Diffstat (limited to 'modules/pam_keyinit')
-rw-r--r-- | modules/pam_keyinit/.cvsignore | 6 | ||||
-rw-r--r-- | modules/pam_keyinit/Makefile.am | 33 | ||||
-rw-r--r-- | modules/pam_keyinit/README | 24 | ||||
-rw-r--r-- | modules/pam_keyinit/README.xml | 41 | ||||
-rw-r--r-- | modules/pam_keyinit/pam_keyinit.8 | 133 | ||||
-rw-r--r-- | modules/pam_keyinit/pam_keyinit.8.xml | 241 | ||||
-rw-r--r-- | modules/pam_keyinit/pam_keyinit.c | 269 | ||||
-rwxr-xr-x | modules/pam_keyinit/tst-pam_keyinit | 2 |
8 files changed, 0 insertions, 749 deletions
diff --git a/modules/pam_keyinit/.cvsignore b/modules/pam_keyinit/.cvsignore
deleted file mode 100644
index 9fb98574..00000000
--- a/modules/pam_keyinit/.cvsignore
+++ /dev/null
@@ -1,6 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
diff --git a/modules/pam_keyinit/Makefile.am b/modules/pam_keyinit/Makefile.am
deleted file mode 100644
index 49e34d75..00000000
--- a/modules/pam_keyinit/Makefile.am
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Copyright (c) 2006 David Howells <dhowells@redhat.com>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = README $(XMLS) pam_keyinit.8 tst-pam_keyinit
-XMLS = README.xml pam_keyinit.8.xml
-
-if HAVE_KEY_MANAGEMENT
- man_MANS = pam_keyinit.8
- TESTS = tst-pam_keyinit
-endif
-
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_keyinit.8.xml
--include $(top_srcdir)/Make.xml.rules
-endif
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
-AM_LDFLAGS = -no-undefined -avoid-version -module \ -L$(top_builddir)/libpam -lpam
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-if HAVE_KEY_MANAGEMENT
- securelib_LTLIBRARIES = pam_keyinit.la
-endif
diff --git a/modules/pam_keyinit/README b/modules/pam_keyinit/README
deleted file mode 100644
index a27077b3..00000000
--- a/modules/pam_keyinit/README
+++ /dev/null
@@ -1,24 +0,0 @@
-# $Id$ -*- text -*-
-#
-
-This module makes sure the calling process has its own session keyring rather
-than using the default per-user session keyring.
-
-The following words may be supplied as arguments to the module through the PAM
-configuration scripts:
-
- (*) "force"
-
- This will cause the process's current session keyring to be replaced with
- a new one. If this isn't supplied, a session keyring will only be created
- if the process doesn't already have its own.
-
- (*) "revoke"
-
- If the module actually created a keyring, this will cause that keyring to
- be revoked on session closure.
-
- (*) "debug"
-
- This will cause the module to write some debugging information to the
- syslog.
diff --git a/modules/pam_keyinit/README.xml b/modules/pam_keyinit/README.xml
deleted file mode 100644
index 47659e89..00000000
--- a/modules/pam_keyinit/README.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
-"http://www.docbook.org/xml/4.3/docbookx.dtd"
-[
-<!--
-<!ENTITY pamaccess SYSTEM "pam_keyinit.8.xml">
--->
-]>
-
-<article>
-
- <articleinfo>
-
- <title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_keyinit-name"]/*)'/>
- </title>
-
- </articleinfo>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/>
- </section>
-
- <section>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
- href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/>
- </section>
-
-</article>
diff --git a/modules/pam_keyinit/pam_keyinit.8 b/modules/pam_keyinit/pam_keyinit.8
deleted file mode 100644
index 40b1e125..00000000
--- a/modules/pam_keyinit/pam_keyinit.8
+++ /dev/null
@@ -1,133 +0,0 @@
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "PAM_KEYINIT" 8 "" "" ""
-.SH NAME
-pam_keyinit \- Kernel session keyring initialiser module
-.SH "SYNOPSIS"
-.ad l
-.hy 0
-.HP 15
-\fBpam_keyinit\&.so\fR [debug] [force] [revoke]
-.ad
-.hy
-
-.SH "DESCRIPTION"
-
-.PP
-The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&.
-
-.PP
-The session component of the module checks to see if the process's session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&.
-
-.PP
-If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&.
-
-.PP
-The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&.
-
-.PP
-This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&.
-
-.PP
-This module should not, generally, be invoked by programs like \fIsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&.
-
-.PP
-This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&.
-
-.PP
-The keyutils package is used to manipulate keys more directly\&.
