PSARC/2007/218 caller_context_t in all VOPs

PSARC/2007/227 VFS Feature Registration and ACL on Create
PSARC/2007/244 ZFS Case-insensitive support
PSARC/2007/315 Extensible Attribute Interfaces
PSARC/2007/394 ls(1) new command line options '-/' and '-%': CIFS system attributes support
PSARC/2007/403 Modified Access Checks for CIFS
PSARC/2007/410 Add system attribute support to chmod(1)
PSARC/2007/432 CIFS system attributes support for cp(1), pack(1), unpack(1), compress(1) and uncompress(1)
PSARC/2007/444 Rescind SETTABLE Attribute
PSARC/2007/459 CIFS system attributes support for cpio(1), pax(1), tar(1)
PSARC/2007/546 Update utilities to match CIFS system attributes changes.
PSARC/2007/560 ZFS sharesmb property
4890717 want append-only files
6417428 Case-insensitive file system name lookup to support CIFS
6417435 DOS attributes and additional timestamps to support for CIFS
6417442 File system quarantined and modified attributes to support an integrated Anti-Virus service
6417453 FS boolean property for rejecting/allowing invalid UTF-8 sequences in file names
6473733 RFE: Need support for open-deny modes
6473755 RFE:  Need ability to reconcile oplock and delegation conflicts
6494624 sharemgr needs to support CIFS shares better
6546705 All vnode operations need to pass caller_context_t
6546706 Need VOP_SETATTR/VOP_GETATTR to support new, optional attributes
6546893 Solaris system attribute support
6550962 ZFS ACL inheritance needs to be enhanced to support Automatic Inheritance
6553589 RFE: VFS Feature Registration facility
6553770 RFE: ZFS support for ACL-on-CREATE (PSARC 2007/227)
6565581 ls(1) should support file system attributes proposed in PSARC/2007/315
6566784 NTFS streams are not copied along with the files.
6576205 cp(1), pack(1) and compress(1) should support file system attributes proposed in PSARC/2007/315
6578875 RFE: kernel interfaces for nbmand need improvement
6578883 RFE: VOP_SHRLOCK needs additional access types
6578885 chmod(1) should support file system attributes proposed in PSARC/2007/315
6578886 RFE: disallow nbmand state to change on remount
6583349 ACL parser needs to support audit/alarm ACE types
6590347 tar(1) should support filesystem attributes proposed in PSARC/2007/315
6597357 *tar* xv@ doesn't show the hidden directory even though it is restored
6597360 *tar* should re-init xattr info if openat() fails during extraction of and extended attribute
6597368 *tar* cannot restore hard linked extended attributes
6597374 *tar* doesn't display "x " when hard linked attributes are restored
6597375 *tar* extended attribute header off by one
6614861 *cpio* incorrectly archives extended system attributes with -@
6614896 *pax* incorrectly archives extended system attributes with -@
6615225 *tar* incorrectly archives extended system attributes with -@
6617183 CIFS Service - PSARC 2006/715

