } - } - if (PAM_SUCCESS != retval && ILLEGAL_VAR != retval - && BAD_LINE != retval && PAM_BAD_ITEM != retval) break; - - _clean_var(var); - - } /* while */ - - (void) fclose(conf); - - /* tidy up */ - _clean_var(var); /* We could have got here prematurely, - * this is safe though */ - D(("Exit.")); - return (retval != 0 ? PAM_ABORT : PAM_SUCCESS); -} - -static int -_parse_env_file(pam_handle_t *pamh, int ctrl, const char *env_file) -{ - int retval=PAM_SUCCESS, i, t; - const char *file; - char buffer[BUF_SIZE], *key, *mark; - FILE *conf; - - if (ctrl & PAM_NEW_ENV_FILE) - file = env_file; - else - file = DEFAULT_ETC_ENVFILE; - - D(("Env file name is: %s", file)); - - if ((conf = fopen(file,"r")) == NULL) { - pam_syslog(pamh, LOG_ERR, "Unable to open env file: %s: %m", file); - return PAM_IGNORE; - } - - while (_assemble_line(conf, buffer, BUF_SIZE) > 0) { - D(("Read line: %s", buffer)); - key = buffer; - - /* skip leading white space */ - key += strspn(key, " \n\t"); - - /* skip blanks lines and comments */ - if (!key || key[0] == '#') - continue; - - /* skip over "export " if present so we can be compat with - bash type declarations */ - if (strncmp(key, "export ", (size_t) 7) == 0) - key += 7; - - /* now find the end of value */ - mark = key; - while(mark[0] != '\n' && mark[0] != '#' && mark[0] != '\0') - mark++; - if (mark[0] != '\0') 
- mark[0] = '\0'; - - /* - * sanity check, the key must be alpha-numeric - */ - - for ( i = 0 ; key[i] != '=' && key[i] != '\0' ; i++ ) - if (!isalnum(key[i]) && key[i] != '_') { - D(("key is not alpha numeric - '%s', ignoring", key)); - continue; - } - - /* now we try to be smart about quotes around the value, - but not too smart, we can't get all fancy with escaped - values like bash */ - if (key[i] == '=' && (key[++i] == '\"' || key[i] == '\'')) { - for ( t = i+1 ; key[t] != '\0' ; t++) - if (key[t] != '\"' && key[t] != '\'') - key[i++] = key[t]; - else if (key[t+1] != '\0') - key[i++] = key[t]; - key[i] = '\0'; - } - - /* set the env var, if it fails, we break out of the loop */ - retval = pam_putenv(pamh, key); - if (retval != PAM_SUCCESS) { - D(("error setting env \"%s\"", key)); - break; - } - } - - (void) fclose(conf); - - /* tidy up */ - D(("Exit.")); - return retval; -} - -/* - * This is where we read a line of the PAM config file. The line may be - * preceeded by lines of comments and also extended with "\\\n" - */ - -static int _assemble_line(FILE *f, char *buffer, int buf_len) -{ - char *p = buffer; - char *s, *os; - int used = 0; - - /* loop broken with a 'break' when a non-'\\n' ended line is read */ - - D(("called.")); - for (;;) { - if (used >= buf_len) { - /* Overflow */ - D(("_assemble_line: overflow")); - return -1; - } - if (fgets(p, buf_len - used, f) == NULL) { - if (used) { - /* Incomplete read */ - return -1; - } else { - /* EOF */ - return 0; - } - } - - /* skip leading spaces --- line may be blank */ - - s = p + strspn(p, " \n\t"); - if (*s && (*s != '#')) { - os = s; - - /* - * we are only interested in characters before the first '#' - * character - */ - - while (*s && *s != '#') - ++s; - if (*s == '#') { - *s = '\0'; - used += strlen(os); - break; /* the line has been read */ - } - - s = os; - - /* - * Check for backslash by scanning back from the end of - * the entered line, the '\n' has been included since - * normally a line is 
terminated with this - * character. fgets() should only return one though! - */ - - s += strlen(s); - while (s > os && ((*--s == ' ') || (*s == '\t') - || (*s == '\n'))); - - /* check if it ends with a backslash */ - if (*s == '\\') { - *s = '\0'; /* truncate the line here */ - used += strlen(os); - p = s; /* there is more ... */ - } else { - /* End of the line! */ - used += strlen(os); - break; /* this is the complete line */ - } - - } else { - /* Nothing in this line */ - /* Don't move p */ - } - } - - return used; -} - -static int -_parse_line (const pam_handle_t *pamh, char *buffer, VAR *var) -{ - /* - * parse buffer into var, legal syntax is - * VARIABLE [DEFAULT=[[string]] [OVERRIDE=[value]] - * - * Any other options defined make this a bad line, - * error logged and no var set - */ - - int length, quoteflg=0; - char *ptr, **valptr, *tmpptr; - - D(("Called buffer = <%s>", buffer)); - - length = strcspn(buffer," \t\n"); - - if ((var->name = malloc(length + 1)) == NULL) { - pam_syslog(pamh, LOG_ERR, "Couldn't malloc %d bytes", length+1); - return PAM_BUF_ERR; - } - - /* - * The first thing on the line HAS to be the variable name, - * it may be the only thing though. 
