diff options
Diffstat (limited to 'modules/pam_exec')
| -rw-r--r-- | modules/pam_exec/.cvsignore | 6 | ||||
| -rw-r--r-- | modules/pam_exec/Makefile.am | 34 | ||||
| -rw-r--r-- | modules/pam_exec/README | 42 | ||||
| -rw-r--r-- | modules/pam_exec/README.xml | 41 | ||||
| -rw-r--r-- | modules/pam_exec/pam_exec.8 | 88 | ||||
| -rw-r--r-- | modules/pam_exec/pam_exec.8.xml | 189 | ||||
| -rw-r--r-- | modules/pam_exec/pam_exec.c | 285 | ||||
| -rwxr-xr-x | modules/pam_exec/tst-pam_exec | 2 |
8 files changed, 0 insertions, 687 deletions
diff --git a/modules/pam_exec/.cvsignore b/modules/pam_exec/.cvsignore deleted file mode 100644 index 9fb98574..00000000 --- a/modules/pam_exec/.cvsignore +++ /dev/null @@ -1,6 +0,0 @@ -*.la -*.lo -.deps -.libs -Makefile -Makefile.in diff --git a/modules/pam_exec/Makefile.am b/modules/pam_exec/Makefile.am deleted file mode 100644 index 4fc28b28..00000000 --- a/modules/pam_exec/Makefile.am +++ /dev/null @@ -1,34 +0,0 @@ -# -# Copyright (c) 2006 Thorsten Kukuk <kukuk@suse.de> -# - -CLEANFILES = *~ - -EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_exec - -man_MANS = pam_exec.8 - -XMLS = README.xml pam_exec.8.xml - -securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) - -AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -AM_LDFLAGS = -no-undefined -avoid-version -module \ - -L$(top_builddir)/libpam -lpam -if HAVE_VERSIONING - AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -endif - -securelib_LTLIBRARIES = pam_exec.la - -if ENABLE_REGENERATE_MAN - -noinst_DATA = README - -README: pam_exec.8.xml - --include $(top_srcdir)/Make.xml.rules -endif - -TESTS = tst-pam_exec diff --git a/modules/pam_exec/README b/modules/pam_exec/README deleted file mode 100644 index 8ff9a742..00000000 --- a/modules/pam_exec/README +++ /dev/null @@ -1,42 +0,0 @@ -pam_exec — PAM module which calls an external command - -━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ - -DESCRIPTION - -pam_exec is a PAM module that can be used to run an external command. - -OPTIONS - -debug - - Print debug information. - -log=file - - The output of the command is appended to file - -seteuid - - Per default pam_exec.so will execute the external command with the real - user ID of the calling process. Specifying this option means the command is - run with the effective user ID. - -EXAMPLES - -Add the following line to /etc/pam.d/passwd to rebuild the NIS database after -each local password change: - - passwd optional pam_exec.so seteuid make -C /var/yp - - -This will execute the command - -make -C /var/yp - -with effective user ID. - -AUTHOR - -pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de>. - diff --git a/modules/pam_exec/README.xml b/modules/pam_exec/README.xml deleted file mode 100644 index 5e76cab3..00000000 --- a/modules/pam_exec/README.xml +++ /dev/null @@ -1,41 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_exec.8.xml"> ---> -]> - -<article> - - <articleinfo> - - <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_exec-name"]/*)'/> - </title> - - </articleinfo> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-description"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-options"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-examples"]/*)'/> - </section> - - <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-author"]/*)'/> - </section> - -</article> diff --git a/modules/pam_exec/pam_exec.8 b/modules/pam_exec/pam_exec.8 deleted file mode 100644 index ae8f8a46..00000000 --- a/modules/pam_exec/pam_exec.8 +++ /dev/null @@ -1,88 +0,0 @@ -.\" Title: pam_exec -.\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> -.\" Date: 06/09/2006 -.