diff options
| -rw-r--r-- | bin/schroot/schroot-main-base.cc | 12 | ||||
| -rw-r--r-- | bin/schroot/schroot-main.cc | 23 | ||||
| -rw-r--r-- | sbuild/Makefile.am | 6 | ||||
| -rw-r--r-- | sbuild/sbuild-auth-conv-tty.cc | 18 | ||||
| -rw-r--r-- | sbuild/sbuild-auth-conv-tty.h | 19 | ||||
| -rw-r--r-- | sbuild/sbuild-auth-conv.h | 19 | ||||
| -rw-r--r-- | sbuild/sbuild-auth.cc | 451 | ||||
| -rw-r--r-- | sbuild/sbuild-auth.h | 83 | ||||
| -rw-r--r-- | sbuild/sbuild-session.cc | 14 | ||||
| -rw-r--r-- | sbuild/sbuild-session.h | 9 |
10 files changed, 140 insertions, 514 deletions
diff --git a/bin/schroot/schroot-main-base.cc b/bin/schroot/schroot-main-base.cc index c9e2a366..39328aa4 100644 --- a/bin/schroot/schroot-main-base.cc +++ b/bin/schroot/schroot-main-base.cc @@ -282,18 +282,6 @@ main_base::run_impl () verbosity = sbuild::auth::VERBOSITY_VERBOSE; this->session->get_auth()->set_verbosity(verbosity); -#ifdef SBUILD_FEATURE_PAM - /* Set up authentication timeouts. */ - std::tr1::shared_ptr<sbuild::auth_conv> - conv(new sbuild::auth_conv_tty - (std::tr1::dynamic_pointer_cast<sbuild::auth>(this->session))); - time_t curtime = 0; - time(&curtime); - conv->set_warning_timeout(curtime + 15); - conv->set_fatal_timeout(curtime + 20); - this->session->get_auth()->set_conv(conv); -#endif // SBUILD_FEATURE_PAM - /* Run session. */ this->session->run(); } diff --git a/bin/schroot/schroot-main.cc b/bin/schroot/schroot-main.cc index 7dd32030..b1d158ae 100644 --- a/bin/schroot/schroot-main.cc +++ b/bin/schroot/schroot-main.cc @@ -18,6 +18,12 @@ #include <config.h> +#include <sbuild/sbuild-config.h> +#ifdef SBUILD_FEATURE_PAM +#include <sbuild/sbuild-auth-pam.h> +#include <sbuild/sbuild-auth-conv-tty.h> +#endif + #include "schroot-main.h" #include <cstdlib> @@ -77,6 +83,23 @@ main::create_session(sbuild::session::operation sess_op) this->session = sbuild::session::ptr (new sbuild::session("schroot", this->config, sess_op, this->chroots)); +#ifdef SBUILD_FEATURE_PAM + sbuild::auth::ptr auth = sbuild::auth_pam::create("schroot"); + + sbuild::auth_conv_tty::auth_ptr auth_ptr = + std::tr1::dynamic_pointer_cast<sbuild::auth_pam>(auth); + + sbuild::auth_conv::ptr conv = sbuild::auth_conv_tty::create(auth_ptr); + + /* Set up authentication timeouts. */ + time_t curtime = 0; + time(&curtime); + conv->set_warning_timeout(curtime + 15); + conv->set_fatal_timeout(curtime + 20); + + this->session->set_auth(auth); +#endif // SBUILD_FEATURE_PAM + if (!this->options->user.empty()) this->session->get_auth()->set_user(this->options->user); } diff --git a/sbuild/Makefile.am b/sbuild/Makefile.am index 2215857d..0451c2d0 100644 --- a/sbuild/Makefile.am +++ b/sbuild/Makefile.am @@ -29,6 +29,7 @@ lib_LTLIBRARIES = libsbuild.la sbuild_public_h_sources = \ sbuild-auth.h \ + sbuild-auth-null.h \ sbuild-chroot.h \ sbuild-chroot-block-device.h \ sbuild-chroot-directory.h \ @@ -65,9 +66,10 @@ sbuild_public_h_sources = \ sbuild-util.h if BUILD_PAM -sbuild_public_auth_h_sources = \ +sbuild_public_auth_h_sources = \ sbuild-auth-conv.h \ sbuild-auth-conv-tty.h \ + sbuild-auth-pam.h \ sbuild-auth-message.h endif @@ -88,6 +90,7 @@ endif sbuild_public_cc_sources = \ sbuild-auth.cc \ + sbuild-auth-null.cc \ sbuild-chroot.cc \ sbuild-chroot-directory.cc \ sbuild-chroot-file.cc \ @@ -116,6 +119,7 @@ if BUILD_PAM sbuild_public_auth_cc_sources = \ sbuild-auth-conv.cc \ sbuild-auth-conv-tty.cc \ + sbuild-auth-pam.cc \ sbuild-auth-message.cc endif diff --git a/sbuild/sbuild-auth-conv-tty.cc b/sbuild/sbuild-auth-conv-tty.cc index c76d154b..28ebab6b 100644 --- a/sbuild/sbuild-auth-conv-tty.cc +++ b/sbuild/sbuild-auth-conv-tty.cc @@ -119,8 +119,8 @@ error<auth_conv_tty::error_code>::error_strings (init_errors, init_errors + (sizeof(init_errors) / sizeof(init_errors[0]))); -auth_conv_tty::auth_conv_tty (weak_auth_ptr auth): - auth(auth), +auth_conv_tty::auth_conv_tty (auth_ptr auth): + auth(weak_auth_ptr(auth)), warning_timeout(0), fatal_timeout(0), start_time(0) @@ -131,16 +131,22 @@ auth_conv_tty::~auth_conv_tty () { } -auth_conv_tty::weak_auth_ptr +auth_conv::ptr +auth_conv_tty::create (auth_ptr auth) +{ + return ptr(new auth_conv_tty(auth)); +} + +auth_conv::auth_ptr auth_conv_tty::get_auth () { - return this->auth; + return auth_ptr(this->auth); } void -auth_conv_tty::set_auth (weak_auth_ptr auth) +auth_conv_tty::set_auth (auth_ptr auth) { - this->auth = auth; + this->auth = weak_auth_ptr(auth); } time_t diff --git a/sbuild/sbuild-auth-conv-tty.h b/sbuild/sbuild-auth-conv-tty.h index b091a100..5004a7a8 100644 --- a/sbuild/sbuild-auth-conv-tty.h +++ b/sbuild/sbuild-auth-conv-tty.h @@ -20,6 +20,7 @@ #define SBUILD_AUTH_CONV_TTY_H #include <sbuild/sbuild-auth-conv.h> +#include <sbuild/sbuild-auth.h> #include <sbuild/sbuild-custom-error.h> #include <security/pam_appl.h> @@ -56,16 +57,28 @@ namespace sbuild /// Exception type. typedef custom_error<error_code> error; + private: /// The constructor. - auth_conv_tty (weak_auth_ptr auth); + auth_conv_tty (auth_ptr auth); + + public: /// The destructor. virtual ~auth_conv_tty (); - virtual weak_auth_ptr + /** + * Create an auth_conv_tty object. + * + * @auth The authentication object this conversation handler will + * be associated with. + */ + static ptr + create (auth_ptr auth); + + virtual auth_ptr get_auth (); virtual void - set_auth (weak_auth_ptr auth); + set_auth (auth_ptr auth); virtual time_t get_warning_timeout (); diff --git a/sbuild/sbuild-auth-conv.h b/sbuild/sbuild-auth-conv.h index 81a05a2f..94886ca3 100644 --- a/sbuild/sbuild-auth-conv.h +++ b/sbuild/sbuild-auth-conv.h @@ -30,7 +30,7 @@ namespace sbuild { - class auth; + class auth_pam; /** * Authentication conversation handler interface. @@ -59,28 +59,35 @@ namespace sbuild public: /// A list of messages. typedef std::vector<auth_message> message_list; - typedef std::tr1::weak_ptr<auth> weak_auth_ptr; + typedef std::tr1::shared_ptr<auth_pam> auth_ptr; + typedef std::tr1::weak_ptr<auth_pam> weak_auth_ptr; + /// A shared_ptr to an auth_conv object. + typedef std::tr1::shared_ptr<auth_conv> ptr; + + protected: /// The constructor. auth_conv (); + + public: /// The destructor. virtual ~auth_conv (); /** * Get the auth object. * - * @returns the auth object as a weak reference. + * @returns the auth object. */ - virtual weak_auth_ptr + virtual auth_ptr get_auth () = 0; /** * Set the auth object. * - * @param auth the auth object as a weak reference. + * @param auth the auth object. */ virtual void - set_auth (weak_auth_ptr auth) = 0; + set_auth (auth_ptr auth) = 0; /** * Get the time at which the user will be warned. diff --git a/sbuild/sbuild-auth.cc b/sbuild/sbuild-auth.cc index cc7dca8d..165a8349 100644 --- a/sbuild/sbuild-auth.cc +++ b/sbuild/sbuild-auth.cc @@ -19,8 +19,6 @@ #include <config.h> #include "sbuild-auth.h" -#include "sbuild-auth-conv.h" -#include "sbuild-auth-conv-tty.h" #include <cassert> #include <cerrno> @@ -38,12 +36,6 @@ using std::endl; using boost::format; using namespace sbuild; -#if defined(__LINUX_PAM__) -#define PAM_TEXT_DOMAIN "Linux-PAM" -#elif defined(__sun__) -#define PAM_TEXT_DOMAIN "SUNW_OST_SYSOSPAM" -#endif - namespace { @@ -74,93 +66,7 @@ error<auth::error_code>::error_strings (init_errors, init_errors + (sizeof(init_errors) / sizeof(init_errors[0]))); -namespace -{ - -#ifdef SBUILD_FEATURE_PAM - /* This is the glue to link PAM user interaction with auth_conv. */ - int - auth_conv_hook (int num_msg, - const struct pam_message **msgm, - struct pam_response **response, - void *appdata_ptr) - { - log_debug(DEBUG_NOTICE) << "PAM conversation hook started" << endl; - - try - { - if (appdata_ptr == 0) - return PAM_CONV_ERR; - - auth_conv *conv = static_cast<auth_conv *>(appdata_ptr); - assert (conv != 0); - - /* Construct a message vector */ - auth_conv::message_list messages; - for (int i = 0; i < num_msg; ++i) - { - const struct pam_message *source = msgm[i]; - - auth_message - message(static_cast<auth_message::message_type>(source->msg_style), - source->msg); - - /* Replace PAM prompt */ - if (message.message == dgettext(PAM_TEXT_DOMAIN, "Password: ") || - message.message == dgettext(PAM_TEXT_DOMAIN, "Password:")) - { - std::string user = "unknown"; // Set in case auth is void - std::tr1::shared_ptr<auth> auth = conv->get_auth().lock(); - assert(auth && auth.get() != 0); // Check auth is not void - if (auth && auth.get() != 0) - user = auth->get_user(); - format fmt(_("[schroot] password for %1%: ")); - fmt % user; - message.message = fmt.str(); - } - - messages.push_back(message); - } - - /* Do the conversation; an exception will be thrown on failure */ - conv->conversation(messages); - - /* Copy response into **reponse */ - struct pam_response *reply = - static_cast<struct pam_response *> - (malloc(sizeof(struct pam_response) * num_msg)); - - for (int i = 0; i < num_msg; ++i) - { - reply[i].resp_retcode = 0; - reply[i].resp = strdup(messages[i].response.c_str()); - } - - *response = reply; - reply = 0; - - return PAM_SUCCESS; - } - catch (std::exception const& e) - { - sbuild::log_exception_error(e); - } - catch (...) - { - sbuild::log_error() << _("An unknown exception occurred") << endl; - } - - return PAM_CONV_ERR; - } -#endif // SBUILD_FEATURE_PAM - -} - - auth::auth (std::string const& service_name): -#ifdef SBUILD_FEATURE_PAM - pam(), -#endif // SBUILD_FEATURE_PAM service(service_name), uid(0), gid(0), @@ -174,12 +80,6 @@ auth::auth (std::string const& service_name): rgid(), ruser(), rgroup(), -#ifdef SBUILD_FEATURE_PAM - conv(), -#endif // SBUILD_FEATURE_PAM -#ifndef SBUILD_FEATURE_PAM - auth_environment(), -#endif // !SBUILD_FEATURE_PAM message_verbosity(VERBOSITY_NORMAL) { this->ruid = getuid(); @@ -327,13 +227,40 @@ auth::set_environment (environment const& environment) } environment -auth::get_pam_environment () const +auth::get_minimal_environment () const { -#ifdef SBUILD_FEATURE_PAM - return environment(pam_getenvlist(this->pam)); -#else // !SBUILD_FEATURE_PAM - return this->auth_environment; -#endif // SBUILD_FEATURE_PAM + environment minimal; + if (!this->user_environment.empty()) + minimal = this->user_environment; + + // For security, PATH is always set to a sane state for root, but + // only set in other cases if not preserving the environment. + if (this->uid == 0) + minimal.add(std::make_pair("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11")); + else if (this->user_environment.empty()) + minimal.add(std::make_pair("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games")); + + if (this->user_environment.empty()) + { + if (!this->home.empty() ) + minimal.add(std::make_pair("HOME", this->home)); + else + minimal.add(std::make_pair("HOME", "/")); + if (!this->user.empty()) + { + minimal.add(std::make_pair("LOGNAME", this->user)); + minimal.add(std::make_pair("USER", this->user)); + } + { + const char *term = getenv("TERM"); + if (term) + minimal.add(std::make_pair("TERM", term)); + } + if (!this->shell.empty()) + minimal.add(std::make_pair("SHELL", this->shell)); + } + + return minimal; } uid_t @@ -372,359 +299,47 @@ auth::set_verbosity (auth::verbosity verbosity) this->message_verbosity = verbosity; } -#ifdef SBUILD_FEATURE_PAM -auth::conv_ptr& -auth::get_conv () -{ - return this->conv; -} - -void -auth::set_conv (conv_ptr& conv) -{ - this->conv = conv; -} -#endif // SBUILD_FEATURE_PAM - void auth::start () { - assert(!this->user.empty()); - -#ifdef SBUILD_FEATURE_PAM - if (this->pam != 0) - { - log_debug(DEBUG_CRITICAL) - << "pam_start FAIL (already initialised)" << endl; - throw error("Init PAM", PAM_DOUBLE_INIT); - } - - struct pam_conv conv_hook = - { - auth_conv_hook, - reinterpret_cast<void *>(this->conv.get()) - }; - - int pam_status; - - if ((pam_status = - pam_start(this->service.c_str(), this->user.c_str(), - &conv_hook, &this->pam)) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_start FAIL" << endl; - throw error(PAM, pam_strerror(pam_status)); - } - - log_debug(DEBUG_NOTICE) << "pam_start OK" << endl; -#endif // SBUILD_FEATURE_PAM } void auth::stop () { -#ifdef SBUILD_FEATURE_PAM - if (this->pam); // PAM must be initialised - { - int pam_status; - - if ((pam_status = - pam_end(this->pam, PAM_SUCCESS)) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_end FAIL" << endl; - throw error(PAM, pam_strerror(pam_status)); - } - - this->pam = 0; - log_debug(DEBUG_NOTICE) << "pam_end OK" << endl; - } -#endif // SBUILD_FEATURE_PAM } void auth::authenticate (status auth_status) { -#ifdef SBUILD_FEATURE_PAM - assert(!this->user.empty()); - assert(this->pam != 0); // PAM must be initialised - - int pam_status; - - if ((pam_status = - pam_set_item(this->pam, PAM_RUSER, this->ruser.c_str())) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_set_item (PAM_RUSER) FAIL" << endl; - throw error(_("Set RUSER"), PAM, pam_strerror(pam_status)); - } - - long hl = 256; /* sysconf(_SC_HOST_NAME_MAX); BROKEN with Debian libc6 2.3.2.ds1-22 */ - - char *hostname = new char[hl]; - try - { - if (gethostname(hostname, hl) != 0) - { - log_debug(DEBUG_CRITICAL) << "gethostname FAIL" << endl; - throw error(HOSTNAME, strerror(errno)); - } - - if ((pam_status = - pam_set_item(this->pam, PAM_RHOST, hostname)) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_set_item (PAM_RHOST) FAIL" << endl; - throw error(_("Set RHOST"), PAM, pam_strerror(pam_status)); - } - } - catch (error const& e) - { - delete[] hostname; - hostname = 0; - throw; - } - delete[] hostname; - hostname = 0; - - const char *tty = ttyname(STDIN_FILENO); - if (tty) - { - if ((pam_status = - pam_set_item(this->pam, PAM_TTY, tty)) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_set_item (PAM_TTY) FAIL" << endl; - throw error(_("Set TTY"), PAM, pam_strerror(pam_status)); - } - } - - /* Authenticate as required. */ - switch (auth_status) - { - case STATUS_NONE: - if ((pam_status = pam_set_item(this->pam, PAM_USER, this->user.c_str())) - != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_set_item (PAM_USER) FAIL" << endl; - throw error(_("Set USER"), PAM, pam_strerror(pam_status)); - } - break; - - case STATUS_USER: - if ((pam_status = pam_authenticate(this->pam, 0)) != PAM_SUCCESS) - { - log_debug(DEBUG_INFO) << "pam_authenticate FAIL" << endl; - syslog(LOG_AUTH|LOG_WARNING, "%s->%s Authentication failure", - this->ruser.c_str(), this->user.c_str()); - throw error(AUTHENTICATION, pam_strerror(pam_status)); - } - log_debug(DEBUG_NOTICE) << "pam_authenticate OK" << endl; - break; - - case STATUS_FAIL: - { - log_debug(DEBUG_INFO) << "PAM auth premature FAIL" << endl; - syslog(LOG_AUTH|LOG_WARNING, - "%s->%s Unauthorised", - this->ruser.c_str(), this->user.c_str()); - error e(AUTHORISATION); - // TRANSLATORS: %1% = program name (PAM service name) - std::string reason(_("You do not have permission to access the %1% service.")); - reason += '\n'; - reason += _("This failure will be reported."); - format fmt(reason); - fmt % this->service; - e.set_reason(fmt.str()); - throw e; - } - default: - break; - } -#else // !SBUILD_FEATURE_PAM - throw error(AUTHENTICATION, strerror(ENOTSUP)); -#endif // SBUILD_FEATURE_PAM } void auth::setupenv () { -#ifdef SBUILD_FEATURE_PAM - assert(this->pam != 0); // PAM must be initialised - - int pam_status; -#endif // SBUILD_FEATURE_PAM - - environment environment; - if (!this->user_environment.empty()) - environment = this->user_environment; - - // For security, PATH is always set to a sane state for root, but - // only set in other cases if not preserving the environment. - if (this->uid == 0) - environment.add(std::make_pair("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11")); - else if (this->user_environment.empty()) - environment.add(std::make_pair("PATH", "/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games")); - - if (this->user_environment.empty()) - { - if (!this->home.empty() ) - environment.add(std::make_pair("HOME", this->home)); - else - environment.add(std::make_pair("HOME", "/")); - if (!this->user.empty()) - { - environment.add(std::make_pair("LOGNAME", this->user)); - environment.add(std::make_pair("USER", this->user)); - } - { - const char *term = getenv("TERM"); - if (term) - environment.add(std::make_pair("TERM", term)); - } - if (!this->shell.empty()) - environment.add(std::make_pair("SHELL", this->shell)); - } - -#ifdef SBUILD_FEATURE_PAM - // Move into PAM environment. - for (environment::const_iterator cur = environment.begin(); - cur != environment.end(); - ++cur) - { - std::string env_string = cur->first + "=" + cur->second; - if ((pam_status = - pam_putenv(this->pam, env_string.c_str())) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_putenv FAIL" << endl; - throw error(PAM, pam_strerror(pam_status)); - } - log_debug(DEBUG_INFO) - << format("pam_putenv: set %1%=%2%") % cur->first % cur->second - << endl; - } - - log_debug(DEBUG_NOTICE) << "pam_putenv OK" << endl; -#else // !SBUILD_FEATURE_PAM - this->auth_environment = environment; -#endif // SBUILD_FEATURE_PAM } void auth::account () { -#ifdef SBUILD_FEATURE_PAM - assert(this->pam != 0); // PAM must be initialised - - int pam_status; - - if ((pam_status = - pam_acct_mgmt(this->pam, 0)) != PAM_SUCCESS) - { - /* We don't handle changing expired passwords here, since we are - not login or ssh. */ - log_debug(DEBUG_WARNING) << "pam_acct_mgmt FAIL" << endl; - throw error(PAM, pam_strerror(pam_status)); - } - - log_debug(DEBUG_NOTICE) << "pam_acct_mgmt OK" << endl; -#endif // SBUILD_FEATURE_PAM } void auth::cred_establish () { -#ifdef SBUILD_FEATURE_PAM - assert(this->pam != 0); // PAM must be initialised - - int pam_status; - - if ((pam_status = - pam_setcred(this->pam, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_setcred FAIL" << endl; - throw error(PAM, pam_strerror(pam_status)); - } - - log_debug(DEBUG_NOTICE) << "pam_setcred OK" << endl; - - const char *authuser = 0; - const void *tmpcast = reinterpret_cast<const void *>(authuser); - pam_get_item(this->pam, PAM_USER, &tmpcast); - log_debug(DEBUG_INFO) - << format("PAM authentication succeeded for user %1%") % authuser - << endl; -#endif // SBUILD_FEATURE_PAM } void auth::cred_delete () { -#ifdef SBUILD_FEATURE_PAM - assert(this->pam != 0); // PAM must be initialised - - int pam_status; - - if ((pam_status = - pam_setcred(this->pam, PAM_DELETE_CRED)) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_setcred (delete) FAIL" << endl; - throw error(PAM, pam_strerror(pam_status)); - } - - log_debug(DEBUG_NOTICE) << "pam_setcred (delete) OK" << endl; -#endif // SBUILD_FEATURE_PAM } void auth::open_session () { -#ifdef SBUILD_FEATURE_PAM - assert(this->pam != 0); // PAM must be initialised - - int pam_status; - - if ((pam_status = - pam_open_session(this->pam, 0)) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_open_session FAIL" << endl; - throw error(PAM, pam_strerror(pam_status)); - } - - log_debug(DEBUG_NOTICE) << "pam_open_session OK" << endl; -#endif // SBUILD_FEATURE_PAM } void auth::close_session () { -#ifdef SBUILD_FEATURE_PAM - assert(this->pam != 0); // PAM must be initialised - - int pam_status; - - if ((pam_status = - pam_close_session(this->pam, 0)) != PAM_SUCCESS) - { - log_debug(DEBUG_WARNING) << "pam_close_session FAIL" << endl; - throw error(PAM, pam_strerror(pam_status)); - } - - log_debug(DEBUG_NOTICE) << "pam_close_session OK" << endl; -#endif // SBUILD_FEATURE_PAM -} - -bool -auth::is_initialised () const -{ -#ifdef SBUILD_FEATURE_PAM - return this->pam != 0; -#else // !SBUILD_FEATURE_PAM - return true; -#endif // SBUILD_FEATURE_PAM -} - -#ifdef SBUILD_FEATURE_PAM -const char * -auth::pam_strerror (int pam_error) -{ - assert(this->pam != 0); // PAM must be initialised - - return ::pam_strerror (this->pam, pam_error); } -#endif // SBUILD_FEATURE_PAM diff --git a/sbuild/sbuild-auth.h b/sbuild/sbuild-auth.h index 2bb14d33..2ec59fc6 100644 --- a/sbuild/sbuild-auth.h +++ b/sbuild/sbuild-auth.h @@ -20,7 +20,6 @@ #define SBUILD_AUTH_H #include <sbuild/sbuild-config.h> -#include <sbuild/sbuild-auth-conv.h> #include <sbuild/sbuild-custom-error.h> #include <sbuild/sbuild-environment.h> #include <sbuild/sbuild-types.h> @@ -34,10 +33,6 @@ #include <pwd.h> #include <unistd.h> -#ifdef SBUILD_FEATURE_PAM -#include <security/pam_appl.h> -#endif // SBUILD_FEATURE_PAM - namespace sbuild { @@ -104,9 +99,10 @@ namespace sbuild /// Exception type. typedef custom_error<error_code> error; - /// A shared_ptr to an auth_conv object. - typedef std::tr1::shared_ptr<auth_conv> conv_ptr; + /// A shared_ptr to a auth object. + typedef std::tr1::shared_ptr<auth> ptr; + protected: /** * The constructor. * @@ -117,6 +113,7 @@ namespace sbuild */ auth (std::string const& service_name); + public: /** * The destructor. */ @@ -255,13 +252,23 @@ namespace sbuild set_environment (environment const& environment); /** + * Get the minimal environment. This is the user environment plus + * essential environment variables which are set if not already + * present. + * + * @returns an environment list. + */ + environment + get_minimal_environment () const; + + /** * Get the PAM environment. This is the environment as set by PAM * modules. * * @returns an environment list. */ - environment - get_pam_environment () const; + virtual environment + get_auth_environment () const = 0; /** * Get the "remote uid" of the user. This is the uid which is @@ -315,31 +322,13 @@ namespace sbuild void set_verbosity (verbosity verbosity); -#ifdef SBUILD_FEATURE_PAM - /** - * Get the conversation handler. - * - * @returns a shared_ptr to the handler. - */ - conv_ptr& - get_conv (); - - /** - * Set the conversation handler. - * - * @param conv a shared_ptr to the handler. - */ - void - set_conv (conv_ptr& conv); -#endif // SBUILD_FEATURE_PAM - /** * Start the PAM system. No other PAM functions may be called before * calling this function. * * An error will be thrown on failure. */ - void + virtual void start (); /** @@ -348,7 +337,7 @@ namespace sbuild * * An error will be thrown on failure. */ - void + virtual void stop (); /** @@ -363,7 +352,7 @@ namespace sbuild * @todo Use sysconf(_SC_HOST_NAME_MAX) when libc in a stable * release supports it. */ - void + virtual void authenticate (status auth_status); /** @@ -376,7 +365,7 @@ namespace sbuild * Note that the environment is not sanitised in any way. This is * the responsibility of the user. */ - void + virtual void setupenv (); /** @@ -384,7 +373,7 @@ namespace sbuild * * An error will be thrown on failure. */ - void + virtual void account (); /** @@ -392,7 +381,7 @@ namespace sbuild * * An error will be thrown on failure. */ - void + virtual void cred_establish (); /** @@ -400,7 +389,7 @@ namespace sbuild * * An error will be thrown on failure. */ - void + virtual void cred_delete (); /** @@ -408,7 +397,7 @@ namespace sbuild * * An error will be thrown on failure. */ - void + virtual void open_session (); /** @@ -416,7 +405,7 @@ namespace sbuild * * An error will be thrown on failure. */ - void + virtual void close_session (); /** @@ -443,24 +432,10 @@ namespace sbuild * Check if PAM is initialised (i.e. start has been called). * @returns true if initialised, otherwise false. */ - bool is_initialised () const; + virtual bool + is_initialised () const = 0; protected: -#ifdef SBUILD_FEATURE_PAM - /// The PAM handle. - pam_handle_t *pam; - - /** - * Get a description of a PAM error. - * - * @param pam_error the PAM error number. - * @returns the description. - */ - const char * - pam_strerror (int