- */ - strncpy(var->name, buffer, length); - var->name[length] = '\0'; - D(("var->name = <%s>, length = %d", var->name, length)); - - /* - * Now we check for arguments, we only support two kinds and ('cause I am lazy) - * each one can actually be listed any number of times - */ - - ptr = buffer+length; - while ((length = strspn(ptr, " \t")) > 0) { - ptr += length; /* remove leading whitespace */ - D((ptr)); - if (strncmp(ptr,"DEFAULT=",8) == 0) { - ptr+=8; - D(("Default arg found: <%s>", ptr)); - valptr=&(var->defval); - } else if (strncmp(ptr, "OVERRIDE=", 9) == 0) { - ptr+=9; - D(("Override arg found: <%s>", ptr)); - valptr=&(var->override); - } else { - D(("Unrecognized options: <%s> - ignoring line", ptr)); - pam_syslog(pamh, LOG_ERR, "Unrecognized Option: %s - ignoring line", ptr); - return BAD_LINE; - } - - if ('"' != *ptr) { /* Escaped quotes not supported */ - length = strcspn(ptr, " \t\n"); - tmpptr = ptr+length; - } else { - tmpptr = strchr(++ptr, '"'); - if (!tmpptr) { - D(("Unterminated quoted string: %s", ptr-1)); - pam_syslog(pamh, LOG_ERR, "Unterminated quoted string: %s", ptr-1); - return BAD_LINE; - } - length = tmpptr - ptr; - if (*++tmpptr && ' ' != *tmpptr && '\t' != *tmpptr && '\n' != *tmpptr) { - D(("Quotes must cover the entire string: <%s>", ptr)); - pam_syslog(pamh, LOG_ERR, "Quotes must cover the entire string: <%s>", ptr); - return BAD_LINE; - } - quoteflg++; - } - if (length) { - if ((*valptr = malloc(length + 1)) == NULL) { - D(("Couldn't malloc %d bytes", length+1)); - pam_syslog(pamh, LOG_ERR, "Couldn't malloc %d bytes", length+1); - return PAM_BUF_ERR; - } - (void)strncpy(*valptr,ptr,length); - (*valptr)[length]='\0'; - } else if (quoteflg--) { - *valptr = "e; /* a quick hack to handle the empty string */ - } - ptr = tmpptr; /* Start the search where we stopped */ - } /* while */ - - /* - * The line is parsed, all is well. 
- */ - - D(("Exit.")); - ptr = NULL; tmpptr = NULL; valptr = NULL; - return GOOD_LINE; -} - -static int _check_var(pam_handle_t *pamh, VAR *var) -{ - /* - * Examine the variable and determine what action to take. - * Returns DEFINE_VAR, UNDEFINE_VAR depending on action to take - * or a PAM_* error code if passed back from other routines - * - * if no DEFAULT provided, the empty string is assumed - * if no OVERRIDE provided, the empty string is assumed - * if DEFAULT= and OVERRIDE evaluates to the empty string, - * this variable should be undefined - * if DEFAULT="" and OVERRIDE evaluates to the empty string, - * this variable should be defined with no value - * if OVERRIDE=value and value turns into the empty string, DEFAULT is used - * - * If DEFINE_VAR is to be returned, the correct value to define will - * be pointed to by var->value - */ - - int retval; - - D(("Called.")); - - /* - * First thing to do is to expand any arguments, but only - * if they are not the special quote values (cause expand_arg - * changes memory). 