1 files changed, 202 insertions, 0 deletions

diff --git a/usr/src/lib/pam_modules/smb/smb_passwd.c b/usr/src/lib/pam_modules/smb/smb_passwd.c
new file mode 100644
index 0000000000..9167d093a6
--- /dev/null
+++ b/usr/src/lib/pam_modules/smb/smb_passwd.c
@@ -0,0 +1,202 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+#include <sys/types.h>
+#include <sys/varargs.h>
+#include <string.h>
+#include <syslog.h>
+#include <stdlib.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_impl.h>
+
+#include <libintl.h>
+#include <passwdutil.h>
+
+#include <smbsrv/libsmb.h>
+
+/*PRINTFLIKE3*/
+static void
+error(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
+{
+	va_list ap;
+	char message[PAM_MAX_MSG_SIZE];
+
+	if (nowarn)
+		return;
+
+	va_start(ap, fmt);
+	(void) vsnprintf(message, sizeof (message), fmt, ap);
+	(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, &message,
+	    NULL);
+	va_end(ap);
+}
+
+/*PRINTFLIKE3*/
+static void
+info(boolean_t nowarn, pam_handle_t *pamh, char *fmt, ...)
+{
+	va_list ap;
+	char message[PAM_MAX_MSG_SIZE];
+
+	if (nowarn)
+		return;
+
+	va_start(ap, fmt);
+	(void) vsnprintf(message, sizeof (message), fmt, ap);
+	(void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, &message,
+	    NULL);
+	va_end(ap);
+}
+
+int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+	boolean_t debug = B_FALSE;
+	boolean_t nowarn = B_FALSE;
+	pwu_repository_t files_rep;
+	char *user, *local_user;
+	char *newpw;
+	char *service;
+	int privileged;
+	int res;
+	int i;
+
+	for (i = 0; i < argc; i++) {
+		if (strcmp(argv[i], "debug") == 0)
+			debug = B_TRUE;
+		else if (strcmp(argv[i], "nowarn") == 0)
+			nowarn = B_TRUE;
+	}
+
+	if ((flags & PAM_PRELIM_CHECK) != 0)
+		return (PAM_IGNORE);
+
+	if ((flags & PAM_UPDATE_AUTHTOK) == 0)
+		return (PAM_SYSTEM_ERR);
+
+	if ((flags & PAM_SILENT) != 0)
+		nowarn = B_TRUE;
+
+	if (debug)
+		__pam_log(LOG_AUTH | LOG_DEBUG,
+		    "pam_smb_passwd: storing authtok");
+
+	(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
+	(void) pam_get_item(pamh, PAM_USER, (void **)&user);
+
+	if (user == NULL || *user == '\0') {
+		__pam_log(LOG_AUTH | LOG_ERR,
+		    "pam_smb_passwd: username is empty");
+		return (PAM_USER_UNKNOWN);
+	}
+
+	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&newpw);
+	if (newpw == NULL) {
+		/*
+		 * A module on the stack has removed PAM_AUTHTOK. We fail
+		 */
+		return (PAM_AUTHTOK_ERR);
+	}
+
+	/* Check to see if this is a local user */
+	files_rep.type = "files";
+	files_rep.scope = NULL;
+	files_rep.scope_len = 0;
+	res = __user_to_authenticate(user, &files_rep, &local_user,
+	    &privileged);
+	if (res != PWU_SUCCESS) {
+		switch (res) {
+		case PWU_NOT_FOUND:
+			/* if not a local user, ignore */
+			if (debug) {
+				__pam_log(LOG_AUTH | LOG_DEBUG,
+				    "pam_smb_passwd: %s is not local", user);
+			}
+			return (PAM_IGNORE);
+		case PWU_DENIED:
+			return (PAM_PERM_DENIED);
+		}
+		return (PAM_SYSTEM_ERR);
+	}
+
+	res = smb_pwd_setpasswd(user, newpw);
+
+	/*
+	 * now map the various return states to user messages
+	 * and PAM return codes.
+	 */
+	switch (res) {
+	case SMB_PWE_SUCCESS:
+		info(nowarn, pamh, dgettext(TEXT_DOMAIN,
+		    "%s: SMB password successfully changed for %s"),
+		    service, user);
+		return (PAM_SUCCESS);
+
+	case SMB_PWE_STAT_FAILED:
+		__pam_log(LOG_AUTH | LOG_ERR,
+		    "%s: stat of SMB password file failed", service);
+		return (PAM_SYSTEM_ERR);
+
+	case SMB_PWE_OPEN_FAILED:
+	case SMB_PWE_WRITE_FAILED:
+	case SMB_PWE_CLOSE_FAILED:
+	case SMB_PWE_UPDATE_FAILED:
+		error(nowarn, pamh, dgettext(TEXT_DOMAIN,
+		    "%s: Unexpected failure. SMB password database unchanged."),
+		    service);
+		return (PAM_SYSTEM_ERR);
+
+	case SMB_PWE_BUSY:
+		error(nowarn, pamh, dgettext(TEXT_DOMAIN,
+		    "%s: SMB password database busy. Try again later."),
+		    service);
+
+		return (PAM_AUTHTOK_LOCK_BUSY);
+
+	case SMB_PWE_USER_UNKNOWN:
+		error(nowarn, pamh, dgettext(TEXT_DOMAIN,
+		    "%s: %s does not exist."), service, user);
+		return (PAM_USER_UNKNOWN);
+
+	case SMB_PWE_USER_DISABLE:
+		error(nowarn, pamh, dgettext(TEXT_DOMAIN,
+		    "%s: %s is disable. SMB password database unchanged."),
+		    service, user);
+		return (PAM_IGNORE);
+
+	case SMB_PWE_DENIED:
+		return (PAM_PERM_DENIED);
+
+	default:
+		res = PAM_SYSTEM_ERR;
+		break;
+	}
+
+	return (res);
+}