pam_group: Add ruser and luser options.
[dragonfly.git] / lib / pam_module / pam_ksu / pam_ksu.c
CommitLineData
9392c205
PA
1/*-
2 * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org>
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $
27 */
28
29#include <sys/param.h>
30#include <errno.h>
31#include <stdio.h>
32#include <stdlib.h>
33#include <string.h>
34#include <unistd.h>
35
36#include <krb5.h>
37
38#define PAM_SM_AUTH
39#define PAM_SM_CRED
40#include <security/pam_appl.h>
41#include <security/pam_modules.h>
42#include <security/pam_mod_misc.h>
43
44static const char superuser[] = "root";
45
46static long get_su_principal(krb5_context, const char *, const char *,
47 char **, krb5_principal *);
48static int auth_krb5(pam_handle_t *, krb5_context, const char *,
49 krb5_principal);
50
51PAM_EXTERN int
52pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
53 int argc __unused, const char *argv[] __unused)
54{
55 krb5_context context;
56 krb5_principal su_principal;
57 const char *user;
58 const void *ruser;
59 char *su_principal_name;
60 long rv;
61 int pamret;
62
63 pamret = pam_get_user(pamh, &user, NULL);
64 if (pamret != PAM_SUCCESS)
65 return (pamret);
66 PAM_LOG("Got user: %s", user);
67 pamret = pam_get_item(pamh, PAM_RUSER, &ruser);
68 if (pamret != PAM_SUCCESS)
69 return (pamret);
70 PAM_LOG("Got ruser: %s", (const char *)ruser);
71 rv = krb5_init_context(&context);
72 if (rv != 0) {
73 PAM_LOG("krb5_init_context failed: %s",
74 krb5_get_err_text(context, rv));
75 return (PAM_SERVICE_ERR);
76 }
77 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal);
78 if (rv != 0)
79 return (PAM_AUTH_ERR);
80 PAM_LOG("kuserok: %s -> %s", su_principal_name, user);
81 rv = krb5_kuserok(context, su_principal, user);
82 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR;
83 free(su_principal_name);
84 krb5_free_principal(context, su_principal);
85 krb5_free_context(context);
86 return (pamret);
87}
88
89PAM_EXTERN int
90pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
91 int ac __unused, const char *av[] __unused)
92{
93
94 return (PAM_SUCCESS);
95}
96
97/* Authenticate using Kerberos 5.
98 * pamh -- The PAM handle.
99 * context -- An initialized krb5_context.
100 * su_principal_name -- The target principal name, used only for password prompts.
101 * If NULL, the password prompts will not include a principal
102 * name.
103 * su_principal -- The target krb5_principal.
104 * Note that a valid keytab in the default location with a host entry
105 * must be available, and that the PAM application must have sufficient
106 * privileges to access it.
107 * Returns PAM_SUCCESS if authentication was successful, or an appropriate
108 * PAM error code if it was not.
109 */
110static int
111auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name,
112 krb5_principal su_principal)
113{
114 krb5_creds creds;
115 krb5_get_init_creds_opt gic_opt;
116 krb5_verify_init_creds_opt vic_opt;
117 const char *pass;
118 char *prompt;
119 long rv;
120 int pamret;
121
122 prompt = NULL;
123 krb5_get_init_creds_opt_init(&gic_opt);
124 krb5_verify_init_creds_opt_init(&vic_opt);
125 if (su_principal_name != NULL)
126 asprintf(&prompt, "Password for %s:", su_principal_name);
127 else
128 asprintf(&prompt, "Password:");
129 if (prompt == NULL)
130 return (PAM_BUF_ERR);
131 pass = NULL;
132 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
133 free(prompt);
134 if (pamret != PAM_SUCCESS)
135 return (pamret);
136 rv = krb5_get_init_creds_password(context, &creds, su_principal,
137 pass, NULL, NULL, 0, NULL, &gic_opt);
138 if (rv != 0) {
139 PAM_LOG("krb5_get_init_creds_password: %s",
140 krb5_get_err_text(context, rv));
141 return (PAM_AUTH_ERR);
142 }
143 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1);
144 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL,
145 &vic_opt);
146 krb5_free_cred_contents(context, &creds);
147 if (rv != 0) {
148 PAM_LOG("krb5_verify_init_creds: %s",
149 krb5_get_err_text(context, rv));
150 return (PAM_AUTH_ERR);
151 }
152 return (PAM_SUCCESS);
153}
154
155/* Determine the target principal given the current user and the target user.
