diff options
| author | semery <none@none> | 2007-01-08 22:48:10 -0800 |
|---|---|---|
| committer | semery <none@none> | 2007-01-08 22:48:10 -0800 |
| commit | 3bfb48feb84bb78924286a801c68f80198912fa7 (patch) | |
| tree | 2eb676597d732d4f08c1f4525422532bc9937c5e /usr/src | |
| parent | 3adfa9cd8a85081d32de7091fd58369411b3dade (diff) | |
| download | illumos-gate-3bfb48feb84bb78924286a801c68f80198912fa7.tar.gz | |
6266812 pam_krb5 and pam_krb5_migrate localize their syslog messagesonnv_56
6430941 pam_krb5 pam_sm_setcred can cause /tmp/krb5cc_<PAM_USER> to be owned by euid rather than PAM_USER
6484675 pam_krb5(5) needs some cleanup
6499804 pam_krb5 account management should not return success if user is not defined in kerberos realm
6507080 autofs no longer passing credential information in upcalls
Diffstat (limited to 'usr/src')
| -rw-r--r-- | usr/src/cmd/fs.d/autofs/autod_lookup.c | 8 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/autofs/autod_main.c | 63 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/autofs/autod_mount.c | 6 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/autofs/autod_nfs.c | 14 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/autofs/autod_readdir.c | 6 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/autofs/autod_xdr.c | 6 | ||||
| -rw-r--r-- | usr/src/cmd/fs.d/autofs/automount.h | 17 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c | 90 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/krb5_authenticate.c | 134 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/krb5_password.c | 62 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/krb5_setcred.c | 133 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/utils.c | 24 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/utils.h | 8 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5_migrate/krb5_migrate_authenticate.c | 71 | ||||
| -rw-r--r-- | usr/src/uts/common/fs/autofs/auto_subr.c | 17 | ||||
| -rw-r--r-- | usr/src/uts/common/fs/autofs/auto_vnops.c | 3 | ||||
| -rw-r--r-- | usr/src/uts/common/fs/autofs/auto_xdr.c | 6 | ||||
| -rw-r--r-- | usr/src/uts/common/rpcsvc/autofs_prot.x | 4 |
18 files changed, 331 insertions, 341 deletions
diff --git a/usr/src/cmd/fs.d/autofs/autod_lookup.c b/usr/src/cmd/fs.d/autofs/autod_lookup.c index cf8b06ecc9..4bc19f628e 100644 --- a/usr/src/cmd/fs.d/autofs/autod_lookup.c +++ b/usr/src/cmd/fs.d/autofs/autod_lookup.c @@ -21,7 +21,7 @@ /* * autod_lookup.c * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -46,9 +46,9 @@ do_lookup1( char *mapopts, char *path, uint_t isdirect, + uid_t uid, autofs_action_t *action, - struct linka *linkp, - ucred_t *cred) + struct linka *linkp) { struct mapline ml; struct mapent *mapents = NULL; @@ -122,7 +122,7 @@ do_lookup1( * to superusers. */ if (mapents == NULL && *action == AUTOFS_NONE) { - if (*key == '=' && ucred_geteuid(cred) == 0) { + if (*key == '=' && uid == 0) { if (isdigit(*(key+1))) { /* * If next character is a digit diff --git a/usr/src/cmd/fs.d/autofs/autod_main.c b/usr/src/cmd/fs.d/autofs/autod_main.c index ef616f9057..37d18600c1 100644 --- a/usr/src/cmd/fs.d/autofs/autod_main.c +++ b/usr/src/cmd/fs.d/autofs/autod_main.c @@ -46,7 +46,6 @@ #include <string.h> #include <thread.h> #include <locale.h> -#include <ucred.h> #include <door.h> #include "automount.h" #include <sys/vfs.h> @@ -64,17 +63,13 @@ static void autofs_doorfunc(void *, char *, size_t, door_desc_t *, uint_t); static void autofs_setdoor(int); -static void autofs_mntinfo_1_r(autofs_lookupargs *, - autofs_mountres *, ucred_t *); +static void autofs_mntinfo_1_r(autofs_lookupargs *, autofs_mountres *); static void autofs_mount_1_free_r(struct autofs_mountres *); -static void autofs_lookup_1_r(autofs_lookupargs *, - autofs_lookupres *, ucred_t *); +static void autofs_lookup_1_r(autofs_lookupargs *, autofs_lookupres *); static void autofs_lookup_1_free_args(autofs_lookupargs *); -static void autofs_unmount_1_r(umntrequest *, umntres *, - ucred_t *); +static void autofs_unmount_1_r(umntrequest *, umntres *); static void autofs_unmount_1_free_args(umntrequest *); -static void autofs_readdir_1_r(autofs_rddirargs *, - autofs_rddirres *, ucred_t *); +static void autofs_readdir_1_r(autofs_rddirargs *, autofs_rddirres *); static void autofs_readdir_1_free_r(struct autofs_rddirres *); static int decode_args(xdrproc_t, autofs_door_args_t *, caddr_t *, int); static bool_t encode_res(xdrproc_t, autofs_door_res_t **, caddr_t, int *); @@ -95,7 +90,6 @@ extern int _autofssys(int, void *); #define AUTOFS_DOOR "/var/run/autofs_door" #endif /* DEBUG */ - static thread_key_t s_thr_key; struct autodir *dir_head; @@ -299,14 +293,13 @@ usage() static void autofs_readdir_1_r( autofs_rddirargs *req, - autofs_rddirres *res, - ucred_t *autofs_cred) + autofs_rddirres *res) { if (trace > 0) trace_prt(1, "READDIR REQUEST : %s @ %ld\n", req->rda_map, req->rda_offset); - do_readdir(req, res, autofs_cred); + do_readdir(req, res); if (trace > 0) trace_prt(1, "READDIR REPLY : status=%d\n", res->rd_status); @@ -326,8 +319,7 @@ autofs_readdir_1_free_r(struct autofs_rddirres *res) static void autofs_unmount_1_r( umntrequest *m, - umntres *res, - ucred_t *autofs_cred) + umntres *res) { struct umntrequest *ul; @@ -357,8 +349,7 @@ autofs_unmount_1_r( static void autofs_lookup_1_r( autofs_lookupargs *m, - autofs_lookupres *res, - ucred_t *autofs_cred) + autofs_lookupres *res) { autofs_action_t action; struct linka link; @@ -378,7 +369,7 @@ autofs_lookup_1_r( bzero(&link, sizeof (struct linka)); status = do_lookup1(m->map, m->name, m->subdir, m->opts, m->path, - (uint_t)m->isdirect, &action, &link, autofs_cred); + (uint_t)m->isdirect, m->uid, &action, &link); if (status == 0) { /* * Return action list to kernel. @@ -402,8 +393,7 @@ autofs_lookup_1_r( static void autofs_mntinfo_1_r( autofs_lookupargs *m, - autofs_mountres *res, - ucred_t *autofs_cred) + autofs_mountres *res) { int status; action_list *alp = NULL; @@ -420,7 +410,7 @@ autofs_mntinfo_1_r( } status = do_mount1(m->map, m->name, m->subdir, m->opts, m->path, - (uint_t)m->isdirect, &alp, autofs_cred, DOMOUNT_USER); + (uint_t)m->isdirect, m->uid, &alp, DOMOUNT_USER); if (status != 0) { /* * An error occurred, free action list if allocated. @@ -671,12 +661,6 @@ autofs_doorfunc( autofs_door_res_t *door_res; autofs_door_res_t failed_res; - /* - * autofs_cred is nulled because door_cred assumes non-null - * to have been previously allocated. - */ - ucred_t *autofs_cred = NULL; - if (arg_size < sizeof (autofs_door_args_t)) { failed_res.res_status = EINVAL; error = door_return((char *)&failed_res, @@ -689,19 +673,6 @@ autofs_doorfunc( return; } - error = door_ucred(&autofs_cred); - if (error) { - failed_res.res_status = error; - error = door_return((char *)&failed_res, - sizeof (autofs_door_res_t), NULL, 0); - /* - * If we got here, door_return() failed - */ - syslog(LOG_ERR, "Bad cred, door_return() failed, %d", - error); - return; - } - timenow = time((time_t *)NULL); which = ((autofs_door_args_t *)argp)->cmd; @@ -720,7 +691,7 @@ autofs_doorfunc( } bzero(&lookup_res, sizeof (autofs_lookupres)); - autofs_lookup_1_r(xdrargs, &lookup_res, autofs_cred); + autofs_lookup_1_r(xdrargs, &lookup_res); autofs_lookup_1_free_args(xdrargs); free(xdrargs); @@ -751,8 +722,7 @@ autofs_doorfunc( break; } - autofs_mntinfo_1_r((autofs_lookupargs *)xdrargs, - &mount_res, autofs_cred); + autofs_mntinfo_1_r((autofs_lookupargs *)xdrargs, &mount_res); autofs_lookup_1_free_args(xdrargs); free(xdrargs); @@ -790,8 +760,7 @@ autofs_doorfunc( break; } - autofs_unmount_1_r(umnt_args, - &umount_res, autofs_cred); + autofs_unmount_1_r(umnt_args, &umount_res); error = umount_res.status; @@ -826,7 +795,7 @@ autofs_doorfunc( break; } - autofs_readdir_1_r(rddir_args, &rddir_res, autofs_cred); + autofs_readdir_1_r(rddir_args, &rddir_res); free(rddir_args->rda_map); free(rddir_args); @@ -847,7 +816,6 @@ autofs_doorfunc( break; #ifdef MALLOC_DEBUG case AUTOFS_DUMP_DEBUG: - ucred_free(autofs_cred); check_leaks("/var/tmp/automountd.leak"); error = door_return(NULL, 0, NULL, 0); /* @@ -867,7 +835,6 @@ autofs_doorfunc( res_size = sizeof (autofs_door_res_t); break; } - ucred_free(autofs_cred); error = door_return(res, res_size, NULL, 0); /* * If we got here, door_return failed. diff --git a/usr/src/cmd/fs.d/autofs/autod_mount.c b/usr/src/cmd/fs.d/autofs/autod_mount.c index e127b3dce4..b5826a0a20 100644 --- a/usr/src/cmd/fs.d/autofs/autod_mount.c +++ b/usr/src/cmd/fs.d/autofs/autod_mount.c @@ -21,7 +21,7 @@ /* * autod_mount.c * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -69,8 +69,8 @@ do_mount1( char *mapopts, char *path, uint_t isdirect, + uid_t uid, action_list **alpp, - ucred_t *cred, int flags) { struct mapline ml; @@ -178,7 +178,7 @@ retry: } else alp = NULL; err = - mount_nfs(me, spec_mntpnt, private, overlay, cred, + mount_nfs(me, spec_mntpnt, private, overlay, uid, &alp); /* * We must retry if we don't have access to the diff --git a/usr/src/cmd/fs.d/autofs/autod_nfs.c b/usr/src/cmd/fs.d/autofs/autod_nfs.c index 9f2b1821ac..dfc5ebd83c 100644 --- a/usr/src/cmd/fs.d/autofs/autod_nfs.c +++ b/usr/src/cmd/fs.d/autofs/autod_nfs.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -130,8 +130,8 @@ typedef struct mfs_snego_t mfs_snego_t; static struct cache_entry *cache_head = NULL; rwlock_t cache_lock; /* protect the cache chain */ -static enum nfsstat nfsmount(struct mapfs *, char *, char *, int, int, - ucred_t *, action_list *); +static enum nfsstat nfsmount(struct mapfs *, char *, char *, int, int, uid_t, + action_list *); static int is_nfs_port(char *); void netbuf_free(struct netbuf *); @@ -226,7 +226,7 @@ mount_nfs( char *mntpnt, char *prevhost, int overlay, - ucred_t *cred, + uid_t uid, action_list **alpp) { struct mapfs *mfs, *mp; @@ -274,7 +274,7 @@ mount_nfs( if (err) { cached = strcmp(me->map_mounter, MNTTYPE_CACHEFS) == 0; err = nfsmount(mfs, mntpnt, me->map_mntopts, - cached, overlay, cred, alp); + cached, overlay, uid, alp); if (err && trace > 1) { trace_prt(1, " Couldn't mount %s:%s, err=%d\n", mfs->mfs_host, mfs->mfs_dir, err); @@ -631,7 +631,7 @@ nfsmount( struct mapfs *mfs_in, char *mntpnt, char *opts, int cached, int overlay, - ucred_t *cred, + uid_t uid, action_list *alp) { CLIENT *cl; @@ -2032,7 +2032,7 @@ try_mnt_slash: if (is_system_labeled()) nfs_sec.sc_uid = (uid_t)0; else - nfs_sec.sc_uid = ucred_geteuid(cred); + nfs_sec.sc_uid = uid; /* * If AUTH_DH is a chosen flavor now, its data will be stored * in the sec_data structure via nfs_clnt_secdata(). diff --git a/usr/src/cmd/fs.d/autofs/autod_readdir.c b/usr/src/cmd/fs.d/autofs/autod_readdir.c index 74dc5108f0..db774ea789 100644 --- a/usr/src/cmd/fs.d/autofs/autod_readdir.c +++ b/usr/src/cmd/fs.d/autofs/autod_readdir.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -62,7 +62,7 @@ rwlock_t autofs_rddir_cache_lock; /* readdir cache lock */ struct autofs_rddir_cache *rddir_head; /* readdir cache head */ int -do_readdir(autofs_rddirargs *rda, autofs_rddirres *rd, ucred_t *cred) +do_readdir(autofs_rddirargs *rda, autofs_rddirres *rd) { struct dir_entry *list = NULL, *l; struct autofs_rddir_cache *rdcp = NULL; @@ -121,7 +121,7 @@ do_readdir(autofs_rddirargs *rda, autofs_rddirres *rd, ucred_t *cred) */ stack_op(INIT, NULL, stack, &stkptr); (void) getmapkeys(rda->rda_map, &list, &error, - &cache_time, stack, &stkptr, ucred_geteuid(cred)); + &cache_time, stack, &stkptr, rda->uid); if (!error) build_dir_entry_list(rdcp, list); else if (list) { diff --git a/usr/src/cmd/fs.d/autofs/autod_xdr.c b/usr/src/cmd/fs.d/autofs/autod_xdr.c index f64bc5a12b..d474378ff6 100644 --- a/usr/src/cmd/fs.d/autofs/autod_xdr.c +++ b/usr/src/cmd/fs.d/autofs/autod_xdr.c @@ -21,7 +21,7 @@ /* * autod_xdr.c * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -210,6 +210,8 @@ xdr_autofs_lookupargs(xdrs, objp) return (FALSE); if (!xdr_bool_t(xdrs, &objp->isdirect)) return (FALSE); + if (!xdr_u_int(xdrs, (uint_t *)&objp->uid)) + return (FALSE); return (TRUE); } @@ -293,6 +295,8 @@ xdr_autofs_rddirargs(xdrs, objp) return (FALSE); if (!xdr_u_int(xdrs, &objp->rda_count)) return (FALSE); + if (!xdr_u_int(xdrs, (uint_t *)&objp->uid)) + return (FALSE); return (TRUE); } diff --git a/usr/src/cmd/fs.d/autofs/automount.h b/usr/src/cmd/fs.d/autofs/automount.h index 0f5fbeb5b4..5c9b9950af 100644 --- a/usr/src/cmd/fs.d/autofs/automount.h +++ b/usr/src/cmd/fs.d/autofs/automount.h @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -36,7 +36,6 @@ #include <rpc/rpc.h> #include <sys/fs/autofs.h> #include <netinet/in.h> /* needed for sockaddr_in declaration */ -#include <ucred.h> #ifdef MALLOC_DEBUG #include <debug_alloc.h> @@ -278,16 +277,16 @@ extern enum clnt_stat pingnfs(char *, int, rpcvers_t *, rpcvers_t, extern void *autofs_get_buffer(size_t); extern int self_check(char *); -extern int do_mount1(char *, char *, char *, char *, char *, uint_t, - action_list **, ucred_t *, int); -extern int do_lookup1(char *, char *, char *, char *, char *, uint_t, - autofs_action_t *, struct linka *, ucred_t *); +extern int do_mount1(char *, char *, char *, char *, char *, uint_t, uid_t, + action_list **, int); +extern int do_lookup1(char *, char *, char *, char *, char *, uint_t, uid_t, + autofs_action_t *, struct linka *); extern int do_unmount1(umntrequest *); -extern int do_readdir(autofs_rddirargs *, autofs_rddirres *, ucred_t *); +extern int do_readdir(autofs_rddirargs *, autofs_rddirres *); extern int nfsunmount(struct mnttab *); extern int loopbackmount(char *, char *, char *, int); -extern int mount_nfs(struct mapent *, char *, char *, int, - ucred_t *, action_list **); +extern int mount_nfs(struct mapent *, char *, char *, int, uid_t, + action_list **); extern int mount_autofs(struct mapent *, char *, action_list *, char *rootp, char *subdir, char *key); extern int mount_generic(char *, char *, char *, char *, int); diff --git a/usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c b/usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c index 1397fe8f49..d838613187 100644 --- a/usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c +++ b/usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -89,7 +88,7 @@ fetch_princ_entry( krb5_free_principal(context, princ); krb5_free_context(context); if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): fetch_princ_entry: pwlen=0"); return (PAM_AUTH_ERR); } @@ -103,10 +102,9 @@ fetch_princ_entry( params.realm = admin_realm; if (kadm5_get_cpw_host_srv_name(context, admin_realm, &cpw_service)) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): unable to get host based " - "service name for realm '%s'"), + "service name for realm '%s'", admin_realm); krb5_free_principal(context, princ); krb5_free_context(context); @@ -118,7 +116,7 @@ fetch_princ_entry( KADM5_API_VERSION_2, &server_handle); if (code != 0) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): fetch_princ_entry: " "init_with_pw failed: code = %d", code); krb5_free_principal(context, princ); @@ -129,7 +127,7 @@ fetch_princ_entry( if (_kadm5_get_kpasswd_protocol(server_handle) != KRB5_CHGPWD_RPCSEC) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): fetch_princ_entry: " "non-RPCSEC_GSS chpw server, can't get " "princ entry"); @@ -154,9 +152,8 @@ fetch_princ_entry( (void) kadm5_destroy(server_handle); krb5_free_principal(context, princ); krb5_free_context(context); - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, - "PAM-KRB5 (acct): krb5_timeofday fail: code=%d"), + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (acct): krb5_timeofday fail: code=%d", code); return (PAM_SYSTEM_ERR); } @@ -194,7 +191,7 @@ exp_warn( char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE]; if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn start: user = '%s'", user ? user : "<null>"); @@ -207,14 +204,14 @@ exp_warn( if ((err = fetch_princ_entry(user, password, &prent, &now, debug)) != PAM_SUCCESS) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn: fetch_pr failed %d", err); goto out; } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn: fetch_princ success:" " princ exp=%ld pw_exp = %ld, now =%ld, days=%ld", prent.princ_expire_time, @@ -252,7 +249,7 @@ exp_warn( out: if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn end: err = %d", err); return (err); @@ -295,18 +292,19 @@ pam_sm_acct_mgmt( nowarn = 1; flags = flags | PAM_SILENT; } else { - syslog(LOG_ERR, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): illegal option %s", argv[i]); } } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): debug=%d, nowarn=%d", debug, nowarn); - err = pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); + (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); + if (rep_data != NULL) { /* * If the repository is not ours, @@ -314,7 +312,8 @@ pam_sm_acct_mgmt( */ if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (acct): wrong" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (acct): wrong" "repository found (%s), returning " "PAM_IGNORE", rep_data->type); return (PAM_IGNORE); @@ -323,16 +322,9 @@ pam_sm_acct_mgmt( /* get user name */ - if ((err = pam_get_item(pamh, PAM_USER, (void **) &user)) - != PAM_SUCCESS) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (acct):" - " get user failed: err=%d"), - err); - goto out; - } + (void) pam_get_item(pamh, PAM_USER, (void **) &user); - if (user == NULL) { + if (user == NULL || *user == '\0') { err = PAM_USER_UNKNOWN; goto out; } @@ -342,9 +334,8 @@ pam_sm_acct_mgmt( (const void **)&userdata); if (err != PAM_SUCCESS) { if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (acct): " - "no module data for KRB5_AUTOMIGRATE_DATA")); + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): " + "no module data for KRB5_AUTOMIGRATE_DATA"); } else { /* * We try and reauthenticate, since this user has a @@ -357,9 +348,9 @@ pam_sm_acct_mgmt( (const char **)argv); else if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): PAM_USER %s" - "does not match user %s from pam_get_data()"), + "does not match user %s from pam_get_data()", user, (char *)userdata); } @@ -375,15 +366,14 @@ pam_sm_acct_mgmt( * was instantiated (normal for auth 'acceptor') */ if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): no module data"); err = PAM_IGNORE; goto out; } else { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): get module" - " data failed: err=%d"), + " data failed: err=%d", err); } goto out; @@ -397,13 +387,25 @@ pam_sm_acct_mgmt( */ if (kmd->auth_status == PAM_IGNORE) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): kmd auth_status is IGNORE"); err = PAM_IGNORE; goto out; } /* + * auth mod set status to user_unknown, most likely cuz user is + * not a kerberos user. + */ + if (kmd->auth_status == PAM_USER_UNKNOWN) { + if (debug) + syslog(LOG_DEBUG, + "PAM-KRB5 (acct): kmd auth_status is USER UNKNOWN"); + err = PAM_USER_UNKNOWN; + goto out; + } + + /* * age_status will be set to PAM_NEW_AUTHTOK_REQD in pam_krb5's * 'auth' if the user's key/pw has expired and needs to be changed */ @@ -424,12 +426,14 @@ pam_sm_acct_mgmt( (void) exp_warn(pamh, user, kmd->password, debug); } - /* everything a-ok */ - err = PAM_SUCCESS; + /* + * Here we return any errors during the auth pass, if any. + */ + err = kmd->auth_status; out: if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): end: %s", pam_strerror(pamh, err)); return (err); diff --git a/usr/src/lib/pam_modules/krb5/krb5_authenticate.c b/usr/src/lib/pam_modules/krb5/krb5_authenticate.c index 8894197d73..aec4b426b7 100644 --- a/usr/src/lib/pam_modules/krb5/krb5_authenticate.c +++ b/usr/src/lib/pam_modules/krb5/krb5_authenticate.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -111,15 +111,15 @@ pam_sm_authenticate( } else if (strcmp(argv[i], "err_on_exp") == 0) { err_on_exp = 1; } else { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (auth) unrecognized option %s"), + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (auth) unrecognized option %s", argv[i]); } } if (flags & PAM_SILENT) warn = 0; if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): pam_sm_authenticate flags=%d", flags); @@ -127,8 +127,8 @@ pam_sm_authenticate( if (user == NULL || *user == '\0') { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): user empty " - "or null"); + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): user empty or null"); return (PAM_USER_UNKNOWN); } @@ -142,7 +142,7 @@ pam_sm_authenticate( */ err = pam_get_data(pamh, KRB5_DATA, (const void**)&kmd); if (!