This included in the Fedora Extras 5+ and Red Hat Enterprise Linux 4 U2+ and can also be obtained from:
-
-.PP
- Keyutils : \fIhttp://people.redhat.com/~dhowells/keyutils/\fR
-
-.SH "OPTIONS"
-
-.TP
-\fBdebug\fR
-Log debug information with \fBsyslog\fR(3)\&.
-
-.TP
-\fBforce\fR
-Causes the session keyring of the invoking process to be replaced unconditionally\&.
-
-.TP
-\fBrevoke\fR
-Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&.
-
-.SH "MODULE SERVICES PROVIDED"
-
-.PP
-Only the \fIsession\fR service is supported\&.
-
-.SH "RETURN VALUES"
-
-.TP
-PAM_SUCCESS
-This module will usually return this value
-
-.TP
-PAM_AUTH_ERR
-Authentication failure\&.
-
-.TP
-PAM_BUF_ERR
-Memory buffer error\&.
-
-.TP
-PAM_IGNORE
-The return value should be ignored by PAM dispatch\&.
-
-.TP
-PAM_SERVICE_ERR
-Cannot determine the user name\&.
-
-.TP
-PAM_SESSION_ERR
-This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&.
-
-.TP
-PAM_USER_UNKNOWN
-User not known\&.
-
-.SH "EXAMPLES"
-
-.PP
-Add this line to your login entries to start each login session with its own session keyring:
-
-.nf
-
-session required pam_keyinit\&.so
-
-.fi
-
-
-.PP
-This will prevent keys from one session leaking into another session for the same user\&.
-
-.SH "SEE ALSO"
-
-.PP
- \fBpam\&.conf\fR(5), \fBpam\&.d\fR(8), \fBpam\fR(8) \fBkeyctl\fR(1)
-
-.SH "AUTHOR"
-
-.PP
-pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&.
-
diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml
deleted file mode 100644
index c7dddf54..00000000
--- a/modules/pam_keyinit/pam_keyinit.8.xml
+++ /dev/null
@@ -1,241 +0,0 @@
-<?xml version="1.0" encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
-
-<refentry id="pam_keyinit">
-
- <refmeta>
- <refentrytitle>pam_keyinit</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
-
- <refnamediv id="pam_keyinit-name">
- <refname>pam_keyinit</refname>
- <refpurpose>Kernel session keyring initialiser module</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis id="pam_keyinit-cmdsynopsis">
- <command>pam_keyinit.so</command>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- force
- </arg>
- <arg choice="opt">
- revoke
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1 id="pam_keyinit-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_keyinit PAM module ensures that the invoking process has a
- session keyring other than the user default session keyring.
- </para>
- <para>
- The session component of the module checks to see if the process's
- session keyring is the user default, and, if it is, creates a new
- anonymous session keyring with which to replace it.
- </para>
- <para>
- If a new session keyring is created, it will install a link to the user
- common keyring in the session keyring so that keys common to the user
- will be automatically accessible through it.
- </para>
- <para>
- The session keyring of the invoking process will thenceforth be inherited
- by all its children unless they override it.
- </para>
- <para>
- This module is intended primarily for use by login processes. Be aware
- that after the session keyring has been replaced, the old session keyring
- and the keys it contains will no longer be accessible.
- </para>
- <para>
- This module should not, generally, be invoked by programs like
- <emphasis remap='B'>su</emphasis>, since it is usually desirable for the
- key set to percolate through to the alternate context. The keys have
- their own permissions system to manage this.
- </para>
- <para>
- This module should be included as early as possible in a PAM
- configuration, so that other PAM modules can attach tokens to the
- keyring.
- </para>
- <para>
- The keyutils package is used to manipulate keys more directly. This
- can be obtained from:
- </para>
- <para>
- <ulink url="http://people.redhat.com/~dhowells/keyutils/">
- Keyutils
- </ulink>
- </para>
- </refsect1>
-
- <refsect1 id="pam_keyinit-options">
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Log debug information with <citerefentry>
- <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>force</option>
- </term>
- <listitem>
- <para>
- Causes the session keyring of the invoking process to be replaced
- unconditionally.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>revoke</option>
- </term>
- <listitem>
- <para>
- Causes the session keyring of the invoking process to be revoked
- when the invoking process exits if the session keyring was created
- for this process in the first place.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id="pam_keyinit-services">
- <title>MODULE SERVICES PROVIDED</title>
- <para>
- Only the <emphasis remap='B'>session</emphasis> service is supported.