156 * context -- An initialized krb5_context.
157 * target_user -- The target username.
158 * current_user -- The current username.
159 * su_principal_name -- (out) The target principal name.
160 * su_principal -- (out) The target krb5_principal.
161 * When the target user is `root', the target principal will be a `root
162 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal
163 * will simply be the current user's default principal name. Note that
164 * in any case, if KRB5CCNAME is set and a credentials cache exists, the
165 * principal name found there will be the `starting point', rather than
166 * the ruser parameter.
167 *
168 * Returns 0 for success, or a com_err error code on failure.
169 */
170static long
171get_su_principal(krb5_context context, const char *target_user,
172 const char *current_user, char **su_principal_name,
173 krb5_principal *su_principal)
174{
175 krb5_principal default_principal;
176 krb5_ccache ccache;
177 char *principal_name, *ccname, *p;
178 long rv;
179 uid_t euid, ruid;
180
181 *su_principal = NULL;
182 default_principal = NULL;
183 /* Unless KRB5CCNAME was explicitly set, we won't really be able
184 * to look at the credentials cache since krb5_cc_default will
185 * look at getuid().
186 */
187 ruid = getuid();
188 euid = geteuid();
189 rv = seteuid(ruid);
190 if (rv != 0)
191 return (errno);
192 p = getenv("KRB5CCNAME");
193 if (p != NULL)
194 ccname = strdup(p);
195 else
196 asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid);
197 if (ccname == NULL)
198 return (errno);
199 rv = krb5_cc_resolve(context, ccname, &ccache);
200 free(ccname);
201 if (rv == 0) {
202 rv = krb5_cc_get_principal(context, ccache, &default_principal);
203 krb5_cc_close(context, ccache);
204 if (rv != 0)
205 default_principal = NULL; /* just to be safe */
206 }
207 rv = seteuid(euid);
208 if (rv != 0)
209 return (errno);
210 if (default_principal == NULL) {
211 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
212 if (rv != 0) {
213 PAM_LOG("Could not determine default principal name.");
214 return (rv);
215 }
216 }
217 /* Now that we have some principal, if the target account is
218 * `root', then transform it into a `root' instance, e.g.
219 * `user@REA.LM' -> `user/root@REA.LM'.
220 */
221 rv = krb5_unparse_name(context, default_principal, &principal_name);
222 krb5_free_principal(context, default_principal);
223 if (rv != 0) {
224 PAM_LOG("krb5_unparse_name: %s",
225 krb5_get_err_text(context, rv));
226 return (rv);
227 }
228 PAM_LOG("Default principal name: %s", principal_name);
229 if (strcmp(target_user, superuser) == 0) {
230 p = strrchr(principal_name, '@');
231 if (p == NULL) {
232 PAM_LOG("malformed principal name `%s'", principal_name);
233 free(principal_name);
234 return (rv);
235 }
236 *p++ = '\0';
237 *su_principal_name = NULL;
238 asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p);
239 free(principal_name);
240 } else
241 *su_principal_name = principal_name;
242
243 if (*su_principal_name == NULL)
244 return (errno);
245 rv = krb5_parse_name(context, *su_principal_name, &default_principal);
246 if (rv != 0) {
247 PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name,
248 krb5_get_err_text(context, rv));
249 free(*su_principal_name);
250 return (rv);
251 }
252 PAM_LOG("Target principal name: %s", *su_principal_name);
253 *su_principal = default_principal;
254 return (0);
255}
256
257PAM_MODULE_ENTRY("pam_ksu");