(err == PAM_SUCCESS || err == PAM_NO_MODULE_DATA)) - return (PAM_AUTH_ERR); + return (PAM_SYSTEM_ERR); if (kmd == NULL) { kmd = calloc(1, sizeof (krb5_module_data_t)); @@ -182,6 +182,11 @@ pam_sm_authenticate( } } + if ((kmd->user = strdup(user)) == NULL) { + result = PAM_BUF_ERR; + goto out; + } + kmd->auth_status = PAM_AUTH_ERR; kmd->debug = debug; kmd->warn = warn; @@ -204,7 +209,8 @@ pam_sm_authenticate( if (rep_data != NULL) { if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): wrong" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): wrong" "repository found (%s), returning " "PAM_IGNORE", rep_data->type); return (PAM_IGNORE); @@ -217,7 +223,7 @@ pam_sm_authenticate( krb5_data->principal != NULL && strlen(krb5_data->principal)) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Principal " "%s already authenticated", krb5_data->principal); @@ -237,7 +243,7 @@ pam_sm_authenticate( if ((strcmp(user, ROOT_UNAME) == 0) && key_in_keytab(user, debug)) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): " "key for '%s' in keytab, returning IGNORE", user); result = PAM_IGNORE; @@ -251,7 +257,7 @@ pam_sm_authenticate( out: if (kmd) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): pam_sm_auth finalize" " ccname env, result =%d, env ='%s'," " age = %d, status = %d", @@ -272,10 +278,9 @@ out: if ((result = pam_putenv(pamh, kmd->env)) != PAM_SUCCESS) { /* should not happen but... */ - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth):" - " pam_putenv failed: result: %d"), + " pam_putenv failed: result: %d", result); goto cleanupccname; } @@ -291,7 +296,7 @@ out: } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): end: %s", pam_strerror(pamh, result)); return (result); @@ -330,7 +335,7 @@ attempt_krb5_auth( int result = PAM_AUTH_ERR; if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth: start: user='%s'", user ? user : "<null>"); @@ -338,9 +343,9 @@ attempt_krb5_auth( /* need to free context with krb5_free_context */ if (code = krb5_init_context(&kmd->kcontext)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): Error initializing " - "krb5: %s"), + "krb5: %s", error_message(code)); return (PAM_SYSTEM_ERR); } @@ -354,14 +359,17 @@ attempt_krb5_auth( if ((code = krb5_parse_name(kmd->kcontext, kuser, &me)) != 0) { krb5_free_context(kmd->kcontext); kmd->kcontext = NULL; - return (PAM_AUTH_ERR); + return (PAM_SYSTEM_ERR); } /* call krb5_free_cred_contents() on error */ my_creds = &kmd->initcreds; - if ((code = krb5_copy_principal(kmd->kcontext, me, &my_creds->client))) - goto out_err; + if ((code = + krb5_copy_principal(kmd->kcontext, me, &my_creds->client))) { + result = PAM_SYSTEM_ERR; + goto out_err; + } if (code = krb5_build_principal_ext(kmd->kcontext, &server, krb5_princ_realm(kmd->kcontext, me)->length, @@ -369,23 +377,26 @@ attempt_krb5_auth( tgtname.length, tgtname.data, krb5_princ_realm(kmd->kcontext, me)->length, krb5_princ_realm(kmd->kcontext, me)->data, 0)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (auth): attempt_krb5_auth: " - "krb5_build_princ_ext failed: %s"), - error_message(code)); + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (auth): attempt_krb5_auth: " + "krb5_build_princ_ext failed: %s", + error_message(code)); + result = PAM_SYSTEM_ERR; goto out; } if (code = krb5_copy_principal(kmd->kcontext, server, &my_creds->server)) { + result = PAM_SYSTEM_ERR; goto out_err; } if (code = krb5_timeofday(kmd->kcontext, &now)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (auth): attempt_krb5_auth: " - "krb5_timeofday failed: %s"), - error_message(code)); + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (auth): attempt_krb5_auth: " + "krb5_timeofday failed: %s", + error_message(code)); + result = PAM_SYSTEM_ERR; goto out; } @@ -415,10 +426,9 @@ attempt_krb5_auth( if (renew_timeval) { code = krb5_string_to_deltat(renew_timeval, &rlife); if (code != 0 || rlife == 0 || rlife > krb5_max_duration) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): Bad max_renewable_life " - " value '%s' in Kerberos config file"), + " value '%s' in Kerberos config file", renew_timeval); result = PAM_SYSTEM_ERR; goto out; @@ -428,9 +438,8 @@ attempt_krb5_auth( code = krb5_string_to_deltat(life_timeval, &lifetime); if (code != 0 || lifetime == 0 || lifetime > krb5_max_duration) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, "PAM-KRB5 (auth): Bad " - "lifetime value '%s' in Kerberos config file"), + __pam_log(LOG_AUTH | LOG_ERR, + "lifetime value '%s' in Kerberos config file", life_timeval); result = PAM_SYSTEM_ERR; goto out; @@ -449,30 +458,30 @@ attempt_krb5_auth( if (proxiable_flag) { /* Set in config file */ if (kmd->debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Proxiable tickets " - "requested")); + "requested"); krb5_get_init_creds_opt_set_proxiable(&opts, TRUE); } if (forwardable_flag) { if (kmd->debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Forwardable tickets " - "requested")); + "requested"); krb5_get_init_creds_opt_set_forwardable(&opts, TRUE); } if (renewable_flag) { if (kmd->debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Renewable tickets " - "requested")); + "requested"); krb5_get_init_creds_opt_set_renew_life(&opts, rlife); } if (no_address_flag) { if (kmd->debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Addressless tickets " - "requested")); + "requested"); krb5_get_init_creds_opt_set_address_list(&opts, NULL); } @@ -496,7 +505,7 @@ attempt_krb5_auth( } if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth: " "krb5_get_init_creds_password returns: %s", code == 0 ? "SUCCESS" : error_message(code)); @@ -542,29 +551,26 @@ attempt_krb5_auth( switch (code) { case KRB5_KT_NOTFOUND: - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): " "krb5_verify_init_creds failed:" " Key table entry \"host/%s\"" - " not found in %s"), + " not found in %s", fqdn, kt_name); break; case ENOENT: - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): " "krb5_verify_init_creds failed:" " Keytab file \"%s\"" - " does not exist.\n"), + " does not exist.\n", kt_name); break; default: - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): " "krb5_verify_init_creds failed:" - " %s"), + " %s", error_message(code)); break; } @@ -583,7 +589,8 @@ attempt_krb5_auth( result = PAM_USER_UNKNOWN; if (kmd->debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth:" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): attempt_krb5_auth:" " User is not part of the local Kerberos" " realm: %s", error_message(code)); break; @@ -607,7 +614,7 @@ attempt_krb5_auth( code = krb5_verifypw(kuser, *krb5_pass, kmd->debug); if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth: " "verifypw %d", code); @@ -621,7 +628,8 @@ attempt_krb5_auth( default: result = PAM_SYSTEM_ERR; if (kmd->debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): error %d - %s", + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): error %d - %s", code, error_message(code)); break; } @@ -636,7 +644,7 @@ attempt_krb5_auth( * use in acct_mgmt */ if (!