pam_error); -#endif // SBUILD_FEATURE_PAM - - private: /// The PAM service name. const std::string service; /// The uid to run as. @@ -487,10 +462,6 @@ namespace sbuild std::string ruser; /// The group name requesting authentication. std::string rgroup; -#ifdef SBUILD_FEATURE_PAM - /// The PAM conversation handler. - conv_ptr conv; -#endif // SBUILD_FEATURE_PAM #ifndef SBUILD_FEATURE_PAM /// Minimal environment. environment auth_environment; diff --git a/sbuild/sbuild-session.cc b/sbuild/sbuild-session.cc index dc6c6d07..60bcd979 100644 --- a/sbuild/sbuild-session.cc +++ b/sbuild/sbuild-session.cc @@ -18,6 +18,8 @@ #include <config.h> +#include "sbuild-chroot-config.h" +#include "sbuild-auth-null.h" #include "sbuild-chroot-plain.h" #ifdef SBUILD_FEATURE_LVMSNAP #include "sbuild-chroot-lvm-snapshot.h" @@ -246,7 +248,7 @@ session::session (std::string const& service, config_ptr& config, operation operation, sbuild::string_list const& chroots): - authstat(auth_ptr(new sbuild::auth(service))), + authstat(auth_null::create(service)), config(config), chroots(chroots), chroot_status(true), @@ -267,14 +269,14 @@ session::~session () { } -session::auth_ptr const& +auth::ptr const& session::get_auth () const { return this->authstat; } void -session::set_auth (auth_ptr& auth) +session::set_auth (auth::ptr& auth) { this->authstat = auth; } @@ -757,7 +759,7 @@ session::get_login_directories () const ret.push_back(this->cwd); // Set $HOME. - environment env = this->authstat->get_pam_environment(); + environment env = this->authstat->get_auth_environment(); std::string home; if (env.get("HOME", home) && std::find(ret.begin(), ret.end(), home) == ret.end()) @@ -918,7 +920,7 @@ session::get_user_command (sbuild::chroot::ptr& session_chroot, string_list& command) const { /* Search for program in path. */ - environment env = this->authstat->get_pam_environment(); + environment env = this->authstat->get_auth_environment(); std::string path; if (!env.get("PATH", path)) path.clear(); @@ -1235,7 +1237,7 @@ session::run_child (sbuild::chroot::ptr& session_chroot) /* Set up environment */ environment env; env.set_filter(session_chroot->get_environment_filter()); - env += this->authstat->get_pam_environment(); + env += this->authstat->get_auth_environment(); // Add equivalents to sudo's SUDO_USER, SUDO_UID, SUDO_GID, and // SUDO_COMMAND. diff --git a/sbuild/sbuild-session.h b/sbuild/sbuild-session.h index 966cec23..f3f2ed7d 100644 --- a/sbuild/sbuild-session.h +++ b/sbuild/sbuild-session.h @@ -99,9 +99,6 @@ namespace sbuild /// A shared_ptr to a session object. typedef std::tr1::shared_ptr<session> ptr; - /// A shared_ptr to an auth object. - typedef std::tr1::shared_ptr<auth> auth_ptr; - /** * The constructor. * @@ -123,7 +120,7 @@ namespace sbuild * * @returns a shared_ptr to the authentication state. */ - auth_ptr const& + auth::ptr const& get_auth () const; /** @@ -132,7 +129,7 @@ namespace sbuild * @param auth a shared_ptr to the authentication state. */ void - set_auth (auth_ptr& auth); + set_auth (auth::ptr& auth); /** * Get the configuration associated with this session. @@ -448,7 +445,7 @@ namespace sbuild struct sigaction *saved_signal); /// Authentication state. - auth_ptr authstat; + auth::ptr authstat; /// The chroot configuration. config_ptr config; /// The chroots to run the session operation in. |