[22715] | 1 | /* |
---|
| 2 | * pam_mktemp.c |
---|
| 3 | * PAM session management functions for pam_mktemp.so |
---|
| 4 | * |
---|
| 5 | * Copyright © 2007 Tim Abbott <tabbott@mit.edu> and Anders Kaseorg |
---|
| 6 | * <andersk@mit.edu> |
---|
| 7 | * |
---|
| 8 | * Permission is hereby granted, free of charge, to any person |
---|
| 9 | * obtaining a copy of this software and associated documentation |
---|
| 10 | * files (the "Software"), to deal in the Software without |
---|
| 11 | * restriction, including without limitation the rights to use, copy, |
---|
| 12 | * modify, merge, publish, distribute, sublicense, and/or sell copies |
---|
| 13 | * of the Software, and to permit persons to whom the Software is |
---|
| 14 | * furnished to do so, subject to the following conditions: |
---|
| 15 | * |
---|
| 16 | * The above copyright notice and this permission notice shall be |
---|
| 17 | * included in all copies or substantial portions of the Software. |
---|
| 18 | * |
---|
| 19 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
---|
| 20 | * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF |
---|
| 21 | * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
---|
| 22 | * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS |
---|
| 23 | * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN |
---|
| 24 | * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN |
---|
| 25 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
---|
| 26 | * SOFTWARE. |
---|
| 27 | */ |
---|
| 28 | |
---|
| 29 | #include <sys/types.h> |
---|
| 30 | #include <sys/wait.h> |
---|
| 31 | #include <unistd.h> |
---|
| 32 | #include <syslog.h> |
---|
| 33 | #include <pwd.h> |
---|
| 34 | #include <stdio.h> |
---|
| 35 | #include <string.h> |
---|
| 36 | #include <stdlib.h> |
---|
| 37 | #include <errno.h> |
---|
| 38 | #include <security/pam_appl.h> |
---|
| 39 | #include <security/pam_modules.h> |
---|
| 40 | #include <security/pam_misc.h> |
---|
| 41 | |
---|
| 42 | #define MAXBUF 256 |
---|
| 43 | |
---|
| 44 | void mktemp_cleanup(pam_handle_t *pamh, void *data, int pam_end_status); |
---|
| 45 | |
---|
| 46 | /* Initiate session management by creating temporary file. */ |
---|
| 47 | int |
---|
| 48 | pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) |
---|
| 49 | { |
---|
| 50 | int i; |
---|
| 51 | int debug = 0; |
---|
| 52 | int pamret; |
---|
| 53 | int n; |
---|
| 54 | const char *user; |
---|
| 55 | struct passwd *pw; |
---|
| 56 | char mktemp_buf[MAXBUF]; |
---|
| 57 | char envput[MAXBUF]; |
---|
| 58 | const char *prefix = "/tmp/tempfile"; |
---|
| 59 | const char *var = NULL; |
---|
| 60 | int fd; |
---|
[22756] | 61 | int dir = 0; |
---|
[22715] | 62 | |
---|
| 63 | for (i = 0; i < argc; i++) { |
---|
| 64 | if (strcmp(argv[i], "debug") == 0) |
---|
| 65 | debug = 1; |
---|
| 66 | else if (strncmp(argv[i], "prefix=", 7) == 0) |
---|
| 67 | prefix = argv[i] + 7; |
---|
| 68 | else if (strncmp(argv[i], "var=", 4) == 0) |
---|
| 69 | var = argv[i] + 4; |
---|
[22756] | 70 | else if (strcmp(argv[i], "dir") == 0) |
---|
[22715] | 71 | dir = 1; |
---|
| 72 | } |
---|
| 73 | |
---|
| 74 | if (var == NULL) { |
---|
| 75 | syslog(LOG_ERR, "pam_mktemp: No variable to set"); |
---|
| 76 | return PAM_SESSION_ERR; |
---|
| 77 | } |
---|
| 78 | if ((pamret = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { |
---|
| 79 | syslog(LOG_ERR, "pam_mktemp: pam_get_user: %s", pam_strerror(pamh, pamret)); |
---|
| 80 | return PAM_SESSION_ERR; |
---|
| 81 | } |
---|
| 82 | errno = 0; |
---|
| 83 | pw = getpwnam(user); |
---|
| 84 | if (pw == NULL) { |
---|
| 85 | if (errno != 0) |
---|
| 86 | syslog(LOG_ERR, "pam_mktemp: getpwnam: %m"); |
---|
| 87 | else |
---|
| 88 | syslog(LOG_ERR, "pam_mktemp: no such user: %s", user); |
---|
| 89 | return PAM_SESSION_ERR; |
---|
| 90 | } |
---|
| 91 | |
---|
| 92 | n = snprintf(mktemp_buf, MAXBUF, "%s-%d-XXXXXX", prefix, pw->pw_uid); |