(kmd->password = strdup(*krb5_pass))) { - syslog(LOG_ERR, "Cannot strdup password"); + __pam_log(LOG_AUTH | LOG_ERR, "Cannot strdup password"); result = PAM_BUF_ERR; goto out_err; } @@ -648,7 +656,7 @@ out_err: /* jump (or reach) here if error and cred cache has been init */ if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): clearing initcreds in " "pam_authenticate()"); @@ -666,7 +674,7 @@ out: } if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth returning %d", result); @@ -683,9 +691,8 @@ krb5_cleanup(pam_handle_t *pamh, void *data, int pam_status) return; if (kmd->debug) { - syslog(LOG_DEBUG, - dgettext(TEXT_DOMAIN, - "PAM-KRB5 (auth): krb5_cleanup auth_status = %d"), + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): krb5_cleanup auth_status = %d", kmd->auth_status); } @@ -702,6 +709,9 @@ krb5_cleanup(pam_handle_t *pamh, void *data, int pam_status) free(kmd->password); } + if (kmd->user != NULL) + free(kmd->user); + if ((pam_status != PAM_SUCCESS) || (kmd->auth_status != PAM_SUCCESS)) { krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds); diff --git a/usr/src/lib/pam_modules/krb5/krb5_password.c b/usr/src/lib/pam_modules/krb5/krb5_password.c index aa5bc598d2..6281bab567 100644 --- a/usr/src/lib/pam_modules/krb5/krb5_password.c +++ b/usr/src/lib/pam_modules/krb5/krb5_password.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -66,7 +66,7 @@ set_ccname( int result; if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): password: finalize" " ccname env, login_result =%d, env ='%s'", login_result, kmd->env ? kmd->env : "<null>"); @@ -82,10 +82,9 @@ set_ccname( if ((result = pam_putenv(pamh, kmd->env)) != PAM_SUCCESS) { /* should not happen but... */ - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (password):" - " pam_putenv failed: result: %d"), + " pam_putenv failed: result: %d", result); goto cleanupccname; } @@ -126,7 +125,7 @@ get_set_creds( */ login_result = attempt_krb5_auth(kmd, user, &newpass, 0); if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): get_set_creds: login_result= %d", login_result); /* @@ -170,14 +169,13 @@ pam_sm_chauthtok( if (strcmp(argv[i], "debug") == 0) debug = 1; else - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, - "PAM-KRB5 (password): illegal option %s"), + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (password): illegal option %s", argv[i]); } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): start: flags = %x", flags); @@ -186,7 +184,8 @@ pam_sm_chauthtok( if (rep_data != NULL) { if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): wrong" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): wrong" "repository found (%s), returning " "PAM_IGNORE", rep_data->type); return (PAM_IGNORE); @@ -196,15 +195,15 @@ pam_sm_chauthtok( if (flags & PAM_PRELIM_CHECK) { /* Nothing to do here */ if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): prelim check"); return (PAM_IGNORE); } /* make sure PAM framework is telling us to update passwords */ if (!(flags & PAM_UPDATE_AUTHTOK)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (password): bad flags: %d"), + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (password): bad flags: %d", flags); return (PAM_SYSTEM_ERR); } @@ -213,7 +212,7 @@ pam_sm_chauthtok( if ((err = pam_get_data(pamh, KRB5_DATA, (const void **)&kmd)) != PAM_SUCCESS) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): get mod data failed %d", err); kmd = NULL; @@ -223,7 +222,7 @@ pam_sm_chauthtok( /* let's make sure we know the krb5 pw has expired */ if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): kmd age status %d", kmd ? kmd->age_status : -99); @@ -233,13 +232,14 @@ pam_sm_chauthtok( (void) pam_get_item(pamh, PAM_USER, (void **)&user); - if (user == NULL || user == '\0') { - syslog(LOG_ERR, "PAM-KRB5 (password): username is empty"); + if (user == NULL || *user == '\0') { + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (password): username is empty"); return (PAM_USER_UNKNOWN); } if (!get_pw_uid(user, &pw_uid)) { - syslog(LOG_ERR, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (password): can't get uid for %s", user); return (PAM_USER_UNKNOWN); } @@ -251,7 +251,7 @@ pam_sm_chauthtok( if ((strcmp(user, ROOT_UNAME) == 0) && key_in_keytab(user, debug)) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): " "key for '%s' in keytab, returning IGNORE", user); result = PAM_IGNORE; @@ -270,7 +270,8 @@ pam_sm_chauthtok( result = krb5_verifypw(user, oldpass, debug); if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (password): verifypw %d", result); + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (password): verifypw %d", result); /* * If it's a bad password or general failure, we are done. @@ -292,7 +293,8 @@ pam_sm_chauthtok( out: if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (password): out: returns %d", + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (password): out: returns %d", result); return (result); @@ -345,10 +347,9 @@ krb5_verifypw( if (kadm5_get_cpw_host_srv_name(context, admin_realm, &cpw_service)) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (password): unable to get host based " - "service name for realm %s\n"), + "service name for realm %s\n", admin_realm); krb5_free_principal(context, princ); return (3); @@ -359,7 +360,7 @@ krb5_verifypw( KADM5_API_VERSION_2, &server_handle); if (code != 0) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5: krb5_verifypw: init_with_pw" " failed: (%s)", error_message(code)); krb5_free_principal(context, princ); @@ -441,10 +442,9 @@ krb5_changepw( if (kadm5_get_cpw_host_srv_name(context, admin_realm, &cpw_service)) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (password):unable to get host based " - "service name for realm %s\n"), + "service name for realm %s\n", admin_realm); return (PAM_SYSTEM_ERR); } @@ -455,7 +455,7 @@ krb5_changepw( free(cpw_service); if (code != 0) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): changepw: " "init_with_pw failed: (%s)", error_message(code)); krb5_free_principal(context, princ); @@ -485,7 +485,7 @@ krb5_changepw( (void) kadm5_destroy(server_handle); if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): changepw: end %d", code); if (code != 0) diff --git a/usr/src/lib/pam_modules/krb5/krb5_setcred.c b/usr/src/lib/pam_modules/krb5/krb5_setcred.c index 9715b94a03..962af0255f 100644 --- a/usr/src/lib/pam_modules/krb5/krb5_setcred.c +++ b/usr/src/lib/pam_modules/krb5/krb5_setcred.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -76,7 +75,7 @@ pam_sm_setcred( int err = 0; int debug = 0; krb5_module_data_t *kmd = NULL; - char *user; + char *user = NULL; int result; krb5_repository_data_t *krb5_data = NULL; pam_repository_t *rep_data = NULL; @@ -89,7 +88,7 @@ pam_sm_setcred( } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): start: nowarn = %d, flags = 0x%x", flags & PAM_SILENT ? 1 : 0, flags); @@ -100,23 +99,20 @@ pam_sm_setcred( !(flags & PAM_REFRESH_CRED) && !(flags & PAM_DELETE_CRED) && !