- </para>
- </refsect1>
-
- <refsect1 id='pam_keyinit-return_values'>
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- This module will usually return this value
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_AUTH_ERR</term>
- <listitem>
- <para>
- Authentication failure.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_IGNORE</term>
- <listitem>
- <para>
- The return value should be ignored by PAM dispatch.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- Cannot determine the user name.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_SESSION_ERR</term>
- <listitem>
- <para>
- This module will return this value if its arguments are invalid or
- if a system error such as ENOMEM occurs.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- User not known.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1 id='pam_keyinit-examples'>
- <title>EXAMPLES</title>
- <para>
- Add this line to your login entries to start each login session with its
- own session keyring:
- <programlisting>
-session required pam_keyinit.so
- </programlisting>
- </para>
- <para>
- This will prevent keys from one session leaking into another session for
- the same user.
- </para>
- </refsect1>
-
- <refsect1 id='pam_keyinit-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- <citerefentry>
- <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
-
- <refsect1 id='pam_keyinit-author'>
- <title>AUTHOR</title>
- <para>
- pam_keyinit was written by David Howells, <dhowells@redhat.com>.
- </para>
- </refsect1>
-
-</refentry>
diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c
deleted file mode 100644
index 378a7723..00000000
--- a/modules/pam_keyinit/pam_keyinit.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/* pam_keyinit.c: Initialise the session keyring on login through a PAM module
- *
- * Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
- * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version
- * 2 of the License, or (at your option) any later version.
- */
-
-#include "config.h"
-#include <stdarg.h>
-#include <string.h>
-#include <syslog.h>
-#include <pwd.h>
-#include <unistd.h>
-#include <errno.h>
-#include <security/pam_modules.h>
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-#include <sys/syscall.h>
-
-#define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */
-#define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */
-#define KEY_SPEC_USER_SESSION_KEYRING -5 /* - key ID for UID-session keyring */
-
-#define KEYCTL_GET_KEYRING_ID 0 /* ask for a keyring's ID */
-#define KEYCTL_JOIN_SESSION_KEYRING 1 /* start named session keyring */
-#define KEYCTL_REVOKE 3 /* revoke a key */
-#define KEYCTL_LINK 8 /* link a key into a keyring */
-
-static int my_session_keyring;
-static int session_counter;
-static int do_revoke;
-static int revoke_as_uid;
-static int revoke_as_gid;
-static int xdebug = 0;
-
-static void debug(pam_handle_t *pamh, const char *fmt, ...)
- __attribute__((format(printf, 2, 3)));
-
-static void debug(pam_handle_t *pamh, const char *fmt, ...)
-{
- va_list va;
-
- if (xdebug) {
- va_start(va, fmt);
- pam_vsyslog(pamh, LOG_DEBUG, fmt, va);
- va_end(va);
- }
-}
-
-static int error(pam_handle_t *pamh, const char *fmt, ...)
- __attribute__((format(printf, 2, 3)));
-
-static int error(pam_handle_t *pamh, const char *fmt, ...)
-{
- va_list va;
-
- va_start(va, fmt);
- pam_vsyslog(pamh, LOG_ERR, fmt, va);
- va_end(va);
-
- return PAM_SESSION_ERR;
-}
-
-/*
- * initialise the session keyring for this process
- */
-static int init_keyrings(pam_handle_t *pamh, int force)
-{
- int session, usession, ret;
-
- if (!force) {
- /* get the IDs of the session keyring and the user session
- * keyring */
- session = syscall(__NR_keyctl,
- KEYCTL_GET_KEYRING_ID,
- KEY_SPEC_SESSION_KEYRING,
- 0);
- debug(pamh, "GET SESSION = %d", session);
- if (session < 0) {
- /* don't worry about keyrings if facility not
- * installed */
- if (errno == ENOSYS)
- return PAM_SUCCESS;
- return PAM_SESSION_ERR;
- }
-
- usession = syscall(__NR_keyctl,
- KEYCTL_GET_KEYRING_ID,
- KEY_SPEC_USER_SESSION_KEYRING,
- 0);
- debug(pamh, "GET SESSION = %d", usession);
- if (usession < 0)
- return PAM_SESSION_ERR;
-
- /* if the user session keyring is our keyring, then we don't
- * need to do anything if we're not forcing */
- if (session != usession)
- return PAM_SUCCESS;
- }
-
- /* create a session keyring, discarding the old one */
- ret = syscall(__NR_keyctl,
- KEYCTL_JOIN_SESSION_KEYRING,
- NULL);
- debug(pamh, "JOIN = %d", ret);
- if (ret < 0)
- return PAM_SESSION_ERR;
-
- my_session_keyring = ret;
-
- /* make a link from the session keyring to the user keyring */
- ret = syscall(__NR_keyctl,
- KEYCTL_LINK,
- KEY_SPEC_USER_KEYRING,
- KEY_SPEC_SESSION_KEYRING);
-
- return ret < 0 ?