- */ - - if (var->defval && ("e != var->defval) && - ((retval = _expand_arg(pamh, &(var->defval))) != PAM_SUCCESS)) { - return retval; - } - if (var->override && ("e != var->override) && - ((retval = _expand_arg(pamh, &(var->override))) != PAM_SUCCESS)) { - return retval; - } - - /* Now its easy */ - - if (var->override && *(var->override) && "e != var->override) { - /* if there is a non-empty string in var->override, we use it */ - D(("OVERRIDE variable <%s> being used: <%s>", var->name, var->override)); - var->value = var->override; - retval = DEFINE_VAR; - } else { - - var->value = var->defval; - if ("e == var->defval) { - /* - * This means that the empty string was given for defval value - * which indicates that a variable should be defined with no value - */ - *var->defval = '\0'; - D(("An empty variable: <%s>", var->name)); - retval = DEFINE_VAR; - } else if (var->defval) { - D(("DEFAULT variable <%s> being used: <%s>", var->name, var->defval)); - retval = DEFINE_VAR; - } else { - D(("UNDEFINE variable <%s>", var->name)); - retval = UNDEFINE_VAR; - } - } - - D(("Exit.")); - return retval; -} - -static int _expand_arg(pam_handle_t *pamh, char **value) -{ - const char *orig=*value, *tmpptr=NULL; - char *ptr; /* - * Sure would be nice to use tmpptr but it needs to be - * a constant so that the compiler will shut up when I - * call pam_getenv and _pam_get_item_byname -- sigh - */ - - /* No unexpanded variable can be bigger than BUF_SIZE */ - char type, tmpval[BUF_SIZE]; - - /* I know this shouldn't be hard-coded but it's so much easier this way */ - char tmp[MAX_ENV]; - - D(("Remember to initialize tmp!")); - memset(tmp, 0, MAX_ENV); - - /* - * (possibly non-existent) environment variables can be used as values - * by prepending a "$" and wrapping in {} (ie: ${HOST}), can escape with "\" - * (possibly non-existent) PAM items can be used as values - * by prepending a "@" and wrapping in {} (ie: @{PAM_RHOST}, can escape - * - */ - D(("Expanding <%s>",orig)); - 
while (*orig) { /* while there is some input to deal with */ - if ('\\' == *orig) { - ++orig; - if ('$' != *orig && '@' != *orig) { - D(("Unrecognized escaped character: <%c> - ignoring", *orig)); - pam_syslog(pamh, LOG_ERR, - "Unrecognized escaped character: <%c> - ignoring", - *orig); - } else if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ - } else { - /* is it really a good idea to try to log this? */ - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>", - tmp, tmpptr); - } - continue; - } - if ('$' == *orig || '@' == *orig) { - if ('{' != *(orig+1)) { - D(("Expandable variables must be wrapped in {}" - " <%s> - ignoring", orig)); - pam_syslog(pamh, LOG_ERR, "Expandable variables must be wrapped in {}" - " <%s> - ignoring", orig); - if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ - } - continue; - } else { - D(("Expandable argument: <%s>", orig)); - type = *orig; - orig+=2; /* skip the ${ or @{ characters */ - ptr = strchr(orig, '}'); - if (ptr) { - *ptr++ = '\0'; - } else { - D(("Unterminated expandable variable: <%s>", orig-2)); - pam_syslog(pamh, LOG_ERR, - "Unterminated expandable variable: <%s>", orig-2); - return PAM_ABORT; - } - strncpy(tmpval, orig, sizeof(tmpval)); - tmpval[sizeof(tmpval)-1] = '\0'; - orig=ptr; - /* - * so, we know we need to expand tmpval, it is either - * an environment variable or a PAM_ITEM. 