(flags & PAM_SILENT)) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, - "PAM-KRB5 (setcred): illegal flag %d"), flags); + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (setcred): illegal flag %d", flags); err = PAM_SYSTEM_ERR; goto out; } - err = pam_get_item(pamh, PAM_USER, (void**) &user); - if (err != PAM_SUCCESS) - return (err); + (void) pam_get_item(pamh, PAM_USER, (void**) &user); - if (user == NULL || !user[0]) - return (PAM_AUTH_ERR); + if (user == NULL || *user == '\0') + return (PAM_USER_UNKNOWN); if (pam_get_data(pamh, KRB5_DATA, (const void**)&kmd) != PAM_SUCCESS) { if (debug) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): kmd get failed, kmd=0x%p", kmd); } @@ -126,7 +122,7 @@ pam_sm_setcred( * or for PAM_DELETE_CRED */ if (flags & (PAM_REFRESH_CRED|PAM_DELETE_CRED)) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): inst kmd structure"); kmd = calloc(1, sizeof (krb5_module_data_t)); @@ -149,7 +145,7 @@ pam_sm_setcred( } else { /* pam_get_data success */ if (kmd == NULL) { if (debug) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): kmd structure" " gotten but is NULL for user %s", user); } @@ -158,7 +154,7 @@ pam_sm_setcred( } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): kmd auth_status: %s", pam_strerror(pamh, kmd->auth_status)); @@ -173,7 +169,6 @@ pam_sm_setcred( kmd->debug = debug; - /* * User must have passed pam_authenticate() * in order to use PAM_ESTABLISH_CRED or PAM_REINITIALIZE_CRED @@ -181,7 +176,7 @@ pam_sm_setcred( if ((flags & (PAM_ESTABLISH_CRED|PAM_REINITIALIZE_CRED)) && (kmd->auth_status != PAM_SUCCESS)) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): unable to " "setcreds, not authenticated!"); return (PAM_CRED_UNAVAIL); @@ -195,19 +190,27 @@ pam_sm_setcred( * leaks. */ if (kmd->kcontext != NULL && kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): kcontext != NULL, " "possible memory leak."); /* + * Use the authenticated and validated user, if applicable. + */ + if (kmd->user != NULL) + user = kmd->user; + + /* * If auth was short-circuited we will not have anything to * renew, so just return here. */ - err = pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); + (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); + if (rep_data != NULL) { if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (setcred): wrong" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (setcred): wrong" "repository found (%s), returning " "PAM_IGNORE", rep_data->type); return (PAM_IGNORE); @@ -220,7 +223,7 @@ pam_sm_setcred( krb5_data->principal != NULL && strlen(krb5_data->principal)) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): " "Principal %s already " "authenticated, " @@ -244,8 +247,8 @@ pam_sm_setcred( err = attempt_refresh_cred(kmd, user, PAM_ESTABLISH_CRED); } - if (err) - syslog(LOG_ERR, + if (err != PAM_SUCCESS) + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (setcred): pam_setcred failed " "for %s (%s).", user, pam_strerror(pamh, err)); @@ -263,10 +266,8 @@ out: /* * 'kmd' is not freed here, it is handled in krb5_cleanup */ - - if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): end: %s", pam_strerror(pamh, err)); return (err); @@ -291,7 +292,7 @@ attempt_refresh_cred( /* User must have passed pam_authenticate() */ if (kmd->auth_status != PAM_SUCCESS) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): unable to " "setcreds, not authenticated!"); return (PAM_CRED_UNAVAIL); @@ -300,14 +301,14 @@ attempt_refresh_cred( /* Create a new context here. */ if (krb5_init_context(&kmd->kcontext) != 0) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): unable to " "initialize krb5 context"); return (PAM_SYSTEM_ERR); } if (krb5_cc_default(kmd->kcontext, &kmd->ccache) != 0) { - return (PAM_CRED_ERR); + return (PAM_SYSTEM_ERR); } if ((code = get_kmd_kuser(kmd->kcontext, (const char *)user, kuser, @@ -316,7 +317,7 @@ attempt_refresh_cred( } if (krb5_parse_name(kmd->kcontext, kuser, &me) != 0) { - return (PAM_CRED_ERR); + return (PAM_SYSTEM_ERR); } if (code = krb5_build_principal_ext(kmd->kcontext, &server, @@ -325,19 +326,20 @@ attempt_refresh_cred( tgtname.length, tgtname.data, krb5_princ_realm(kmd->kcontext, me)->length, krb5_princ_realm(kmd->kcontext, me)->data, 0)) { - code = PAM_CRED_ERR; - goto out; + krb5_free_principal(kmd->kcontext, me); + return (PAM_SYSTEM_ERR); } code = krb5_renew_tgt(kmd, me, server, flag); -out: - if (server) - krb5_free_principal(kmd->kcontext, server); - if (me) - krb5_free_principal(kmd->kcontext, me); + krb5_free_principal(kmd->kcontext, server); + krb5_free_principal(kmd->kcontext, me); if (code) { + if (kmd->debug) + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5(setcred): krb5_renew_tgt() " + "failed: %s", error_message((errcode_t)code)); return (PAM_CRED_ERR); } else { return (PAM_SUCCESS); @@ -375,19 +377,17 @@ krb5_renew_tgt( if ((flag != PAM_REFRESH_CRED) && (flag != PAM_REINITIALIZE_CRED) && (flag != PAM_ESTABLISH_CRED)) - return (PAM_SYSTEM_ERR); + return (KRB5KRB_ERR_GENERIC); /* this is needed only for the ktkt_warnd */ - if (krb5_unparse_name(kmd->kcontext, me, &client_name) != 0) { - krb5_free_principal(kmd->kcontext, me); - return (PAM_CRED_ERR); - } + if ((retval = krb5_unparse_name(kmd->kcontext, me, &client_name)) != 0) + return (retval); (void) memset((char *)credsp, 0, sizeof (krb5_creds)); if ((retval = krb5_copy_principal(kmd->kcontext, server, &credsp->server))) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): krb5_copy_principal " "failed: %s", error_message((errcode_t)retval)); @@ -398,10 +398,9 @@ krb5_renew_tgt( retval = krb5_cc_get_principal(kmd->kcontext, kmd->ccache, &credsp->client); if (retval && (kmd->debug)) - syslog(LOG_DEBUG, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): User not in cred " - "cache (%s)"), error_message((errcode_t)retval)); + "cache (%s)", error_message((errcode_t)retval)); if ((retval == KRB5_FCC_NOFILE) && (flag & (PAM_ESTABLISH_CRED|PAM_REINITIALIZE_CRED))) { @@ -411,14 +410,14 @@ krb5_renew_tgt( */ if ((retval = krb5_cc_initialize(kmd->kcontext, kmd->ccache, me)) != 0) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): krb5_cc_initialize " "failed: %s", error_message((errcode_t)retval)); goto cleanup_creds; } else if ((retval = krb5_cc_store_cred(kmd->kcontext, kmd->ccache, &my_creds)) != 0) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): krb5_cc_store_cred " "failed: %s", error_message((errcode_t)retval)); @@ -430,10 +429,9 @@ krb5_renew_tgt( * This might be due to permission error on the cache, * or maybe we are looking in the wrong cache file! */ - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (setcred): Cannot find creds" - " for %s (%s)"), + " for %s (%s)", client_name ? client_name : "(unknown)", error_message((errcode_t)retval)); @@ -449,7 +447,7 @@ krb5_renew_tgt( if ((retval = krb5_get_credentials_renew(kmd->kcontext, 0, kmd->ccache, &creds, &credsp))) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): krb5_get_credentials", "_renew(reinitialize) failed: %s", error_message((errcode_t)retval)); @@ -547,7 +545,7 @@ krb5_renew_tgt( (retval = krb5_get_credentials_renew(kmd->kcontext, 0, kmd->ccache, &creds, &credsp))) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): krb5_get_credentials" "_renew(update) failed: %s", error_message((errcode_t)retval)); @@ -585,7 +583,7 @@ krb5_renew_tgt( fetched = fetched->next; if (retval) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5(setcred): krb5_cc_store_cred() " "failed: %s", error_message((errcode_t)retval)); @@ -624,22 +622,23 @@ cleanup_creds: if (get_pw_uid(username, &uuid) == 0 || get_pw_gid(username, &ugid) == 0) { - syslog(LOG_ERR, "PAM-KRB5 (setcred): Unable to " + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (setcred): Unable to " "find matching uid/gid pair for user `%s'", username); - return (PAM_SYSTEM_ERR); + return (KRB5KRB_ERR_GENERIC); } if (!