From c9593778a6133bf29eb2f47c24cc6d2f5d729fc8 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Thu, 11 Jun 2020 17:39:03 +0200 Subject: Move check_user_in_passwd from pam_localuser.c to pam_modutil Signed-off-by: Fabrice Fontaine * modules/pam_localuser/pam_localuser.c: Include . (pam_sm_authenticate): Replace check_user_in_passwd with pam_modutil_check_user_in_passwd. (check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd, move to ... * libpam/pam_modutil_check_user.c: ... new file. * libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c. * libpam/include/security/pam_modutil.h (pam_modutil_check_user_in_passwd): New function declaration. * libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface. Co-authored-by: Dmitry V. Levin --- libpam/pam_modutil_check_user.c | 90 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 libpam/pam_modutil_check_user.c (limited to 'libpam/pam_modutil_check_user.c') diff --git a/libpam/pam_modutil_check_user.c b/libpam/pam_modutil_check_user.c new file mode 100644 index 00000000..898b13a9 --- /dev/null +++ b/libpam/pam_modutil_check_user.c @@ -0,0 +1,90 @@ +#include "pam_modutil_private.h" +#include + +#include +#include +#include + +int +pam_modutil_check_user_in_passwd(pam_handle_t *pamh, + const char *user_name, + const char *file_name) +{ + int rc; + size_t user_len; + FILE *fp; + char line[BUFSIZ]; + + /* Validate the user name. */ + if ((user_len = strlen(user_name)) == 0) { + pam_syslog(pamh, LOG_NOTICE, "user name is not valid"); + return PAM_SERVICE_ERR; + } + + if (user_len > sizeof(line) - sizeof(":")) { + pam_syslog(pamh, LOG_NOTICE, "user name is too long"); + return PAM_SERVICE_ERR; + } + + if (strchr(user_name, ':') != NULL) { + /* + * "root:x" is not a local user name even if the passwd file + * contains a line starting with "root:x:". + */ + return PAM_PERM_DENIED; + } + + /* Open the passwd file. */ + if (file_name == NULL) { + file_name = "/etc/passwd"; + } + if ((fp = fopen(file_name, "r")) == NULL) { + pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name); + return PAM_SERVICE_ERR; + } + + /* + * Scan the file using fgets() instead of fgetpwent_r() because + * the latter is not flexible enough in handling long lines + * in passwd files. + */ + rc = PAM_PERM_DENIED; + while (fgets(line, sizeof(line), fp) != NULL) { + size_t line_len; + const char *str; + + /* + * Does this line start with the user name + * followed by a colon? + */ + if (strncmp(user_name, line, user_len) == 0 && + line[user_len] == ':') { + rc = PAM_SUCCESS; + break; + } + /* Has a newline been read? */ + line_len = strlen(line); + if (line_len < sizeof(line) - 1 || + line[line_len - 1] == '\n') { + /* Yes, continue with the next line. */ + continue; + } + + /* No, read till the end of this line first. */ + while ((str = fgets(line, sizeof(line), fp)) != NULL) { + line_len = strlen(line); + if (line_len == 0 || + line[line_len - 1] == '\n') { + break; + } + } + if (str == NULL) { + /* fgets returned NULL, we are done. */ + break; + } + /* Continue with the next line. */ + } + + fclose(fp); + return rc; +} -- cgit v1.2.3