type will tell us which - */ - switch (type) { - - case '$': - D(("Expanding env var: <%s>",tmpval)); - tmpptr = pam_getenv(pamh, tmpval); - D(("Expanded to <%s>", tmpptr)); - break; - - case '@': - D(("Expanding pam item: <%s>",tmpval)); - tmpptr = _pam_get_item_byname(pamh, tmpval); - D(("Expanded to <%s>", tmpptr)); - break; - - default: - D(("Impossible error, type == <%c>", type)); - pam_syslog(pamh, LOG_CRIT, "Impossible error, type == <%c>", type); - return PAM_ABORT; - } /* switch */ - - if (tmpptr) { - if ((strlen(tmp) + strlen(tmpptr)) < MAX_ENV) { - strcat(tmp, tmpptr); - } else { - /* is it really a good idea to try to log this? */ - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - pam_syslog (pamh, LOG_ERR, - "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - } - } - } /* if ('{' != *orig++) */ - } else { /* if ( '$' == *orig || '@' == *orig) */ - if ((strlen(tmp) + 1) < MAX_ENV) { - tmp[strlen(tmp)] = *orig++; /* Note the increment */ - } else { - /* is it really a good idea to try to log this? 
*/ - D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - pam_syslog(pamh, LOG_ERR, - "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); - } - } - } /* for (;*orig;) */ - - if (strlen(tmp) > strlen(*value)) { - free(*value); - if ((*value = malloc(strlen(tmp) +1)) == NULL) { - D(("Couldn't malloc %d bytes for expanded var", strlen(tmp)+1)); - pam_syslog (pamh, LOG_ERR, "Couldn't malloc %lu bytes for expanded var", - (unsigned long)strlen(tmp)+1); - return PAM_BUF_ERR; - } - } - strcpy(*value, tmp); - memset(tmp,'\0',sizeof(tmp)); - D(("Exit.")); - - return PAM_SUCCESS; -} - -static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) -{ - /* - * This function just allows me to use names as given in the config - * file and translate them into the appropriate PAM_ITEM macro - */ - - int item; - const void *itemval; - - D(("Called.")); - if (strcmp(name, "PAM_USER") == 0) { - item = PAM_USER; - } else if (strcmp(name, "PAM_USER_PROMPT") == 0) { - item = PAM_USER_PROMPT; - } else if (strcmp(name, "PAM_TTY") == 0) { - item = PAM_TTY; - } else if (strcmp(name, "PAM_RUSER") == 0) { - item = PAM_RUSER; - } else if (strcmp(name, "PAM_RHOST") == 0) { - item = PAM_RHOST; - } else { - D(("Unknown PAM_ITEM: <%s>", name)); - pam_syslog (pamh, LOG_ERR, "Unknown PAM_ITEM: <%s>", name); - return NULL; - } - - if (pam_get_item(pamh, item, &itemval) != PAM_SUCCESS) { - D(("pam_get_item failed")); - return NULL; /* let pam_get_item() log the error */ - } - D(("Exit.")); - return itemval; -} - -static int _define_var(pam_handle_t *pamh, VAR *var) -{ - /* We have a variable to define, this is a simple function */ - - char *envvar; - int retval = PAM_SUCCESS; - - D(("Called.")); - if (asprintf(&envvar, "%s=%s", var->name, var->value) < 0) { - pam_syslog(pamh, LOG_ERR, "out of memory"); - return PAM_BUF_ERR; - } - - retval = pam_putenv(pamh, envvar); - _pam_drop(envvar); - D(("Exit.")); - return retval; -} - -static int _undefine_var(pam_handle_t *pamh, VAR 
*var) -{ - /* We have a variable to undefine, this is a simple function */ - - D(("Called and exit.")); - return pam_putenv(pamh, var->name); -} - -static void _clean_var(VAR *var) -{ - if (var->name) { - free(var->name); - } - if (var->defval && ("e != var->defval)) { - free(var->defval); - } - if (var->override && ("e != var->override)) { - free(var->override); - } - var->name = NULL; - var->value = NULL; /* never has memory specific to it */ - var->defval = NULL; - var->override = NULL; - return; -} - - - -/* --- authentication management functions (only) --- */ - -PAM_EXTERN int -pam_sm_authenticate (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) -{ - return PAM_IGNORE; -} - -PAM_EXTERN int -pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - int retval, ctrl, readenv=DEFAULT_READ_ENVFILE; - const char *conf_file = NULL, *env_file = NULL; - - /* - * this module sets environment variables read in from a file - */ - - D(("Called.")); - ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv); - - retval = _parse_config_file(pamh, ctrl, conf_file); - - if(readenv && retval == PAM_SUCCESS) { - retval = _parse_env_file(pamh, ctrl, env_file); - if (retval == PAM_IGNORE) - retval = PAM_SUCCESS; - } - - /* indicate success or failure */ - - D(("Exit.")); - return retval; -} - -PAM_EXTERN int -pam_sm_acct_mgmt (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) -{ - pam_syslog (pamh, LOG_NOTICE, "pam_sm_acct_mgmt called inappropriately"); - return PAM_SERVICE_ERR; -} - -PAM_EXTERN int -pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - int retval, ctrl, readenv=DEFAULT_READ_ENVFILE; - const char *conf_file = NULL, *env_file = NULL; - - /* - * this module sets environment variables read in from a file - */ - - D(("Called.")); - ctrl = _pam_parse(pamh, argc, argv, &conf_file, &env_file, &readenv); - 
- retval = _parse_config_file(pamh, ctrl, conf_file); - - if(readenv && retval == PAM_SUCCESS) { - retval = _parse_env_file(pamh, ctrl, env_file); - if (retval == PAM_IGNORE) - retval = PAM_SUCCESS; - } - - /* indicate success or failure */ - - D(("Exit.")); - return retval; -} - -PAM_EXTERN int -pam_sm_close_session (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) -{ - D(("Called and Exit")); - return PAM_SUCCESS; -} - -PAM_EXTERN int -pam_sm_chauthtok (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) -{ - pam_syslog (pamh, LOG_NOTICE, "pam_sm_chauthtok called inappropriately"); - return PAM_SERVICE_ERR; -} - -#ifdef PAM_STATIC - -/* static module data */ - -struct pam_module _pam_env_modstruct = { - "pam_env", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok, -}; - -#endif - -/* end of module definition */ diff --git a/modules/pam_env/pam_env.conf b/modules/pam_env/pam_env.conf deleted file mode 100644 index d0ba35c2..00000000 --- a/modules/pam_env/pam_env.conf +++ /dev/null 
@@ -1,73 +0,0 @@
-#
-# This is the configuration file for pam_env, a PAM module to load in
-# a configurable list of environment variables for a
-#
-# The original idea for this came from Andrew G. Morgan ...
-#<quote>
-# Mmm. Perhaps you might like to write a pam_env module that reads a
-# default environment from a file? I can see that as REALLY
-# useful... Note it would be an "auth" module that returns PAM_IGNORE
-# for the auth part and sets the environment returning PAM_SUCCESS in
-# the setcred function...
-#</quote>
-#
-# What I wanted was the REMOTEHOST variable set, purely for selfish
-# reasons, and AGM didn't want it added to the SimpleApps login
-# program (which is where I added the patch). So, my first concern is
-# that variable, from there there are numerous others that might/would
-# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
-#
-# Of course, these are a different kind of variable than REMOTEHOST in
-# that they are things that are likely to be configured by
-# administrators rather than set by logging in, how to treat them both
-# in the same config file?
-#
-# Here is my idea:
-#
-# Each line starts with the variable name, there are then two possible
-# options for each variable DEFAULT and OVERRIDE.
-# DEFAULT allows and administrator to set the value of the
-# variable to some default value, if none is supplied then the empty
-# string is assumed. The OVERRIDE option tells pam_env that it should
-# enter in its value (overriding the default value) if there is one
-# to use. OVERRIDE is not used, "" is assumed and no override will be
-# done.
-#
-# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
-#
-# (Possibly non-existent) environment variables may be used in values
-# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
-# be used in values using the @{string} syntax. Both the $ and @
-# characters can be backslash escaped to be used as literal values
-# values can be delimited with "", escaped " not supported.
-# Note that many environment variables that you would like to use
-# may not be set by the time the module is called.
-# For example, HOME is used below several times, but
-# many PAM applications don't make it available by the time you need it.