(filepath = strchr(kmd->env, ':')) || !(filepath+1)) { - syslog(LOG_ERR, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (setcred): Invalid pathname " "for credential cache of user `%s'", username); - return (PAM_SYSTEM_ERR); + return (KRB5KRB_ERR_GENERIC); } if (chown(filepath+1, uuid, ugid)) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): chown to user " "`%s' failed for FILE=%s", username, filepath); @@ -652,9 +651,9 @@ cleanup_creds: kwarn_del_warning(client_name); if (kwarn_add_warning(client_name, creds.times.endtime) != 0) { - syslog(LOG_NOTICE, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_NOTICE, "PAM-KRB5 (auth): kwarn_add_warning" - " failed: ktkt_warnd(1M) down?")); + " failed: ktkt_warnd(1M) down?"); } } } @@ -687,15 +686,15 @@ static int attempt_delete_initcred(krb5_module_data_t *kmd) { if (kmd == NULL) - return (0); + return (PAM_SUCCESS); if (kmd->debug) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): deleting user's " "credentials (initcreds)"); } krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds); (void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds)); kmd->auth_status = PAM_AUTHINFO_UNAVAIL; - return (0); + return (PAM_SUCCESS); } diff --git a/usr/src/lib/pam_modules/krb5/utils.c b/usr/src/lib/pam_modules/krb5/utils.c index 18c3a8f155..360f71686c 100644 --- a/usr/src/lib/pam_modules/krb5/utils.c +++ b/usr/src/lib/pam_modules/krb5/utils.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -99,7 +98,6 @@ get_pw_gid(char *user, gid_t *gid) * procedure as for server principals and lowercase the domainname. * * Returns: - * PAM_AUTH_ERR - if local host name is not found * PAM_BUF_ERR - if there is an error from krb5_sname_to_principal(), * or krb5_unparse_name() * 0 - if there was no error @@ -157,7 +155,7 @@ key_in_keytab(const char *user, int debug) if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (%s): start for user '%s'", whoami, user ? user : "<null>"); @@ -167,7 +165,7 @@ key_in_keytab(const char *user, int debug) /* need to free context with krb5_free_context */ if (code = krb5_init_context(&kcontext)) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (%s): Error initializing " "krb5: %s", whoami, error_message(code)); @@ -182,7 +180,7 @@ key_in_keytab(const char *user, int debug) /* need to free princ with krb5_free_principal */ if ((code = krb5_parse_name(kcontext, kuser, &princ)) != 0) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (%s): can't parse name (%s)", whoami, error_message(code)); goto out; @@ -191,7 +189,7 @@ key_in_keytab(const char *user, int debug) /* need to close keytab handle with krb5_kt_close */ if ((code = krb5_kt_default(kcontext, &kt_handle))) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (%s): krb5_kt_default failed (%s)", whoami, error_message(code)); goto out; @@ -201,20 +199,20 @@ key_in_keytab(const char *user, int debug) if (code != 0) { if (code == ENOENT) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (%s): " "Keytab does not exist", whoami); } else if (code == KRB5_KT_NOTFOUND) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (%s): " "No entry for principal " "'%s' exists in keytab", whoami, kuser); } else { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (%s): " "krb5_kt_get_entry failed (%s)", whoami, error_message(code)); @@ -222,7 +220,7 @@ key_in_keytab(const char *user, int debug) } else { /* Key found in keytab, return success */ (void) krb5_kt_free_entry(kcontext, &kt_ent); if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (%s): " "keytab entry for '%s' found", whoami, user); diff --git a/usr/src/lib/pam_modules/krb5/utils.h b/usr/src/lib/pam_modules/krb5/utils.h index f9959cb102..a976a5ced6 100644 --- a/usr/src/lib/pam_modules/krb5/utils.h +++ b/usr/src/lib/pam_modules/krb5/utils.h @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -42,6 +41,7 @@ extern "C" { #define ROOT_UNAME "root" typedef struct { + char *user; int debug; int warn; int err_on_exp; diff --git a/usr/src/lib/pam_modules/krb5_migrate/krb5_migrate_authenticate.c b/usr/src/lib/pam_modules/krb5_migrate/krb5_migrate_authenticate.c index 4fa48f1720..38a75026f5 100644 --- a/usr/src/lib/pam_modules/krb5_migrate/krb5_migrate_authenticate.c +++ b/usr/src/lib/pam_modules/krb5_migrate/krb5_migrate_authenticate.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -89,9 +88,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, (strcmp((strstr(argv[i], "=") + 1), "") != 0)) { service = (char *)strdup(strstr(argv[i], "=") + 1); } else { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): unrecognized " - "option %s"), + "option %s", argv[i]); } } @@ -109,9 +108,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, */ if (user == NULL || (user[0] == '\0')) { if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5-AUTOMIGRATE (auth): " - "user empty or null")); + "user empty or null"); goto cleanup; } @@ -125,9 +124,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, if (password == NULL || (password[0] == '\0')) { if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5-AUTOMIGRATE (auth): " - "authentication token is empty or null")); + "authentication token is empty or null"); goto cleanup; } @@ -136,9 +135,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, * Now, lets do the all krb5/kadm5 setup for the principal addition */ if (retval = krb5_init_context(&context)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): Error initializing " - "krb5: %s"), + "krb5: %s", error_message(retval)); goto cleanup; } @@ -147,9 +146,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, (void) memset(&kadm5_userprinc, 0, sizeof (kadm5_userprinc)); if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): Error while obtaining " - "default krb5 realm")); + "default krb5 realm"); goto cleanup; } @@ -158,9 +157,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, if (kadm5_get_adm_host_srv_name(context, def_realm, &kadmin_princ)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): Error while obtaining " - "host based service name for realm %s\n"), def_realm); + "host based service name for realm %s\n", def_realm); goto cleanup; } @@ -168,18 +167,18 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, (service != NULL)?service:"host", KRB5_NT_SRV_HST, &svcprinc)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): Error while creating " - "krb5 host service principal: %s"), + "krb5 host service principal: %s", error_message(retval)); goto cleanup; } if (retval = krb5_unparse_name(context, svcprinc, &svcprincstr)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): Error while " - "unparsing principal name: %s"), + "unparsing principal name: %s", error_message(retval)); krb5_free_principal(context, svcprinc); goto cleanup; @@ -197,9 +196,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, KADM5_API_VERSION_2, &handle); if (retval) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): Error while " - "doing kadm5_init_with_skey: %s"), + "doing kadm5_init_with_skey: %s", error_message(retval)); goto cleanup; } @@ -220,9 +219,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, if (retval = krb5_parse_name(context, userprincstr, &userprinc)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): Error while " - "parsing user principal name: %s"), + "parsing user principal name: %s", error_message(retval)); goto cleanup; } @@ -236,10 +235,10 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, switch (retval) { case KADM5_AUTH_GET: if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5-AUTOMIGRATE (auth): %s does " "not have the GET privilege " - "for kadm5_get_principal: %s"), + "for kadm5_get_principal: %s", svcprincstr, error_message(retval)); break; @@ -256,9 +255,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, * Principal already exists in the KDC database, quit now */ if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5-AUTOMIGRATE (auth): Principal %s " - "already exists in Kerberos KDC database"), + "already exists in Kerberos KDC database", userprincstr); goto cleanup; } @@ -267,9 +266,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, if (retval = krb5_parse_name(context, userprincstr, &(kadm5_userprinc.principal))) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): Error while " - "parsing user principal name: %s"), + "parsing user principal name: %s", error_message(retval)); goto cleanup; } @@ -287,17 +286,17 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, switch (retval) { case KADM5_AUTH_ADD: if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5-AUTOMIGRATE (auth): %s does " "not have the ADD privilege " - "for kadm5_create_principal: %s"), + "for kadm5_create_principal: %s", svcprincstr, error_message(retval)); break; default: - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5-AUTOMIGRATE (auth): Generic error" - "while doing kadm5_create_principal: %s"), + "while doing kadm5_create_principal: %s", error_message(retval)); break; } @@ -318,9 +317,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, messages, NULL); } if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5-AUTOMIGRATE (auth): User %s " - "has been added to the Kerberos KDC database"), + "has been added to the Kerberos KDC database", userprincstr); /* diff --git a/usr/src/uts/common/fs/autofs/auto_subr.c b/usr/src/uts/common/fs/autofs/auto_subr.c index 42ee1f0d3c..41cfd3c5cd 100644 --- a/usr/src/uts/common/fs/autofs/auto_subr.c +++ b/usr/src/uts/common/fs/autofs/auto_subr.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -84,8 +84,8 @@ static int auto_perform_actions(fninfo_t *, fnnode_t *, action_list *, cred_t *); static int auto_getmntpnt(vnode_t *, char *, vnode_t **, cred_t *); static int auto_lookup_request(fninfo_t *, char *, struct linka *, - bool_t, bool_t *); -static int auto_mount_request(fninfo_t *, char *, action_list **, + bool_t, bool_t *, cred_t *); +static int auto_mount_request(fninfo_t *, char *, action_list **, cred_t *, bool_t); extern struct autofs_globals *autofs_zone_init(void); @@ -159,7 +159,7 @@ auto_lookup_aux(fnnode_t *fnp, char *name, cred_t *cred) fnip = vfstofni(fntovn(fnp)->v_vfsp); bzero(&link, sizeof (link)); - error = auto_lookup_request(fnip, name, &link, TRUE, &mountreq); + error = auto_lookup_request(fnip, name, &link, TRUE, &mountreq, cred); if (!error) { if (link.link != NULL || link.link != '\0') { /* @@ -263,7 +263,7 @@ auto_mount_thread(struct autofs_callargs *argsp) cred = argsp->fnc_cred; ASSERT(crgetzoneid(argsp->fnc_cred) == fnip->fi_zoneid); - error = auto_mount_request(fnip, name, &alp, TRUE); + error = auto_mount_request(fnip, name, &alp, cred, TRUE); if (!error) error = auto_perform_actions(fnip, fnp, alp, cred); mutex_enter(&fnp->fn_lock); @@ -539,7 +539,8 @@ auto_lookup_request( char *key, struct linka *lnp, bool_t hard, - bool_t *mountreq) + bool_t *mountreq, + cred_t *cred) { int error; struct autofs_globals *fngp; @@ -565,6 +566,7 @@ auto_lookup_request( reqst.subdir = fnip->fi_subdir; reqst.opts = fnip->fi_opts; reqst.isdirect = fnip->fi_flags & MF_DIRECT ? TRUE : FALSE; + reqst.uid = crgetuid(cred); resp = kmem_zalloc(sizeof (*resp), KM_SLEEP); @@ -640,6 +642,7 @@ auto_mount_request( fninfo_t *fnip, char *key, action_list **alpp, + cred_t *cred, bool_t hard) { int error; @@ -664,6 +667,7 @@ auto_mount_request( reqst.subdir = fnip->fi_subdir; reqst.opts = fnip->fi_opts; reqst.isdirect = fnip->fi_flags & MF_DIRECT ? TRUE : FALSE; + reqst.uid = crgetuid(cred); xdrres = kmem_zalloc(sizeof (*xdrres), KM_SLEEP); @@ -676,7 +680,6 @@ auto_mount_request( sizeof (autofs_mountres), hard); - if (!error) { fngp->fng_verbose = xdrres->mr_verbose; switch (xdrres->mr_type.status) { diff --git a/usr/src/uts/common/fs/autofs/auto_vnops.c b/usr/src/uts/common/fs/autofs/auto_vnops.c index 3e8a9159db..16c5a26781 100644 --- a/usr/src/uts/common/fs/autofs/auto_vnops.c +++ b/usr/src/uts/common/fs/autofs/auto_vnops.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -909,6 +909,7 @@ again: rda.rda_offset = (uint_t)uiop->uio_offset; rd.rd_rddir.rddir_entries = dp; rda.rda_count = rd.rd_rddir.rddir_size = (uint_t)alloc_count; + rda.uid = crgetuid(cred); error = auto_calldaemon(fngp->fng_zoneid, AUTOFS_READDIR, diff --git a/usr/src/uts/common/fs/autofs/auto_xdr.c b/usr/src/uts/common/fs/autofs/auto_xdr.c index 5448874357..dd657e4310 100644 --- a/usr/src/uts/common/fs/autofs/auto_xdr.c +++ b/usr/src/uts/common/fs/autofs/auto_xdr.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -281,6 +281,8 @@ xdr_autofs_lookupargs(XDR *xdrs, autofs_lookupargs *objp) return (FALSE); if (!xdr_bool_t(xdrs, &objp->isdirect)) return (FALSE); + if (!xdr_u_int(xdrs, (uint_t *)&objp->uid)) + return (FALSE); return (TRUE); } @@ -351,6 +353,8 @@ xdr_autofs_rddirargs(XDR *xdrs, autofs_rddirargs *objp) return (FALSE); if (!xdr_u_int(xdrs, &objp->rda_count)) return (FALSE); + if (!xdr_u_int(xdrs, (uint_t *)&objp->uid)) + return (FALSE); return (TRUE); } diff --git a/usr/src/uts/common/rpcsvc/autofs_prot.x b/usr/src/uts/common/rpcsvc/autofs_prot.x index 0e9e6b6821..24dd00e1c0 100644 --- a/usr/src/uts/common/rpcsvc/autofs_prot.x +++ b/usr/src/uts/common/rpcsvc/autofs_prot.x @@ -19,7 +19,7 @@ * CDDL HEADER END */ %/* -% * Copyright 2006 Sun Microsystems, Inc. All rights reserved. +% * Copyright 2007 Sun Microsystems, Inc. All rights reserved. % * Use is subject to license terms. % */ % @@ -86,6 +86,7 @@ struct autofs_lookupargs { string subdir<AUTOFS_MAXPATHLEN>; /* subdir within map */ string opts<AUTOFS_MAXOPTSLEN>; bool_t isdirect; /* direct mountpoint? */ + uid_t uid; /* uid of caller */ }; /* @@ -231,6 +232,7 @@ struct autofs_rddirargs { string rda_map<AUTOFS_MAXPATHLEN>; u_int rda_offset; /* starting offset */ u_int rda_count; /* total size requested */ + uid_t uid; /* uid of caller */ }; struct autofsrddir { |