PAM_SESSION_ERR : PAM_SUCCESS;
-}
-
-/*
- * revoke the session keyring for this process
- */
-static void kill_keyrings(pam_handle_t *pamh)
-{
- int old_uid, old_gid;
-
- /* revoke the session keyring we created earlier */
- if (my_session_keyring > 0) {
- debug(pamh, "REVOKE %d", my_session_keyring);
-
- old_uid = geteuid();
- old_gid = getegid();
- debug(pamh, "UID:%d [%d] GID:%d [%d]",
- revoke_as_uid, old_uid, revoke_as_gid, old_gid);
-
- /* switch to the real UID and GID so that we have permission to
- * revoke the key */
- if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
- error(pamh, "Unable to change GID to %d temporarily\n",
- revoke_as_gid);
-
- if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
- error(pamh, "Unable to change UID to %d temporarily\n",
- revoke_as_uid);
-
- syscall(__NR_keyctl,
- KEYCTL_REVOKE,
- my_session_keyring);
-
- /* return to the orignal UID and GID (probably root) */
- if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
- error(pamh, "Unable to change UID back to %d\n", old_uid);
-
- if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
- error(pamh, "Unable to change GID back to %d\n", old_gid);
-
- my_session_keyring = 0;
- }
-}
-
-/*
- * open a PAM session by making sure there's a session keyring
- */
-PAM_EXTERN
-int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
-{
- struct passwd *pw;
- const char *username;
- int ret, old_uid, uid, old_gid, gid, loop, force = 0;
-
- for (loop = 0; loop < argc; loop++) {
- if (strcmp(argv[loop], "force") == 0)
- force = 1;
- else if (strcmp(argv[loop], "debug") == 0)
- xdebug = 1;
- else if (strcmp(argv[loop], "revoke") == 0)
- do_revoke = 1;
- }
-
- /* don't do anything if already created a keyring (will be called
- * multiple times if mentioned more than once in a pam script)
- */
- session_counter++;
-
- debug(pamh, "OPEN %d", session_counter);
-
- if (my_session_keyring > 0)
- return PAM_SUCCESS;
-
- /*
look up the target UID */
- ret = pam_get_user(pamh, &username, "key user");
- if (ret != PAM_SUCCESS)
- return ret;
-
- pw = pam_modutil_getpwnam(pamh, username);
- if (!pw) {
- error(pamh, "Unable to look up user \"%s\"\n", username);
- return PAM_USER_UNKNOWN;
- }
-
- revoke_as_uid = uid = pw->pw_uid;
- old_uid = getuid();
- revoke_as_gid = gid = pw->pw_gid;
- old_gid = getgid();
- debug(pamh, "UID:%d [%d] GID:%d [%d]", uid, old_uid, gid, old_gid);
-
- /* switch to the real UID and GID so that the keyring ends up owned by
- * the right user */
- if (gid != old_gid && setregid(gid, -1) < 0) {
- error(pamh, "Unable to change GID to %d temporarily\n", gid);
- return PAM_SESSION_ERR;
- }
-
- if (uid != old_uid && setreuid(uid, -1) < 0) {
- error(pamh, "Unable to change UID to %d temporarily\n", uid);
- setregid(old_gid, -1);
- return PAM_SESSION_ERR;
- }
-
- ret = init_keyrings(pamh, force);
-
- /* return to the orignal UID and GID (probably root) */
- if (uid != old_uid && setreuid(old_uid, -1) < 0)
- ret = error(pamh, "Unable to change UID back to %d\n", old_uid);
-
- if (gid != old_gid && setregid(old_gid, -1) < 0)
- ret = error(pamh, "Unable to change GID back to %d\n", old_gid);
-
- return ret;
-}
-
-/*
- * close a PAM session by revoking the session keyring if requested
- */
-PAM_EXTERN
-int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
-{
- debug(pamh, "CLOSE %d,%d,%d",
- session_counter, my_session_keyring, do_revoke);
-
- session_counter--;
-
- if (session_counter == 0 && my_session_keyring > 0 && do_revoke)
- kill_keyrings(pamh);
-
- return PAM_SUCCESS;
-}
-
-#ifdef PAM_STATIC
-
-/* static module data */
-
-struct pam_module _pam_keyinit_modstruct = {
- "pam_keyinit",
- NULL,
- NULL,
- NULL,
- pam_sm_open_session,
- pam_sm_close_session,
- NULL
-};
-#endif
-
diff --git a/modules/pam_keyinit/tst-pam_keyinit b/modules/pam_keyinit/tst-pam_keyinit
deleted file mode 100755
index f0a7b9bc..00000000
--- a/modules/pam_keyinit/tst-pam_keyinit
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-../../tests/tst-dlopen .libs/pam_keyinit.so |