\" Manual: Linux\-PAM Manual -.\" Source: Linux\-PAM Manual -.\" -.TH "PAM_EXEC" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" -.\" disable hyphenation -.nh -.\" disable justification (adjust text to left margin only) -.ad l -.SH "NAME" -pam_exec \- PAM module which calls an external command -.SH "SYNOPSIS" -.HP 12 -\fBpam_exec.so\fR [debug] [seteuid] [log=\fIfile\fR] \fIcommand\fR [\fI...\fR] -.SH "DESCRIPTION" -.PP -pam_exec is a PAM module that can be used to run an external command. -.SH "OPTIONS" -.PP -.TP 3n -\fBdebug\fR -Print debug information. -.TP 3n -\fBlog=\fR\fB\fIfile\fR\fR -The output of the command is appended to -\fIfile\fR -.TP 3n -\fBseteuid\fR -Per default pam_exec.so will execute the external command with the real user ID of the calling process. Specifying this option means the command is run with the effective user ID. -.SH "MODULE SERVICES PROVIDED" -.PP -The services -\fBauth\fR, -\fBaccount\fR, -\fBpassword\fR -and -\fBsession\fR -are supported. -.SH "RETURN VALUES" -.PP -.TP 3n -PAM_SUCCESS -The external command runs successfull. -.TP 3n -PAM_SERVICE_ERR -No argument or a wrong number of arguments were given. -.TP 3n -PAM_SYSTEM_ERR -A system error occured or the command to execute failed. -.TP 3n -PAM_IGNORE - -\fBpam_setcred\fR -was called, which does not execute the command. -.SH "EXAMPLES" -.PP -Add the following line to -\fI/etc/pam.d/passwd\fR -to rebuild the NIS database after each local password change: -.sp -.RS 3n -.nf - passwd optional pam_exec.so seteuid make \-C /var/yp - -.fi -.RE -.sp -This will execute the command -.sp -.RS 3n -.nf -make \-C /var/yp -.fi -.RE -.sp -with effective user ID. -.SH "SEE ALSO" -.PP - -\fBpam.conf\fR(5), -\fBpam.d\fR(8), -\fBpam\fR(8) -.SH "AUTHOR" -.PP -pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de>. diff --git a/modules/pam_exec/pam_exec.8.xml b/modules/pam_exec/pam_exec.8.xml deleted file mode 100644 index 1e8bb0ba..00000000 --- a/modules/pam_exec/pam_exec.8.xml +++ /dev/null @@ -1,189 +0,0 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_exec"> - - <refmeta> - <refentrytitle>pam_exec</refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_exec-name"> - <refname>pam_exec</refname> - <refpurpose>PAM module which calls an external command</refpurpose> - </refnamediv> - - <refsynopsisdiv> - <cmdsynopsis id="pam_exec-cmdsynopsis"> - <command>pam_exec.so</command> - <arg choice="opt"> - debug - </arg> - <arg choice="opt"> - seteuid - </arg> - <arg choice="opt"> - log=<replaceable>file</replaceable> - </arg> - <arg choice="plain"> - <replaceable>command</replaceable> - </arg> - <arg choice="opt"> - <replaceable>...</replaceable> - </arg> - </cmdsynopsis> - </refsynopsisdiv> - - <refsect1 id="pam_exec-description"> - - <title>DESCRIPTION</title> - - <para> - pam_exec is a PAM module that can be used to run - an external command. - </para> - - </refsect1> - - <refsect1 id="pam_exec-options"> - - <title>OPTIONS</title> - <para> - <variablelist> - - <varlistentry> - <term> - <option>debug</option> - </term> - <listitem> - <para> - Print debug information. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>log=<replaceable>file</replaceable></option> - </term> - <listitem> - <para> - The output of the command is appended to - <filename>file</filename> - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term> - <option>seteuid</option> - </term> - <listitem> - <para> - Per default pam_exec.so will execute the external command - with the real user ID of the calling process. - Specifying this option means the command is run - with the effective user ID. - </para> - </listitem> - </varlistentry> - - </variablelist> - - </para> - </refsect1> - - <refsect1 id="pam_exec-services"> - <title>MODULE SERVICES PROVIDED</title> - <para> - The services <option>auth</option>, <option>account</option>, - <option>password</option> and <option>session</option> are supported. - </para> - </refsect1> - - <refsect1 id='pam_exec-return_values'> - <title>RETURN VALUES</title> - <para> - <variablelist> - - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The external command runs successfull. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_SERVICE_ERR</term> - <listitem> - <para> - No argument or a wrong number of arguments were given. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - A system error occured or the command to execute failed. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_IGNORE</term> - <listitem> - <para> - <function>pam_setcred</function> was called, which - does not execute the command. - </para> - </listitem> - </varlistentry> - - </variablelist> - </para> - </refsect1> - - <refsect1 id='pam_exec-examples'> - <title>EXAMPLES</title> - <para> - Add the following line to <filename>/etc/pam.d/passwd</filename> to - rebuild the NIS database after each local password change: - <programlisting> - passwd optional pam_exec.so seteuid make -C /var/yp - </programlisting> - - This will execute the command - <programlisting>make -C /var/yp</programlisting> - with effective user ID. - </para> - </refsect1> - - <refsect1 id='pam_exec-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_exec-author'> - <title>AUTHOR</title> - <para> - pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de>. - </para> - </refsect1> - -</refentry> diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c deleted file mode 100644 index 34ba7404..00000000 --- a/modules/pam_exec/pam_exec.c +++ /dev/null @@ -1,285 +0,0 @@ -/* - * Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#if defined(HAVE_CONFIG_H) -#include "config.h" -#endif - -#include <time.h> -#include <errno.h> -#include <fcntl.h> -#include <stdio.h> -#include <string.h> -#include <syslog.h> -#include <unistd.h> -#include <stdlib.h> -#include <sys/wait.h> -#include <sys/stat.h> -#include <sys/types.h> - - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - -#include <security/pam_modules.h> -#include <security/pam_modutil.h> -#include <security/pam_ext.h> - -static int -call_exec (pam_handle_t *pamh, int argc, const char **argv) -{ - int debug = 0; - int call_setuid = 0; - int optargc; - const char *logfile = NULL; - pid_t pid; - - if (argc < 1) { - pam_syslog (pamh, LOG_ERR, - "This module needs at least one argument"); - return PAM_SERVICE_ERR; - } - - for (optargc = 0; optargc < argc; optargc++) - { - if (argv[optargc][0] == '/') /* paths starts with / */ - break; - - if (strcasecmp (argv[optargc], "debug") == 0) - debug = 1; - else if (strncasecmp (argv[optargc], "log=", 4) == 0) - logfile = &argv[optargc][4]; - else if (strcasecmp (argv[optargc], "seteuid") == 0) - call_setuid = 1; - else - break; /* Unknown option, assume program to execute. */ - } - - - if (optargc >= argc) { - pam_syslog (pamh, LOG_ERR, "No path given as argument"); - return PAM_SERVICE_ERR; - } - - pid = fork(); - if (pid == -1) - return PAM_SYSTEM_ERR; - if (pid > 0) /* parent */ - { - int status = 0; - pid_t retval; - while ((retval = waitpid (pid, &status, 0)) == -1 && - errno == EINTR); - if (retval == (pid_t)-1) - { - pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m"); - return PAM_SYSTEM_ERR; - } - else if (status != 0) - { - if (WIFEXITED(status)) - { - pam_syslog (pamh, LOG_ERR, "%s failed: exit code %d", - argv[optargc], WEXITSTATUS(status)); - pam_error (pamh, _("%s failed: exit code %d"), - argv[optargc], WEXITSTATUS(status)); - } - else if (WIFSIGNALED(status)) - { - pam_syslog (pamh, LOG_ERR, "%s failed: caught signal %d%s", - argv[optargc], WTERMSIG(status), - WCOREDUMP(status) ? " (core dumped)" : ""); - pam_error (pamh, _("%s failed: caught signal %d%s"), - argv[optargc], WTERMSIG(status), - WCOREDUMP(status) ? " (core dumped)" : ""); - } - else - { - pam_syslog (pamh, LOG_ERR, "%s failed: unknown status 0x%x", - argv[optargc], status); - pam_error (pamh, _("%s failed: unknown status 0x%x"), - argv[optargc], status); - } - return PAM_SYSTEM_ERR; - } - return PAM_SUCCESS; - } - else /* child */ - { - char **arggv; - int i; - - for (i = 0; i < sysconf (_SC_OPEN_MAX); i++) - close (i); - - /* New stdin. */ - if ((i = open ("/dev/null", O_RDWR)) < 0) - { - int err = errno; - pam_syslog (pamh, LOG_ERR, "open of /dev/null failed: %m"); - exit (err); - } - /* New stdout and stderr. */ - if (logfile) - { - time_t tm = time (NULL); - char *buffer = NULL; - - if ((i = open (logfile, O_CREAT|O_APPEND|O_WRONLY, - S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) - { - int err = errno; - pam_syslog (pamh, LOG_ERR, "open of %s failed: %m", - logfile); - exit (err); - } - if (asprintf (&buffer, "*** %s", ctime (&tm)) > 0) - { - pam_modutil_write (i, buffer, strlen (buffer)); - free (buffer); - } - } - else - if (dup (i) == -1) - { - int err = errno; - pam_syslog (pamh, LOG_ERR, "dup failed: %m"); - exit (err); - } - if (dup (i) == -1) - { - int err = errno; - pam_syslog (pamh, LOG_ERR, "dup failed: %m"); - exit (err); - } - - if (call_setuid) - if (setuid (geteuid ()) == -1) - { - int err = errno; - pam_syslog (pamh, LOG_ERR, "setuid(%lu) failed: %m", - (unsigned long) geteuid ()); - exit (err); - } - - if (setsid () == -1) - { - int err = errno; - pam_syslog (pamh, LOG_ERR, "setsid failed: %m"); - exit (err); - } - - arggv = calloc (argc + 4, sizeof (char *)); - if (arggv == NULL) - exit (ENOMEM); - - for (i = 0; i < (argc - optargc); i++) - arggv[i] = argv[i+optargc]; - arggv[i] = NULL; - - if (debug) - pam_syslog (pamh, LOG_DEBUG, "Calling %s ...", arggv[0]); - - if (execv (arggv[0], arggv) == -1) - { - int err = errno; - pam_syslog (pamh, LOG_ERR, "execv(%s,...) failed: %m", - arggv[0]); - exit (err); - } - exit (1); /* should never be reached. */ - } - return PAM_SYSTEM_ERR; -} - -PAM_EXTERN int -pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - return call_exec (pamh, argc, argv); -} - -PAM_EXTERN int -pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) -{ - return PAM_IGNORE; -} - -/* password updating functions */ - -PAM_EXTERN int -pam_sm_chauthtok(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - if (flags & PAM_PRELIM_CHECK) - return PAM_SUCCESS; - return call_exec (pamh, argc, argv); -} - -PAM_EXTERN int -pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - return call_exec (pamh, argc, argv); -} - -PAM_EXTERN int -pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - return call_exec (pamh, argc, argv); -} - -PAM_EXTERN int -pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -{ - return call_exec (pamh, argc, argv); -} - -#ifdef PAM_STATIC -struct pam_module _pam_exec_modstruct = { - "pam_exec", - pam_sm_authenticate, - pam_sm_setcred, - pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - pam_sm_chauthtok, -}; -#endif diff --git a/modules/pam_exec/tst-pam_exec b/modules/pam_exec/tst-pam_exec deleted file mode 100755 index a0b00393..00000000 --- a/modules/pam_exec/tst-pam_exec +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -../../tests/tst-dlopen .libs/pam_exec.so |