From 645c0d47c7eefcec78033c459f8982442d28619a Mon Sep 17 00:00:00 2001
From: drochner
Date: Thu, 17 Jul 2008 18:00:58 +0000
Subject: -make this work with the openpam version in -current (I didn't try whether it still works on 4.0. Would be nice if someone did it.) -supply an example pam.conf file -slow down to avoid abuse, better cleanup in error cases, more paranoia thanks to Joerg for suggestions
---
 security/pam-pwauth_suid/MESSAGE | 6 +++---
 security/pam-pwauth_suid/Makefile | 17 ++++++++++-------
 security/pam-pwauth_suid/PLIST | 6 ++++--
 security/pam-pwauth_suid/files/pam_pwauth_suid.c | 22 +++++++++++++++++++---
 .../pam-pwauth_suid/files/pwauth_suid_helper.c | 9 ++++++---
 security/pam-pwauth_suid/files/xscreensaver | 2 ++
 6 files changed, 44 insertions(+), 18 deletions(-)
 create mode 100644 security/pam-pwauth_suid/files/xscreensaver
(limited to 'security')
diff --git a/security/pam-pwauth_suid/MESSAGE b/security/pam-pwauth_suid/MESSAGE
index ddac09e8820..73a834782cf 100644
--- a/security/pam-pwauth_suid/MESSAGE
+++ b/security/pam-pwauth_suid/MESSAGE
@@ -1,6 +1,6 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.1.1.1 2007/01/08 18:39:44 drochner Exp $
+$NetBSD: MESSAGE,v 1.2 2008/07/17 18:00:58 drochner Exp $
 
-The PAM authentication module "pam_pwauth_suid.so.0" needs to be
-installed into the directory "/usr/lib/security".
+A sample pam.d file for xscreensaver can be found in
+${PREFIX}/share/examples/pam-pwauth_suid
 ===========================================================================
diff --git a/security/pam-pwauth_suid/Makefile b/security/pam-pwauth_suid/Makefile
index 8e1de661f07..390c9f949da 100644
--- a/security/pam-pwauth_suid/Makefile
+++ b/security/pam-pwauth_suid/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.4 2008/06/25 18:17:33 drochner Exp $
+# $NetBSD: Makefile,v 1.5 2008/07/17 18:00:58 drochner Exp $
 
-DISTNAME= pam-pwauth_suid-1.1
+DISTNAME= pam-pwauth_suid-1.2
 CATEGORIES= security
 DISTFILES= # empty
 
@@ -10,11 +10,12 @@ COMMENT= PAM authentication module for unprivileged users
 NO_CHECKSUM= yes
 WRKSRC= ${WRKDIR}
 
-HLPDEF+= -DPATH_HELPER=\"${PREFIX}/libexec/pwauth_suid_helper\"
+PAMDEF+= -DPATH_HELPER=\"${PREFIX}/libexec/pwauth_suid_helper\"
+PAMDEF+= -DNO_STATIC_MODULES
 
 PKG_DESTDIR_SUPPORT= user-destdir
 
-INSTALLATION_DIRS= lib/security libexec
+INSTALLATION_DIRS= lib/security libexec share/examples/pam-pwauth_suid
 
 do-extract:
 ${CP} ${FILESDIR}/pam_pwauth_suid.c ${FILESDIR}/pwauth_suid_helper.c \
@@ -22,18 +23,20 @@ do-extract:
 
 do-build:
 (cd ${WRKSRC} && \
- ${CC} ${CFLAGS} -c -fPIC ${HLPDEF} pam_pwauth_suid.c && \
- ${LD} -shared pam_pwauth_suid.o -o pam_pwauth_suid.so.0 && \
+ ${CC} ${CFLAGS} -c -fPIC ${PAMDEF} pam_pwauth_suid.c && \
+ ${LD} -shared pam_pwauth_suid.o -o pam_pwauth_suid.so && \
 ${CC} ${CFLAGS} pwauth_suid_helper.c -o pwauth_suid_helper -lcrypt)
 
 do-install:
 ${INSTALL_DATA_DIR} ${DESTDIR}${PREFIX}/lib/security
- ${INSTALL_DATA} ${WRKSRC}/pam_pwauth_suid.so.0 \
+ ${INSTALL_DATA} ${WRKSRC}/pam_pwauth_suid.so \
 ${DESTDIR}${PREFIX}/lib/security
 ${INSTALL_PROGRAM_DIR} ${DESTDIR}${PREFIX}/libexec
 ${INSTALL_PROGRAM} ${WRKSRC}/pwauth_suid_helper \
 ${DESTDIR}${PREFIX}/libexec
 ${CHMOD} 04555 ${DESTDIR}${PREFIX}/libexec/pwauth_suid_helper
+ sed -e 's|@PREFIX@|${PREFIX}|g' ${FILESDIR}/xscreensaver > \
+ ${DESTDIR}${PREFIX}/share/examples/pam-pwauth_suid/xscreensaver
 
 .include "../../mk/pam.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
diff --git a/security/pam-pwauth_suid/PLIST b/security/pam-pwauth_suid/PLIST
index a9f5d6e38be..033c8d49b1b 100644
--- a/security/pam-pwauth_suid/PLIST
+++ b/security/pam-pwauth_suid/PLIST
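Review bot: The new `sed ... > ${DESTDIR}${PREFIX}/share/examples/pam-pwauth_suid/xscreensaver` line in the do-install hunk (@@ -22,18 +23,20) installs the example with a shell redirect instead of `${INSTALL_DATA}`, so the file's mode and ownership come from the build user's umask rather than pkgsrc's install conventions, and the only error checking is the shell's. Every other installed file in this target goes through an INSTALL_* macro, so this one stands out. Generating the file first and installing it the usual way keeps the target consistent: `sed -e 's|@PREFIX@|${PREFIX}|g' ${FILESDIR}/xscreensaver > ${WRKSRC}/xscreensaver` followed by `${INSTALL_DATA} ${WRKSRC}/xscreensaver ${DESTDIR}${PREFIX}/share/examples/pam-pwauth_suid` (the sed step could equally live in do-build). The directory itself is already created via the INSTALLATION_DIRS addition in the previous hunk, so nothing else changes.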
@@ -1,3 +1,5 @@
-@comment $NetBSD: PLIST,v 1.1.1.1 2007/01/08 18:39:44 drochner Exp $
-lib/security/pam_pwauth_suid.so.0
+@comment $NetBSD: PLIST,v 1.2 2008/07/17 18:00:58 drochner Exp $
+lib/security/pam_pwauth_suid.so
 libexec/pwauth_suid_helper
+share/examples/pam-pwauth_suid/xscreensaver
+@dirrm share/examples/pam-pwauth_suid
diff --git a/security/pam-pwauth_suid/files/pam_pwauth_suid.c b/security/pam-pwauth_suid/files/pam_pwauth_suid.c
index 4144a263a78..87f010fb7b7 100644
--- a/security/pam-pwauth_suid/files/pam_pwauth_suid.c
+++ b/security/pam-pwauth_suid/files/pam_pwauth_suid.c
@@ -1,6 +1,7 @@
-/* $NetBSD: pam_pwauth_suid.c,v 1.2 2007/09/05 20:29:05 drochner Exp $ */
+/* $NetBSD: pam_pwauth_suid.c,v 1.3 2008/07/17 18:00:58 drochner Exp $ */
 
 #include
+#define PAM_SM_AUTH
 #include
 #include
 
@@ -26,8 +27,10 @@ askhelper(const char *user, const char *pass)
 /* make sure only we get the exit status of the helper */
 sigemptyset(&chldsig);
 sigaddset(&chldsig, SIGCHLD);
- if (sigprocmask(SIG_BLOCK, &chldsig, &omask) < 0)
- return errno;
+ if (sigprocmask(SIG_BLOCK, &chldsig, &omask) < 0) {
+ err = errno;
+ goto error2;
+ }
 
 pid = vfork();
 switch (pid) {
@@ -42,6 +45,7 @@ askhelper(const char *user, const char *pass)
 _exit(errno);
 default: /* parent */
 (void)close(fd[0]);
+ fd[0] = -1;
 break;
 }
 
@@ -65,6 +69,10 @@ askhelper(const char *user, const char *pass)
 
 error:
 sigprocmask(SIG_SETMASK, &omask, 0);
+error2:
+ if (fd[0] != -1)
+ (void)close(fd[0]);
+ (void)close(fd[1]);
 return err;
 }
 
@@ -88,4 +96,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 return PAM_SUCCESS;
 }
 
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+
+ return PAM_SUCCESS;
+}
+
 PAM_MODULE_ENTRY("pam_passwdhelper");
diff --git a/security/pam-pwauth_suid/files/pwauth_suid_helper.c b/security/pam-pwauth_suid/files/pwauth_suid_helper.c
index e1f77b3a72b..e987ccf942c 100644
--- a/security/pam-pwauth_suid/files/pwauth_suid_helper.c
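Review bot: The new `error2:` path (hunk @@ -65,6 +69,10) closes `fd[1]` unconditionally, while only `fd[0]` gets the close-then-mark `-1` treatment added in hunk @@ -42,6 +45,7. The part of askhelper that writes the password to the helper and the path by which a successful run reaches `error:` are outside these hunks, so I cannot confirm it, but if that code already closes `fd[1]` after writing, the normal path now closes it twice, and a second close on a recycled descriptor number can hit an unrelated fd opened by another thread of the host process. Mirroring the fd[0] handling removes the doubt: set `fd[1] = -1;` wherever it is closed and guard here with `if (fd[1] != -1) (void)close(fd[1]);`. askhelper's body begins before the first of these hunks and its success path is not visible.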
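Review bot: The added `pam_sm_setcred` (hunk @@ -88,4 +96,12) never touches `pamh`, `flags`, `argc` or `argv`, which is fine for an auth-only module but trips `-Wunused-parameter` on every build, and the empty line after the opening brace reads as a leftover rather than intent. A one-line body documents the no-op and silences the warning: `(void)pamh; (void)flags; (void)argc; (void)argv;` directly before `return PAM_SUCCESS;`. A short comment such as `/* no credentials to establish; authentication is done entirely by the helper */` above the function would tell the next reader why the stub exists.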
+++ b/security/pam-pwauth_suid/files/pwauth_suid_helper.c
@@ -1,4 +1,4 @@
-/* $NetBSD: pwauth_suid_helper.c,v 1.1.1.1 2007/01/08 18:39:44 drochner Exp $ */
+/* $NetBSD: pwauth_suid_helper.c,v 1.2 2008/07/17 18:00:58 drochner Exp $ */
 
 #include
 #include
@@ -36,6 +36,7 @@ main(int argc, char **argv)
 if (buflen == 0)
 return (ENOMEM);
 /* pwbuf is \0-terminated here b/c pwbuf is in bss */
+ pwbuf[sizeof(pwbuf) - 1] = '\0'; /* be paranoid */
 
 /*
 * Use username as key rather than uid so that it will not
@@ -49,10 +50,12 @@ main(int argc, char **argv)
 
 /*
 * Forcibly eat up some wall time to prevent use of this program
- * to brute-force? For now assume that process startup time etc.
- * make it already ineffective.
+ * to brute-force.
 */
+ usleep(100000);
+
 pwhash = crypt(pwbuf, pwent->pw_passwd);
+ memset(pwbuf, 0, sizeof(pwbuf));
 if (pwhash && strcmp(pwhash, pwent->pw_passwd) == 0)
 return (0);
 
diff --git a/security/pam-pwauth_suid/files/xscreensaver b/security/pam-pwauth_suid/files/xscreensaver
new file mode 100644
index 00000000000..d4276e2d925
--- /dev/null
+++ b/security/pam-pwauth_suid/files/xscreensaver
@@ -0,0 +1,2 @@
+# $NetBSD: xscreensaver,v 1.1 2008/07/17 18:00:58 drochner Exp $
+auth required @PREFIX@/lib/security/pam_pwauth_suid.so
-- 
cgit v1.2.3
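Review bot: `pwbuf[sizeof(pwbuf) - 1] = '\0';` (hunk @@ -36,6 +36,7) guarantees termination, but if the read that fills `pwbuf` — it is above this hunk and not visible — can fill the entire array, an over-long password is now silently cut to `sizeof(pwbuf) - 1` bytes and compared, rather than refused. If `buflen` is the byte count read into `pwbuf`, as the surrounding `if (buflen == 0)` check suggests, rejecting a full buffer is the stricter guard: `if (buflen >= sizeof(pwbuf)) return (EINVAL);` before the terminator write, which then only documents the invariant. The comment above the new line already claims termination via bss, so a short note on why the explicit store is still wanted would help the next reader. main's body begins before this hunk.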
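Review bot: `memset(pwbuf, 0, sizeof(pwbuf));` (hunk @@ -49,10 +50,12) is the last access to `pwbuf` before main returns, so it is a dead store from the optimizer's point of view and C gives no guarantee it survives; `pwbuf` appears to be file-scope (the comment in the previous hunk says it lives in bss), which makes elision less likely than for a local but does not rule it out. Where the libc provides `explicit_bzero` or `explicit_memset`, use that; otherwise clear through a `volatile unsigned char *` so the writes cannot be dropped. The 100 ms `usleep` runs before `crypt()` on every path, which is the right place for a uniform delay, but a one-line comment stating the value is per attempt and unconditional would save a future reader from re-deriving that. main's body continues outside the hunk.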