---|
| 93 | if (n < 0 || n >= MAXBUF) { |
---|
| 94 | syslog(LOG_ERR, "pam_mktemp: snprintf failed"); |
---|
| 95 | return PAM_SESSION_ERR; |
---|
| 96 | } |
---|
| 97 | if (dir) { |
---|
| 98 | if (mkdtemp(mktemp_buf) == NULL) { |
---|
| 99 | syslog(LOG_ERR, "pam_mktemp: mkdtemp: %m"); |
---|
| 100 | return PAM_SESSION_ERR; |
---|
| 101 | } |
---|
| 102 | } |
---|
| 103 | else { |
---|
| 104 | fd = mkstemp(mktemp_buf); |
---|
| 105 | if (fd == -1) { |
---|
| 106 | syslog(LOG_ERR, "pam_mktemp: mkstemp: %m"); |
---|
| 107 | return PAM_SESSION_ERR; |
---|
| 108 | } |
---|
| 109 | if (close(fd) != 0) { |
---|
| 110 | syslog(LOG_ERR, "pam_mktemp: close: %m"); |
---|
| 111 | return PAM_SESSION_ERR; |
---|
| 112 | } |
---|
| 113 | } |
---|
| 114 | if (chown(mktemp_buf, pw->pw_uid, -1) != 0) { |
---|
| 115 | syslog(LOG_ERR, "pam_mktemp: chown: %m"); |
---|
| 116 | return PAM_SESSION_ERR; |
---|
| 117 | } |
---|
| 118 | if (debug) |
---|
| 119 | syslog(LOG_DEBUG, "pam_mktemp: using temporary file %s", mktemp_buf); |
---|
| 120 | |
---|
| 121 | n = snprintf(envput, MAXBUF, "%s=%s", var, mktemp_buf); |
---|
| 122 | if (n < 0 || n >= MAXBUF) { |
---|
| 123 | syslog(LOG_ERR, "pam_mktemp: snprintf failed"); |
---|
| 124 | return PAM_SESSION_ERR; |
---|
| 125 | } |
---|
| 126 | pamret = pam_putenv(pamh, envput); |
---|
| 127 | if (pamret != PAM_SUCCESS) { |
---|
| 128 | syslog(LOG_ERR, "pam_mktemp: pam_putenv: %s", |
---|
| 129 | pam_strerror(pamh, pamret)); |
---|
| 130 | return PAM_SESSION_ERR; |
---|
| 131 | } |
---|
| 132 | pamret = pam_set_data(pamh, var, mktemp_buf, mktemp_cleanup); |
---|
| 133 | if (pamret != PAM_SUCCESS) { |
---|
| 134 | syslog(LOG_ERR, "pam_mktemp: pam_set_data: %s", |
---|
| 135 | pam_strerror(pamh, pamret)); |
---|
| 136 | return PAM_SESSION_ERR; |
---|
| 137 | } |
---|
| 138 | return PAM_SUCCESS; |
---|
| 139 | } |
---|
| 140 | |
---|
| 141 | void |
---|
| 142 | mktemp_cleanup(pam_handle_t *pamh, void *data, int pam_end_status) |
---|
| 143 | { |
---|
| 144 | return; |
---|
| 145 | } |
---|
| 146 | |
---|
| 147 | /* Terminate session management by destroying old temporary file. */ |
---|
| 148 | int |
---|
| 149 | pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) |
---|
| 150 | { |
---|
| 151 | int i; |
---|
| 152 | int debug = 0; |
---|
| 153 | const char *mktemp_buf; |
---|
| 154 | const char *var = NULL; |
---|
| 155 | |
---|
| 156 | for (i = 0; i < argc; i++) { |
---|
| 157 | if (strcmp(argv[i], "debug") == 0) |
---|
| 158 | debug = 1; |
---|
| 159 | else if (strncmp(argv[i], "var=", 4) == 0) |
---|
| 160 | var = argv[i] + 4; |
---|
| 161 | } |
---|
| 162 | |
---|
| 163 | if (var == NULL) { |
---|
| 164 | syslog(LOG_ERR, "pam_mktemp: Nothing to cleanup"); |
---|
| 165 | return PAM_SESSION_ERR; |
---|
| 166 | } |
---|
| 167 | |
---|
| 168 | mktemp_buf = pam_getenv(pamh, var); |
---|
| 169 | if (mktemp_buf == NULL) { |
---|
| 170 | syslog(LOG_ERR, "pam_mktemp: cannot get %s environment variable", |
---|
| 171 | var); |
---|
| 172 | return PAM_SESSION_ERR; |
---|
| 173 | } |
---|
| 174 | |
---|
| 175 | if (debug) |
---|
| 176 | syslog(LOG_DEBUG, "pam_mktemp: removing %s", |
---|
| 177 | mktemp_buf); |
---|
| 178 | if (remove(mktemp_buf) != 0) { |
---|
| 179 | syslog(LOG_ERR, "pam_mktemp: remove(): %m"); |
---|
| 180 | return PAM_SESSION_ERR; |
---|
| 181 | } |
---|
| 182 | |
---|
| 183 | return PAM_SUCCESS; |
---|
| 184 | } |
---|
| 185 | |
---|
| 186 | int |
---|
| 187 | pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) |
---|
| 188 | { |
---|
| 189 | if (flags == PAM_ESTABLISH_CRED) |
---|
| 190 | return pam_sm_open_session(pamh, flags, argc, argv); |
---|
| 191 | return PAM_SUCCESS; |
---|
| 192 | } |
---|
| 193 | |
---|
| 194 | int |
---|
| 195 | pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) |
---|
| 196 | { |
---|
| 197 | return PAM_SUCCESS; |
---|
| 198 | } |
---|
| 199 | |
---|