-#
-#
-# First, some special variables
-#
-# Set the REMOTEHOST variable for any hosts that are remote, default
-# to "localhost" rather than not being set at all
-#REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
-#
-# Set the DISPLAY variable if it seems reasonable
-#DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
-#
-#
-# Now some simple variables
-#
-#PAGER DEFAULT=less
-#MANPAGER DEFAULT=less
-#LESS DEFAULT="M q e h15 z23 b80"
-#NNTPSERVER DEFAULT=localhost
-#PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
-#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
-#
-# silly examples of escaped variables, just to show how they work.
-#
-#DOLLAR DEFAULT=\$
-#DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
-#DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
-#ATSIGN DEFAULT="" OVERRIDE=\@
diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
deleted file mode 100644
index 090e0e75..00000000
--- a/modules/pam_env/pam_env.conf.5.xml
+++ /dev/null
@@ -1,123 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_env.conf">
-
- <refmeta>
- <refentrytitle>pam_env.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv>
- <refname>pam_env.conf</refname>
- <refpurpose>the environment variables config file</refpurpose>
- </refnamediv>
-
-
- <refsect1 id='pam_env.conf-description'>
- <title>DESCRIPTION</title>
-
- <para>
- The <filename>/etc/security/pam_env.conf</filename> file specifies
- the environment variables to be set, unset or modified by
- <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
- When someone logs in, this file is read and the environment
- variables are set according.
- </para>
- <para>
- Each line starts with the variable name, there are then two possible
- options for each variable DEFAULT and OVERRIDE. DEFAULT allows and
- administrator to set the value of the variable to some default
- value, if none is supplied then the empty string is assumed. The
- OVERRIDE option tells pam_env that it should enter in its value
- (overriding the default value) if there is one to use. OVERRIDE is
- not used, "" is assumed and no override will be done.
- </para>
- <para>
- <replaceable>VARIABLE</replaceable>
- [<replaceable>DEFAULT=[value]</replaceable>]
- [<replaceable>OVERRIDE=[value]</replaceable>]
- </para>
-
- <para>
- (Possibly non-existent) environment variables may be used in values
- using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
- be used in values using the @{string} syntax. Both the $ and @
- characters can be backslash escaped to be used as literal values
- values can be delimited with "", escaped " not supported.
- Note that many environment variables that you would like to use
- may not be set by the time the module is called.
- For example, HOME is used below several times, but
- many PAM applications don't make it available by the time you need it.
- </para>
-
- <para>
- The "<emphasis>#</emphasis>" character at start of line (no space
- at front) can be used to mark this line as a comment line.
- </para>
-
- </refsect1>
-
- <refsect1 id="pam_env.conf-examples">
- <title>EXAMPLES</title>
- <para>
- These are some example lines which might be specified in
- <filename>/etc/security/pam_env.conf</filename>.
- </para>
-
- <para>
- Set the REMOTEHOST variable for any hosts that are remote, default
- to "localhost" rather than not being set at all
- </para>
- <programlisting>
- REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
- </programlisting>
-
- <para>
- Set the DISPLAY variable if it seems reasonable
- </para>
- <programlisting>
- DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
- </programlisting>
-
- <para>
- Now some simple variables
- </para>
- <programlisting>
- PAGER DEFAULT=less
- MANPAGER DEFAULT=less
- LESS DEFAULT="M q e h15 z23 b80"
- NNTPSERVER DEFAULT=localhost
- PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
- :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
- </programlisting>
-
- <para>
- Silly examples of escaped variables, just to show how they work.
- </para>
- <programlisting>
- DOLLAR DEFAULT=\$
- DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
- DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
- ATSIGN DEFAULT="" OVERRIDE=\@
- </programlisting>
- </refsect1>
-
- <refsect1 id="pam_env.conf-see_also">
- <title>SEE ALSO</title>
- <para>
- <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id="pam_env.conf-author">
- <title>AUTHOR</title>
- <para>
- pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>.
- </para>
- </refsect1>
-</refentry>
diff --git a/modules/pam_env/tst-pam_env b/modules/pam_env/tst-pam_env
deleted file mode 100755
index c40e70a8..00000000
--- a/modules/pam_env/tst-pam_env
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_env.so |